xvwa
XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.
Top Related Projects
Damn Vulnerable Web Application (DVWA)
WebGoat is a deliberately insecure application
A modern vulnerable web app
The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
Quick Overview
XVWA (Xtreme Vulnerable Web Application) is an intentionally vulnerable web application designed for security professionals, developers, and students to practice and learn about web application security. It includes various common web vulnerabilities and security misconfigurations, providing a hands-on environment for testing and improving security skills.
Pros
- Comprehensive collection of web vulnerabilities for learning and practice
- Easy to set up and use, with clear documentation
- Regularly updated to include new and emerging vulnerabilities
- Suitable for both beginners and experienced security professionals
Cons
- Not intended for production use or as a secure application template
- May require additional configuration for some advanced scenarios
- Limited to PHP-based vulnerabilities, not covering all possible web technologies
- Some vulnerabilities may become outdated as security practices evolve
Getting Started
- Clone the repository:
  git clone https://github.com/s4n7h0/xvwa.git
- Set up a web server with PHP and MySQL support (e.g., XAMPP, WAMP, or LAMP).
- Copy the XVWA files to your web server's document root.
- Create a MySQL database named "xvwa" and import the provided SQL file:
  mysql -u root -p xvwa < xvwa.sql
- Configure the database connection in config.php:
  <?php
  $XVWA_WEBROOT = '';
  $host = 'localhost';
  $dbname = 'xvwa';
  $user = 'root';
  $pass = '';
  ?>
- Access XVWA through your web browser and start exploring the vulnerabilities.
Competitor Comparisons
Damn Vulnerable Web Application (DVWA)
Pros of DVWA
- More comprehensive set of vulnerabilities, including SQL injection, XSS, and CSRF
- Better documentation and user guide for setting up and using the application
- Larger community and more frequent updates
Cons of DVWA
- Less focus on modern web application vulnerabilities
- Limited customization options for difficulty levels
Code Comparison
DVWA (PHP):
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];
    // Check database
    $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Get values
        $first = $row["first_name"];
        $last = $row["last_name"];
        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }
}
?>
XVWA (PHP):
<?php
include('config.php');
if(isset($_POST['submit'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
    $result = mysqli_query($link,$sql);
    $count = mysqli_num_rows($result);
    if($count == 1){
        $_SESSION['login_user'] = $username;
        header("location: welcome.php");
    }else{
        $error = "Username or Password is invalid";
    }
}
?>
Both examples build the SQL query by concatenating request parameters into the query string, which is what makes them injectable. DVWA's code is more detailed and includes error handling, which prints the database error message to the page.
WebGoat is a deliberately insecure application
Pros of WebGoat
- More comprehensive, covering a wider range of web application security vulnerabilities
- Better documentation and learning resources, including detailed explanations and solutions
- Actively maintained with regular updates and a larger community
Cons of WebGoat
- Larger and more complex, potentially overwhelming for beginners
- Requires more setup and resources to run compared to XVWA
Code Comparison
XVWA (PHP):
<?php
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id='$id'";
$result = mysqli_query($conn, $query);
?>
WebGoat (Java):
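String query = "SELECT * FROM users WHERE userid = "
    + request.getParameter("userid");
try {
    Statement statement = connection.createStatement();
    ResultSet results = statement.executeQuery(query);
} catch (SQLException e) {
    // Closes the try block so the fragment compiles; the query above is still built by concatenation
    e.printStackTrace();
}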
Both examples demonstrate vulnerable SQL injection code, but WebGoat's implementation is in Java, while XVWA uses PHP. WebGoat generally provides more context and educational content around such vulnerabilities.
Summary
WebGoat offers a more comprehensive and well-maintained platform for learning web application security, with better documentation and a larger community. However, it may be more complex for beginners. XVWA, while simpler, provides a more lightweight alternative for those looking to quickly explore common vulnerabilities in PHP applications.
A modern vulnerable web app
Pros of Hackazon
- More comprehensive and realistic e-commerce application, providing a broader range of vulnerabilities to explore
- Actively maintained with regular updates and contributions from the security community
- Includes detailed documentation and setup instructions for various deployment options
Cons of Hackazon
- More complex setup and configuration due to its larger scope and dependencies
- Requires more system resources to run effectively
- May be overwhelming for beginners due to its extensive feature set
Code Comparison
XVWA (PHP):
<?php
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id='$id'";
$result = mysql_query($query);
?>
Hackazon (PHP):
<?php
$id = $this->request->param('id');
$user = ORM::factory('User', $id);
$userData = $user->as_array();
?>
The Hackazon example demonstrates better security practices by using a framework's ORM for database queries, reducing the risk of SQL injection vulnerabilities compared to XVWA's direct query construction.
The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
Pros of NodeGoat
- Built with Node.js, a popular and widely-used JavaScript runtime
- Actively maintained with regular updates and contributions
- Comprehensive documentation and tutorials for learning secure coding practices
Cons of NodeGoat
- Focuses solely on Node.js, limiting its applicability to other languages/frameworks
- May require more setup time due to its Node.js and MongoDB dependencies
Code Comparison
NodeGoat (JavaScript):
app.get('/login', function(req, res, next) {
    res.render('login', {
        userName: "",
        password: "",
        loginError: ""
    });
});
XVWA (PHP):
<?php
include('config.php');
if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $result = mysqli_query($conn, $query);
    if(mysqli_num_rows($result) == 1){
        $_SESSION['username'] = $username;
        header('location: dashboard.php');
    }
    else{
        $error = "Username or Password is invalid";
    }
}
?>
The code snippets demonstrate different approaches to handling login functionality: the NodeGoat snippet uses a more modern, Express-based routing system (the route shown only renders the login form), while XVWA uses traditional PHP with direct database queries built from the POST parameters.
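A hardened counterpart of the XVWA login snippet above (the same concatenated-query pattern appears in the DVWA comparison), shown as an added example and not code from XVWA or any of the compared projects. It assumes `$conn` is the mysqli handle opened in config.php and that the users table has a hypothetical `password_hash` column holding `password_hash()` output.

```php
<?php
// Added example: prepared-statement version of the login check.
// Assumptions: $conn comes from config.php; users.password_hash is a
// hypothetical column that stores password_hash() output.
include('config.php');
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

function check_login(mysqli $conn, string $username, string $password): bool
{
    // The query text is fixed. The username travels as a bound parameter,
    // so quotes inside it cannot change the structure of the statement.
    $stmt = mysqli_prepare($conn, "SELECT password_hash FROM users WHERE username = ?");
    if ($stmt === false) {
        // Log the database error server-side instead of printing it to the page.
        error_log('login prepare failed: ' . mysqli_error($conn));
        return false;
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt); // true = row, null = no row, false = error
    mysqli_stmt_close($stmt);

    // Verify against the stored hash rather than matching plaintext in SQL.
    return $found === true && password_verify($password, $hash);
}

if (isset($_POST['login'])) {
    // Accept only scalar strings; array-valued parameters are rejected.
    $username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (check_login($conn, $username, $password)) {
        session_regenerate_id(true); // fresh session ID after authentication
        $_SESSION['username'] = $username;
        header('Location: dashboard.php');
        exit;
    }
    $error = "Username or Password is invalid";
}
?>
```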
README
Xtreme Vulnerable Web Application (XVWA)
XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It's not advisable to host this application online as it is designed to be "Xtremely Vulnerable". We recommend hosting this application in a local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It's totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and most fundamental way. Learn and acquire these skills for good purpose. How you use these skills and knowledge base is not our responsibility.
XVWA is designed to help you understand the following security issues.
- SQL Injection – Error Based
- SQL Injection – Blind
- OS Command Injection
- XPATH Injection
- Formula Injection
- PHP Object Injection
- Unrestricted File Upload
- Reflected Cross Site Scripting
- Stored Cross Site Scripting
- DOM Based Cross Site Scripting
- Server Side Request Forgery (Cross Site Port Attacks)
- File Inclusion
- Session Issues
- Insecure Direct Object Reference
- Missing Functional Level Access Control
- Cross Site Request Forgery (CSRF)
- Cryptography
- Unvalidated Redirect & Forwards
- Server Side Template Injection
Good Luck and Happy Hacking!
Disclaimer
Do not host this application in a live or production environment. XVWA is a totally vulnerable application, and giving online/live access to it could lead to complete compromise of your system. We are not responsible for any such bad incidents. Stay safe!
Copyright
This work is licensed under the GNU GENERAL PUBLIC LICENSE Version 3. To view a copy of this license, visit http://www.gnu.org/licenses/gpl-3.0.txt
Instructions
XVWA is hassle-free to set up. You can set it up on Windows, Linux or Mac. The following are the basic steps to get it working in your Apache-PHP-MySQL environment, whether that is WAMP, XAMPP or anything else you prefer to use.
Manual Installation Method
Copy the xvwa folder into your web directory. Make sure the directory name remains xvwa. Make the necessary changes in xvwa/config.php for the database connection. Example below:
$XVWA_WEBROOT = '';
$host = "localhost";
$dbname = 'xvwa';
$user = 'root';
$pass = 'root';
Please note that MySQL version 5.7 and above requires a sudoer to access the root user. This means the Apache user will not be able to use the 'root' username to access the database. In such cases, a new user needs to be created and the config.php file changed accordingly.
Make the following changes in the PHP configuration file:
file_uploads = on
allow_url_fopen = on
allow_url_include = on
XVWA will be accessible at http://localhost/xvwa/
Set up or reset the database and table here: http://localhost/xvwa/setup/
The login details:
admin:admin
xvwa:xvwa
user:vulnerable
Automatic Installation Script
I have written a small script that automates XVWA setup on Linux distributions. Run it as root so it can install the dependencies if they are not found in your Linux environment:
https://github.com/s4n7h0/Script-Bucket/blob/master/Bash/xvwa-setup.sh
Alternative Setup Environments
Docker
I have also seen multiple Docker images published to set up XVWA. Our thanks to all of them. Docker lovers can also check out the work below. https://github.com/tuxotron/xvwa_lamp_container
Live ISO
@knoself made an XVWA live ISO on a minimal Ubuntu Server 14.04.x (issue27) https://mega.nz/#!4bJ2XRLT!zOa_IZaBz-doqVZz77Rs1tbhXuR8EVBLOHktBGp11Q8
User = xvwa
Pass = toor
About
XVWA is intentionally designed with many security flaws and enough technical ground to upskill application security knowledge. The whole idea is to evangelize web application security issues. Do let us know your suggestions for improvement or any more vulnerabilities you would like to see in future XVWA releases.
Authors:
- @s4n7h0 https://twitter.com/s4n7h0
- @samanL33T https://twitter.com/samanl33t