{"id":13540244,"url":"https://github.com/s4n7h0/xvwa","last_synced_at":"2025-04-06T07:13:01.955Z","repository":{"id":45632034,"uuid":"44470991","full_name":"s4n7h0/xvwa","owner":"s4n7h0","description":"XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.  ","archived":false,"fork":false,"pushed_at":"2020-09-12T17:26:24.000Z","size":2235,"stargazers_count":1699,"open_issues_count":4,"forks_count":338,"subscribers_count":81,"default_branch":"master","last_synced_at":"2024-10-29T18:02:50.447Z","etag":null,"topics":["application-security","knowledge","learning-appsec","mysql","php","vulnerability","xvwa"],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/s4n7h0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-10-18T08:34:45.000Z","updated_at":"2024-10-21T18:12:55.000Z","dependencies_parsed_at":"2022-09-11T23:40:26.283Z","dependency_job_id":null,"html_url":"https://github.com/s4n7h0/xvwa","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s4n7h0%2Fxvwa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s4n7h0%2Fxvwa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s4n7h0%2Fxvwa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s4n7h0%2Fxvwa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/s4n7h0","download_url":"https://codeload.github.com/s4n7h0/xvwa/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247445671,"owners_count":20939958,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application-security","knowledge","learning-appsec","mysql","php","vulnerability","xvwa"],"created_at":"2024-08-01T09:01:43.416Z","updated_at":"2025-04-06T07:13:01.938Z","avatar_url":"https://github.com/s4n7h0.png","language":"PHP","funding_links":[],"categories":["\u003ca id=\"761a373e2ec1c58c9cd205cd7a03e8a8\"\u003e\u003c/a\u003e靶机\u0026\u0026漏洞环境\u0026\u0026漏洞App","OWASP Top 10","PHP","PHP (184)","Support","Vulnerable Web apps:","Vulnerable Web Applications","Downloadable Applications","Xtreme Vulnerable Web Application (XVWA)"],"sub_categories":["\u003ca id=\"60b4d03a0cff6efc4b9b998a4a1a79d6\"\u003e\u003c/a\u003e靶机生成","Node","Mobile Security Labs"],"readme":"Xtreme Vulnerable Web Application (XVWA) \n=========================================\nXVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.  It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It’s totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for good purpose. How you use these skills and knowledge base is not our responsibility. \n\n\n![Image of XVWA Home Page](https://pbs.twimg.com/media/CWsFq1SVEAACsCh.png:large) \n\nXVWA is designed to understand following security issues. \n\n+ SQL Injection – Error Based \n+ SQL Injection – Blind\n+ OS Command Injection\n+ XPATH Injection \n+ Formula Injection\n+ PHP Object Injection \n+ Unrestricted File Upload\n+ Reflected Cross Site Scripting \n+ Stored Cross Site Scripting \n+ DOM Based Cross Site Scripting \n+ Server Side Request Forgery (Cross Site Port Attacks) \n+ File Inclusion \n+ Session Issues \n+ Insecure Direct Object Reference \n+ Missing Functional Level Access Control \n+ Cross Site Request Forgery (CSRF)\n+ Cryptography \n+ Unvalidated Redirect \u0026 Forwards\n+ Server Side Template Injection\n\nGood Luck and Happy Hacking!\n\n\n## Disclaimer \n\nDo not host this application on live or production environment. XVWA is totally vulnerable application and giving online/live access of this application could lead to complete compromise of your system. We are not responsible for any such bad incidents. Stay safe ! \n\n## Copyright\nThis work is licensed under GNU GENERAL PUBLIC LICENSE Version 3\nTo view a copy of this license, visit http://www.gnu.org/licenses/gpl-3.0.txt\n\n\n## Instructions \nXVWA is hassle-free to setup. You can set this up on windows, linux or Mac. Following are the basic steps you should be doing on your Apache-PHP-MYSQL environment to get this working.  Let that be WAMP, XAMP or anything you prefer to use. \n\n## Manual Installation Method\n\nCopy the xvwa folder in your web directory. Make sure the directory name remains **xvwa** itself. Make necessary changes in xvwa/config.php for database connection. Example below: \n\n```php\n$XVWA_WEBROOT = '';  \n$host = \"localhost\"; \n$dbname = 'xvwa';  \n$user = 'root'; \n$pass = 'root';\n```\n\nPlease note that mysql version 5.7 and above requires sudoer to access root user. This means apache user will not be able to use 'root' username to access the database. In such cases, a new username would need to be created and config.php file would also need to be changed accordingly.  \n\n\nMake following changes in PHP configuration file\n\n```php\nfile_uploads = on \nallow_url_fopen = on \nallow_url_include = on \n```\n\nXVWA will be accessible at http://localhost/xvwa/\n\nSetup or reset the database and table here http://localhost/xvwa/setup/\n\nThe login details\n\n```php\nadmin:admin\nxvwa:xvwa\nuser:vulnerable\n```\n\n## Automatic Installation Script\nI have written a small script to easily automates XVWA Setup in linux distributions. Run this with *root* to install the dependencies if not found in your linux environment\n\u003ehttps://github.com/s4n7h0/Script-Bucket/blob/master/Bash/xvwa-setup.sh \n\n## Alternative Setup Environments\n### Docker \nI have also seen a multiple dockers published to setup XVWA. Our thanks to all of them. Any docker lovers can also checkout below work. https://github.com/tuxotron/xvwa_lamp_container \n### Live ISO \n[@knoself](https://twitter.com/knoself) made XVWA live ISO on minimal Ubuntu server 14.04.x [(issue27)](https://github.com/s4n7h0/xvwa/issues/27)\nhttps://mega.nz/#!4bJ2XRLT!zOa_IZaBz-doqVZz77Rs1tbhXuR8EVBLOHktBGp11Q8 \n```\nUser = xvwa\nPass = toor\n```\n\n## About \nXVWA is intentionally designed with many security flaws and enough technical ground to upskill application security knowledge. This whole idea is to evangelize web application security issues. Do let us know your suggestions for improvement or any more vulnerability you would like to see in XVWA future releases. \n\n\n## Authors:\n\n- @s4n7h0 https://twitter.com/s4n7h0\n- @samanL33T https://twitter.com/samanl33t \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs4n7h0%2Fxvwa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fs4n7h0%2Fxvwa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs4n7h0%2Fxvwa/lists"}