XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It's not advisable to host this application online as it is designed to be "Xtremely Vulnerable". We recommend hosting this application in a local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It's totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and most fundamental way. Learn and acquire these skills for good purpose. How you use these skills and this knowledge base is not our responsibility.

XVWA is designed to help you understand the following security issues.

SQL Injection – Error Based

SQL Injection – Blind

OS Command Injection

XPATH Injection

Unrestricted File Upload

Reflected Cross Site Scripting

Stored Cross Site Scripting

DOM Based Cross Site Scripting

Server Side Request Forgery (Cross Site Port Attacks)

File Inclusion

Session Issues

Insecure Direct Object Reference

Missing Functional Level Access Control

Cross Site Request Forgery (CSRF)

Cryptography

Unvalidated Redirect & Forwards

Server Side Template Injection

Good Luck and Happy Hacking!

Do not host this application on a live or production environment. XVWA is a totally vulnerable application and giving online/live access to this application could lead to complete compromise of your system. We are not responsible for any such bad incidents. Stay safe!

Instructions

XVWA is hassle-free to set up. You can set it up on Windows, Linux or Mac. Following are the basic steps you should take in your Apache-PHP-MySQL environment to get this working, whether that is WAMP, XAMPP or anything else you prefer to use.

Copy the xvwa folder in your web directory. Make sure the directory name remains xvwa itself.

Make necessary changes in xvwa/config.php for database connection. Example below:

<?php
$XVWA_WEBROOT = '';      // leave empty when the app is served at http://localhost/xvwa/
$host = 'localhost';     // MySQL host
$dbname = 'xvwa';        // database name; created by http://localhost/xvwa/setup/
$user = 'root';          // MySQL user
$pass = 'root';          // MySQL password

Make the following changes in the PHP configuration file (php.ini). Note that allow_url_fopen and allow_url_include let PHP open and include remote URLs, which is exactly the behaviour some of the XVWA exercises rely on; these settings are unsafe on any PHP installation that serves other applications, so apply them only in the dedicated lab environment.

file_uploads = on
allow_url_fopen = on
allow_url_include = on

Access the application at: http://localhost/xvwa/

Set up the database and tables by accessing http://localhost/xvwa/setup/

The login details:

admin:admin

xvwa:xvwa

user:vulnerable
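The setup steps above, collected into one POSIX shell script as an added example (this is not part of XVWA or its README). It generates xvwa/config.php from the five settings shown, flips the three php.ini directives in place, and writes an Apache 2.4 snippet that limits the xvwa directory to requests from the local machine with Require local, which is a concrete way of following the "do not host this online" advice. The paths (web root, php.ini, Apache conf directory) and the XVWA_APPLY switch are assumptions of this example and can be overridden with environment variables; the script only touches real files when XVWA_APPLY=1 is set.

```shell
#!/bin/sh
# Added example helper for a local XVWA lab install; not XVWA project code.
# Assumed defaults (override via environment): web root /var/www/html,
# php.ini at /etc/php/php.ini, Apache conf dir /etc/apache2/conf-enabled.

# Print the contents of xvwa/config.php.
# Args: host dbname user pass webroot (webroot is '' for http://localhost/xvwa/).
# Values are placed inside single-quoted PHP strings, so reject ' and \.
xvwa_config_php() {
  for v in "$@"; do
    case $v in
      *\'*|*\\*) echo "config value must not contain ' or \\" >&2; return 1 ;;
    esac
  done
  printf '%s\n' '<?php' \
    "\$XVWA_WEBROOT = '$5';" \
    "\$host = '$1';" \
    "\$dbname = '$2';" \
    "\$user = '$3';" \
    "\$pass = '$4';"
}

# Set "key = value" in a php.ini file, replacing an existing (possibly
# ';'-commented) line for that key, or appending when the key is absent.
# Args: file key value. Uses a temp file instead of sed -i for portability.
ini_set() {
  f=$1; k=$2; val=$3
  if grep -Eq "^[[:space:]]*;?[[:space:]]*$k[[:space:]]*=" "$f"; then
    t=$(mktemp)
    sed -E "s|^[[:space:]]*;?[[:space:]]*$k[[:space:]]*=.*|$k = $val|" "$f" > "$t" && mv "$t" "$f"
  else
    printf '%s = %s\n' "$k" "$val" >> "$f"
  fi
}

# Read the effective (last, uncommented) value of a key from a php.ini file.
ini_get() {
  sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Apache 2.4 snippet: only loopback clients may reach the xvwa directory.
xvwa_apache_local_only() {
  printf '%s\n' "<Directory \"$1\">" '    Require local' '</Directory>'
}

# Apply everything to the real system (run with XVWA_APPLY=1).
xvwa_setup() {
  webdir=${XVWA_WEBDIR:-/var/www/html}
  ini=${PHP_INI:-/etc/php/php.ini}
  confdir=${APACHE_CONF_DIR:-/etc/apache2/conf-enabled}
  [ -d "$webdir/xvwa" ] || { echo "copy the xvwa folder to $webdir first" >&2; return 1; }
  xvwa_config_php "${DB_HOST:-localhost}" "${DB_NAME:-xvwa}" \
    "${DB_USER:-root}" "${DB_PASS:-root}" '' > "$webdir/xvwa/config.php"
  for k in file_uploads allow_url_fopen allow_url_include; do
    ini_set "$ini" "$k" On
  done
  xvwa_apache_local_only "$webdir/xvwa" > "$confdir/xvwa-local-only.conf"
  echo "done: restart Apache, then open http://localhost/xvwa/setup/"
}

if [ "${XVWA_APPLY:-0}" = 1 ]; then
  xvwa_setup
fi
```

Run it as XVWA_APPLY=1 sh xvwa-setup.sh after copying the xvwa folder; without that variable the script only defines the functions, so you can source it and call xvwa_config_php or ini_set against a scratch copy of php.ini to preview the changes first.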

Download and read more here