Setup Home Instructions Setup / Reset
Attacks SQL Injection SQL Injection (Blind) OS Command Injection XPATH Injection Unrestricted File Upload XSS - Reflected XSS - Stored XSS - DOM Based SSRF / XSPA File Inclusion Session Flaws Insecure Direct Object Reference Missing Functional Access Control CSRF Cryptography Redirects & Forwards Server Side Template Injection

Xtreme Vulnerable Web Application (XVWA) - Instruction

XVWA is hassle-free to setup. You can set this up on windows, linux or Mac. Following are the basic steps you should be doing on your Apache-PHP-MYSQL environment to get this working. Let that be WAMP, XAMP or anything you prefer to use.

Copy the xvwa folder in your web directory. Make sure the directory name remains xvwa itself. Make necessary changes in xvwa/config.php for database connection. Example below:

$XVWA_WEBROOT = '';
$host = "localhost";
$dbname = 'xvwa';
$user = 'root';
$pass = 'root';

Make following changes in PHP configuration file.

file_uploads = on
allow_url_fopen = on
allow_url_include = on

Access the application on : http://localhost/xvwa/
Setup the database and table by accessing http://localhost/xvwa/setup/

The login details

admin:admin
xvwa:xvwa
user:vulnerable

Disclaimer
Do not host this application on live or production environment. XVWA is totally vulnerable application and giving online/live access of this application could lead to complete compromise of your system. We are not responsible for any such bad incidents. Stay safe !