Xtreme Vulnerable Web Application (XVWA) Logo

Xtreme Vulnerable Web Application (XVWA)

0
Free
Visit Website

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in a local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It’s totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for a good purpose. How you use these skills and knowledge base is not our responsibility. XVWA is designed to understand the following security issues: SQL Injection, Error-Based SQL Injection, Blind OS Command Injection, XPATH Injection, Formula Injection, PHP Object Injection, Unrestricted File Upload, Reflected Cross-Site Scripting, Stored Cross-Site Scripting, DOM-Based Cross-Site Scripting, Server-Side Request Forgery (Cross-Site Port Attacks), File Inclusion, Session Issues, Insecure Direct Object Reference, Missing Functional Level Access Control, Cross-Site Request Forgery (CSRF), Cryptography.

FEATURES

ALTERNATIVES

Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.

A tool for redirecting HTTP and HTTPS requests to other URLs.

Static code analysis tool for infrastructure as code (IaC) and software composition analysis (SCA) with over 1000 built-in policies for AWS, Azure, and Google Cloud.

Python-based web server framework for setting up fake web servers and services with precise data responses.

A tool for identifying and extracting parameters from HTTP requests and responses

Static code analyzer for Infrastructure as Code with 500+ security policies and support for various IaC tools and cloud platforms.

OpenRASP directly integrates its protection engine into the application server by instrumentation, providing context-aware protection and detailed stack trace logging.

An API security platform that discovers, documents, and tests APIs throughout the development lifecycle while maintaining a centralized catalog of all API assets.