vulnerable web app

All posts tagged vulnerable web app

Good Evening friends.  Today we will see how to setup Vulnerawa in Wamp Server. For those newbies who don’t know what is vulnerawa, it is a vulnerable webapp coded by me to simulate a real website for practice. Read more about it here. First, download Wamp Server from here   as appropriate to your system requirements. We will use “WAMPSERVER (64 BITS & PHP 5.3.10) 2.2d″ for this howto. Install the Wamp Server. Open browser and type “localhost” in the urlbar to see if wamp server is working as shown below.







We can see that there are no projects available. Now download Vulnerawa from here. You will find a zip file as shown below. Now we will extract the contents of this file into the root folder of Wamp server. Right click on the zip file, go to 7-zip as shown below ( or any other unzipping software )  and select “Extract files” option. Extract the files to the folder “C:\\wamp\www” which is the root folder for Wamp server.


Now lets check the root folder to see if the files are extracted. Go to wamp server’s root directory and you should see the folder named “vulnerawa1.0.2” as shown below.



Now open your browser and type “localhost” once again. Now we can see our projectVulnerawa1.0.2 listed in the Projects section as shown below.


Click on the project. If you see the below webpage, then you have successfully setup Vulnerawa. If it gives you some error go to the url and type “http://localhost/vulnerawa1.0.2” directly. Happy hacking practice.


Here’s a video version of this howto.

Vulnerawa stands for “Vulnerable Web Application”. This vulnerable web application developed by me is still in its nascent stages. I have started developing “Vulnerawa” to simulate a real website, i.e practice website hacking on this application and you are ready for hacking real websites. It is available for download here, it has only SQL Injection vulnerabilities. (Go here to see how to setup Vulnerawa). Here’s a picture of Vulnerawa below.


This vulnerable web app  has two SQL injection vulnerabilities, url based and Login Bypass. As an example, let’s see login bypass using SQL injection. Click on link “Login”. You will be greeted with a login form. Enter single quote character(‘) as shown below in the picture below and click on “Submit”.


You will get an error as shown below,i.e the web app is vulnerable to SQL injection. This trick also works on realtime websites if they are vulnerable to SQL injection.


As the webapp is vulnerable to SQL injection, try to bypass the login form as shown here. If you successfully bypass the login form, you will be taken to page shown below.


In the above page, apart from congrats message, you can see some google search queries. Copy these queries and enter it in a Google search box. This will give you a list of websites with login forms. You can check if they are vulnerable using the same method(the single quote)  as shown above. Let’s say you found one vulnerable website as shown below. Let’s try to bypass it.


We have successfully bypassed the website as shown below.