shieldfy / AVWA

Advanced Vulnerable Web Application (AVWA)

Advanced Vulnerable Web Application (AVWA) is a very vulnerable web application focused on modern, advanced vulnerabilities.

The main goal is to be an aid for security professionals, pentesters and web developers to test their security skills in a legal environment and to learn about the new vulnerabilities and exploits of today's world.

WARNING!

Advanced Vulnerable Web Application is not safe! Do not upload it to your hosting provider's public html folder or any Internet-facing servers, as they will be compromised.

Roadmap

We want it to cover all modern vulnerabilities, including but not limited to:

  • API Security (JWT Security, OAuth Flows, etc.)
  • CRLF / Header Injection
  • Advanced XSS (CSP bypass, Cross Origin issues, etc.)
  • XXE
  • Object Injection / Use After Free Vulnerabilities
  • Template Injection RCE
  • Advanced SQL Injection (2nd order, error based, blind SQLi)
  • ReDoS attack / Format String Attack
  • Server Side Request Forgery (SSRF)

Inspiration

Highly inspired by vulnerable web applications for pentesters (DVWA, WebGoat, etc.)

Contributions

AVWA is at a very early stage. All ideas are welcome: just open an issue in this repo with the prefix [IDEA], and we will discuss it in public in order to implement it, or drop us an email at opensource@shieldfy.io

License: MIT License