## https://sploitus.com/exploit?id=4383F0C7-EBE8-5B56-BF36-62B145F70D77
# Vulnerable Web App โ Attack & Defend Lab
A deliberately-vulnerable PHP login application built to demonstrate **5 common web
vulnerabilities** and the **fix for each**. Educational project โ shows both offensive
(finding bugs) and defensive (fixing them) skills.
> โ ๏ธ **For learning only.** This app is intentionally insecure. Run it **locally**
> (`127.0.0.1`) and never expose it to a public network.
## Stack
- PHP (built-in dev server) ยท MariaDB ยท Linux
- Tested with: `curl`, `hydra`
## Setup
```bash
# 1. Database (MariaDB running)
sudo mysql alert(document.cookie)
Reflected: /dashboard.php?msg=alert('x')
Brute force: hydra -l rick -P wordlist 127.0.0.1 -s 8000 http-post-form \
"/login.php:username=^USER^&password=^PASS^:Invalid credentials" -f
Traversal: /download.php?file=../../../../etc/passwd
```
Compare each against the `*_safe.php` version to see it blocked.
## File structure
```
vulnapp/
โโโ config.php / db.php # config + DB connection
โโโ login.php / login_safe.php
โโโ register.php / register_safe.php
โโโ dashboard.php / dashboard_safe.php
โโโ download.php / download_safe.php
โโโ logout.php
โโโ .htaccess # Apache hardening
โโโ files/ welcome.txt # public download
โโโ private/ secret.txt # traversal demo target
โโโ screenshots/ # proof images
```
See **`./Project3-Writeup.md`** for the full step-by-step attack/fix walkthrough with results.
## Known limitation
The brute-force lockout is **session-based**, so a cookie-discarding attacker can bypass it.
Production-grade defense tracks failures **server-side by IP + username** (or adds CAPTCHA /
exponential backoff).