Share
## https://sploitus.com/exploit?id=4383F0C7-EBE8-5B56-BF36-62B145F70D77
# Vulnerable Web App โ€” Attack & Defend Lab

A deliberately-vulnerable PHP login application built to demonstrate **5 common web
vulnerabilities** and the **fix for each**. Educational project โ€” shows both offensive
(finding bugs) and defensive (fixing them) skills.

> โš ๏ธ **For learning only.** This app is intentionally insecure. Run it **locally**
> (`127.0.0.1`) and never expose it to a public network.

## Stack
- PHP (built-in dev server) ยท MariaDB ยท Linux
- Tested with: `curl`, `hydra`

## Setup
```bash
# 1. Database (MariaDB running)
sudo mysql alert(document.cookie)
Reflected:  /dashboard.php?msg=alert('x')
Brute force: hydra -l rick -P wordlist 127.0.0.1 -s 8000 http-post-form \
             "/login.php:username=^USER^&password=^PASS^:Invalid credentials" -f
Traversal:  /download.php?file=../../../../etc/passwd
```
Compare each against the `*_safe.php` version to see it blocked.

## File structure
```
vulnapp/
โ”œโ”€โ”€ config.php / db.php          # config + DB connection
โ”œโ”€โ”€ login.php / login_safe.php
โ”œโ”€โ”€ register.php / register_safe.php
โ”œโ”€โ”€ dashboard.php / dashboard_safe.php
โ”œโ”€โ”€ download.php / download_safe.php
โ”œโ”€โ”€ logout.php
โ”œโ”€โ”€ .htaccess                    # Apache hardening
โ”œโ”€โ”€ files/        welcome.txt    # public download
โ”œโ”€โ”€ private/      secret.txt     # traversal demo target
โ””โ”€โ”€ screenshots/                 # proof images
```

See **`./Project3-Writeup.md`** for the full step-by-step attack/fix walkthrough with results.

## Known limitation
The brute-force lockout is **session-based**, so a cookie-discarding attacker can bypass it.
Production-grade defense tracks failures **server-side by IP + username** (or adds CAPTCHA /
exponential backoff).