Acunetix Art

TEST and Demonstration site for Acunetix Web Vulnerability Scanner
WARNING: This is not a real shop. This is an example PHP application which is intentionally vulnerable to web attacks. It is intended to help you test security scanners and practice manual hacking skills.
Tip: Look for potential SQL Injections, Cross-site Scripting (XSS), and Cross-site Request Forgery (CSRF), and more.

Null Byte Injection

Extension check passed: images/../../../etc/passwd.jpg

File not found. But if this were PHP < 5.3.4, null byte would work!

This simulates what happens with null byte:

String before null byte: ../../../etc/passwd

Extension checked: passwd.jpg (ends with .jpg ✓)

Actual file opened: images/../../../etc/passwd

Null Byte Test

Old PHP versions (< 5.3.4) truncate strings at null byte (%00).

The extension check sees .jpg but the OS opens file.php

File:

Test payloads: