TIWAP is a deliberately vulnerable web application for learning web application penetration testing, and it doubles as a web security test platform. It is built with Python and Flask, and is meant to help information security enthusiasts and testers learn and understand the various types of web security vulnerabilities. The tool is inspired by DVWA, and its developers have tried to reproduce a broad range of web vulnerabilities in it.

This tool is for educational purposes only. We strongly recommend installing and running TIWAP inside a virtual machine rather than on an internal or Internet-facing server.

Tool installation & configuration

To make TIWAP easy to install and use, the project ships with a ready-made configuration; the only thing that has to be installed on the local system is Docker (the docker-compose step below also needs Docker Compose).

After installing Docker, run the following commands to download and start TIWAP:

git clone https://github.com/tombstoneGhost/tiwap
cd tiwap
docker-compose up

Note: installation is currently supported only on Linux; compatibility with Windows is still being worked on.

Once the lab environment is up, log in with the default credentials:

Username: admin
Password: admin

Tool technology stack

Front end: HTML, CSS and JavaScript
Back end: Python (Flask)
Database: SQLite3 and MongoDB

Vulnerability information

The current version of the TIWAP lab contains twenty security vulnerabilities:

SQL injection
Blind SQL injection
NoSQL injection
Command injection
Business logic flaw
Sensitive data exposure
XML external entities (XXE)
Security misconfiguration
Reflected XSS
Stored XSS
DOM-based XSS
HTML injection
Improper certificate validation
Hard-coded credentials
Insecure file upload
Brute force
Directory traversal
Cross-site request forgery (CSRF)
Server-side request forgery (SSRF)
Server-side template injection (SSTI)

Each vulnerability can be exercised at three difficulty levels, Low, Medium and Hard, and the level is selected on the settings page according to your needs.
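To show what a DVWA-style difficulty setting typically changes, here is an added example of a SQL injection exercise at the three levels. This is my own illustration, not TIWAP's code: its real handlers, schema and per-level mitigations may differ. The user table and the payloads are constructed, and Flask is left out so the handlers run on their own against an in-memory SQLite database. Low concatenates input straight into the query; Medium doubles single quotes, which protects the quoted string fields but not an unquoted numeric field; Hard binds parameters and validates the integer.

```python
import sqlite3

LEVELS = ("low", "medium", "hard")


def build_db():
    """Constructed in-memory stand-in for the lab's SQLite database (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "admin"), ("alice", "s3cret")],
    )
    conn.commit()
    return conn


def login(conn, level, username, password):
    """Return the matched username, or None.

    low:    raw string concatenation, so a quote breaks out of the literal.
    medium: single quotes doubled before concatenation (enough for string literals).
    hard:   bound parameters, the input never reaches the SQL parser as syntax.
    """
    if level == "low":
        sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
               % (username, password))
        row = conn.execute(sql).fetchone()
    elif level == "medium":
        u, p = username.replace("'", "''"), password.replace("'", "''")
        sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
               % (u, p))
        row = conn.execute(sql).fetchone()
    elif level == "hard":
        row = conn.execute(
            "SELECT username FROM users WHERE username = ? AND password = ?",
            (username, password),
        ).fetchone()
    else:
        raise ValueError("unknown level: %s" % level)
    return row[0] if row else None


def profile(conn, level, user_id):
    """Return the usernames whose id matches the request string user_id.

    The id is an unquoted numeric context, so quote escaping (medium) does not
    help: '0 OR 1=1' is still valid SQL. Hard casts to int and binds it.
    """
    if level in ("low", "medium"):
        safe = user_id if level == "low" else user_id.replace("'", "''")
        sql = "SELECT username FROM users WHERE id = %s" % safe
        rows = conn.execute(sql).fetchall()
    elif level == "hard":
        try:
            uid = int(user_id)
        except ValueError:
            return []
        rows = conn.execute("SELECT username FROM users WHERE id = ?", (uid,)).fetchall()
    else:
        raise ValueError("unknown level: %s" % level)
    return [r[0] for r in rows]


def demo():
    """Run the classic payloads against every level and collect what each returns."""
    conn = build_db()
    results = {}
    for level in LEVELS:
        results[level] = {
            "login_bypass": login(conn, level, "' OR '1'='1", "' OR '1'='1"),
            "comment_bypass": login(conn, level, "admin' --", "wrong"),
            "numeric_dump": profile(conn, level, "0 OR 1=1"),
            "legit_login": login(conn, level, "alice", "s3cret"),
        }
    return results


if __name__ == "__main__":
    for level, outcome in demo().items():
        print(level, outcome)
```

Running the block shows the progression a learner is meant to notice: the quote-based payloads work only at Low, the numeric payload still dumps every user at Medium, and nothing but the legitimate login succeeds at Hard.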

License agreement

This project is developed and distributed under the MIT open source license.

Project address