Contact Us
Home / Blog / Pentest

A Data-Driven Guide To Building Your 2025 Web Pentesting Lab with XAMPP

Pentest | November 10, 2025

In the high-stakes world of cybersecurity in October 2025, just reading about threats isn’t enough. To truly master the craft, you need hands-on practice. That’s why building your own personal, local penetration testing (pentesting) lab has become a non-negotiable requirement for any serious security professional. Let’s break down why.

Table of Contents

The Threat Landscape is Getting Worse 

The digital world is more dangerous than ever. The average cost of a single data breach has now climbed to $4.88 million. In the last year alone, 56% of organizations have experienced a security compromise.

A major new trend is software supply chain attacks, where hackers exploit vulnerabilities in third-party code. Gartner predicts that by the end of this year, 45% of organizations worldwide will have been hit by one of these attacks. In this environment, theoretical knowledge is no longer enough. You need real, demonstrable, hands-on skills.

Why You Need a Local Lab: Control, Safety, and Legality 

A local lab is a controlled, isolated environment where you can practice real-world hacking techniques legally and safely. It gives you three key advantages:

  • Total Control: You are the administrator of your own lab. You can set up specific vulnerabilities, watch the system logs to see the impact of your attacks, and reset the entire environment to a clean state whenever you want.
  • Complete Safety: A properly configured lab is a “sandbox,” completely isolated from the public internet. This means your experiments won’t cause any collateral damage, and your lab won’t be exposed to real-world threats.
  • It’s 100% Legal: This is the most important part. Attempting to scan or hack any system without explicit, written permission is illegal and can have severe consequences. A personal lab is your sanctioned space to practice and refine your skills without breaking the law.

Ultimately, a hands-on lab is what turns abstract security concepts into tangible, real-world skills. It’s the fastest and most effective way to become the kind of practitioner that companies are desperate to hire.

Section 2: Justifying the Target Environment: Why the AMP Stack Still Matters in 2025

In the tech world, it’s easy to get distracted by shiny new things. While languages like JavaScript and Python dominate developer discussions, a look at the hard data for October 2025 tells a different story. For a penetration tester, the classic AMP stack (Apache, MySQL/MariaDB, PHP) is not just relevant; it’s the biggest and most important target on the internet. Let’s look at the numbers.

The Data Doesn’t Lie: PHP and MySQL Still Run the Web 

As of today, PHP is still the server-side language for nearly 77% of the web. This incredible market share is driven by one giant: WordPress. The world’s most popular Content Management System, WordPress is built on PHP and powers a staggering 43.4% of all websites on the internet.

On the database side, MySQL and its popular fork, MariaDB, are used by a combined majority of developers. The conclusion is simple: to ignore the AMP stack is to ignore the technology that runs most of the web.

The Security Professional’s Edge: Here’s the most important insight. While PHP runs the web, far fewer developers are actively working with it today compared to a decade ago. This means a huge portion of the internet is built on legacy code and unmanaged CMS sites. These are statistically much more likely to have unpatched vulnerabilities, making them prime targets for attackers.

Your Lab Foundation: Why XAMPP is the Right Choice 

To practice attacking this environment, you need to build a local server stack. While there are many options (WAMP for Windows, MAMP for macOS), XAMPP is the superior choice for a versatile pentesting lab.

The “X” in its name means it’s cross-platform—it works on Windows, macOS, and Linux. This makes it the perfect foundation for anyone to build a practice lab, regardless of their computer. It’s also a complete package that comes bundled with essential tools like phpMyAdmin for database management, giving you a rich testing environment right out of the box.

Technology Type Market Share/Usage (%)
PHP Server-Side Language 76.7%
WordPress (PHP-based) Content Management System 43.4% of all websites
MySQL Database 40.3% (Developer Usage)
MariaDB Database 17.2% (Developer Usage)
Apache Web Server N/A (Included in XAMPP)
Node.js Web Framework 40.8% (Developer Usage)

Core Laboratory Construction: A Multi-Platform Guide to Installing XAMPP

Now it’s time to build the foundation of your pentesting lab. In October 2025, the easiest way to get a local AMP stack running is with XAMPP. This guide provides a simple, step-by-step walkthrough for installing it on Windows, macOS, and Linux.

Before You Start: A Quick Checklist 

For a smooth setup, quickly check these three things:

  • Temporarily disable your antivirus software and firewall. They can sometimes interfere with the installation process.
  • On Windows, temporarily lower your User Account Control (UAC) settings. This prevents common permission issues during setup.
  • Make sure you have administrator or sudo access on your computer.

Installing XAMPP on Windows 

  1. Download the latest installer from the official Apache Friends website.
  2. Run the .exe file. Click “OK” or “Yes” on any security prompts that appear.
  3. On the “Choose Components” screen, just leave everything selected and click “Next.”
  4. Keep the default installation directory of C:\xampp. Avoid installing in C:\Program Files\.
  5. Uncheck the box to “Learn more about Bitnami” and complete the installation.
  6. Once the XAMPP Control Panel opens, click the “Start” button next to Apache and MySQL. The module names should turn green.
  7. To verify it’s working, open your web browser and go to http://localhost. You should see the XAMPP dashboard.

Installing XAMPP on macOS 

  1. Download the installer for OS X from the Apache Friends website.
  2. Open the downloaded .dmg file and double-click the installer icon.
  3. Follow the on-screen prompts, accepting the default settings. XAMPP will be installed to your /Applications/XAMPP folder.
  4. Open the manager-osx.app from your Applications folder.
  5. Go to the “Manage Servers” tab, select Apache and MySQL one by one, and click “Start.”
  6. Verify by opening http://localhost in your browser.

Installing XAMPP on Linux 

  1. Download the .run installer from the Apache Friends website.
  2. Open a terminal and navigate to your Downloads folder. Make the installer executable with this command:
    Bash
    chmod 755 xampp-linux-*-installer.run
  3. Run the installer with sudo because it needs to install in the /opt/lampp directory:
    Bash
    sudo ./xampp-linux-*-installer.run
  4. Follow the graphical wizard, accepting the defaults. Once it’s finished, start all the services from your terminal:
    Bash
    sudo /opt/lampp/lampp start
  5. Verify by opening http://localhost in your browser.
Pentesting Lab Setup With XAMPP

Securing and Customizing the Lab Environment

It’s critical to understand that XAMPP is designed to be a development tool, which means it’s “insecure by design.” This is actually a good thing for our pentesting lab, as it mimics common real-world misconfigurations. In October 2025, our goal is a two-step process: first, we’ll do some basic hardening to protect our own network, and then we’ll intentionally weaken some internal settings to practice specific attacks.

Why XAMPP is “Insecure by Design” (And Why That’s Good for Us) 

XAMPP is built for ease of use, not for security. Out of the box, it comes with a number of intentional security weaknesses that you would never want on a live server:

  • The main database user (root) has no password.
  • The database is accessible over the network, not just from your own machine.
  • The main XAMPP dashboard is completely unrestricted.

For our lab, this is perfect. It gives us a set of common, real-world vulnerabilities to practice exploiting from day one.

Step 1: Basic Hardening to Protect Your Own Network 

While we want our lab to be vulnerable, we don’t want it to be a risk to other computers on our local network. XAMPP has a built-in security script to help with this.

  • On Windows: Open your browser and go to http://localhost/security/. Follow the links on that page to set a password for your MySQL/MariaDB database and the XAMPP directory.
  • On Linux: Open a terminal and run this command: sudo /opt/lampp/lampp security. The script will walk you through setting the necessary passwords.

It’s also a good idea to use your computer’s firewall to block other devices on your local network from accessing your lab environment.

Step 2: Customizing PHP to Enable Vulnerabilities 

Now that the perimeter is secure, we need to intentionally weaken some PHP settings to practice certain types of attacks. You’ll do this by editing your php.ini file.

To find your php.ini file: The easiest way is to create a PHP file in your htdocs folder with <?php phpinfo(); ?> in it. Open that file in your browser and search the page for “Loaded Configuration File” to find the exact path.

Here are the two key changes to make. Remember to restart the Apache server after you save the file.

  1. Enable Remote File Inclusion (RFI): This is a critical setting for many practice apps. Find the line for allow_url_include and change its value from Off to On. This will let you practice exploiting RFI vulnerabilities.
  2. Enable Error Display: Find the line for display_errors and make sure it’s set to On. In a real production server, this would be a huge security risk, but in our lab, it’s a great way to get detailed feedback when you’re testing exploits.

Deploying the Targets: A Trio of Vulnerable Applications

With your XAMPP lab environment ready, it’s time to install the vulnerable applications you’ll be practicing on. In October 2025, a great lab includes a mix of classic and modern targets. We’ll install a trio of applications: two classic PHP apps that run on XAMPP, and a modern Node.js app that runs in Docker.

The Classics (PHP/MySQL): DVWA and bWAPP 

These applications are designed to be hosted directly on your XAMPP server and are perfect for learning foundational web vulnerabilities.

Damn Vulnerable Web Application (DVWA) is a great starting point for beginners.

  1. Download the ZIP file from the official DVWA GitHub repository.
  2. Extract the contents, rename the folder to dvwa, and move it into your XAMPP htdocs directory.
  3. Configure the database by going into the dvwa/config/ folder, renaming config.inc.php.dist to config.inc.php, and editing it with your database username (root) and password.
  4. Create the database by going to http://localhost/dvwa/setup.php in your browser and clicking the “Create / Reset Database” button.
  5. Login with the username admin and password password.

bWAPP (a buggy web application) contains over 100 different vulnerabilities to practice on.

  1. Download the ZIP file from the official itsecgames.com website.
  2. Extract the bWAPP folder and move it into your htdocs directory.
  3. Configure the database by editing the admin/settings.php file with your database username (root) and password.
  4. Install the database by going to http://localhost/bWAPP/install.php and clicking the installation link.
  5. Login with the username bee and password bug.

The Modern Target (Node.js): OWASP Juice Shop 

OWASP Juice Shop is arguably the most modern and sophisticated insecure web application for security training. It’s built with Node.js, Express, and Angular.

Important: You cannot run this on XAMPP’s Apache server, which is for PHP. The correct and industry-standard way to run a self-contained app like this is with Docker.

Here’s how to get it running:

  1. Install Docker for your operating system (Windows, macOS, or Linux) if you don’t have it already.
  2. Pull the official image from Docker Hub. Open your terminal or PowerShell and run:
    Bash
    docker pull bkimminich/juice-shop
  3. Run the container. This command starts the app and makes it accessible on your machine:
    Bash
    docker run –rm -p 3000:3000 bkimminich/juice-shop
  4. Access the app. Open your web browser and go to http://localhost:3000. The Juice Shop application will load, ready for you to start hacking.
Application Technology Stack Key Vulnerabilities Covered Best For…
DVWA PHP/MySQL Foundational OWASP Top 10 (SQLi, XSS, CSRF, File Inclusion, Command Injection) Beginners learning core web vulnerability concepts in a structured way.
bWAPP PHP/MySQL Over 100 vulnerabilities, including all OWASP Top 10 and more niche bugs (e.g., SSI, XXE, Heartbleed). Intermediate users seeking broad exposure to a wide variety of attack vectors.
OWASP Juice Shop Node.js, Express, Angular, SQLite Modern vulnerabilities (DOM XSS, API security flaws, Broken Access Control, Injection, Prototype Pollution). All skill levels, especially for practicing on modern JavaScript frameworks and engaging in CTF-style challenges.

This table provides a strategic overview that allows for a structured learning path. A user can start with DVWA to master the fundamentals, progress to bWAPP to broaden their knowledge, and then tackle Juice Shop to apply their skills against a modern, realistic target.

The 2025 Pentesting Gauntlet: Mapping Theory to Practice

You’ve built your lab and deployed your targets. Now it’s time to run the gauntlet. In October 2025, this means practicing how to find and exploit the most critical security risks defined by the OWASP Top 10. This guide will walk you through a few practical exercises to get you started.

A Quick Look at the OWASP Top 10 for 2025 

The OWASP Top 10 is the industry-standard list of the most critical web application security risks. For 2025, the key trends to watch are:

  • Broken Access Control remains the #1 risk, found in a staggering 94% of all tested applications.
  • Injection attacks are evolving to include new vectors like AI Prompt Injection.
  • Vulnerable and Outdated Components are a huge threat, with software supply chain attacks on the rise.
  • Security Misconfiguration is a massive problem, especially in the cloud. Gartner predicts 99% of cloud security failures will be the customer’s fault.

Your First Practical Exercises: From Theory to Hands-On Hacking 

Let’s put theory into practice with some hands-on exercises in your new lab.

Exercise 1: Command Injection in DVWA

This is where you trick an application into running operating system commands. In DVWA, set the security to “Low” and go to the “Command Injection” page. In the ping utility, instead of just an IP address, enter 127.0.0.1; whoami. The semicolon lets you chain on a second command. The server will execute whoami, revealing the web server’s username and proving the vulnerability.

Exercise 2: SQL Injection in DVWA

SQL Injection (SQLi) lets you manipulate an application’s database queries. On the “SQL Injection” page in DVWA (Low security), try entering this classic payload into the User ID box: ‘ OR 1=1 — . This simple trick modifies the SQL query to be always true, which will bypass the login and dump all the users from the database.

Exercise 3: Broken Access Control in OWASP Juice Shop

This is about accessing things you’re not supposed to. In OWASP Juice Shop, add an item to your basket and then go to the basket page.

Using your browser’s developer tools (usually F12), look at the Network tab. You’ll see an API call to an endpoint like /rest/basket/1. This is a classic Insecure Direct Object Reference (IDOR). Try replaying that request, but change the ID to 2. If you can see someone else’s shopping basket, you’ve found the flaw.

The Pentester’s Toolkit: Essential Tools and Configuration

Your pentesting lab is built. Now it’s time to arm yourself with the tools of the trade. In October 2025, the single most important tool in your arsenal is an intercepting proxy. This guide will introduce the top free options and walk you through your first two practical exercises.

Your Most Important Tool: The Intercepting Proxy 

An intercepting proxy is a tool that sits between your web browser and the target server. It lets you see, modify, and replay every single request and response. The two best free options are OWASP ZAP and Burp Suite Community Edition.

Getting it set up is a three-step process:

  1. Start the tool. It will usually listen on localhost at port 8080.
  2. Configure your browser. The easiest way is to use the tool’s own “Launch Browser” feature, which handles all the settings for you.
  3. Install the CA certificate. This is a critical step that allows the tool to decrypt and inspect HTTPS traffic. You can usually download the certificate from a special address provided by the tool (like http://zap).

Mini-Tutorial 1: Your First Automated Scan with OWASP ZAP 

This quick exercise will find some easy vulnerabilities in the bWAPP application.

  1. In ZAP’s “Quick Start” tab, use the “Manual Explore” feature to launch a browser and navigate to your bWAPP login page.
  2. Log in to bWAPP with the username bee and password bug, and click around a few pages.
  3. Go back to ZAP, find your bWAPP site in the “Sites” tree on the left, right-click it, and select “Attack > Active Scan.”
  4. Watch the results. As ZAP finds vulnerabilities, they will appear in the “Alerts” tab at the bottom of the screen, ranked by risk level.

Mini-Tutorial 2: Automated Exploitation with sqlmap 

sqlmap is a powerful, open-source command-line tool for automatically finding and exploiting SQL injection vulnerabilities. Let’s use it on DVWA.

  1. In DVWA, set the security to “Low” and go to the “SQL Injection” page.
  2. You need your session cookie to run an authenticated scan. Open your browser’s developer tools (F12), go to the “Storage” or “Application” tab, find the value for your PHPSESSID cookie, and copy it.

Open a terminal or command prompt and run the following command, replacing <your_session_id> with the value you copied.
Bash
sqlmap -u “http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#” –cookie=”PHPSESSID=<your_session_id>; security=low” –dbs

  1. If it’s successful, sqlmap will confirm the vulnerability and then list all the databases on the server. This proves you’ve successfully exploited the flaw and extracted data.

Field Manual: Troubleshooting Common Lab Setup Failures

Setting up a local server environment like XAMPP can sometimes hit a few snags. In October 2025, a few common issues pop up time and time again. This field manual will walk you through how to troubleshoot and fix the most frequent setup failures for your new pentesting lab.

1. The Problem: Apache Won’t Start (Port 80 is in Use)

This is the most common issue. It happens when another application on your computer (like Skype or another web server) is already using the standard web port 80.

  • The Quick Fix: In the XAMPP Control Panel, click the “Netstat” button. This will show you which application is using the port so you can shut it down.
  • The Best Fix: If you can’t stop the other program, the best solution is to change Apache’s port. In the Apache config files (httpd.conf and httpd-ssl.conf), change the “Listen” port from 80 to 8080 and from 443 to 4433. Just remember, you’ll now have to access your lab at http://localhost:8080.

2. The Problem: “Access Denied” for the Database 

When setting up DVWA or bWAPP, you might get a database connection error. This is almost always a simple mismatch in your username or password.

Follow this checklist:

  • Is MySQL running? Check the XAMPP Control Panel and make sure the “MySQL” module is green.
  • Double-check your credentials. Open the application’s config file and make sure the username is root and the password exactly matches the one you set. Typos are the number one cause of this error. If you have no password, the field should be empty (”).
  • Try 127.0.0.1 instead of localhost for the database server address.

3. The Problem: “Permission Denied” in htdocs (Linux/macOS) 

On Linux and macOS, the htdocs folder where you put your web files is owned by the root user by default. This means your regular user account can’t add or edit files in it.

The Solution: You need to change the ownership of the folder to your own user account. Open a terminal and run this single, powerful command:

Bash

  1. sudo chown -R $USER:$USER /opt/lampp/htdocs

This command recursively (-R) changes the owner (chown) of the htdocs directory to your current user ($USER). After you run it, you’ll have full permission to add and edit your lab files without any more “Permission Denied” errors.

Your penetration testing lab is now ready. This setup is the starting point for developing practical, hands-on skills in web application security.

The next step is to use it. Begin by working through the challenges in DVWA, bWAPP, and the OWASP Juice Shop. As you progress, you can explore other tools like Nmap and Metasploit to expand your capabilities. Consistent practice in this environment is how you will keep your skills sharp and relevant.

Log into your lab and find your first vulnerability today.