bWAPP – Vulnerable Web Application

 

An extremely buggy vulnerable web application

bWAPP, or a buggy web application, is a deliberately insecure web application.

bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 60 web bugs! It covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project.

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux and Windows using Apache/IIS and MySQL. It can be installed with WAMP or XAMPP. Another possibility is to download bee-box, a custom VM pre-installed with bWAPP.

This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. IT security, ethical hacking, training and fun… all mixed together.
You can find more about the ITSEC GAMES and bWAPP projects on teams blog.

For educational purposes only!

vulnerable web application

Features

• Injection vulnerabilities like SQL, XML/XPath, SSI, LDAP, HTML, CMD and SMTP injection
• Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
• Malicious, unrestricted file uploads
• Authentication, authorization and session management issues
• Arbitrary file access and directory traversals
• Local and remote file inclusions (LFI/RFI)
• Configuration issues: Man-in-the-Middle, Cross-domain policy file, information disclosures,…
• HTTP parameter pollution and HTTP response splitting
• Denial-of-Service (DoS) attacks
• HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
• Unvalidated redirects and forwards
• Parameter tampering
• Insecure cryptographic storage
• Server Side Request Forgery (SSRF)
• HTTP verb tampering
• AJAX and Web Services issues (JSON/XML/SOAP)
• Local privilege escalation
• Cookie poisoning
• Insecure WebDAV and FTP
• PHP CGI remote code execution
• and much more…

Download