bWAPP - an extremely buggy web application !

bWAPP or a buggy web application is a free and open source web application build to allow security enthusiasts, students and developers to better secure web applications. It is for educational purposes only.

bWAPP contains a lot of vulnerabilities from the OWASP Top 10 project.

It includes:
*/ injection vulnerabilities like SQL, HTML, command and mail injections
*/ Cross-Site Scripting (XSS)
*/ Cross-Site Request Forgery (CSRF)
*/ malicious file uploads
*/ authentication, authorization and session management issues
*/ directory traversal
*/ information disclosures
*/ configuration issues
*/ much more...

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux and Windows using Apache and MySQL. It can also be installed with WAMP or XAMPP.

This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together.


bWAPP - Bug fixes and new features

Current version: bWAPP v1.01 updated on 10/01/2013

Bug fixes:

PHP session errors
connection setting issues (setting 'localhost:3306' not valid)
time period for the 'security_level' cookie has changed to 1 year.
New features:
none


bWAPP - INSTALL
///////////////
It is pretty easy to install bWAPP.
Requirements
////////////
*/ Windows, Linux, Unix, Mac OS,...
*/ a web server (Apache, IIS,...)
*/ the PHP extensions
*/ a MySQL installation
*/ (or you could install WAMP or XAMPP)

Installation steps
//////////////////

No! I will not explain how to install Apache/IIS, PHP and MySQL :)

*/ Extract the 'zip' or 'tar' file.

example on Linux:

tar -cvf bWAPP.tar

*/ Move the directory 'bWAPP' (and the entire content) to the root of your web server.

*/ Give full permission to the folders 'passwords' and 'images'.

example on Linux:

chmod 777 passwords/
chmod 777 images/

*/ Edit the file 'config.inc' with your own MySQL settings.

example:

$server = "localhost"; // your database server (IP/name), here 'localhost
$username = "root"; // your MySQL user, here 'root'
$password = ""; // your MySQL password, here 'blank'

*/ Browse to the file 'install.php' in the directory 'bWAPP'.

example: http://localhost/bWAPP/install.php

*/ Click on 'here' (Click 'here' to install bWAPP).

The database 'bWAPP' will be created.

*/ Go to the login page. If you browse the bWAPP root folder you will be redirected.

example: http://localhost/bWAPP/
example: http://localhost/bWAPP/login.php

*/ Login with the default credentials or make a new user.

default credentials: bee/bug

*/ You are ready to explore and exploit bWAPP!

Source-

Screenshot-