Web Application Penetration Testing with bWAPP
Web application security is today's most overlooked aspect of securing the infrastructure. These days, hackers are concentrating their efforts on our precious websites and web applications. Why? Websites and web applications are an attractive target for cyber criminality and hacktivism because they are 24/7 available via the Internet. Mission-critical business applications, containing sensitive data, are often published on the Internet through our web applications. In addition, traditional firewalls and SSL provide no protection against web attacks, and systems engineers know little about these sophisticated application-level attacks…
It’s definitely time to improve our web security! Defense is needed… downloading and playing with bWAPP can be a first start… Wanted: superbees.
bWAPP, or a buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.
What makes bWAPP so unique? Well, it has over 60 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project.
[The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.]
Some of the vulnerabilities included in bWAPP:
- Injection vulnerabilities like SQL, XML/XPath, LDAP, HTML, SSI, Command and SMTP injection
- Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
- AJAX and Web Services issues (JSON/XML/SOAP)
- Malicious, unrestricted file uploads and NSA backdoor files ;)
- Authentication, authorization and session management issues
- Arbitrary file access, directory traversals, local and remote file inclusions (LFI/RFI)
- Configuration issues: Man-in-the-Middle, cross-domain policy file, information disclosures,...
- HTTP parameter pollution and HTTP response splitting
- Denial-of-Service (DoS) attacks, insecure WebDAV and FTP configurations
- HTML5 ClickJacking, cross-origin resource sharing (CORS) and web storage issues
- Unvalidated redirects and forwards
- Parameter tampering, cookie poisoning and insecure cryptographic storage
- And much more…
bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP. Another possibility is to download the bee-box…
The bee-box is a custom Linux VMware virtual machine pre-installed with bWAPP. It is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. It requires zero installation! bee-box gives you several ways to hack and deface the bWAPP website. Currently there are 10 website defacement possibilities! It's even possible to hack the bee-box to get full root access, using a local privilege escalation exploit… With bee-box you have the opportunity to explore, and exploit, all bWAPP vulnerabilities! Hacking, defacing and exploiting without going to jail... how cool is that?
Both are part of the ‘ITSEC Games’ project. The ‘ITSEC Games’ are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together!
Take a look at our ‘What is bWAPP?’ introduction guide, including free training materials and exercises. There is also a free cheat sheet available… Follow us on Twitter, and receive this cheat sheet, updated on a regular basis, including the latest hacks and hardening tweaks.
Have fun with this free and open source project!
“Education, the most powerful weapon which we can use to secure the world.”
Cheers, Malik Mesellem (@MME_IT)
- Home page - www.itsecgames.com
- Download location - sourceforge.net/projects/bwapp
- Blog - itsecgames.blogspot.com