owaspbwa OWASP Broken Web Applications

This is the VM for the Open Web Application Security Project (OWASP) Broken Web Applications project. It contains many, very vulnerable web applications, which are listed below. More information about this project can be found in the project User Guide and Home Page.

For details about the known vulnerabilities in these applications, see https://sourceforge.net/p/owaspbwa/tickets/?limit=999&sort=_severity+asc.

!!! This VM has many serious security issues. We strongly recommend that you run it only on the "host only" or "NAT" network in the virtual machine settings !!!

Training Applications

OWASP WebGoat Version: 5.4+SVN Language: Java User Credentials (username/password): guest/guest User Credentials (username/password): user/user User Credentials (username/password): basic/basic Admin Credentials (username/password): webgoat/webgoat Link: home page	OWASP WebGoat.NET Version: 2012-07-05+Git Language: C# ASP.NET User Credentials (username/password): bob@ateliergraphique.com/123456 Link: home page
OWASP ESAPI Java SwingSet Interactive Version: 1.0.1+SVN Language: Java Link: home page	OWASP Mutillidae II Version: 2.6.24+SVN Language: PHP User Credentials (username/password): user/user Admin Credentials (username/password): admin/admin Link: home page
OWASP RailsGoat Version: Git Language: Ruby on Rails Admin Credentials (username/password): admin@metacorp.com/admin1234 User Credentials (username/password): jack@metacorp.com/yankeessuck Link: home page	OWASP Bricks Version: 2.2+SVN Language: PHP Link: home page
OWASP Security Shepherd Version: 2.4+Git Language: Java Admin Credentials (username/password): admin/password Link: home page	Ghost Language: PHP User Credentials (username/password): test/test User Credentials (username/password): anonymous/anonymous Admin Credentials (username/password): admin/admin Link: home page
Magical Code Injection Rainbow Version: 2014-08-20+Git Language: PHP Link: home page	bWAPP Version: 1.9+Git Language: PHP User Credentials (username/password): bee/bug Link: home page
Damn Vulnerable Web Application Version: 1.8+GIT Language: PHP User Credentials (username/password): user/user Admin Credentials (username/password): admin/admin Link: home page

Realistic, Intentionally Vulnerable Applications

OWASP Vicnum Version: 1.5 Language: PHP/Perl Link: home page	OWASP 1-Liner Version: Git Language: Java / JavaScript Link: home page
Google Gruyere Version: 2010-07-15 Language: Python User Credentials (username/password): cheddar/orange Admin Credentials (username/password): administrator/secret Link: home page	Hackxor Version: 2011-04-06 Language: Java JSP Link: home page
WackoPicko Version: 2011-07-12+Git Language: PHP User Credentials (username/password): scanner1/scanner1 User Credentials (username/password): scanner2/scanner2 User Credentials (username/password): bryce/bryce Admin Credentials (username/password): admin/admin Admin Credentials (username/password): adamd/adamd Link: home page	BodgeIt Language: Java JSP Version: 1.4+SVN User Credentials (username/password): test@thebodgeitstore.com/password Link: home page
Cyclone Language: Ruby on Rails User Credentials (username/password): cycloneuser-3@cyclonetransfers.com/password Link: home page	Peruggia Version: 1.2 Language: PHP User Credentials (username/password): user/user Admin Credentials (username/password): admin/admin Link: home page

Old (Vulnerable) Versions of Real Applications

WordPress Version: 2.0.0 Language: PHP Release Date: December 31, 2005 User Credentials (username/password): user/user Admin Credentials (username/password): admin/admin Link: home page Plugins: myGallery version 1.2 Spreadsheet for WordPress version 0.6	OrangeHRM Version: 2.4.2 Language: PHP Release Date: May 7, 2009 User Credentials (username/password): user1/user1 User Credentials (username/password): user2/user2 Admin Credentials (username/password): admin/admin Link: home page
GetBoo Version: 1.04 Language: PHP Release Date: April 7, 2008 User Credentials (username/password): user/user User Credentials (username/password): demo/demo Admin Credentials (username/password): admin/admin Link: home page	GTD-PHP Version: 0.7 Language: PHP Release Date: September 30, 2006 Link: home page
Yazd Version: 1.0 Language: Java Release Date: February 20, 2002 User Credentials (username/password): user/user User Credentials (username/password): user2/user2 User Credentials (username/password): mod/mod Admin Credentials (username/password): admin/admin Link: home page	WebCalendar Version: 1.0.3 Language: PHP User Credentials (username/password): user/user User Credentials (username/password): assistant/assistant Admin Credentials (username/password): admin/admin Release Date: April 11, 2006 Link: home page
Gallery2 Version: 2.1 Language: PHP User Credentials (username/password): user/user Admin Credentials (username/password): admin/admin Release Date: March 23, 2006 Link: home page	Tiki Wiki Version: 1.9.5 Language: PHP User Credentials (username/password): user/user Admin Credentials (username/password): admin/admin Release Date: September 5, 2006 Link: home page
Joomla Version: 1.5.15 Language: PHP User Credentials (username/password): author/author User Credentials (username/password): editor/editor User Credentials (username/password): publisher/publisher User Credentials (username/password): registered/registered Admin Credentials (username/password): admin/admin Release Date: November 4, 2009 Link: home page	AWStats Version: 6.4 (build 1.814) Language: Perl Release Date: February 25, 2005 Link: home page

Applications for Testing Tools

OWASP ZAP-WAVE Version: 0.2+SVN Language: Java JSP Link: home page	WAVSEP Version: 1.5 Language: Java JSP Link: home page
WIVET Version: 3+SVN Language: PHP Link: home page

Demonstration Pages/Small Applications

OWASP CSRFGuard Test Application Version: 2.2 Language: Java Link: home page	Mandiant Struts Forms Language: Java Struts
Simple ASP.NET Forms Language: C# ASP.NET	Simple Form with DOM Cross Site Scripting Language: JavaScript

OWASP Demonstration Application
OWASP AppSensor Demo Application Language: Java Link: home page

Vulnerabilities in Applications

For information about the known vulnerabilities in these applications (or to submit some), visit https://sourceforge.net/p/owaspbwa/tickets/?limit=999&sort=_severity+asc.

For More Information

For more information about the specific versions of applications running and how to adminsiter this VM, see http://code.google.com/p/owaspbwa/wiki/UserGuide.

Call for Feedback

If you encounter a problem with this VM (including with any of the installed applications), please submit an issue report on Google Code at http://code.google.com/p/owaspbwa/issues/list.

This project is sponsored by Mandiant, a FireEye Company