OWASP Broken Web Applications v0.9 (Virtual Machine)
The Open Web Application Security Project (OWASP) Broken Web Applications Project is distributed as a Virtual Machine in VMware format compatible with their no-cost VMware Player and VMware Server products (along with their commercial products).
Applications included
This project includes applications from various sources (listed in no particular order).
Intentionally Vulnerable Applications:
- OWASP WebGoat version 5.3-SNAPSHOT (Java)
- OWASP Vicnum version 1.3 (Perl)
- Mutillidae version 1.3 (PHP)
- Damn Vulnerable Web Application version 1.06 (PHP)
- OWASP CSRFGuard Test Application version 2.2 (Java)
- Mandiant Struts Forms (Java/Struts)
- Simple ASP.NET Forms (ASP.NET/C#)
- Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
Old Versions of Real Applications:
- WordPress 2.0.0 (PHP, released December 31, 2005, downloaded from www.oldapps.com)
- phpBB 2.0.0 (PHP, released April 4, 2002, downloaded from www.oldapps.com)
- Yazd version 1.0 (Java, released February 20, 2002)
User Accounts
The various vulnerable web applications have some user accounts created and some content included. See ApplicationAccounts for details.
Management
Once booted, the VM can be administered via a few different mechanisms. Note that I don't consider these components "in scope" for the vulnerabilities in the VM; they are just there to support management. Administrative interfaces:
- SSH
- Samba shares
- Console login
- PHPMyAdmin (at http://owaspbwa/phpmyadmin)
- Tomcat Manager (at http://owaspbwa:8080/manager/html)
Vulnerabilities
Please review the Issues Page to see what people have already reported and feel free to submit some additional items for everyone’s benefit.
Installation
The VM requires no installation. Simply extract the files from the archive and then start the VM in a VMware product. Once the machine is booted, you can access it via the console, SSH, or Samba using:
USERNAME: root
PASSWORD: owaspbwa
Note:
- The VM is entirely command line driven. X-Windows or other GUI systems have not been installed.
- The VM can be downloaded as a .zip file or as a much smaller .7z 7-zip Archive. BOTH FILES CONTAIN THE EXACT SAME VM! Please download the .7z archive if possible to save bandwidth (and time).
- Most importantly, the VM may not get an IP address from DHCP on boot; if it does not, run dhclient.
- The GPLv2 license for this project is only for any custom modifications and code created for this project.
.7z File:
MD5: d69131c4b09373b277f0b77390dae3ba (499 MB)
Zip File:
MD5: b1cacc36b890e51e985b026600f4ac7b (773 MB)
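To check a downloaded archive against the MD5 values published above before booting the VM, here is an added POSIX shell example (not part of the project); the archive filenames in the comments are placeholders, and the expected hash is chosen from the file extension. MD5 will catch a truncated download or a stale mirror, but as it is not collision-resistant a match is a corruption check, not proof of authenticity.

```shell
#!/bin/sh
# Checksums as published on the project page for the two archive formats.
OWASPBWA_7Z_MD5="d69131c4b09373b277f0b77390dae3ba"
OWASPBWA_ZIP_MD5="b1cacc36b890e51e985b026600f4ac7b"

# Print the MD5 of a file using whichever tool the host provides.
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Select the published checksum by archive extension; fail on anything else.
expected_md5_for() {
    case "$1" in
        *.7z)  printf '%s\n' "$OWASPBWA_7Z_MD5" ;;
        *.zip) printf '%s\n' "$OWASPBWA_ZIP_MD5" ;;
        *)     return 1 ;;
    esac
}

# verify_archive FILE [EXPECTED_MD5]
# Exit 0 when the file's MD5 matches the expected value (from the argument or
# from the extension table); exit 1 on mismatch, missing file, or unknown type.
verify_archive() {
    archive="$1"
    if [ -n "$2" ]; then
        expected="$2"
    else
        expected="$(expected_md5_for "$archive")" || return 1
    fi
    [ -f "$archive" ] || { echo "missing: $archive" >&2; return 1; }
    actual="$(md5_of_file "$archive")"
    if [ "$actual" = "$expected" ]; then
        echo "OK: $archive ($actual)"
        return 0
    fi
    echo "MISMATCH: $archive expected $expected got $actual" >&2
    return 1
}

# Usage (placeholder path): verify_archive /path/to/owaspbwa-download.7z
```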