OWASP Broken Web Applications v0.91rc1 available

The Open Web Application Security Project (OWASP) Broken Web Applications Project is distributed as a Virtual Machine in VMware format compatible with their no-cost VMware Player and VMware Server products (along with their commercial products).

Applications included

This project includes applications from various sources (listed in no particular order).

Intentionally Vulnerable Applications:

• OWASP WebGoat version 5.3-SNAPSHOT (Java)
• OWASP Vicnum version 1.4 (Perl)
• Mutillidae version 1.3 (PHP)
• Damn Vulnerable Web Application version 1.06 (PHP)
• Peruggia version 1.2 (PHP)
• OWASP CSRFGuard Test Application version 2.2 (Java)
• Mandiant Struts Forms (Java/Struts)
• Simple ASP.NET Forms (ASP.NET/C#)
• Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

Old Versions of Real Applications:

• WordPress 2.0.0 (PHP, released December 31, 2005, downloaded from www.oldapps.com)
• phpBB 2.0.0 (PHP, released April 4, 2002, downloaded from www.oldapps.com)
• Yazd version 1.0 (Java, released February 20, 2002)

User Accounts

The various vulnerable web applications have some user accounts created and some content included. See ApplicationAccounts for details.

Management

Once booted, the VM can be administered few a few different mechanisms. Note, I don’t consider these components "in scope" for the vulnerabilities in the VM... they are just there to support management. Administrative interfaces:

• SSH
• Samba shares
• Console login
• PHPMyAdmin (at http://owaspbwa/phpmyadmin)
• Tomcat Manager (at http://owaspbwa:8080/manager/html)

Vulnerabilities

Please review the Issues Page to see what people have already reported and feel free to submit some additional items for everyone’s benefit.

Installation

The VM requires no installation. Simply extract the files from the archive and then start the VM in a VMware product. Once the machine is booted, you can access it via the console, SSH, or Samba using:

Note:

• The VM is entirely command line driven. X-Windows or other GUI systems have not been installed.
• The VM can be downloaded as a .zip file or as a much smaller .7z 7-zip Archive. BOTH FILES CONTAIN THE EXACT SAME VM! Please download the .7z archive if possible to save bandwidth (and time).
• Most importantly, the VM may not get an IP address from DHCP on boot up. Run dhclient.
• The GPLv2 license for this project is only for any custom modifications and code created for this project.