OWASP Broken Web Applications v0.9 (Virtual Machine)

The Open Web Application Security Project (OWASP) Broken Web Applications Project is distributed as a Virtual Machine in VMware format compatible with their no-cost VMware Player and VMware Server products (along with their commercial products).

Applications included

This project includes applications from various sources (listed in no particular order).


Intentionally Vulnerable Applications:

Old Versions of Real Applications:

  • WordPress 2.0.0 (PHP, released December 31, 2005, downloaded from www.oldapps.com)
  • phpBB 2.0.0 (PHP, released April 4, 2002, downloaded from www.oldapps.com)
  • Yazd version 1.0 (Java, released February 20, 2002)

User Accounts

The various vulnerable web applications have some user accounts created and some content included. See ApplicationAccounts for details.


Once booted, the VM can be administered through a few different mechanisms. Note, I don’t consider these components "in scope" for the vulnerabilities in the VM... they are just there to support management. Administrative interfaces:

  • SSH
  • Samba shares
  • Console login
  • PHPMyAdmin (at http://owaspbwa/phpmyadmin)
  • Tomcat Manager (at http://owaspbwa:8080/manager/html)


Please review the Issues Page to see what people have already reported and feel free to submit some additional items for everyone’s benefit.


The VM requires no installation. Simply extract the files from the archive and then start the VM in a VMware product. Once the machine is booted, you can access it via the console, SSH, or Samba using:

PASSWORD: owaspbwa


  • The VM is entirely command line driven. X-Windows or other GUI systems have not been installed.
  • The VM can be downloaded as a .zip file or as a much smaller .7z 7-zip Archive. BOTH FILES CONTAIN THE EXACT SAME VM! Please download the .7z archive if possible to save bandwidth (and time).
  • Most importantly, the VM may not get an IP address from DHCP on boot up. Run dhclient.
  • The GPLv2 license for this project is only for any custom modifications and code created for this project.

.7z File:
MD5: d69131c4b09373b277f0b77390dae3ba (499 MB)

Zip File:
MD5: b1cacc36b890e51e985b026600f4ac7b (773 MB)

More information: here

Post scriptum

  • Download OWASP Broken Web Applications v0.9: .7z | Zip

Compliance Mandates

  • Code Auditing:

    PCI/DSS 6.3.6, 6.3.7, 6.6, SOX A12.8, GLBA 16CFR Part 314.4(b) and (2); FISMA RA-5, SC-18, SA-11, SI-2, and ISO 27001/27002 (12.4.1, 12.4.3, 12.5)
