bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.
bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 100 web bugs! It covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project. The focus is not just on one specific issue... bWAPP is covering a wide range of vulnerabilities!
bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It is supported on WAMP or XAMPP. Another possibility is to download bee-box, a custom VM pre-installed with bWAPP.
This project is part of the ITSEC GAMES project. You can find more about the ITSEC GAMES and bWAPP projects on our blog.
For security-testing and educational purposes only!
Cheers
Malik Mesellem
Feature
- SQL, HTML, iFrame, SSI, OS Command, PHP, XML, XPath, LDAP and SMTP injections
- Blind SQL injection and Blind OS Command injection
- Boolean-based and time-based Blind SQL injections
- Drupal SQL injection (Drupageddon)
- AJAX and Web Services issues (JSON/XML/SOAP)
- Heartbleed vulnerability (OpenSSL) + detection script included
- Shellshock vulnerability (CGI)
- Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
- phpMyAdmin BBCode Tag XSS
- Cross-Site Request Forgery (CSRF)
- Information disclosures: favicons, version info, custom headers,...
- Unrestricted file uploads and backdoor files
- Old, backup & unreferenced files
- Authentication, authorization and session management issues
- Password and CAPTCHA attacks
- Insecure DistCC, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
- Arbitrary file access with Samba
- Directory traversals and unrestricted file access
- Local and remote file inclusions (LFI/RFI)
- Server Side Request Forgery (SSRF)
- XML External Entity attacks (XXE)
- Man-in-the-Middle attacks (HTTP/SMTP)
- HTTP parameter pollution and HTTP verb tampering
- Denial-of-Service (DoS) attacks: Slow Post, SSL-Exhaustion, XML Bomb,...
- POODLE vulnerability
- BREACH/CRIME/BEAST SSL attacks
- HTML5 ClickJacking and web storage issues
- Insecure iFrame (HTML5 sandboxing)
- Insecure direct object references (parameter tampering)
- Insecure cryptographic storage
- Cross-Origin Resource Sharing (CORS) issues
- Cross-domain policy file attacks (Flash/Silverlight)
- Local privilege escalations: udev, sendpage
- Cookie and password reset poisoning
- Host header attacks: password reset poisoning en cache pollutions
- PHP CGI remote code execution
- Dangerous PHP Eval function
- Local and remote buffer overflows (BOF)
- phpMyAdmin and SQLiteManager vulnerabilities
- Nginx web server vulnerabilities
- HTTP response splitting, unvalidated redirects and forwards
- WSDL SOAP vulnerabilities
- Form-based authentication and No-authentication modes
- Active Directory LDAP integration
- Fuzzing possibilities
- and much more...
- HINT: download our bee-box VM > it has ALL necessary extensions
- bee-box is compatible with VMware and VirtualBox!
- Enjoy it little bees ;)
BTS Pentesting Lab
BTS PenTesting Lab is an open source vulnerable web application, created by Cyber Security & Privacy Foundation (www.cysecurity.org). It can be used to learn about many different types of web application vulnerabilities.
Currently, the app contains the following types of vulnerabilities:
*SQL In.........
OWASP Mutillidae II
OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiest. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on th.........
NOWASP (Mutillidae)
OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiest. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing ve.........
Web Application Protection
WAP automatic detects and corrects input validation vulnerabilities in web applications written in PHP Language (version 4.0 or higher) and with a low rate of false positives.
WAP detects the following vulnerabilities:
- SQL injection using MySQL, PostgreSQL and DB2 DBMS
- Reflected cross-site scri.........
pH7 Social Dating CMS - pH7CMS
pH7CMS is a Professional, Free and Open Source PHP Social Dating Software primarily designed for Web Developers and Webmasters.
This Social Dating App/Site Builder is fully coded in object-oriented PHP (OOP) with the MVC pattern (Model-View-Controller). It is low resource intensive, extremely power.........
The Ring Programming Language
The Ring is an Innovative and practical general-purpose multi-paradigm scripting language that can be embedded in C/C++ projects, extended using C/C++ code and/or used as standalone language.
The supported programming paradigms are Imperative, Procedural, Object-Oriented, Functional, Meta programmi.........
Wave Framework
Wave is a PHP micro-framework that is built loosely following model-view-control architecture and factory method design pattern. It is made for web services, websites and info-systems and is built to support a native API architecture, caching, user control and smart resource management. Wave is a co.........
gSOAP Toolkit
The gSOAP toolkit is an extensive suite of portable C and C++ software to develop XML Web services with powerful type-safe XML data bindings. Easy-to-use XML auto-serialization allows you to directly integrate XML data in C and C++ (C++11 compatible) applications. Includes WSDL/XSD schema binding an.........
Ryouko
This project has been moved to https://github.com/foxhead128/ryouko...
Lioness (Languages Interop Framework)
Framework for making Windows applications that are one .exe file in AutoHotKey_L,C++,C#, VB.NET,Java,Groovy,Common Lisp,Nemerle,Ruby,Python,PHP,Lua,Tcl,Perl,Jint,S#,WSH VBScript,HTML/JavaScript/CSS,COM, PowerShell without compiling . For .NET 4....
