Setup Web Pentest Lab using Broken Web Applications (Beginner Guide)

The Open Web Application Security Project (OWASP) Broken Web Applications Project is a collection of vulnerable web applications distributed as a virtual machine in VMware format, compatible with VMware's no-cost and commercial products.


The Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities for those interested in:

  • learning about web application security
  • testing manual assessment techniques
  • testing automated tools
  • testing source code analysis tools
  • observing web attacks
  • testing WAFs and similar code technologies

All of this spares anyone interested in learning or testing the pain of having to compile, configure, and catalog everything normally involved in doing this from scratch.

First, download the OWASP Broken Web Applications VM image from here.

Now extract the VM image on your PC and open it in VMware.

Now it will ask for username and password to log in.

Username: root

Password: owaspbwa

After login, the console displays a message with the URL for accessing the web apps.

Open a web browser and go to that IP address to access all the web apps, such as WebGoat and Mutillidae.

Click on OWASP WebGoat to see common web application flaws.

Click on OWASP Mutillidae to see common web application vulnerabilities.

Click on Bricks to see variations of commonly seen application security vulnerabilities and exploits.

Click on bWAPP, which covers all major known web bugs, including all risks from the OWASP.

Click on DVWA to see web application security.
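
Because the VM runs deliberately vulnerable applications and logs in with the root password given above, it is worth checking which network the IP shown after login sits on before leaving it running. The following is an added example, not part of the original guide: it assumes a Linux host, works on constructed samples of `ip -o -4 addr show` and `ip -4 route show default` output, and all function names and addresses are illustrative.

```python
import ipaddress

# Constructed sample of `ip -o -4 addr show` on a Linux host running VMware.
# vmnet1/vmnet8 are VMware's default host-only and NAT interfaces on Linux.
SAMPLE_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0
3: vmnet1    inet 172.16.50.1/24 brd 172.16.50.255 scope global vmnet1
4: vmnet8    inet 192.168.80.1/24 brd 192.168.80.255 scope global vmnet8
"""
# Constructed sample of `ip -4 route show default` on the same host.
SAMPLE_DEFAULT_ROUTE = "default via 192.168.1.1 dev eth0 proto dhcp metric 100"


def parse_interfaces(addr_text):
    """Return [(ifname, IPv4Network), ...] parsed from `ip -o -4 addr show`."""
    result = []
    for line in addr_text.splitlines():
        fields = line.split()
        if "inet" not in fields:
            continue
        cidr = fields[fields.index("inet") + 1]
        result.append((fields[1], ipaddress.ip_interface(cidr).network))
    return result


def default_route_iface(route_text):
    """Return the interface that carries the host's default route, if any."""
    fields = route_text.split()
    return fields[fields.index("dev") + 1] if "dev" in fields else None


def classify_lab_ip(vm_ip, addr_text, route_text):
    """Classify the address the BWA VM displays after login.

    'public'      - globally routable address; the lab should not be here
    'bridged'     - same subnet as the host's uplink, so other machines on
                    that network can reach the vulnerable apps
    'virtual-net' - on a host-side virtual network (host-only or NAT)
    'unknown'     - does not match any subnet configured on the host
    """
    ip = ipaddress.ip_address(vm_ip)
    if ip.is_global:
        return "public"
    uplink = default_route_iface(route_text)
    for name, net in parse_interfaces(addr_text):
        if name != "lo" and ip in net:
            return "bridged" if name == uplink else "virtual-net"
    return "unknown"
```

On a real host, pass the actual output of the two `ip` commands in place of the samples; a result of `bridged` or `public` means the VM's network adapter should be switched to host-only or NAT in VMware.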

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.
