bWAPP, or a buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.
Some of the vulnerabilities included in bWAPP:
- SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
- Blind SQL and Blind OS Command injection
- Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
- Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
- Cross-Site Request Forgery (CSRF)
- AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
- Malicious, unrestricted file uploads and backdoor files
- Authentication, authorization and session management issues
- Arbitrary file access and directory traversals
- Local and remote file inclusions (LFI/RFI)
- Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures
- HTTP parameter pollution and HTTP response splitting
- Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
- Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
- HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
- Unvalidated redirects and forwards, and cookie poisoning
- Cookie poisoning and insecure cryptographic storage
- Server Side Request Forgery (SSRF)
- XML External Entity attacks (XXE)
Download WAMP server here. Select save or run. Click open. After that follow the next steps.
Next you will see the Select Destination Location screen. Click Next to continue.
Next you will see the Ready to install screen. Click Install to continue.
Once the files are extracted, you will be asked to select your default browser. Select your default browser’s .exe file, then click Open to continue.
Once the progress bar is completely green, the PHP Mail Parameters screen will appear. Leave the SMTP server as localhost, and change the email address to one of your choosing. Click Next to continue.
Download the latest version of the Software from the here
Extract BWAPP lab setup in the location” C:\wamp\WWW\bWAPP” as is shown below.
Edit the file ‘admin/settings.php’ with your own database connection settings. Leave blank db_password and db_name options
Browse to the file ‘install.php’ in the directory ‘bWAPP‘
Click on ‘here‘ (Click ‘here’ to install bWAPP). The database ‘bWAPP‘ will be created
Again Edit the file ‘admin/settings.php’ and setup the db_name see the screenshot below
Go to the login page. If you browse the bWAPP root folder you will be redirected. //localhost/bWAPP/
Login with the default credentials or make a new user.
User name: bee
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets.