Web Pentest Lab Setup using bWAPP in Windows 10

bWAPP, or a buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

Some of the vulnerabilities included in bWAPP:

  • SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
  • Blind SQL and Blind OS Command injection
  • Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
  • Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
  • Cross-Site Request Forgery (CSRF)
  • AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
  • Malicious, unrestricted file uploads and backdoor files
  • Authentication, authorization and session management issues
  • Arbitrary file access and directory traversals
  • Local and remote file inclusions (LFI/RFI)
  • Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures
  • HTTP parameter pollution and HTTP response splitting
  • Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
  • Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
  • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  • Unvalidated redirects and forwards, and cookie poisoning
  • Cookie poisoning and insecure cryptographic storage
  • Server Side Request Forgery (SSRF)
  • XML External Entity attacks (XXE)

Download WAMP servehereSelect save or run. Click open. After that follow the next steps.

Next you will see the Select Destination Location screen. Click Next to continue.

Next you will see the Ready to install screen. Click Install to continue.

Once the files are extracted, you will be asked to select your default browser. Select your default browser’s .exe file, then click Open to continue.

Once the progress bar is completely green, the PHP Mail Parameters screen will appear. Leave the SMTP server as localhost, and change the email address to one of your choosing. Click Next to continue.

Download the latest version of the Software from the here

Extract BWAPP lab setup in the location” C:\wamp\WWW\bWAPP” as is shown below.

Edit the file ‘admin/settings.php’ with your own database connection settings. Leave blank db_password and db_name options

Browse to the file ‘install.php’ in the directory ‘bWAPP

//localhost/bWAPP/install.php

Click on ‘here‘ (Click ‘here’ to install bWAPP). The database ‘bWAPP‘ will be created

Again Edit the file ‘admin/settings.php’ and setup the db_name see the screenshot below

Go to the login page. If you browse the bWAPP root folder you will be redirected. //localhost/bWAPP/

 Login with the default credentials or make a new user.

Default credentials:

User name: bee

Password: bug

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets.

Leave a Reply

Your email address will not be published. Required fields are marked *