
    1 | Page

    OWASP BWA

    Contents Introduction ........................................................................................................................................... 2

    Applications Included ........................................................................................................................... 2

    Training Applications ....................................................................................................................... 2

    Realistic, Intentionally Vulnerable Applications ........................................................................... 2

    Old Versions of Real Applications ................................................................................................... 3

    Applications for Testing Tools ......................................................................................................... 3

    Demonstration Pages / Small Applications ..................................................................................... 3

    OWASP Demonstration Applications ............................................................................................. 3

    Getting Started ...................................................................................................................................... 3

    Download ........................................................................................................................................... 4

    Virtual Machine Format .................................................................................................................. 4

    Viewing the VM's Starting Page ...................................................................................................... 4

    Application Usernames and Passwords .......................................................................................... 4

    Management .......................................................................................................................................... 5

    Usage ...................................................................................................................................................... 5

    Updating Application Code .............................................................................................................. 5

    Enabling and Disabling OWASP ModSecurity Core Rule Set ..................................................... 6

    Logging .............................................................................................................................................. 6

    Advanced Topics ................................................................................................................................... 7

    Converting Virtual Machine Format .............................................................................................. 7

    Updating Components From Repositories ..................................................................................... 7

    All Components ............................................................................................................................. 7

    OWASP BWA Specific Content .................................................................................................. 7

    Getting Involved .................................................................................................................................... 8

    Reporting Bugs .................................................................................................................................. 8

    Known Vulnerabilities ...................................................................................................................... 8


    Introduction

    This is the user guide for the Open Web Application Security Project (OWASP) Broken Web

    Applications Project. This open source project produces a Virtual Machine (VM) running a

    variety of web applications with security vulnerabilities.

    NOTE - This document is a work in progress. Please provide us feedback on any errors or areas not covered.

    Applications Included

    This project includes open source applications of various types. Below is a list of the applications and versions currently on the VM. A version number ending in +SVN or +GIT indicates that the application is pulled directly to the VM from the application's public source code repository, so the code running may be later than the version number indicated.

    The lists below are current as of the 1.1.1 release.

    Training Applications

    Applications designed for learning which guide the user to specific, intentional

    vulnerabilities.

    OWASP WebGoat version 5.4+SVN (Java)

    OWASP WebGoat.NET version 2012-07-05+GIT (ASP.NET)

    OWASP ESAPI Java SwingSet Interactive version 1.0.1+SVN (Java)

    OWASP Mutillidae II version 2.6.3.1+SVN (PHP)

    OWASP RailsGoat (Ruby on Rails)

    OWASP Bricks version 1.4+SVN (PHP)

    Damn Vulnerable Web Application version 1.8+GIT (PHP)

    Ghost (PHP)

    Magical Code Injection Rainbow version 2013-01-27+GIT (PHP)

    Realistic, Intentionally Vulnerable Applications

    Applications that have a wide variety of intentional security vulnerabilities, but are designed

    to look and work like a real application.

    OWASP Vicnum version 1.5 (PHP/Perl)

    OWASP 1-Liner (Java/JavaScript)

    Google Gruyere version 2010-07-15 (Python)

    Hackxor version 2011-04-06 (Java JSP)


    WackoPicko version 2011-07-12+GIT (PHP)

    BodgeIt version 1.3+SVN (Java JSP)

    Cyclone Transfers (Ruby on Rails)

    Peruggia version 1.2 (PHP)

    Old Versions of Real Applications

    Open source applications with one or more known security issues.

    WordPress 2.0.0 (PHP, released December 31, 2005) with plugins:

    o myGallery version 1.2

    o Spreadsheet for WordPress version 0.6

    OrangeHRM version 2.4.2 (PHP, released May 7, 2009)

    GetBoo version 1.04 (PHP, released April 7, 2008)

    gtd-php version 0.7 (PHP, released September 30, 2006)

    Yazd version 1.0 (Java, released February 20, 2002)

    WebCalendar version 1.03 (PHP, released April 11, 2006)

    Gallery2 version 2.1 (PHP, released March 23, 2006)

    TikiWiki version 1.9.5 (PHP, released September 5, 2006)

    Joomla version 1.5.15 (PHP, released November 4, 2009)

    AWStats version 6.4 (build 1.814, Perl, released February 25,2005)

    Applications for Testing Tools

    Applications designed for testing automated tools like web application security scanners.

    OWASP ZAP-WAVE version 0.2+SVN (Java JSP)

    WAVSEP version 1.2 (Java JSP)

    WIVET version 3+SVN (PHP)

    Demonstration Pages / Small Applications

    Little applications or pages with intentional vulnerabilities to demonstrate specific concepts.

    OWASP CSRFGuard Test Application version 2.2 (Java)

    Mandiant Struts Forms (Java/Struts)

    Simple ASP.NET Forms (ASP.NET/C#)

    Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

    OWASP Demonstration Applications

    Demonstration of an OWASP application. Does not contain any intentional vulnerabilities.

    OWASP AppSensor Demo Application (Java)

    Getting Started


    Download

    The VM can be downloaded as a .zip file or as a much smaller .7z (7-Zip) archive. Both files contain the exact same VM. I recommend that you download the .7z archive if possible to save bandwidth (and time); 7-Zip is available for Mac, Linux, and other operating systems.

    Download from http://sourceforge.net/projects/owaspbwa/files/.

    Virtual Machine Format

    The Open Web Application Security Project (OWASP) Broken Web Applications Project is

    distributed as a Virtual Machine in VMware format compatible with their no-cost VMware

    Player and VMware vSphere Hypervisor (ESXi) products (along with their older and

    commercial products).

    See Converting Virtual Machine Format if you want to use the VM with other virtualization

    software.

    The VM requires no installation. Simply extract the files from the archive and then start the

    VM in your virtualization software.

    Viewing the VM's Starting Page

    When the OWASP BWA VM is started, it will provide information on the console with the

    IP address of the VM and various ways to access and manage it.

    It is highly recommended (though not required for most applications) that you add an entry to the 'hosts' file of the host OS running the VM to resolve the hostname 'owaspbwa' to the IP address shown in the console on bootup. The entry will look like the line below (replace 192.168.15.130 with the IP of your VM). This document (and the vulnerability list at https://sourceforge.net/p/owaspbwa/tickets/?limit=999&sort=_severity+asc) assumes that you have added this entry.

    192.168.15.130 owaspbwa

    Once the entry is added, you can view the main page for the VM at http://owaspbwa/. That

    page includes links and lots of additional information about each of the applications.

    Application Usernames and Passwords

    In general, applications on OWASP BWA have been configured with an administrative

    account named 'admin' with a password of 'admin' and a "normal" user account named 'user'

    with a password of 'user'. In some cases, however, this was not possible or additional

    accounts were required.

    The full list of credentials for each application can be found on the main OWASP BWA web page (in the VM at http://owaspbwa/). In order to view the credentials for each application, click the green plus next to the application name on that web page to show more information about the application.

    Management

    Once booted, the VM can be administered via a few different mechanisms. Note that these are not considered "in scope" for the vulnerabilities in the VM; they are just there to support management. Administrative interfaces:

    SSH

    Samba shares

    Console login

    PHPMyAdmin (at http://owaspbwa/phpmyadmin/)

    In all cases, use a username of "root" and a password of "owaspbwa". Because this root password is published, keep the VM on a host-only or otherwise isolated network rather than one reachable by untrusted hosts.

    Usage

    Updating Application Code

    Software for many applications can be updated in place by editing the files (.php, .jsp, .aspx, etc.). This can be done on the command line (via the console or SSH), but is more commonly done via the Samba shares at \\owaspbwa\. Once files are edited, the resulting changes should take effect immediately.

    Some applications require compilation and redeployment before changes take effect, however. For those, the source code can be edited using the Samba shares (or on the command line), and then a script can be run in a terminal on the VM to rebuild and redeploy the application. The following table shows the source location and rebuild script for each application that requires compilation.

    Application | Source Location (Share) | Rebuild Script

    OWASP WebGoat (Java) | \\owaspbwa\owaspbwa\WebGoat-svn\ | owaspbwa-webgoat-rebuild.sh

    OWASP WebGoat.NET | \\owaspbwa\owaspbwa\webgoat.net-git\ | Cannot currently be rebuilt on VM. Can rebuild on another machine via share.

    OWASP ESAPI SwingSet Interactive | \\owaspbwa\owaspbwa\owasp-esapi-java-swingset-interactive-svn | owaspbwa-swingset-interactive-rebuild.sh

    OWASP CSRFGuard Test Applications | \\owaspbwa\owaspbwa\owaspbwa-svn\misc-src\OWASP-CSRFGuard-TestApp-2.2-src and \\owaspbwa\owaspbwa\owaspbwa-svn\misc-src\OWASP-CSRFGuard-TestApp-2.2-Vulnerable-src | owaspbwa-csrfguard-test-apps-rebuild.sh

    Yazd | \\owaspbwa\owaspbwa\owaspbwa-svn\misc-src\Yazd_1.0-src | owaspbwa-yazd-rebuild.sh

    Enabling and Disabling OWASP ModSecurity Core Rule Set

    The VM ships with Apache ModSecurity enabled, but with no rule sets in use (so nothing is blocked or logged). The VM provides easy mechanisms to enable and disable the OWASP ModSecurity Core Rule Set as shown below. The purpose of this feature is to allow users to see firsthand the effectiveness (and limitations) of the Core Rule Set in catching malicious requests.

    In order to log (but not block) any requests using the OWASP ModSecurity Core Rule Set,

    run the following command. Log messages appear in /var/log/apache2/error.log (shared at

    \\owaspbwa\var\log\apache2\error.log).

    owaspbwa-modsecurity-crs-log.sh

    In order to both block and log requests using the OWASP ModSecurity Core Rule Set, run:

    owaspbwa-modsecurity-crs-block.sh

    To disable all ModSecurity rules (returning to the state the VM ships in), run:

    owaspbwa-modsecurity-crs-off.sh

    Users can edit the Core Rule Set rules in effect by editing files under

    /etc/apache2/modsecurity-crs/ (shared at \\owaspbwa\etc\apache2\modsecurity-crs\). Users

    are also free to alter the Apache configuration to use an entirely different set of ModSecurity

    rules.
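    Once the Core Rule Set is switched on, the only evidence of what it did is the set of "ModSecurity:" lines in /var/log/apache2/error.log (this also applies to the general Logging section below). The script that follows is an added example, not code from the OWASP BWA project: it parses those lines, extracts the rule id, message, severity, client and URI from the bracketed [key "value"] tags that ModSecurity 2.x appends to each message, and infers from the recorded action whether the VM was in log-only mode ("Warning.") or blocking mode ("Access denied with code 403"). The embedded sample log is constructed; its rule ids, messages, URIs, client address and unique ids are illustrative rather than copied from a real VM. It assumes the CRS anomaly-scoring configuration, in which the denial is reported by the inbound blocking rule rather than by the detecting rule; in the traditional mode the detecting rule itself reports the denial, and the parser handles both the same way.

```python
r"""Parse OWASP ModSecurity Core Rule Set hits out of Apache's error.log.

Added example; it is not part of the OWASP BWA project. On the VM the input
would be /var/log/apache2/error.log (also reachable at
\\owaspbwa\var\log\apache2\error.log). A constructed sample in the
ModSecurity 2.x message format is embedded so the script runs offline.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: two requests (a SQLi probe and an XSS probe) logged in
# blocking mode, plus one ordinary Apache error line that must be ignored.
# Rule ids, messages, URIs, client address and unique_ids are illustrative.
SAMPLE_LOG = r'''[Tue Mar 05 10:12:34 2013] [error] [client 192.168.15.1] ModSecurity: Warning. Pattern match "(?i:\bor\b ?\d+ ?=)" at ARGS:id. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [data "' or 1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "owaspbwa"] [uri "/dvwa/vulnerabilities/sqli/"] [unique_id "UTWkJsCoDxoAAAxtAf8AAAAA"]
[Tue Mar 05 10:12:34 2013] [error] [client 192.168.15.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=0): Last Matched Message: SQL Injection Attack"] [data "Last Matched Data: ' or 1=1"] [severity "CRITICAL"] [hostname "owaspbwa"] [uri "/dvwa/vulnerabilities/sqli/"] [unique_id "UTWkJsCoDxoAAAxtAf8AAAAA"]
[Tue Mar 05 10:12:51 2013] [error] [client 192.168.15.1] ModSecurity: Warning. Pattern match "(?i:<script" at ARGS:name. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "958051"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "owaspbwa"] [uri "/dvwa/vulnerabilities/xss_r/"] [unique_id "UTWkKMCoDxoAAAxtAf8AAAAB"]
[Tue Mar 05 10:12:51 2013] [error] [client 192.168.15.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=0, XSS=5): Last Matched Message: Cross-site Scripting (XSS) Attack"] [data "Last Matched Data: <script"] [severity "CRITICAL"] [hostname "owaspbwa"] [uri "/dvwa/vulnerabilities/xss_r/"] [unique_id "UTWkKMCoDxoAAAxtAf8AAAAB"]
[Tue Mar 05 10:13:02 2013] [error] [client 192.168.15.1] File does not exist: /var/www/favicon.ico
'''

# The free-text action right after "ModSecurity:" tells log-only from blocking.
_ACTION = re.compile(r'ModSecurity: (?P<action>Warning|Access denied with code \d+)')
_CLIENT = re.compile(r'\[client (?P<client>[^\]]+)\]')
# Metadata is appended as [key "value"] pairs; values may contain \" escapes.
_TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


@dataclass
class CrsEvent:
    client: str
    action: str      # "Warning" (logged only) or "Access denied with code NNN"
    rule_id: str
    msg: str
    severity: str
    uri: str

    @property
    def blocked(self) -> bool:
        return self.action.startswith("Access denied")


def parse_line(line: str):
    """Return a CrsEvent for a ModSecurity message, or None for any other line."""
    m = _ACTION.search(line)
    if m is None:
        return None
    tags = dict(_TAG.findall(line))   # later duplicates (e.g. several [tag]) win
    client = _CLIENT.search(line)
    return CrsEvent(
        client=client.group("client") if client else "",
        action=m.group("action"),
        rule_id=tags.get("id", ""),
        msg=tags.get("msg", ""),
        severity=tags.get("severity", ""),
        uri=tags.get("uri", ""),
    )


def parse_log(text: str):
    """Parse every line of an error.log body, skipping non-ModSecurity lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Infer which owaspbwa-modsecurity-crs-*.sh mode produced the log and count
    rule hits: 'off' (no CRS messages), 'log' (rules only warned), or 'block'
    (at least one request was denied)."""
    if not events:
        return "off", Counter()
    mode = "block" if any(e.blocked for e in events) else "log"
    return mode, Counter((e.rule_id, e.msg) for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    mode, hits = summarize(evs)
    print(f"CRS mode inferred from log: {mode}")
    for (rule_id, msg), n in hits.most_common():
        print(f"  {n}x rule {rule_id}: {msg}")
    for e in evs:
        state = "DENIED" if e.blocked else "logged"
        print(f"  {state} {e.client} {e.uri} [{e.severity}] rule {e.rule_id}")
```

    To use it against the VM, replace SAMPLE_LOG with the contents of the error.log share, run owaspbwa-modsecurity-crs-log.sh, send a request with a known-bad parameter to one of the applications, and check that only "Warning" events appear; after owaspbwa-modsecurity-crs-block.sh the same request should produce an additional "Access denied" event and an HTTP 403 in the browser.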

    Logging

    The logging configuration for all components on the VM has been left at the default settings, but the user is free to edit the logging configuration in order to see the impact of changes.

    Logs can be accessed under the /var/log/ directory (shared at \\owaspbwa\var\log\). All logs are deleted before the VM is distributed, so every log entry a user sees is due to their own activity on the system.


    Advanced Topics

    Converting Virtual Machine Format

    The OWASP BWA developers believe that the VM should be easily convertible to run under

    virtualization software other than VMware products.

    Users have reported the VM to work in the following virtualization software packages:

    VirtualBox

    Users who attempt to use the VM in other virtualization software are encouraged to provide feedback on the process, whether or not it was successful.

    Updating Components From Repositories

    Various components on the OWASP BWA VM can be updated from their public repositories.

    Any such updates carry a risk of breaking the respective application, but have potential to

    provide additional features without having to wait for the next release of the OWASP BWA

    VM.

    Generally, users who desire this feature should try updating all components first. If errors are

    encountered, please report them to the OWASP BWA developers. Then, revert the VM to an

    earlier, working state and attempt to update only the OWASP BWA specific content.

    All Components

    In order to update the files for OWASP BWA, along with code for applications that are

    pulled from public source code repositories, run the command:

    owaspbwa-update-all.sh

    This may result in application errors if there are updates to the application that do not work in

    the VM. This is often due to changes in the structure of the database used by the application.

    If this occurs, check the application for instructions on how to rebuild the database. Some

    applications include a page or link that will rebuild the database automatically.

    OWASP BWA Specific Content

    Code and files that are not available in any other public repositories are stored in the SVN

    repository for OWASP BWA at Google Code. That can be updated by running:

    owaspbwa-update-owaspbwa-only.sh

    Running this command may also update the application databases stored on the VM. That

    update may cause issues with applications that have their own public repository since the

    application itself is not updated by this command.


    Getting Involved

    Reporting Bugs

    All known bugs (not the intentional security issues) in the VM are in the Google Code issue

    tracker (that is, "Issues" in the menu above). Please report any additional bugs you discover.

    Known Vulnerabilities

    The known security vulnerabilities in the applications are tracked at

    https://sourceforge.net/p/owaspbwa/tickets/?limit=999&sort=_severity+asc. Please submit

    any additional issues that you discover.