Broken Web Applications Project - A Virtual Machine For Web Application Security Researchers

The Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.

You can use this for:
  • learning about web application security
  • testing manual assessment techniques
  • testing automated tools
  • testing source code analysis tools
  • observing web attacks
  • testing WAFs and similar code technologies

The VM can be downloaded as a .zip file or as a much smaller .7z 7-zip Archive. We recommend that you download the .7z archive to save bandwidth and time.


Version 1.2 - 2015-08-03
  • Updated Mutillidae
  • Other miscellaneous, minor updates

Version 1.2rc1 - 2015-06-24
  • Updated Mutillidae and WAVSEP
    • Removed IP address restrictions on Mutillidae
    • Added script to rebuild WAVSEP
  • Added bWAPP application and script to automatically update bWAPP
  • Added OWASP Security Shepherd application and supporting scripts.
  • Likely updated other applications

Version 1.1.1 - 2013-09-27
  • Updated Mutillidae and transitioned to use its new Git repository
  • Fixed issue with Tomcat not starting in some circumstances

Version 1.1 - 2013-07-30
  • Updated Mutillidae, Cyclone, and WAVSEP 
  • Updated OWASP Bricks and configured it to pull from SVN
  • Fixed ModSecurity CRS blocking and rebuilt ModSecurity to include Lua support
  • Increased VM's RAM allocation to 1Gb
  • Set Tomcat to run as root (to allow some traversal issues tested by WAVSEP)
  • Updated landing page for OWASP 1-Liner to reflect that the application is not fully functional

Version 1.1beta1 - 2013-07-10
  • Added new applications: OWASP 1-liner, OWASP RailsGoat, OWASP Bricks, SpiderLabs "Magical Code Injection Rainbow", Cyclone
  • Updated Mutillidae (name, version, and to use new SVN repository)
  • Updated DVWA to new Git repository
  • Added SSL support to web server
  • Updated ModSecurity and updated Core Rule Set to current in Git
  • Known issues:
    • ModSecurity CRS blocking does not work
    • OWASP 1-liner application appears to have functional issues (it was heavily modified to run on the VM through Apache)
    • Other new applications have not been fully tested 
    • User Guide has not been updated

Version 1.0 - 2012-07-24
  • Added new application: WIVET (
  • Updated WAVSEP, Mutillidae, Vicnum
  • Created new category for "Applications for Testing Tools", containing OWASP ZAP WAVE, WIVET, and WAVSEP
  • Major update to User Guide at
  • Removed some other project Wiki pages that were incorporated into User Guide.
  • More improvements to index.html

Version 1.0rc2 - 2012-07-14
  • Added new application: WAVSEP (
  • Updated WebGoat.NET, WebGoat (Java), and other applications from source repositories.
  • Updated Mutillidae.
  • Removed links to OWASP ESAPI SwingSet (non-Interactive).  That application has been deprecated and replaced by the SwingSet Interactive.
  • Changed version numbers in index.html to better indicate applications that are updated from public SVN or GIT repositories.
  • Layout improvements to index.html file (layout could still use some work).
  • Fixed bugs in Yazd (may have been present in 1.0rc1 or before)
  • Changes MySQL configuration to store database and table names as lower case (facilitates use of software written on Windows that may not strictly adhere to one case for identifiers)

Version 1.0rc1 - 2012-04-04
  • Added new applications:
    • Added OWASP WebGoat.NET (
    • Added OWASP ESAPI SwingSet (
    • Added OWASP ESAPI SwingSet Interactive (
    • Added Jotto (from OWASP Vicnum project
  • Updated applications: Mutillidae, WebGoat (Java), ModSecurity, ModSecurity, Core Rule Set, BodgeIt, OWASP ZAP WAVE, Damn Vulnerable Web Application,WackoPicko
  • Added owaspbwa-* scripts to build and deploy applications from source (WebGoat, Yazd, CSRFGuard Test Apps, SwingSet Apps)
  • Added owaspbwa-update-*.sh scripts to automatically pull updates from source repositories (OWASP BWA only and for all applications)
  • Cleaned up installations of WebGoat and Yazd
  • Fixed issue with PHP configuration to allow Remote File Include (RFI) vulnerabilities.
  • Created User Guide at (not yet complete).

Version 0.94 - 2011-07-24
  • No changes from 0.94rc3.

Version 0.94rc3 - 2011-07-14
  • More fixes to hackxor applications

Version 0.94rc2 - 2011-07-13
  • Fixes to hackxor applications

Version 0.94rc1 - 2011-07-11
  • Added a number of new applications, including Gruyere, Hackxor, WackoPicko, BodgeIt, TikiWiki, Joomla, Gallery2, WebCalendar, AWStats, and ZAP-Wave
  • New and improved "home" page in the VM 

Version 0.93rc1 - 2011-01-19
  • Rebuilt OrangeHRM database to fix login issue 
  • Configured mod_proxy on Apache web server to reverse proxy applications running on Tomcat web server. Disabled direct access to Tomcat server
  • Installed ModSecurity to 2.5.13 from source (needed by Core Rule Set)
  • Configured the ModSecurity Core Rule Set.  It is disabled by default, but can be enabled through the use of new shell scripts in /usr/local/bin
  • Adjusted Samba shares to follow symlinks
  • Removed some miscellaneous old/duplicate files
  • Attempted to fix phpBB issues, but was unsuccessful.  That application is broken for this release and marked as such in the index.html file

Version 0.92rc2 - 2010-11-15
  • Fixed bug with MySQL databases not starting properly

Version 0.92rc1 - 2010-11-10
  • Developed method for tracking known issues in the applications at
  • Updated base OS to Ubuntu 10.04 LTS
  • Updated DVWA to SVN version > 1.07
  • Updated Mutillidae to version 1.5
  • Updated WebGoat to SVN version > 5.3
  • Added and configured three "real" applications suggested by Matt Tesauro:
    • Added application: GetBoo version 1.04 (
    • Added application: GTD-PHP version 0.7 (
    • Added application: OrangeHRM version 2.4.2 (
  • Fixed bug in DVWA database permissions that was preventing stored XSS from working

Version 0.91rc1 - 2010-03-24
  • Updated OWASP Vicnum to version 1.4 (
  • Added application: Ghost (
  • Added application: Peruggia version 1.2 (
  • Added application: OWASP AppSensor Demo (
  • Fixed bug where VM would sometimes not get an address from DHCP on boot
  • Fixed bug where PHP magic quotes were enabled for some applications, preventing SQL Injection
  • Changed password for some applications to match standard users named 'admin' and 'user' with the password the same as the username
  • Moved databases, applications that run on Apache web server, some configuration files, and some applications that run on Tomcat web server into SVN with symlinks to the SVN directory in the normal file system.
  • Fixed bug in where permissions on /var/www/dvwa were not set properly

Version 0.9 - 2009-11-11
  • Initial Release

No comments

Powered by Blogger.