bWAPP - An Extremely Buggy Web App For Practising Hacking

bWAPP - An Extremely Buggy Web App For Practising Hacking

bWAPP is a deliberately buggy web application that is designed to help security enthusiasts, developers, and students to discover and prevent web vulnerabilities. This security learning platform can help you to prepare for conducting successful penetration testing and ethical hacking projects.

It has over 100 web bugs, including all major known web vulnerabilities.

bWAPP select bug


  • Very easy to use and to understand
  • Well structured and documented PHP code
  • Different security levels (low/medium/high)
  • 'New user' creation (password/secret)
  • 'Reset application/database' feature
  • Manual intervention page
  • Email functionalities
  • Local PHP settings file
  • No-authentication mode (A.I.M.)
  • 'Evil Bee' mode, bypassing security checks
  • 'Evil' directory, including attack scripts
  • WSDL file (Web Services/SOAP)
  • Fuzzing possibilities

bWAPP web image


  • SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
  • Authentication, authorization and session management issues
  • Malicious, unrestricted file uploads and backdoor files
  • Arbitrary file access and directory traversals
  • Heartbleed and Shellshock vulnerability
  • Local and remote file inclusions (LFI/RFI)
  • Server Side Request Forgery (SSRF)
  • Configuration issues: Man-in-the-Middle, Cross-Domain policy file,
  • FTP, SNMP, WebDAV, information disclosures,...
  • HTTP parameter pollution and HTTP response splitting
  • XML External Entity attacks (XXE)
  • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  • Drupal, phpMyAdmin and SQLite issues
  • Unvalidated redirects and forwards
  • Denial-of-Service (DoS) attacks
  • Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
  • AJAX and Web Services issues (JSON/XML/SOAP)
  • Parameter tampering and cookie poisoning
  • Buffer overflows and local privilege escalations
  • PHP-CGI remote code execution
  • HTTP verb tampering
  • And much more...

It can be hosted on Windows/Linux with Apache/IIS and MySQL (or just use  WAMP or XAMPP).

Or, you can use the bee-box, a custom Linux virtual machine pre-installed with bWAPP.

For more information about bee-box, read this article: bee-box -  A Custom Linux VM Pre-installed with bWAPP

No comments

Powered by Blogger.