
OWASP Broken Web Applications

The Broken Web Applications (BWA) Project from OWASP is a collection of vulnerable web applications, distributed as a virtual machine, whose purpose is to give students, security enthusiasts, and penetration testing professionals a platform for learning and developing web application testing skills, for testing automated tools, and for testing Web Application Firewalls (WAFs) and other defensive measures.

The latest version of BWA at the time of this writing is 1.2, released in August 2015. Even though it is more than a couple of years old, it is a great resource for the prospective penetration tester. It includes some of the most complete intentionally vulnerable web applications available, and it covers many different platforms; consider these examples:

  • WebGoat: This is a Java-based web application with an educational focus. It contains examples and challenges for the most common web vulnerabilities.
  • WebGoat.NET and RailsGoat: These are the .NET and Ruby on Rails versions of WebGoat, respectively.
  • Damn Vulnerable Web Application (DVWA): This is perhaps the most popular vulnerable-on-purpose web application available. It is based on PHP and contains training sections for common vulnerabilities.

OWASP BWA also includes realistic vulnerable web applications, that is, vulnerable-on-purpose web applications that simulate real-world applications, where you can look for vulnerabilities that are less obvious than in the applications listed previously. Some examples are as follows:

  • WackoPicko: This is an application where you can post pictures and buy photos of other users.
  • The BodgeIt Store: This simulates an online store where one needs to find vulnerabilities and complete a series of challenges.
  • Peruggia: This simulates a social network where you can upload pictures, receive comments, and comment on pictures of other users.

There are also versions of real web applications with known vulnerabilities that complement this collection, which you can test and exploit; consider these examples:

  • WordPress
  • Joomla
  • WebCalendar
  • AWStats

More information on the Broken Web Applications Project and download links can be found on its website: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project.

WARNING
When installing OWASP BWA, remember that it contains applications that have serious security issues. Do not install vulnerable applications on physical servers with internet access. Use a virtual machine, and set its network adapter to NAT, NAT network, or host only.
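One way to enforce the isolation rule before powering on the BWA virtual machine, as an added example that is not part of the original text: the shell function below reads the network adapter lines of VirtualBox's `VBoxManage showvminfo <vm> --machinereadable` output and refuses any adapter that is not NAT, NAT network, host-only, or disabled. The two sample outputs are constructed here to show a compliant and a non-compliant (bridged) configuration.

```shell
#!/bin/sh
# Constructed samples imitating the NIC lines of
# `VBoxManage showvminfo owaspbwa --machinereadable`; not captured from a real VM.
SAMPLE_OK='nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"'
SAMPLE_BAD='nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"'

# check_nics: reads machine-readable showvminfo lines on stdin and returns 0
# only when every adapter is nat, natnetwork, hostonly, or none (disabled).
# Any other mode (bridged, internal with an uplink, etc.) is reported and rejected.
check_nics() {
    status=0
    while IFS= read -r line; do
        # Only lines of the form nic<N>="<mode>" describe the attachment type.
        case "$line" in
            nic[0-9]*=*) ;;
            *) continue ;;
        esac
        mode=${line#*=}        # strip up to and including '='
        mode=${mode#\"}        # strip leading quote
        mode=${mode%\"}        # strip trailing quote
        case "$mode" in
            nat|natnetwork|hostonly|none) ;;
            *) echo "adapter ${line%%=*} is '$mode': isolated network required" >&2
               status=1 ;;
        esac
    done
    return $status
}

# Usage on the constructed samples (a real run would pipe VBoxManage output in).
printf '%s\n' "$SAMPLE_OK" | check_nics && echo "network configuration is isolated"
printf '%s\n' "$SAMPLE_BAD" | check_nics || echo "refusing to start the VM"
```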