-------------- bWAPP - README -------------- bWAPP, or a buggy web application, is a deliberately insecure web application. bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. It prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 100 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project! It is for security-testing and educational purposes only. It includes: */ Injection vulnerabilities like SQL, SSI, XML/XPath, JSON, LDAP, HTML, iFrame, OS Command and SMTP injection */ Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF) */ Unrestricted file uploads and backdoor files */ Authentication, authorization and session management issues */ Arbitrary file access and directory traversals */ Local and remote file inclusions (LFI/RFI) */ Server Side Request Forgery (SSRF) */ XML External Entity Attacks (XXE) */ Heartbleed vulnerability (OpenSSL) */ Shellshock vulnerability (CGI) */ Drupal SQL injection (Drupageddon) */ Configuration issues: Man-in-the-Middle, cross-domain policy file, information disclosures,... */ HTTP parameter pollution and HTTP response splitting */ Denial-of-Service (DoS) attacks */ HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues */ Unvalidated redirects and forwards */ Parameter tampering */ PHP-CGI vulnerability */ Insecure cryptographic storage */ AJAX and Web Services issues (JSON/XML/SOAP) */ Cookie and password reset poisoning */ Insecure FTP, SNMP and WebDAV configurations */ and much more... bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux and Windows using Apache/IIS and MySQL. It can be installed with WAMP or XAMPP. It's also possible to download our bee-box, a custom VM pre-installed with bWAPP. This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together. You can find more about the ITSEC GAMES and bWAPP projects on our blog. We offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'. This course can be scheduled on demand, at your location! More info: http://goo.gl/ASuPa1 (pdf) Enjoy! Cheers Malik Mesellem Twitter: @MME_IT