-------------- bWAPP - README -------------- bWAPP, or a buggy web application, is a deliberately insecure web application. bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. It prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 60 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project! It is for security-testing and educational purposes only. It includes: */ Injection vulnerabilities like SQL, SSI, XML/XPath, JSON, LDAP, HTML, OS Command and SMTP injection */ Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF) */ Unrestricted file uploads and backdoor files */ Authentication, authorization and session management issues */ PHP-CGI and OpenSSL (heartbleed) vulnerabilities */ Arbitrary file access and directory traversals */ Local and remote file inclusions (LFI/RFI) */ Server Side Request Forgery (SSRF) */ XML External Entity Attacks (XXE) */ Configuration issues: Man-in-the-Middle, cross-domain policy file, information disclosures,... */ HTTP parameter pollution and HTTP response splitting */ Denial-of-Service (DoS) attacks */ HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues */ Unvalidated redirects and forwards */ Parameter tampering */ Insecure cryptographic storage */ AJAX and Web Services issues (JSON/XML/SOAP) */ Cookie and password reset poisoning */ Insecure FTP, SNMP and WebDAV configurations */ and much more... bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux and Windows using Apache/IIS and MySQL. It can be installed with WAMP or XAMPP. It's also possible to download our bee-box, a custom VM pre-installed with bWAPP. This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together. You can find more about the ITSEC GAMES and bWAPP projects on our blog. We offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'. This course can be scheduled on demand, at your location! More info: http://goo.gl/ASuPa1 (pdf) We also offer a 4-hour workshop 'Plant the Flags with bWAPP', with the focus on attack techniques. Master modern martial arts and become a web ninja :) Perfect for your conference, convention or group event. More info: http://goo.gl/fAwCex (pdf) Enjoy! Cheers Malik Mesellem Twitter: @MME_IT