
bWAPP – A Deliberately Buggy Web App to Practice Cybersecurity

This page describes how to install bee-box, a virtual Linux installation containing bWAPP, which is a deliberately buggy web application to practice pentesting and other cyber security skills on.

From the bWAPP website:

bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects.

What makes bWAPP so unique? Well, it has over 100 web vulnerabilities!

It covers all major known web bugs, including all risks from the OWASP Top 10 project.

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.

Another possibility is to download the bee-box, a custom Linux VM pre-installed with bWAPP.

Download our What is bWAPP? introduction tutorial, including free exercises...

bWAPP is for web application security-testing and educational purposes only.
Have fun with this free and open source project!

Cheers, Malik Mesellem

It seemed most logical to install bWAPP in the form of bee-box, a custom Linux virtual machine pre-installed with bWAPP.

How to Install BWAPP and Bee-Box

It was somewhat tricky to get bee-box to install in Oracle VirtualBox (and it still doesn't always boot correctly); however, when it's working it seems to run smoothly enough. It's based on an older version of Ubuntu Linux.

You can download the source for bee-box from here.

I installed bee-box from the above link onto my existing installation of VirtualBox. The YouTube video below explains how to do it.

The installation was ridiculously slow during the part which displays the orange progress bar. It sat not moving at all for 10 minutes, up to about 1/5 of the way through — and I was starting to think it was locked up (especially since most of the reviews on sourceforge said it didn't work), but then it instantly went from about 20% installed to fully completed.

At first, I followed the YouTube video exactly, though I suspected it would run a lot better with some more virtual RAM (it only had 1G), and some of the other VM settings tweaked.

The second time I ran it, it started up fine (and reasonably fast). I wasn't sure if it was the increased RAM (4G now, and also more video RAM) or just from being already run once.

The default username is bee and password is bug.

You can change the screen resolution in the Ubuntu settings themselves, e.g. to 1920x1080, and it works fine.

The default keyboard is for Belgium, so you can't type numbers (lol), or some letters. You can go into the settings, add a US option, and then delete the Belgium one.

It didn't work at first on the internet. Changing the network setting in VirtualBox Manager from the default NAT to bridged mode corrected this, and now it can ping 1.1.1.1.

But the keyboard had changed back to Belgium again, which is useless, since half of the keys are completely wrong. It took some effort to make the US (English) keyboard persistent.

Next, I tried to change the keyboard type to generic 104 key (before, I'd only changed the country to US from Belgium, but it was working after that, until rebooting it). I rebooted it again and it was still no good. Even though, when going into the GUI top screen menu system/preferences/keyboard, it looks like my changed and correct settings are there (it says US and generic 104 key, which were both correct now) — in the terminal it was still giving me the Belgium one.

Then, I tried this:

sudo dpkg-reconfigure console-setup

That didn't help either; it was back to the Belgium keyboard after a reboot.

Just going into the GUI one and re-confirming the 104 generic option was enough to fix it, but it would be much nicer to not have to do it every boot.

Getting the Keyboard to Work

Later on I did some more research into the keyboard settings.

I tried the advice from this page https://itectec.com/ubuntu/ubuntu-how-to-permanently-configure-keyboard/

From that page's advice, I added this file which didn't exist before:

sudo nano /etc/default/keyboard

And I also edited the file /etc/X11/xorg.conf, which still had the wrong (Belgium and 105) key options in it — it should be 'us' and 'pc104':

sudo nano /etc/X11/xorg.conf

The correct options (which I added to both of the above files, though it may only need one of the files edited to work) are

XKBLAYOUT="us"
XKBMODEL="pc104"

After that, I rebooted the bee-box VM, and it's working now, with the US English keyboard persistent after rebooting.
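The persistence fix described above, as an added example that is not part of the original post: a small POSIX shell script that sets XKBLAYOUT and XKBMODEL in /etc/default/keyboard idempotently (replacing an existing line instead of appending a duplicate) and reads the values back for a check. The file path is a parameter so it can be tried on a copy first; the function names and the --apply flag are my own.

```sh
#!/bin/sh
# Added example (not from the original post): make the XKB layout/model in
# /etc/default/keyboard persistent. FILE is a parameter so the functions can
# be exercised on a scratch copy before touching the real file as root.

# set_kbd_option FILE KEY VALUE: replace an existing KEY=... line or append one
set_kbd_option() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"          # create the file if it does not exist yet
    if grep -q "^$key=" "$file"; then
        # Rewrite the existing assignment (portable: write a temp copy, then move it)
        sed "s|^$key=.*|$key=\"$value\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_kbd_option FILE KEY: print the current value with surrounding quotes stripped
get_kbd_option() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$|\1|p" "$1" | tail -n 1
}

# set_us_pc104 FILE: the two settings that fixed the bee-box keyboard
set_us_pc104() {
    set_kbd_option "$1" XKBLAYOUT us
    set_kbd_option "$1" XKBMODEL pc104
}

# Usage (as root): ./fix-keyboard.sh --apply, then reboot as in the post above
if [ "${1:-}" = "--apply" ]; then
    set_us_pc104 /etc/default/keyboard
    echo "layout=$(get_kbd_option /etc/default/keyboard XKBLAYOUT) model=$(get_kbd_option /etc/default/keyboard XKBMODEL)"
fi
```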

Bugs in bWAPP 🐜

Here's another quote from the bWAPP / ITSEC GAMES website, describing some of the security flaws you can experiment with:

What makes bWAPP, our extremely buggy web application, so unique? Well, it has over 100 web bugs!

bWAPP covers all vulnerabilities from the OWASP Top 10 project, including:

  • SQL, HTML, iFrame, SSI, OS Command, PHP, XML, XPath, LDAP, Host Header and SMTP injections
  • Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
  • AJAX and Web Services issues (jQuery/JSON/XML/SOAP/WSDL)
  • Authentication, authorization and session issues, file upload flaws and backdoor files
  • Arbitrary file access, directory traversals, local and remote file inclusions (LFI/RFI)
  • Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
  • HTTP parameter pollution, HTTP response splitting and HTTP verb tampering
  • Insecure DistCC, FTP, NTP, Samba, SNMP, VNC and WebDAV configurations
  • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  • XML External Entity attacks (XXE) and Server Side Request Forgery (SSRF)
  • Heartbleed and Shellshock vulnerability (OpenSSL), Denial-of-Service (DoS) attacks
  • Parameter tampering, cookie and password reset poisoning

This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together.

Before I discovered bWAPP and bee-box, I was thinking of making a "sacrificial" VM install sometime to practice malware etc. on, so this seems ideal.

More to follow when I experiment some more with bWAPP and bee-box...

Byte.Yoga Homepage - Australian Cyber Security Web Magazine
