Archivo de la etiqueta: 2014hacking

bWAPP: learning IT security with an app

Today we want to talk about bWAPP, an insecure web application with educational purposes, founded by Malik Masellem (@MME_IT).

There are more applications of this type, but we discovered this one in our stay in Belgium last week, and we found it interesting.

What is bWAPP?

bWAPP is an insecure open-source web application designed to improve the skills of students, developers or people interested in IT security in order to discover and prevent web vulnerabilities.

This app has more than 70 vulnerabilities such as SQL injection, Cross-Site Scripting (XSS) or Denial of Service (DoS).

We can install this app with two different steps:

  • We can download the bWAPP application and install it afterwards in our server (Apache/ISS) or in XAMPP or WAMPP.
  • In addition, we have the possibility of downloading ‘bee-box’, a virtual machine with bWAPP already installed. It takes up 7.3 Gb.

Once installed, it is time to play… here we have two examples of exploiting vulnerabilities:

XSS – Reflected:

1. We choose the vulnerability we want to exploit, in this case, ‘Cross-Site Scripting – Reflected (GET)

2. We write ‘<script>alert(“XSS”)</script>’ in ‘First name’:

3. Result:

SQL Injection:

1. Insert characters: in this case we have enough with an inverted comma  :

2. We receive the information from the database:

You can find all the information of this app, together with the download and the explanation in the following link:

Here you have some other applications where you can learn hacking techniques without getting into trouble:

  • Gruyere, a project from Google. You can find more information about this in @fluproject.
  • WebGoat, an OWASP project.
  •, an eLearnSecurity project where you can have access to several web applications with vulnerabilities to improve and learn pentesting techniques.

Time to enjoy playing and learning!

Translated by Cristina Serrano (@parole_errante)