Home / 1.0rc2
Name Modified Size Downloads / Week Status
Parent folder
Totals: 3 Items   2.3 GB 9
readme.txt 2012-07-15 6.2 kB 33 weekly downloads
OWASP_Broken_Web_Apps_VM_1.0rc2.zip 2012-07-14 1.3 GB 55 weekly downloads
OWASP_Broken_Web_Apps_VM_1.0rc2.7z 2012-07-14 979.5 MB 11 weekly downloads
Release notes for the Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost and commercial VMware products. More information about the project can be found at http://www.owaspbwa.org/. The VM can be downloaded as a .zip file or as a much smaller .7z 7-zip Archive. BOTH FILES CONTAIN THE EXACT SAME VM! We recommend that you download the .7z archive if possible to save bandwidth (and time). 7-zip is available for Windows, Mac, Linux, and other Operating Systems. !!! This VM has many serious security issues. We strongly recommend that you run it only on the "host only" or "NAT" network in the virtual machine settings !!! Version 1.0rc2 - 2012-07-14 - Added new application: wavsep (http://code.google.com/p/wavsep/) - Updated WebGoat.NET, WebGoat (Java), and other applications from source repositories. Updated Mutillidae. - Removed links to OWASP ESAPI SwingSet (non-Interactive). That application has been deprecated and replaced by the SwingSet Interactive. - Changed version numbers in index.html to better indicate applications that are updated from public SVN or GIT repositories. - Layout improvements to index.html file (layout could still use some work). - Fixed bugs in Yazd (may have been present in 1.0rc1 or before) - Changes MySQL configuration to store database and table names as lower case (facilitates use of software written on Windows that may not strictly adhere to one case for identifiers) Version 1.0rc1 - 2012-04-04 - Added new applications: - Added OWASP WebGoat.NET (https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET) - Added OWASP ESAPI SwingSet (https://www.owasp.org/index.php/ESAPI_Swingset) - Added OWASP ESAPI SwingSet Interactive (https://www.owasp.org/index.php/ESAPI_Swingset) - Added Jotto (from OWASP Vicnum project - http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project) - Updated applications: Mutillidae, WebGoat (Java), ModSecurity, ModSecurity Core Rule Set, BodgeIt, OWASP ZAP WAVE, Damn Vulnerable Web Application, WackoPicko - Added owaspbwa-*-rebuild.sh scripts to build and deploy applications from source (WebGoat, Yazd, CSRFGuard Test Apps, SwingSet Apps) - Added owaspbwa-update-*.sh scripts to automatically pull updates from source repositories (OWASP BWA only and for all applications) - Cleaned up installations of WebGoat and Yazd - Fixed issue with PHP configuration to allow Remote File Include (RFI) vulnerabilities. - Created User Guide at http://code.google.com/p/owaspbwa/wiki/UserGuide (not yet complete). Version 0.94 - 2011-07-24 - No changes from 0.94rc3. Version 0.94rc3 - 2011-07-14 - More fixes to hackxor applications (thanks again to Albino Wax). Version 0.94rc2 - 2011-07-13 - Fixes to hackxor applications (thanks to Albino Wax for fixes). Version 0.94rc1 - 2011-07-11 - Added a number of new applications, including Gruyere, Hackxor, WackoPicko, BodgeIt, TikiWiki, Joomla, Gallery2, WebCalendar, AWStats, and ZAP-Wave (thanks to Mike Cyr for lots of work in this area). - New and improved "home" page in the VM (thanks again to Mike Cyr). Version 0.93rc1 - 2011-01-19 - Rebuilt OrangeHRM database to fix login issue (thanks to Dave van Stein for reporting this) - Configured mod_proxy on Apache web server to reverse proxy applications running on Tomcat web server. Disabled direct access to Tomcat server - Installed ModSecurity to 2.5.13 from source (needed by Core Rule Set) - Configured the ModSecurity Core Rule Set. It is disabled by default, but can be enabled through the use of new shell scripts in /usr/local/bin - Adjusted Samba shares to follow symlinks - Removed some miscellaneous old / duplicate files - Attempted to fix phpBB issues, but was unsuccessful. That application is broken for this release and marked as such in the index.html file (thanks to Dave van Stein for reporting this issue) Version 0.92rc2 - 2010-11-15 - Fixed bug with MySQL databases not starting properly (thanks to Tom Neaves for reporting this) Version 0.92rc1 - 2010-11-10 - Developed method for tracking known issues in the applications at http://sourceforge.net/apps/trac/owaspbwa/report/1. - Updated base OS to Ubuntu 10.04 LTS - Updated DVWA to SVN version > 1.07 - Updated Mutillidae to version 1.5 - Updated WebGoat to SVN version > 5.3 - Added and configured three "real" applications suggested by Matt Tesauro: - Added application: GetBoo version 1.04 (http://sourceforge.net/projects/getboo/files/) - Added application: GTD-PHP version 0.7 (http://sourceforge.net/projects/gtd-php/files/) - Added application: OrangeHRM version 2.4.2 (http://www.orangehrm.com/) - Fixed bug in DVWA database permissions that was preventing stored XSS from working (thanks to Owen Wright for reporting this) Version 0.91rc1 - 2010-03-24 - Updated OWASP Vicnum to version 1.4 (http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project) - Added application: Ghost (http://webdevelopmentsolutions.org/) - Added application: Peruggia version 1.2 (http://peruggia.sourceforge.net/) - Added application: OWASP AppSensor Demo (http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project) - Fixed bug where VM would sometimes not get an address from DHCP on boot - Fixed bug where PHP magic quotes were enabled for some applications, preventing SQL Injection - Changed password for some applications to match standard users named 'admin' and 'user' with the password the same as the username - Moved databases, applications that run on Apache web server, some configuration files, and some applications that run on Tomcat web server into SVN with symlinks to the SVN directory in the normal file system. - Fixed bug in where permissions on /var/www/dvwa were not set properly (thanks to Dale Castle for reporting this) Version 0.9 - 2009-11-11 - Initial Release
Source: readme.txt, updated 2012-07-15