Release notes for the Open Web Application Security Project (OWASP)
Broken Web Applications Project, a collection of vulnerable web
applications that is distributed on a Virtual Machine in VMware format
compatible with their no-cost and commercial VMware products.
More information about the project can be found at
The VM can be downloaded as a .zip file or as a much smaller .7z 7-zip
Archive. BOTH FILES CONTAIN THE EXACT SAME VM! We recommend that you
download the .7z archive if possible to save bandwidth (and time).
7-zip is available for Windows, Mac, Linux, and other Operating Systems.
!!! This VM has many serious security issues. We strongly recommend that
you run it only on the "host only" or "NAT" network in the virtual machine
Version 1.0rc2 - 2012-07-14
- Added new application: wavsep (http://code.google.com/p/wavsep/)
- Updated WebGoat.NET, WebGoat (Java), and other applications from source
repositories. Updated Mutillidae.
- Removed links to OWASP ESAPI SwingSet (non-Interactive). That application
has been deprecated and replaced by the SwingSet Interactive.
- Changed version numbers in index.html to better indicate applications that
are updated from public SVN or GIT repositories.
- Layout improvements to index.html file (layout could still use some work).
- Fixed bugs in Yazd (may have been present in 1.0rc1 or before)
- Changes MySQL configuration to store database and table names as lower case
(facilitates use of software written on Windows that may not strictly adhere
to one case for identifiers)
Version 1.0rc1 - 2012-04-04
- Added new applications:
- Added OWASP WebGoat.NET
- Added OWASP ESAPI SwingSet
- Added OWASP ESAPI SwingSet Interactive
- Added Jotto (from OWASP Vicnum project -
- Updated applications: Mutillidae, WebGoat (Java), ModSecurity, ModSecurity
Core Rule Set, BodgeIt, OWASP ZAP WAVE, Damn Vulnerable Web Application,
- Added owaspbwa-*-rebuild.sh scripts to build and deploy applications from
source (WebGoat, Yazd, CSRFGuard Test Apps, SwingSet Apps)
- Added owaspbwa-update-*.sh scripts to automatically pull updates from source
repositories (OWASP BWA only and for all applications)
- Cleaned up installations of WebGoat and Yazd
- Fixed issue with PHP configuration to allow Remote File Include (RFI)
- Created User Guide at http://code.google.com/p/owaspbwa/wiki/UserGuide (not
Version 0.94 - 2011-07-24
- No changes from 0.94rc3.
Version 0.94rc3 - 2011-07-14
- More fixes to hackxor applications (thanks again to Albino Wax).
Version 0.94rc2 - 2011-07-13
- Fixes to hackxor applications (thanks to Albino Wax for fixes).
Version 0.94rc1 - 2011-07-11
- Added a number of new applications, including Gruyere, Hackxor,
WackoPicko, BodgeIt, TikiWiki, Joomla, Gallery2, WebCalendar, AWStats,
and ZAP-Wave (thanks to Mike Cyr for lots of work in this area).
- New and improved "home" page in the VM (thanks again to Mike Cyr).
Version 0.93rc1 - 2011-01-19
- Rebuilt OrangeHRM database to fix login issue (thanks to Dave van Stein
for reporting this)
- Configured mod_proxy on Apache web server to reverse proxy applications
running on Tomcat web server. Disabled direct access to Tomcat server
- Installed ModSecurity to 2.5.13 from source (needed by Core Rule Set)
- Configured the ModSecurity Core Rule Set. It is disabled by default,
but can be enabled through the use of new shell scripts in
- Adjusted Samba shares to follow symlinks
- Removed some miscellaneous old / duplicate files
- Attempted to fix phpBB issues, but was unsuccessful. That application
is broken for this release and marked as such in the index.html file
(thanks to Dave van Stein for reporting this issue)
Version 0.92rc2 - 2010-11-15
- Fixed bug with MySQL databases not starting properly (thanks to Tom
Neaves for reporting this)
Version 0.92rc1 - 2010-11-10
- Developed method for tracking known issues in the applications at
- Updated base OS to Ubuntu 10.04 LTS
- Updated DVWA to SVN version > 1.07
- Updated Mutillidae to version 1.5
- Updated WebGoat to SVN version > 5.3
- Added and configured three "real" applications suggested by Matt Tesauro:
- Added application: GetBoo version 1.04
- Added application: GTD-PHP version 0.7
- Added application: OrangeHRM version 2.4.2
- Fixed bug in DVWA database permissions that was preventing stored XSS
from working (thanks to Owen Wright for reporting this)
Version 0.91rc1 - 2010-03-24
- Updated OWASP Vicnum to version 1.4
- Added application: Ghost (http://webdevelopmentsolutions.org/)
- Added application: Peruggia version 1.2
- Added application: OWASP AppSensor Demo
- Fixed bug where VM would sometimes not get an address from DHCP on
- Fixed bug where PHP magic quotes were enabled for some applications,
preventing SQL Injection
- Changed password for some applications to match standard users named
'admin' and 'user' with the password the same as the username
- Moved databases, applications that run on Apache web server, some
configuration files, and some applications that run on Tomcat web
server into SVN with symlinks to the SVN directory in the normal file
- Fixed bug in where permissions on /var/www/dvwa were not set properly
(thanks to Dale Castle for reporting this)
Version 0.9 - 2009-11-11
- Initial Release