bWAPP - An Extremely Buggy Web App For Practising Hacking

bWAPP is a deliberately buggy web application that is designed to help security enthusiasts, developers, and students to discover and prevent web vulnerabilities. This security learning platform can help you to prepare for conducting successful penetration testing and ethical hacking projects.

It has over 100 web bugs, including all major known web vulnerabilities.

Features:

• Very easy to use and to understand
• Well structured and documented PHP code
• Different security levels (low/medium/high)
• 'New user' creation (password/secret)
• 'Reset application/database' feature
• Manual intervention page
• Email functionalities
• Local PHP settings file
• No-authentication mode (A.I.M.)
• 'Evil Bee' mode, bypassing security checks
• 'Evil' directory, including attack scripts
• WSDL file (Web Services/SOAP)
• Fuzzing possibilities

Vulnerabilities:

• SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections
• Authentication, authorization and session management issues
• Malicious, unrestricted file uploads and backdoor files
• Arbitrary file access and directory traversals
• Heartbleed and Shellshock vulnerability
• Local and remote file inclusions (LFI/RFI)
• Server Side Request Forgery (SSRF)
• Configuration issues: Man-in-the-Middle, Cross-Domain policy file,
• FTP, SNMP, WebDAV, information disclosures,...
• HTTP parameter pollution and HTTP response splitting
• XML External Entity attacks (XXE)
• HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
• Drupal, phpMyAdmin and SQLite issues
• Unvalidated redirects and forwards
• Denial-of-Service (DoS) attacks
• Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
• AJAX and Web Services issues (JSON/XML/SOAP)
• Parameter tampering and cookie poisoning
• Buffer overflows and local privilege escalations
• PHP-CGI remote code execution
• HTTP verb tampering
• And much more...

It can be hosted on Windows/Linux with Apache/IIS and MySQL (or just use  WAMP or XAMPP).

Or, you can use the bee-box, a custom Linux virtual machine pre-installed with bWAPP.

For more information about bee-box, read this article: bee-box -  A Custom Linux VM Pre-installed with bWAPP

Download bWAPP

You might also like:

• 14 Best IP Hide Tools 2017

• JPassword Recovery - Free Tool To Crack Password Protected Archives (zip, rar, 7z)

• Wireless Network Watcher - Free Wireless Network Tool

• Angry IP Scanner - A Fast Network Scanning Tool

• Aircrack-ng - WiFi Network Security Suite (Monitoring, Attacking, Testing, and Cracking)

• OpenStego - A Free Tool For Data Hiding and Digital Watermarking

• Wfuzz - Web Application Password Cracking Tool

• WebSploit Framework - Tool For Vulnerability Assessment & Exploitation