In recent days, web applications are often targeted by attackers due to their high accessibility and the sensitive information they store. Web penetration testing is the process of assessing the security of a web application by simulating attacks against it. The goal is to identify vulnerabilities and weaknesses in the application's security defenses so that they can be fixed before attackers can exploit them.
In this article, we are going to setting up a web application pen-testing Lab for practicing web penetration testing.
Downloading a Broken web application is often necessary for
practicing web penetration testing because it provides a safe and controlled
environment for testing various attack techniques. Broken web applications are
intentionally designed to contain vulnerabilities that can be exploited by
testers to learn about web application security and practice penetration testing
techniques. By exploiting these vulnerabilities, testers can gain a deeper
understanding of how attackers might be able to penetrate a real-world web
application.
Moreover, practicing on a broken web application can help
testers build their skills and gain practical experience in identifying,
exploiting, and mitigating vulnerabilities in web applications. This can improve the overall security of web applications and protect
against potential attacks.
The Broken Web Application (BWA) is an OWASP project that
provides a self-contained VM complete with a variety of applications with known
vulnerabilities.
The OWASP Broken Web Applications Project provides a collection of vulnerable web applications that can be used for educational and training purposes. These applications are designed to be used by security professionals, developers, and testers to learn about web application security vulnerabilities and how to exploit them.
The Broken Web Applications Project includes a variety of
web applications, including those built with popular web frameworks such as
Java, .NET, and Ruby on Rails. These applications are intentionally vulnerable
to common security vulnerabilities, such as SQL injection, cross-site scripting
(XSS), and cross-site request forgery (CSRF).
Listed Broken Web Applications are all listed below:
- Training Applications
- OWASP WebGoat
- OWASP WebGoat .NET
- OWASP ESAPI Java SwingSet Interactive
- OWASP Multilidae II
- OWASP RailsGoat
- OWASP Bricks
- OWASP Security Shepherd
- Ghost
- Magical Code Injection Rainbow
- bWAPP
- Damn Vulnerable Web Application
- Realistic, Intentionally, Vulnerable Applications
- OWASP Vicnum
- OWASP 1-Liner
- Google Gruyere
- Hackxor
- WacloPicko
- Bodgelt
- Cyclone
- Peruggla
- Old (Vulnerable) Versions of Real Applications
- WordPress
- OrangeHRM
- GetBoo
- GTD-PHP
- Yazd
- WebCalendar
- Gallery2
- Tiki Wiki
- Joomla
- AWStats
- Applications for Testing Tools
- OWASP ZAP-WAVE
- WAVSEP
- WIVET
- Demonstration Pages/ Small Applications
- OWASP CSRFGuard Test Application
- Mandiant Struts Forms
- Simple ASP .NET forms
- Simple Form with DOM Cross-Site Scripting
- OWASP Demonstration Application
- OWASP AppSensor Demo Application
Security professionals, developers, and testers can use these applications to learn about web application security vulnerabilities and how to identify and exploit them. This can be useful for improving the security of web applications and for understanding the types of attacks that can be used against them.
Installation steps
You can install the OWASP Broken Web Applications Project by
performing the following steps:
1. Firstly, we have to download the OWASP Broken Web Applications Project from sourceforge.net. The project is available as a virtual machine or as a set of source code files.
2. Download the OVA file, since we are going to run it on VirtualBox.
.png)
3. Launch VirtualBox and select "File" → "Import Appliance" from the menu bar.
.png)
4. In the "Appliance to Import" dialog box, click the "Choose" button:
.png)
5. Select the OWASP Broken Web Applications Project OVA file that you downloaded previously.
.png)
6. Review the import settings and make any necessary changes. Once the necessary changes are all checked, Click on the "Finish" button to start the import process.
.png)
Wait for the import process to complete. This may take several minutes, depending on the speed of your computer.
7. Once the import process is complete, the OWASP Broken Web
Applications Project virtual machine should appear in the VirtualBox Manager.
.png)
Your VM is now loaded in the VirtualBox Manager.
8. To access vulnerable web applications from your host machine, you must configure the network settings for the Virtual Machine.
By default, the virtual machine is configured to use a NAT network, which allows it to access the internet but does not allow outside connections to access the virtual machine.
.png)
9. To access the virtual machine from your host
machine, you can change the network settings to use a bridged network adapter
or a host-only network adapter.
.png)
10. Now, let's start the Virtual Machine. Select the virtual
machine and click the "Start" button to start the virtual machine.
Wait for the virtual machine to boot up.
.png)
11. Once it is ready, you can log in and access the vulnerable web applications.
- Username: root
- Password: owaspbwa
12. Open the Firefox browser on your host system, not in the VM.
Using the Firefox Browser on your host machine, enter the URL provided, where
the IP address is specific to your machine.
.png)
In your browser, you are presented with an index page containing links to vulnerable web applications. These applications will be used as targets throughout upcoming videos.
