Setting up a Broken Web Application Pentesting Lab Environment

Today, web applications are frequent targets for attackers because they are highly accessible and store sensitive information. Web penetration testing is the process of assessing the security of a web application by simulating attacks against it. The goal is to identify vulnerabilities and weaknesses in the application's defenses so that they can be fixed before attackers exploit them.

In this article, we are going to set up a web application pen-testing lab for practicing web penetration testing.

Downloading a Broken web application is often necessary for practicing web penetration testing because it provides a safe and controlled environment for testing various attack techniques. Broken web applications are intentionally designed to contain vulnerabilities that can be exploited by testers to learn about web application security and practice penetration testing techniques. By exploiting these vulnerabilities, testers can gain a deeper understanding of how attackers might be able to penetrate a real-world web application.

Moreover, practicing on a broken web application can help testers build their skills and gain practical experience in identifying, exploiting, and mitigating vulnerabilities in web applications. This can improve the overall security of web applications and protect against potential attacks.

The Broken Web Application (BWA) is an OWASP project that provides a self-contained VM complete with a variety of applications with known vulnerabilities.

The OWASP Broken Web Applications Project provides a collection of vulnerable web applications that can be used for educational and training purposes. These applications are designed to be used by security professionals, developers, and testers to learn about web application security vulnerabilities and how to exploit them.

The Broken Web Applications Project includes a variety of web applications, including ones built on popular platforms and frameworks such as Java, .NET, and Ruby on Rails. These applications are intentionally vulnerable to common security flaws such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).

The included applications are listed below, grouped by category:

  • Training Applications
    • OWASP WebGoat
    • OWASP WebGoat .NET
    • OWASP ESAPI Java SwingSet Interactive
    • OWASP Mutillidae II
    • OWASP RailsGoat
    • OWASP Bricks
    • OWASP Security Shepherd
    • Ghost
    • Magical Code Injection Rainbow
    • bWAPP
    • Damn Vulnerable Web Application
  • Realistic, Intentionally Vulnerable Applications
    • OWASP Vicnum
    • OWASP 1-Liner
    • Google Gruyere
    • Hackxor
    • WackoPicko
    • BodgeIt
    • Cyclone
    • Peruggia
  • Old (Vulnerable) Versions of Real Applications
    • WordPress
    • OrangeHRM
    • GetBoo
    • GTD-PHP
    • Yazd
    • WebCalendar
    • Gallery2
    • Tiki Wiki
    • Joomla
    • AWStats
  • Applications for Testing Tools
    • OWASP ZAP-WAVE
    • WAVSEP
    • WIVET
  • Demonstration Pages / Small Applications
    • OWASP CSRFGuard Test Application
    • Mandiant Struts Forms
    • Simple ASP.NET Forms
    • Simple Form with DOM Cross-Site Scripting
  • OWASP Demonstration Application
    • OWASP AppSensor Demo Application

Security professionals, developers, and testers can use these applications to learn about web application security vulnerabilities and how to identify and exploit them. This can be useful for improving the security of web applications and for understanding the types of attacks that can be used against them.

Installation steps

You can install the OWASP Broken Web Applications Project by performing the following steps:

1. First, download the OWASP Broken Web Applications Project from sourceforge.net. The project is available as a virtual machine or as a set of source code files.

2. Download the OVA file, since we are going to run it on VirtualBox.

3. Launch VirtualBox and select "File" → "Import Appliance" from the menu bar.

4. In the "Appliance to Import" dialog box, click the "Choose" button.

5. Select the OWASP Broken Web Applications Project OVA file that you downloaded previously.

6. Review the import settings and make any necessary changes. Once you have checked them, click the "Finish" button to start the import process.

Wait for the import process to complete. This may take several minutes, depending on the speed of your computer.

7. Once the import process is complete, the OWASP Broken Web Applications Project virtual machine should appear in the VirtualBox Manager.

Your VM is now loaded in the VirtualBox Manager.

8. To access the vulnerable web applications from your host machine, you must configure the network settings of the virtual machine.

By default, the virtual machine is configured to use a NAT network, which allows it to access the internet but does not allow outside connections to access the virtual machine. 

9. To reach the virtual machine from your host machine, change the network settings to use either a bridged network adapter or a host-only network adapter. Host-only is the safer choice: the VM is deliberately insecure, and a bridged adapter would make it reachable from every other device on your LAN. Select the Network section in the left-hand pane, change "Attached to" to Host-only Adapter, and click OK.

10. Now, let's start the Virtual Machine. Select the virtual machine and click the "Start" button to start the virtual machine.

Wait for the virtual machine to boot up. 

11. Once it is ready, you can log in and access the vulnerable web applications.

  • Username: root
  • Password: owaspbwa

12. Open the Firefox browser on your host system, not inside the VM. Enter the URL displayed by the VM; the IP address is specific to your machine.

In your browser, you are presented with an index page containing links to vulnerable web applications. These applications will be used as targets throughout upcoming videos.
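The same import, network isolation and start-up steps can be scripted with VirtualBox's command-line tool, which is handy when rebuilding the lab. The script below is an added example written for this article, not part of the OWASP BWA project; it assumes VBoxManage is on your PATH, that the OVA was downloaded to the path in OVA_PATH, and that your host-only interface is named vboxnet0 (the default on Linux and macOS; Windows uses a different name). It also verifies, before booting, that NIC 1 is host-only and that no adapter is bridged, so the vulnerable VM is never accidentally exposed to the LAN.

```shell
#!/bin/sh
# Example lab-setup helper for OWASP BWA (not from the article or the project).
# Assumptions: VBoxManage on PATH, OVA already downloaded, host-only interface
# named vboxnet0. Override any of these with environment variables.
VM_NAME="${VM_NAME:-OWASP-BWA}"
OVA_PATH="${OVA_PATH:-./OWASP_Broken_Web_Apps.ova}"   # assumed download location
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"                 # assumed host-only adapter name

# Step 3-6: import the appliance under a fixed VM name.
import_ova() {
  VBoxManage import "$OVA_PATH" --vsys 0 --vmname "$VM_NAME"
}

# Step 8-9: switch NIC 1 from the default NAT to host-only, so the host can
# reach the VM but nothing else on the LAN can.
isolate_network() {
  VBoxManage modifyvm "$VM_NAME" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF"
}

# Reads "VBoxManage showvminfo --machinereadable" output on stdin and succeeds
# only when NIC 1 is attached to a host-only adapter.
nic1_is_hostonly() {
  grep -q '^nic1="hostonly"$'
}

# Reads the same output on stdin and prints the name of every bridged NIC.
# Any output here means the intentionally vulnerable VM is exposed to the LAN.
exposed_nics() {
  sed -n 's/^nic\([0-9]*\)="bridged"$/nic\1/p'
}

# Pulls the live VM configuration and applies both checks before boot.
verify_vm() {
  info=$(VBoxManage showvminfo "$VM_NAME" --machinereadable) || return 1
  if ! printf '%s\n' "$info" | nic1_is_hostonly; then
    echo "verify: nic1 of $VM_NAME is not host-only" >&2
    return 1
  fi
  bad=$(printf '%s\n' "$info" | exposed_nics)
  if [ -n "$bad" ]; then
    echo "verify: bridged adapters present on $VM_NAME: $bad" >&2
    return 1
  fi
  echo "verify: $VM_NAME is isolated on $HOSTONLY_IF"
}

# Step 10: boot without a console window; log in and browse from the host.
start_vm() {
  VBoxManage startvm "$VM_NAME" --type headless
}

case "${1:-}" in
  setup)  import_ova && isolate_network && verify_vm && start_vm ;;
  verify) verify_vm ;;
esac
```

Run `sh bwa-lab.sh setup` once to import and boot the VM, and `sh bwa-lab.sh verify` at any later time to confirm the adapter has not been changed to bridged. The two parsing functions take the VBoxManage output on standard input so the checks can be exercised without VirtualBox installed.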
