Today I am going to tell you about a really interesting web app that helps you practise basic (and some advanced) pentesting techniques. I am talking about bWAPP.
bWAPP, or buggy web application, is a free and open source deliberately insecure web application.
bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 100 web bugs! It covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project. The focus is not just on one specific issue... bWAPP covers a wide range of vulnerabilities! Some of them are: SQL injections, privilege escalations, local and remote file inclusions, directory traversals... and a lot more!
Let's download and configure it on your Linux OS.
I could not access the web page due to restrictions, but if you use torghost (as I explained in this post), you can. The URL to download the app is: www.itsecgames.com
There is a "Download" link where you can download it as a zip file. Extract the file and copy the bWAPP folder into /var/www/html/
Go to the folder /var/www/html/bWAPP/admin and open the settings.php script in a text editor.
Now locate the line $db_password = "bug"; inside the script and delete the word bug (leaving an empty string), save the script and exit.
Open a new terminal and start Apache2 with the command service apache2 start. Start the MySQL server too by typing service mysql start and hitting enter.
Open a new tab in Firefox and enter the following URL:
Now you should see: click here to install bWAPP. Click it, then go to the login section and log in to the bWAPP panel. The default username is bee and the password is bug.
You may get the following error:
If you get the above error, it means your bWAPP database is not listed in MySQL.
To solve this error, open up the terminal and run the following commands:
- unzip bWAPP_latest.zip -d /var/www/html/
- sudo chmod -R 777 /var/www/html/bWAPP
- kali@kali:~/Downloads$ service apache2 start
- kali@kali:~/Downloads$ service mysql start
And now, if you return to the URL localhost/bWAPP, you will get a message saying 'bWAPP has been installed successfully'. Navigate through all the different bugs and explore this app; I highly recommend it, as you can practise a lot of (white hat) hacking attacks.
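The install steps above as a single script, added here as an example (it is not part of the original post or of bWAPP itself). The zip path, web root and Apache user are assumptions for a Debian/Kali box; it uses ownership by the web server user in place of the chmod -R 777 from the commands above, which is the more restrictive choice on a lab VM.

```shell
#!/bin/sh
# Scripted bWAPP setup (added example; paths below are assumptions).
set -eu

BWAPP_ZIP="${BWAPP_ZIP:-$HOME/Downloads/bWAPP_latest.zip}"  # assumed download location
WEBROOT="${WEBROOT:-/var/www/html}"                          # Apache document root
WEB_USER="${WEB_USER:-www-data}"                             # Apache user on Debian/Kali

# Rewrite the $db_password line of a bWAPP settings.php so it holds the given
# password. The post empties it (pass ""), because Kali's MySQL root has no
# password by default. Returns 1 if the file has no such line.
# (The password must not contain / or &, which are special to sed.)
set_db_password() {
    file="$1"
    pw="$2"
    grep -q '^\$db_password' "$file" || return 1
    sed -i 's/^\$db_password[[:space:]]*=[[:space:]]*"[^"]*";/$db_password = "'"$pw"'";/' "$file"
}

# Unpack the archive into the web root, fix the DB password, hand the tree to
# the web server user instead of making it world-writable, and start services.
deploy_bwapp() {
    unzip -q -o "$BWAPP_ZIP" -d "$WEBROOT"
    set_db_password "$WEBROOT/bWAPP/admin/settings.php" ""
    chown -R "$WEB_USER":"$WEB_USER" "$WEBROOT/bWAPP"
    service apache2 start
    service mysql start
    echo "Now open http://localhost/bWAPP/install.php in your browser and click install."
}

# Only deploy when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "deploy" ]; then
    deploy_bwapp
fi
```

Run it as `sudo sh setup_bwapp.sh deploy` after downloading the zip; sourcing the file without the argument just defines the functions.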
Hope you find this post useful!