Wednesday, July 25, 2012

OWASP BWA VM version 1.0 released

Hello OWASP Leaders,

Today, I am proud to announce the release of the OWASP Broken Web
Applications Project VM version 1.0. This new release is now available
for download from https://sourceforge.net/projects/owaspbwa/files/.
If you are not familiar with the project, we produce a VM containing a
variety of web applications with security vulnerabilities.  A list of
the applications included on the current 1.0 release is at the bottom
of this email for your reference.

In addition to just using the applications, the VM has a few other
interesting features:

- Samba shares for editing and viewing source code, configuration
files, and log files
- Scripts for easily recompiling applications (that need compilation
for source code changes to take effect)
- ModSecurity is installed and the OWASP Core Rule Set can be easily enabled

One major effort we have undertaken as part of the 1.0 release is to
update the project documentation.  We now have a relatively detailed
User Guide at http://code.google.com/p/owaspbwa/wiki/UserGuide.

Going forward, my plans for the project are to:
- Work to move the project "up the list" to a be a "Stable Quality"
OWASP project.
- Continue to improve documentation
- Continue to catalog vulnerabilities in the VM
- Periodically release new versions as the applications included on
the VM are updated.

I welcome any feedback and contributions to this project.  Feel free
to email me directly or join our Google Group.  I will also be
demonstrating the new release at the Black Hat USA Arsenal this week,
so you can also catch me there if you will be in Vegas.

Chuck Willis


The lists below are current as of the 1.0 release of OWASP BWA.

Training Applications -  Applications designed for learning which
guide the user to specific, intentional vulnerabilities.

- OWASP WebGoat version 5.4+SVN (Java)
- OWASP WebGoat.NET version 2012-07-05+GIT
- OWASP ESAPI Java SwingSet Interactive version 1.0.1+SVN
- Mutillidae version 2.2.3 (PHP)
- Damn Vulnerable Web Application version 1.8+SVN (PHP)
- Ghost (PHP)

Realistic, Intentionally Vulnerable Applications - Applications that
have a wide variety of intentional security vulnerabilities, but are
designed to look and work like a real application.

- OWASP Vicnum version 1.5 (PHP/Perl)
- Peruggia version 1.2 (PHP)
- Google Gruyere version 2010-07-15 (Python)
- Hackxor version 2011-04-06 (Java JSP)
- WackoPicko version 2011-07-12+GIT (PHP)
- BodgeIt version 1.3+SVN (Java JSP)

Old Versions of Real Applications - Open source applications with one
or more known security issues.

- WordPress 2.0.0 (PHP, released December 31, 2005) with plugins:
  o myGallery version 1.2
  o Spreadsheet for WordPress version 0.6
- OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
- GetBoo version 1.04 (PHP, released April 7, 2008)
- gtd-php version 0.7 (PHP, released September 30, 2006)
- Yazd version 1.0 (Java, released February 20, 2002)
- WebCalendar version 1.03 (PHP, released April 11, 2006)
- Gallery2 version 2.1 (PHP, released March 23, 2006)
- TikiWiki version 1.9.5 (PHP, released September 5, 2006)
- Joomla version 1.5.15 (PHP, released November 4, 2009)
- AWStats version 6.4 (build 1.814, Perl, released February 25,2005)

Applications for Testing Tools - Applications designed for testing
automated tools like web application security scanners.

- OWASP ZAP-WAVE version 0.2+SVN (Java JSP)
- WAVSEP version 1.2 (Java JSP)
- WIVET version 3+SVN (Java JSP)

Demonstration Pages / Small Applications - Little applications or
pages with intentional vulnerabilities to demonstrate specific
concepts.

- OWASP CSRFGuard Test Application version 2.2 (Java)
- Mandiant Struts Forms (Java/Struts)
- Simple ASP.NET Forms (ASP.NET/C#)
- Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

OWASP Demonstration Applications - Demonstration of an OWASP
application. Does not contain any intentional vulnerabilties.

- OWASP AppSensor Demo Application (Java)

No comments: