Web Security Testing Framework


bWAPP, or a buggy web application, is a free and open source deliberately insecure web application developed by MME. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. "A security testing framework made for educational purposes".


What makes bWAPP so unique? Well, it has over 100 different web vulnerabilities and issues!
It covers all major known web bugs, including all risks from the OWASP Top 10 project. The OWASP Top 10 represents a broad consensus about what the most critical web application security flaws are.

Open source

bWAPP is an open source PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP. Another possibility is to download our bee-box, a virtual machine pre-installed with bWAPP.
bWAPP and bee-box can both be downloaded from here.


Portal      Shellshock

SQL injection      Drupageddon

CAPTCHAs      Web Services - SOAP

ClickJacking      Web Services - SOAP


  • Injections including SQL, SSI, XML,...
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Web Services issues (SOAP/WSDL)
  • Heartbleed bug (OpenSSL)
  • Shellshock vulnerability (CGI)
  • Drupageddon & Drupalgeddon2 (new!)
  • Local/remote file inclusions (LFI/RFI)
  • XML External Entity attacks (XXE)
  • Denial-of-Service (DoS) attacks

Contact us

Do not hesitate to contact us if you have any questions. We will gladly help you!