Category:OWASP Insecure Web App Project

InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling.

InsecureWebApp is primarily a teaching aid to challenge and improve secure design and coding skills. Architects and developers need to learn how to identify vulnerabilities in a real web application. The goals of this tool are threefold: 1) demonstrate how dangerous application vulnerabilities can be, 2) close the gap between the theory of web application security and the actual code that we design and build, 3) learn how these vulnerabilities can be fixed.

InsecureWebApp assumes that you already know some theory about web application vulnerabilities in particular parameter tampering, broken authentication, SQL injection and HTML injection. To learn more, please see owasp.org's Guide Project and use the OWASP WebGoat Project training environment.

Screenshots
Some screenshots are available of example vulnerabilties including HTML and SQL injection.

Challenge
Download it and see if you're up to the challenges listed in the instructions. Spotting a vulnerability as part of a code review is a key skill but it's not easy - even when the code is simple and small...

History
The InsecureWebApp project was conceived in 2004 by Lawrence Angrave. It was licensed to the community as an open source project in April 2005. InsecureWebApp is sponsored by IsthmusGroup, Madison Wisconsin and is an OWASP project.

Download
InsecureWebApp is an open source project available for download here. It as available as Eclipse 3 project with source, a zip of deployable war file that can be dropped into Tomcat, or as a Tomcat server with the war file already included. Note, only the Eclipse version includes the project source code.