bWAPP - Bug fixes and new features - BestCyberNews: Online News Presenter in the present world

bWAPP - Bug fixes and new features

bWAPP, the buggy web application, is a free and open source web application built to help security enthusiasts, students and developers better secure web applications.
It includes all vulnerabilities from the OWASP Top 10 project.
bWAPP prepares you to conduct successful penetration testing and ethical hacking projects.

Download bWAPP from here.

Another possibility is to download our bee-box, a custom Linux VM pre-installed with bWAPP. Bee-box gives you several ways to hack and deface the bWAPP web application. It's even possible to hack the bee-box to get full root access... With bee-box you have the opportunity to explore all bWAPP vulnerabilities. Hacking, defacing and exploiting without going to jail... how cool is that!?!

Download bee-box from here.
Current version: bWAPP v1.5

Release date: 09/09/2013

Total bugs: > 55

New features 

  • ClickJacking (Movie Tickets)
  • Cross-Domain Policy File
  • Cross-Site Scripting - Reflected (HREF)
  • Cross-Site Scripting - Reflected (PHP_SELF)
  • HTML5 Web Storage (Secret)
  • HTTP Parameter Pollution
  • Insecure Direct Object References (Price)

Bug fixes

  • Input validation and error handling
  • XSS issues :)

Modifications

  • SQL Injection (Login) > welcome message has changed
  • New vulnerable XSS validation check (medium level)
  • test.php file > extra urldecode function
--

Version: bWAPP v1.4

Release date: 15/07/2013

Total bugs: > 50

New features 

  • LDAP Injection
  • Client-Side Validation (Password)
  • PHP Eval Function
  • Remote and Local File Inclusion
  • Unsecure files: phpinfo.php, config.inc, test.php
  • Integration with bee-box (Ubuntu OS)

Bug fixes

  • Input validation and error handling

Modifications

  • Bugs are rearranged according to the OWASP Top 10 project (A1 to A10)
  • Creation of users without e-mail activation
  • New hero table with passwords in clear text
  • SQL Injection (Login) > applied to the new hero table
--

Version: bWAPP v1.3

Release date: 20/01/2013

Total bugs: 47

New features 

  • SQL Injection (Select)
  • Broken Authentication - Forgotten Function
  • Broken Authentication - Password Attacks
  • Authorization Testing - Restrict Folder Access

Bug fixes

  • HTML5 issues

Modifications

  • Better compatibility with IE9
  • Stylesheet modifications
  • Favicon
  • Filename 'config.inc' changed to 'config.inc.php'
--


Version: bWAPP v1.2

Release date: 17/01/2013

New features 

  • Cross-Site Scripting - Stored (Cookies)
  • Cross-Site Request Forgery (Secret)
  • Insufficient Transport Layer Protection
  • Security Misconfiguration - MiTM (HTTP)
  • Security Misconfiguration - MiTM (SMTP)
  • Security Misconfiguration - Robots
  • Information Disclosure - Robots
  • Insecure Direct Object References (Secret)
  • Session Management - Cookies (Secure)
  • Session Management - Strong Sessions

Bug fixes

  • CSRF: code optimization and error handling
  • Cookie 'security_level' is vulnerable to injection (I'm really sorry, this was not intentional :p )

Modifications

  • Name change: Session Management - Cookie Security >> Session Management - Cookies (HTTPOnly)
  • Name change: Cross-Site Scripting - Stored >> Cross-Site Scripting - Stored (Blog)
--


Version: bWAPP v1.1

New features

  • HTML Injection - Reflected (Current URL)
  • Cross-Site Scripting - Reflected (Back Button)
  • XML and XPath Injection (Login)
  • XML and XPath Injection (Search)

Bug fixes 

  • Directory traversal: wrong directory in GET parameter (directory images/ has changed to documents/)
--

Version: bWAPP v1.01

New features

  • none

Bug fixes

  • PHP session errors
  • Connection setting issues (setting 'localhost:3306' not valid)
  • Time period for the 'security_level' cookie has changed to 1 year

Source: 
http://itsecgames.blogspot.fr