bWAPP, or a buggy web application, is a deliberately insecure web application. bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux and Windows.

https://github.com/jehy-security/bwapp

https://sourceforge.net/projects/bwapp/

Installation

1. Download the main file

2. Make a directory in /var/www/html and unzip the downloaded file there

  • sudo mkdir /var/www/html/bWAPP
  • sudo mv bWAPP_latest.zip /var/www/html/bWAPP/
  • cd /var/www/html/bWAPP/
  • ls
  • sudo unzip bWAPP_latest.zip

3. Once all the files are extracted, navigate to ./bWAPP/admin

  • cd bWAPP/admin/
  • ls

4. Make sure to start apache & mysql services

  • sudo service mysql start
  • sudo service mysql status
  • sudo service apache2 start
  • sudo service apache2 status

5. Modify the SQL credentials in settings.php; these are the credentials used to log in to mysql

  • cat settings.php

Confirm you can log in to mysql using the same credentials you put in settings.php

  • mysql -u root -p
  • show databases;

Extra

If you still have issues, you can set the database password by logging in to mysql and running the statements below. Change the user and password at will.

  • ALTER USER 'root'@'localhost' IDENTIFIED BY 'bug';
  • flush privileges;

6. Give full permissions to the following directories: documents, images, passwords & logs

  • sudo chmod 777 documents/
  • sudo chmod 777 images/
  • sudo chmod 777 passwords/
  • sudo chmod 777 logs/
  • ls -ld documents images passwords logs

7. Now access the application from the browser. You will probably see the following error

  • http://127.0.0.1/bWAPP/bWAPP/login.php

8. To fix it, access /bWAPP/bWAPP/install.php and click on “here”

  • http://127.0.0.1/bWAPP/bWAPP/install.php

9. After that, this message should show

10. Now click on log in to get back to the page where we got the error

  • 127.0.0.1/bWAPP/bWAPP/login.php

11. The credentials are bee/bug

12. There you can do the following

  • Change current password
  • Create a new user
  • Change security level
  • Reset the database
  • Select the instance to test “choose your bugs”
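
A preflight check for steps 4 to 6, useful when login.php still errors after the install. This is an added example, not part of the original guide or of bWAPP: it reads the database credentials from admin/settings.php, lists any of the four directories that are missing or not mode 777, and retries the step 5 mysql login with those credentials. The variable names db_username and db_password, and the layout with the four directories next to admin/, are assumptions about the extracted archive.

```sh
#!/bin/sh
# Added example: preflight check for steps 4-6 of the install above.
# Assumptions: $1 is the extracted bWAPP folder that contains admin/, and
# admin/settings.php assigns $db_username / $db_password as quoted strings.

# Print the quoted value assigned to PHP variable $2 in file $1.
php_setting() {
    sed -n "s/^[[:space:]]*\\\$${2}[[:space:]]*=[[:space:]]*[\"']\\(.*\\)[\"'];.*/\\1/p" "$1" | head -n 1
}

# Print each directory from step 6 that is missing or not mode 777.
unwritable_dirs() {
    for d in documents images passwords logs; do
        perms=""
        if [ -d "$1/$d" ]; then
            perms=$(ls -ld "$1/$d" | cut -c1-10)
        fi
        [ "$perms" = "drwxrwxrwx" ] || printf '%s\n' "$d"
    done
}

# Run every check against the application root in $1; non-zero on failure.
preflight() {
    rc=0
    cfg="$1/admin/settings.php"
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }
    user=$(php_setting "$cfg" db_username)
    pass=$(php_setting "$cfg" db_password)
    echo "settings.php database user: ${user:-<not found>}"
    bad=$(unwritable_dirs "$1")
    if [ -n "$bad" ]; then
        echo "FAIL: missing or not mode 777:" $bad
        rc=1
    fi
    # Same login as step 5, using the credentials read from settings.php.
    if command -v mysql >/dev/null 2>&1; then
        MYSQL_PWD="$pass" mysql -u "$user" -e 'show databases;' >/dev/null 2>&1 \
            || { echo "FAIL: mysql rejected the settings.php credentials"; rc=1; }
    else
        echo "SKIP: mysql client not found"
    fi
    return "$rc"
}

# Runs only when a path is given, e.g. /var/www/html/bWAPP/bWAPP
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```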