is part of

hosted at Logo
Screen shot - using SQL Injection to change the administrator login and password
InsecureWebApp Screenshot. Using SQL Injection to change the administrator login and password

 About InsecureWebApp

InsecureWebApp is a web application that includes common web application vulnerabilities (see for more information). It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling.

InsecureWebApp is primarily a teaching aid to challenge and improve secure design and coding skills. Architects and developers need to learn how to identify vulnerabilities in a real web application. The goals of this tool are threefold: 1) demonstrate how dangerous application vulnerabilities can be, 2) close the gap between the theory of web application security and the actual code that we design and build, 3) learn how these vulnerabilities can be fixed.

InsecureWebApp assumes that you already know some theory about web application vulnerabilities in particular parameter tampering, broken authentication, SQL injection and HTML injection. To learn more, please see's Guide and use the WebGoat training environment.


Some screenshots are available of example vulnerabilties including HTML and SQL injection.


Download it and see if you're up to the challenges listed in the instructions. Spotting a vulnerability as part of a code review is a key skill but it's not easy - even when the code is simple and small...


The InsecureWebApp project was conceived in 2004 by Lawrence Angrave. It was licensed to the community as an open source project in April 2005. InsecureWebApp is sponsored by IsthmusGroup, Madison Wisconsin and is an OWASP project.


InsecureWebApp is an open source project available for download here. It as available as Eclipse 3 project with source, a zip of deployable war file that can be dropped into Tomcat, or as a Tomcat server with the war file already included. Note, only the Eclipse version includes the project source code.