InsecureWebApp
An OWASP project, hosted at SourceForge.net
Screenshot: using SQL injection to change the administrator login and password

 About InsecureWebApp

InsecureWebApp is a web application that includes common web application vulnerabilities (see owasp.org for more information). It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling.

InsecureWebApp is primarily a teaching aid to challenge and improve secure design and coding skills. Architects and developers need to learn how to identify vulnerabilities in a real web application. The goals of this tool are threefold: 1) demonstrate how dangerous application vulnerabilities can be, 2) close the gap between the theory of web application security and the actual code that we design and build, 3) learn how these vulnerabilities can be fixed.

InsecureWebApp assumes that you already know some theory about web application vulnerabilities, in particular parameter tampering, broken authentication, SQL injection and HTML injection. To learn more, please see owasp.org's Guide and use the WebGoat training environment.
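As an added illustration of the attack in the screenshot above, here is a profile-update query built by string concatenation beside a parameterised version. This is example code written for this page, not code from InsecureWebApp (its Java source ships only with the Eclipse download); the table, column names and the injected payload are assumptions. The vulnerable version takes both the user id and the new password from the request, so it is open to SQL injection and to parameter tampering at once; the fixed version binds the password as a value and takes the user id from the server-side session.

```python
import sqlite3

# Constructed schema and rows for illustration only; InsecureWebApp's real
# tables and columns are not reproduced here.
def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "alice", "alicepw")])
    conn.commit()
    return conn

def update_password_vulnerable(conn, user_id, new_password):
    """Builds the UPDATE by string concatenation. Both arguments arrive from
    the request, so the client controls the SQL text (injection) and the row
    being updated (parameter tampering)."""
    sql = ("UPDATE users SET password='" + new_password + "'"
           " WHERE id=" + str(user_id))
    conn.execute(sql)
    conn.commit()
    return sql

def update_password_fixed(conn, session_user_id, new_password):
    """Parameterised statement: new_password is bound as a value and cannot
    alter the SQL text. The row is chosen by the id held in the server-side
    session rather than by a request parameter, so it cannot be tampered with."""
    conn.execute("UPDATE users SET password=? WHERE id=?",
                 (new_password, session_user_id))
    conn.commit()

def credentials(conn, user_id):
    return conn.execute("SELECT login, password FROM users WHERE id=?",
                        (user_id,)).fetchone()

# Hypothetical payload typed into the "new password" field by alice (id 2).
# It closes the quoted value, adds a second SET column, retargets the WHERE
# clause at the admin row and comments out the rest of the statement.
PAYLOAD = "x', login='hacker' WHERE id=1 --"

def run_vulnerable():
    """Returns (admin row, alice row) after alice submits PAYLOAD to the
    concatenating version: the admin login and password are overwritten."""
    conn = new_db()
    update_password_vulnerable(conn, 2, PAYLOAD)
    return credentials(conn, 1), credentials(conn, 2)

def run_fixed():
    """Same payload against the parameterised version: it becomes alice's
    literal password and the admin row is untouched."""
    conn = new_db()
    update_password_fixed(conn, 2, PAYLOAD)
    return credentials(conn, 1), credentials(conn, 2)

if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("fixed:     ", run_fixed())
```

Two points worth noticing when reviewing code like this: bound parameters (a JDBC PreparedStatement in a Java application) stop the password value from changing the statement, but they do nothing about which row is updated, which is why the fixed version ignores any id sent by the client; and the payload never needs a second statement, so a driver that refuses multiple statements per call is not a defence.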

 Screenshots

Screenshots of example vulnerabilities, including HTML and SQL injection, are available.

 Challenge

Download it and see if you're up to the challenges listed in the instructions. Spotting a vulnerability as part of a code review is a key skill, but it's not easy, even when the code is simple and small...

 History

The InsecureWebApp project was conceived in 2004 by Lawrence Angrave. It was licensed to the community as an open source project in April 2005. InsecureWebApp is sponsored by IsthmusGroup, Madison Wisconsin and is an OWASP project.

 Download

InsecureWebApp is an open source project available for download here. It is available as an Eclipse 3 project with source, as a zip containing a deployable WAR file that can be dropped into Tomcat, or as a Tomcat server with the WAR file already included. Note that only the Eclipse version includes the project source code.