Release notes for the Open Web Application Security Project (OWASP)

Broken Web Applications Project, a collection of vulnerable web

applications that is distributed on a Virtual Machine in VMware format
compatible with their no-cost and commercial VMware products.
More information about the project can be found at
http://www.owaspbwa.org/.
The VM can be downloaded as a .zip file or as a much smaller .7z 7-zip
Archive. BOTH FILES CONTAIN THE EXACT SAME VM! We recommend that you
download the .7z archive if possible to save bandwidth (and time).
7-zip is available for Windows, Mac, Linux, and other Operating Systems.
!!! This VM has many serious security issues. We strongly recommend that
you run it only on the "host only" or "NAT" network in the virtual machine
settings !!!
Version 0.94 - 2011-07-24
- No changes from 0.94rc3.
Version 0.94rc3 - 2011-07-14
- More fixes to hackxor applications (thanks again to Albino Wax).
Version 0.94rc2 - 2011-07-13
- Fixes to hackxor applications (thanks to Albino Wax for fixes).
Version 0.94rc1 - 2011-07-11
- Added a number of new applications, including Gruyere, Hackxor,
WackoPicko, BodgeIt, TikiWiki, Joomla, Gallery2, WebCalendar, AWStats,
and ZAP-Wave (thanks to Mike Cyr for lots of work in this area).
- New and improved "home" page in the VM (thanks again to Mike Cyr).
Version 0.93rc1 - 2011-01-19
- Rebuilt OrangeHRM database to fix login issue (thanks to Dave van Stein
for reporting this)
- Configured mod_proxy on Apache web server to reverse proxy applications
running on Tomcat web server. Disabled direct access to Tomcat server
- Installed ModSecurity to 2.5.13 from source (needed by Core Rule Set)
- Configured the ModSecurity Core Rule Set. It is disabled by default,
but can be enabled through the use of new shell scripts in
/usr/local/bin
- Adjusted Samba shares to follow symlinks
- Removed some miscellaneous old / duplicate files
- Attempted to fix phpBB issues, but was unsuccessful. That application
is broken for this release and marked as such in the index.html file
(thanks to Dave van Stein for reporting this issue)
Version 0.92rc2 - 2010-11-15
- Fixed bug with MySQL databases not starting properly (thanks to Tom
Neaves for reporting this)
Version 0.92rc1 - 2010-11-10
- Developed method for tracking known issues in the applications at
http://sourceforge.net/apps/trac/owaspbwa/report/1.
- Updated base OS to Ubuntu 10.04 LTS
- Updated DVWA to SVN version > 1.07
- Updated Mutillidae to version 1.5
- Updated WebGoat to SVN version > 5.3
- Added and configured three "real" applications suggested by Matt Tesauro:
- Added application: GetBoo version 1.04

(http://sourceforge.net/projects/getboo/files/)
- Added application: GTD-PHP version 0.7
(http://sourceforge.net/projects/gtd-php/files/)
- Added application: OrangeHRM version 2.4.2
(http://www.orangehrm.com/)
- Fixed bug in DVWA database permissions that was preventing stored XSS
from working (thanks to Owen Wright for reporting this)
Version 0.91rc1 - 2010-03-24
- Updated OWASP Vicnum to version 1.4
(http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project)
- Added application: Ghost (http://webdevelopmentsolutions.org/)
- Added application: Peruggia version 1.2
(http://peruggia.sourceforge.net/)
- Added application: OWASP AppSensor Demo
(http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project)
- Fixed bug where VM would sometimes not get an address from DHCP on
boot
- Fixed bug where PHP magic quotes were enabled for some applications,
preventing SQL Injection
- Changed password for some applications to match standard users named
'admin' and 'user' with the password the same as the username
- Moved databases, applications that run on Apache web server, some
configuration files, and some applications that run on Tomcat web
server into SVN with symlinks to the SVN directory in the normal file
system.
- Fixed bug in where permissions on /var/www/dvwa were not set properly
(thanks to Dale Castle for reporting this)
Version 0.9 - 2009-11-11
- Initial Release