The bWAPP application is an intentionally vulnerable web application. It was developed for educational purposes – in fact, bWAPP stands for buggy Web APPlication. We will show you how to deploy this web application and we will scan it using Acunetix as an IAST (interactive application security testing) tool.

The bWAPP application has a number of vulnerabilities, some of them easier to exploit than others.

Prepare Your Server – Option 1 (Pre-Compiled Virtual Machine)

  1. Download the virtual machine file here
  2. Unpack the virtual machine file using 7-Zip
  3. Using VirtualBox, create a new virtual machine with:
    • Type: Linux
    • Version: Other Linux (64-bit)
    • Memory Size: 1024Mb
    • Hard Disk: Use an existing virtual hard disk file
      • You will need to add the bee-box.vmdk file (you can find it in the folder that contains your unpacked virtual machine file) to your list of available hard disk images
      • Select bee-box.vmdk and click on the Create button
    • Adjust the network settings for the virtual machine to ensure that it is on a LAN that is reachable from your Acunetix machine

Prepare Your Server – Option 2 (Clean Install on Kali Linux 2020.1b)

First, you need to prepare your server. For this test, start with a clean installation of Kali Linux 2020.1b. Keep to a minimal set of packages:

Update Your Server

Update your server operating system:

sudo apt update
sudo apt upgrade

Prepare Web Server Components

  1. Install Apache, PHP, and MySQL:
    sudo apt install apache2 php mariadb-server php-mysql
    sudo systemctl enable apache2
    sudo systemctl start apache2
    sudo systemctl enable mariadb
    sudo systemctl start mariadb
    
  2. Create a MySQL user for bWAPP. Run the following command:
    sudo mariadb
    
  3. Create a user for bWAPP at the mysql> prompt:
    MariaDB [(none)]> grant all privileges on *.* to 'bwapp_user'@'localhost' identified by 'bwapp_pass';
    MariaDB [(none)]> exit
    
  4. Log back into the MySQL command line as the new user:
    mariadb -u bwapp_user -p
    
  5. Enter the password bwapp_pass; create a database for bWAPP:
    MariaDB [(none)]> create database bWAPP;
    MariaDB [(none)]> exit
    

Download and Configure the bWAPP Web Application

  1. Download the bWAPP application and deploy it to the web server folder:
    wget https://github.com/lmoroz/bWAPP/archive/master.zip -O bWAPP-master.zip
    unzip bWAPP-master.zip
    sudo mv bwapp-master/bWAPP/ /var/www/html/
    sudo chmod 777 /var/www/html/bWAPP/passwords/
    sudo chmod 777 /var/www/html/bWAPP/images/
    sudo chmod 777 /var/www/html/bWAPP/documents/
    
  2. Change the settings to allow bWAPP to connect to the MySQL database using default credentials:
    sudo nano /var/www/html/bWAPP/admin/settings.php
    
  3. Find the lines for MySQL connection parameters. Change them to:
    $db_server = "localhost";
    $db_username = "bwapp_user";
    $db_password = "bwapp_pass";
    $db_name = "bWAPP";
    
  4. Finally, use a browser to go to your bWAPP installation page. For example, http://mybwapp.local/bWAPP/install.php. Click on the here link to install – the browser will show the message bWAPP has been installed successfully!.

Create an Acunetix Target

Define the Target

In the Acunetix UI, go to Targets -> Add Target:

Enter the correct IP address for your server and click on the Save button. You will see a more complete interface to define your target.

Define Site Login Parameters

On the Target Information page:

  1. Enable the Site Login slider
  2. Click on the Use pre-recorded login sequence radio button
  3. Click on the New link to launch the Login Sequence Recorder
    • Enter bee in the Login field
    • Enter bug in the Password field
    • Click on the Login button
  4. Click on the Next button at the bottom of the Login Sequence Recorder window to move to the Record Restrictions phase
    • Create 3 restriction entries:
      • Click on the icon at the top of the right-hand sidebar in the Login Sequence Recorder window to create a new Restricted Request entry
      • In the restriction panel, enter GET http://X.X.X.X/bWAPP/logout.php HTTP/1.1 – replace X.X.X.X with the IP address of your server
      • Click on the icon at the top of the right-hand sidebar in the Login Sequence Recorder window to create a new Restricted Request entry
      • In the restriction panel, enter GET http://X.X.X.X/bWAPP/password_change.php HTTP/1.1 – replace X.X.X.X with the IP address of your server
      • Click on the icon at the top of the right-hand sidebar in the Login Sequence Recorder window to create a new Restricted Request entry
      • In the restriction panel, enter GET http://X.X.X.X/bWAPP/security_level_set.php HTTP/1.1 – replace X.X.X.X with the IP address of your server
  5. Click on the Next button at the bottom of the Login Sequence Recorder window to move to the User Session Detection phase
    • If the Login Sequence Recorder was able to identify a valid set of session identification parameters, it will present a dialog with the message Login Sequence Recorder has successfully identified a pattern to use for detecting session validity
    • If the Login Sequence Recorder was not able to identify a valid set of session identification parameters, you will need to browse one or more pages that are normally only accessible to logged-in users until a valid pattern is identified. Usually, it is enough to go to the Change Password page.
    • Click on the OK button in the dialog
  6. Click on the Finish button at the bottom of the Login Sequence Recorder window
  7. Click on the Save button at the top of the Target Information page

Deploy AcuSensor to the bWAPP Web Application

On the Target Information page:

  1. Enable the AcuSensor slider
  2. Click the Download PHP AcuSensor button. This will download the agent file named acu_phpaspect.php
  3. On the bWAPP server, create a folder from the terminal: mkdir /acusensor
  4. Copy the acu_phpaspect.php file into the /acusensor folder on the bWAPP server
  5. In the bWAPP server terminal window, run the following:
    sudo chmod 777 -R /acusensor/
    
  6. On the bWAPP server, edit the php.ini file:
    • Using a terminal window, run the following:
      • If using option 1 (virtual machine):
        sudo nano /etc/php5/apache2/php.ini
        
      • If using option 2 (Kali Linux 2020.1):
        sudo nano /etc/php/7.3/apache2/php.ini
        
    • Locate the line that defines the auto_prepend_file parameter and change it to:
      auto_prepend_file = /acusensor/acu_phpaspect.php
      
  7. Save the amended file

Now, reboot the bWAPP machine.

Scan the Target

Go to Targets, click on your new target, and click the Scan button. Leave default setting in the Choose Scanning Options dialog and click on the Create Scan button.

While the scan is in progress, the Scan Information page will show its findings, including confirmation that AcuSensor was used for the scan.

Acunetix will be able to use the sequence and perform a more complete scan. You should see over 250 vulnerabilities detected, including a number of high-severity items.

SHARE THIS POST
THE AUTHOR
Kevin Attard Compagno
Technical Writer
Kevin Attard Compagno is a Technical Writer working for Acunetix. A technical writer, translator, and general IT buff for over 30 years, Kevin used to run Technical Support teams and create training documents and other material for in-house technical staff.