In our original Keeping Up With The Hackers post, AppSec expert Dave Ferguson graced our blog with a fantastic post about the tools he uses to keep his hacking skills up to date. For this post, we spoke with Malik Mesellem, another security expert with over 15 years of experience and a love of securing web apps.
Securing our web applications is fast becoming one of the most important aspects of security. We demand that our websites be user-friendly, attractive, dynamic, public-facing and secure, all at the same time. It ends up being an incredibly tough job, and one that attackers have learned to take advantage of, for a few reasons: web apps are always online, they often include mission-critical business applications that contain sensitive data, and they offer direct access to whatever data is stored on the backend. The icing on the cake is that many web apps are custom-made and may not have been designed and written with security in mind.
Application security experts learn to defend their web applications against threats in numerous ways and, as in any profession, must first learn the theory before putting those skills into practice. There’s just one problem with putting your skills into practice – hacking can get you some serious jail time if you hack the wrong places.
Enter bWAPP, an open source, deliberately insecure web application that covers all the biggest vulnerabilities. It serves as an educational tool designed to teach developers and security professionals how to think like hackers, learning to successfully mitigate security risks by learning how attackers discover security vulnerabilities. From OWASP XSS and SQL Injection issues to NSA-style backdoor flaws, bWAPP maintains a healthy list of 60+ vulnerabilities to give white hat hackers the treasure trove they need to be able to succeed in battling malicious hackers.
Malik Mesellem, bWAPP’s Belgian creator, is an IT security professional with over 15 years of experience. He is, self-admittedly, obsessed with web application security. In 2010, Malik founded a security consultancy and auditing company, MME BVBA, and through that he came to the idea of starting a project like bWAPP.
“As a penetration tester, I was looking for a lab environment to test and improve my web application pentesting skills,” Malik says. “There are many deliberately insecure web applications, but most of them lack diversity and flexibility, so that’s why I started to create my own vulnerable application.”
“For me, it was also good practice to learn how to deal with these web vulnerabilities, and to learn some secure coding techniques and best practices,” he continued. Malik says that both building the tool and practicing with it have helped him expand his AppSec expertise. And while Malik created the project initially for himself, he quickly realized it would be well-received by security enthusiasts, systems engineers, developers and students alike.
“Education is the most powerful weapon which we can use to secure the world,” Malik says. “bWAPP is my contribution to free security education.” He added that he hopes the project reaches people in countries that suppress religious and political groups, giving them a way to fight back.
Malik created the project to be hostable on Linux, Windows and Mac: bWAPP is written in PHP, uses a MySQL database and runs under Apache or IIS. It can also be installed with WAMP or XAMPP. Another option is to download the bee-box, a custom Ubuntu Linux virtual machine with bWAPP pre-installed.
Malik created bWAPP as part of his ITSEC Games project – “a fun approach to IT security education,” as he describes it. His consultancy firm, MME, works with organizations to bolster their security, through ethical hacking courses and workshops, as well as performing penetration testing and security audits.
OWASP is currently working on adding bWAPP to their BWA (Broken Web Apps) project, which offers a virtual machine of vulnerable, open source web apps similar to bWAPP. The idea behind both projects is the same: gain the hands-on experience you need to be the most successful security practitioner you can be, by learning through breaking.
“It’s all about testing, testing, testing,” Malik says. “Would you be at ease with a pilot who had just read the manual of his plane?”
You can practice your hacking skills on bWAPP here. Bonus: Malik just released version 1.9 with new vulnerabilities. Here’s a Stack Overflow Q&A on other deliberately insecure web apps with a running list of projects.