Tuesday, January 14, 2014

bWAPP: bee-box an extremely Buggy web app !

Posted by at Tuesday, January 14, 2014 Read our previous post

bee-box is a custom Linux VMware virtual machine pre-installed with bWAPP, our extremely buggy web application.

bee-box gives you several ways to hack and deface the bWAPP website. It's even possible to hack the bee-box to get full root access...

With bee-box you have the opportunity to explore all bWAPP vulnerabilities! Hacking, defacing and exploiting without going to jail... how cool is that? :)

You can download bee-box from here. Have fun!



bWAPP includes:

  • Injection vulnerabilities like SQL, XML/XPath, LDAP, HTML, Server-Side Includes, Command and SMTP injection
  • Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
  • AJAX and Web Services issues (JSON/XML/SOAP)
  • PHP CGI remote code execution
  • Malicious, unrestricted file uploads
  • Authentication, authorization and session management issues
  • Arbitrary file access and directory traversals
  • Local and remote file inclusions (LFI/RFI)
  • Configuration issues: Man-in-the-Middle, Cross-domain policy file, information disclosures,...
  • HTTP parameter pollution and HTTP response splitting
  • Denial-of-Service (DoS) attacks
  • HTML5 ClickJacking, Cross-origin resource sharing (CORS) and web storage issues
  • Unvalidated redirects and forwards
  • Parameter tampering, HTTP verb tampering and cookie poisoning
  • Insecure WebDAV and FTP
  • Backdoor files
  • Insecure cryptographic storage



bWAPP is a PHP application that uses a MySQL database.

It can be hosted on Linux and Windows using Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.
This project is part of the ITSEC GAMES project.

You can find more about bWAPP on this blog very soon.

We will cover the installation procedure and most of the web application issues/bugs.






These are the requirements for installing bee-box:

  • Windows, Linux or Mac OS
  • VMware Player, Workstation or Fusion

An overview of the installation steps:

  • Extract the 'rar' file.
  • Double click on the VM configuration file (bee-box.vmx), or import the VM into the VMware software.
  • Start the VM. It will login automatically.
  • Check the IP address of the VM.
  • Go to the bWAPP login page. If you browse the bWAPP root directory you will be redirected. 
    example: http://[IP]/bWAPP/ example: http://[IP]/bWAPP/login.php
  • Login with the default bWAPP credentials, or make a new user. 
    default credentials: bee/bug
  • You are ready to explore and exploit the bee!


Some additional notes:

  • Linux credentials:
    bee/bug - root/bug
  • MySQL credentials:
  • Modify the Postfix settings (relayhost,...) to your environment.
    config file: /etc/postfix/
  • Take a snapshot of the VM before hacking the bee-box.
    There is also a backup of the bWAPP website (/var/www/bWAPP_BAK).
  • To reinstall the bWAPP database, delete the database with phpmyadmin

    Afterwards, browse to the following page: https://[IP]/bWAPP/install.php
  • Don't upgrade the Linux operating system, you will lose all fun :)
  • Check the SecurityTube ( for some amazing hacking videos.
    Thanks Vivek!

We also offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'. This course can be scheduled on demand, at your location!



This project is part of the ITSEC Games project. ITSEC Games are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC Games and bWAPP projects on our blog.


(Size: 1.3G)


  • Filename: bee-box_v1.0.rar
  • File size: 1.3G
  • MD5: E93740BA4698DBD43213DF133B4F30D4
  • SHA1: 9C1C9A8AFD8120A8403D2C5D5A00E748D816C5AC


  1. BlueHost is ultimately the best website hosting provider for any hosting plans you need.


    Get professional trading signals delivered to your cell phone daily.

    Follow our trades right now and gain up to 270% per day.


[#] iNFO [#]

All the information provided on this site is for educational purposes only.
The site and it's author is in no way responsible for any misuse of the information.
©2012 Security is just an Illusion is powered by Blogger - Template designed by Stramaxon - Best SEO Template