Tuesday, January 14, 2014

bWAPP Insecure Cryptographic Storage




bWAPP, or buggy web application, is a deliberately insecure web application.
bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. It prepares you to conduct successful penetration testing and ethical hacking projects. It is for educational purposes only.

What makes bWAPP so unique? Well, it has over 60 web bugs!
bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!

The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.

You can download bWAPP from here. Have fun!
It's also possible to download our bee-box, a custom Linux VM pre-installed with bWAPP.


Insecure Cryptographic Storage



In this exercise you can create a new user; the username and password are saved on the server in a plain txt file.

Time to Add New User



The account was added!

Download the file @


Vuln : 1

Looking at accounts.txt we see every password saved in clear text, one account per line:

'000', '000'

'bwapp', 'pentest'

'hacker', 'icanseeyou'


Vuln : 2

Log out of your user and reload accounts.txt on the server.

The file is still served: it sits under the web root with public read access, so anyone who knows (or guesses) the URL can fetch accounts.txt without a session and read every account.
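The two findings above, as an added example that is not bWAPP's own code: the plaintext writer next to a hardened version that stores a salted PBKDF2-HMAC-SHA256 record instead of the password (Vuln 1), creates the file owner-only (Vuln 2), and checks that the storage path is not under the document root. File names, function names, the iteration count and the sample accounts are constructed for this illustration.

```python
"""Added example (not bWAPP's code): insecure vs. hardened credential storage."""
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed sample, in the format seen in accounts.txt on the page.
SAMPLE_ACCOUNTS = [("000", "000"), ("bwapp", "pentest"), ("hacker", "icanseeyou")]

# Assumption: a work factor in the range currently recommended for PBKDF2-SHA256.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(path, accounts):
    """Vuln 1: the bWAPP behaviour, credentials written verbatim."""
    with open(path, "w") as f:
        for user, pw in accounts:
            f.write(f"'{user}', '{pw}'\n")


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash (all hex)."""
    if salt is None:
        salt = secrets.token_bytes(16)          # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record, password):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def store_hashed(path, accounts, iterations=PBKDF2_ITERATIONS):
    """Hardened: hash before writing; create the file mode 0600 (Vuln 2)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for user, pw in accounts:
            f.write(f"{user}:{hash_password(pw, iterations=iterations)}\n")


def load_records(path):
    """Parse the hardened file back into {user: record}."""
    records = {}
    with open(path) as f:
        for line in f:
            user, record = line.rstrip("\n").split(":", 1)
            records[user] = record
    return records


def plaintext_leak(path, accounts):
    """Passwords that appear verbatim in the file: what the downloader gets."""
    with open(path) as f:
        data = f.read()
    return [pw for _, pw in accounts if f"'{pw}'" in data]


def is_web_served(path, docroot):
    """True if path lies under the web server's document root (Vuln 2 check)."""
    path, docroot = os.path.abspath(path), os.path.abspath(docroot)
    return os.path.commonpath([path, docroot]) == docroot


def demo(iterations=PBKDF2_ITERATIONS):
    """Write both files into a temp dir and report what each one exposes."""
    d = tempfile.mkdtemp()
    plain = os.path.join(d, "accounts.txt")
    hashed = os.path.join(d, "accounts.db")
    store_plaintext(plain, SAMPLE_ACCOUNTS)
    store_hashed(hashed, SAMPLE_ACCOUNTS, iterations)
    recs = load_records(hashed)
    return {
        "leaked": plaintext_leak(plain, SAMPLE_ACCOUNTS),     # all three passwords
        "login_ok": verify_password(recs["bwapp"], "pentest"),
        "login_wrong": verify_password(recs["bwapp"], "icanseeyou"),
        "mode": os.stat(hashed).st_mode & 0o777,              # 0o600
    }


if __name__ == "__main__":
    print(demo())
    print("served:", is_web_served("/var/www/html/accounts.txt", "/var/www/html"))
```

The hardened file still lets the application log users in (the salt and iteration count travel with the record), but a copy of it no longer yields a password without an offline guessing attack, and the 0600 mode plus the document-root check stop the file from being fetched anonymously in the first place. The path check is only a guard; the real fix is to keep credential storage outside the web root entirely.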




[#] iNFO [#]

All the information provided on this site is for educational purposes only.
The site and its author are in no way responsible for any misuse of the information.
©2012 Security is just an Illusion is powered by Blogger - Template designed by Stramaxon - Best SEO Template