Installing OWASP BWA

OWASP Broken Web Applications (BWA) is a collection of deliberately vulnerable web applications maintained by the OWASP project for learning and practicing web security. It ships as a single virtual machine that bundles many web applications, each with its own set of vulnerabilities.

⚠️ Warning: OWASP BWA intentionally contains security vulnerabilities. Never connect it to public networks or the Internet. Use only in isolated lab environments.


About OWASP BWA

OWASP BWA includes numerous vulnerable applications such as:

  • WebGoat - OWASP's interactive learning environment
  • DVWA (Damn Vulnerable Web Application) - vulnerable PHP/MySQL web application
  • Mutillidae - OWASP vulnerable web application
  • bWAPP - "buggy web application" with a large catalogue of flaws
  • Hackxor - realistic game for practicing web hacking
  • And many more...

Extracted Files After Unzip

  File                            Description
  OWASP_Broken_Web_Apps.vmdk      Main virtual disk (required)
  OWASP_Broken_Web_Apps.vmx       VMware configuration (for reference only)
  OWASP_Broken_Web_Apps.vmsd      Snapshot metadata (optional)
  OWASP_Broken_Web_Apps.nvram     NVRAM/BIOS state (usually not needed)
  OWASP_Broken_Web_Apps.vmxf      Additional VMware metadata (not needed)

Summary: the OWASP_Broken_Web_Apps.vmdk file alone is enough to run the machine in VirtualBox; the other files are only used by VMware.


Installing OWASP BWA on VirtualBox

Method 1 — Import an OVA File

If you have an .ova file:

  1. Open VirtualBox
  2. From the menu, select File → Import Appliance
  3. Select the .ova file and click Next
  4. Review the settings (you can adjust RAM and CPU)
  5. Click Import and wait for the import to complete

Method 2 — Use VMDK Directly

If you only have a .vmdk file:

  1. Open VirtualBox
  2. Click New and fill in:
     • Name: OWASP-BWA
     • Type: Linux
     • Version: Ubuntu (32-bit) or Ubuntu (64-bit), depending on the image version
  3. RAM: at least 1 GB (2 GB recommended)
  4. When selecting the hard disk, choose Use an existing virtual hard disk file and select the extracted OWASP_Broken_Web_Apps.vmdk file
  5. Create the VM, then open Settings:
     • System → Motherboard: verify the Boot Order
     • System → Processor: at least 1-2 CPUs
     • Network: use Host-Only Adapter or NAT

Method 3 — Import an OVF File

If you have an .ovf file:

  1. In VirtualBox, select File → Import Appliance from the menu
  2. Select the .ovf file
  3. Review and confirm the settings

Network Configuration

For security, always use one of these:

  • Host-Only Network: for access only from the host system (most secure)
  • NAT Network: if you need internet access for updates (use cautiously)
  • Internal Network: for connecting with other VMs in the lab

Never use Bridged Network: it places the vulnerable VM directly on your physical LAN, reachable by every other host there.
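The GUI steps of Method 2 and the isolation rules above, scripted with VBoxManage as an added example (this is not part of the original guide or of the OWASP BWA project). It assumes VBoxManage is on PATH, the extracted .vmdk is in the working directory, and a host-only interface named vboxnet0 already exists; the nic_mode_is_isolated check refuses to boot the VM if any adapter is bridged.

```shell
#!/bin/sh
# Added example, not from the OWASP BWA project: script Method 2 with VBoxManage,
# refuse to boot the VM if any NIC is bridged, and snapshot the clean state.
# Assumptions: VBoxManage is on PATH, the extracted .vmdk is in the current
# directory, and a host-only interface named vboxnet0 already exists.
VM_NAME="OWASP-BWA"
VMDK="OWASP_Broken_Web_Apps.vmdk"

# Emit the VBoxManage commands equivalent to the GUI steps of Method 2.
bwa_setup_commands() {
  cat <<EOF
VBoxManage createvm --name "$VM_NAME" --ostype Ubuntu --register
VBoxManage modifyvm "$VM_NAME" --memory 2048 --cpus 2
VBoxManage modifyvm "$VM_NAME" --nic1 hostonly --hostonlyadapter1 vboxnet0
VBoxManage storagectl "$VM_NAME" --name IDE --add ide
VBoxManage storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 --type hdd --medium "$VMDK"
VBoxManage snapshot "$VM_NAME" take clean --description "pristine state before practice"
EOF
}

# Read 'VBoxManage showvminfo NAME --machinereadable' output from $1 and return 0
# only if every adapter line (nic1="...", nic2="...") uses one of the isolated
# modes from the Network Configuration section; bridged or unknown modes return 1.
nic_mode_is_isolated() {
  printf '%s\n' "$1" | grep -E '^nic[0-9]+="' | while IFS= read -r line; do
    mode=$(printf '%s' "$line" | cut -d'"' -f2)   # value between the quotes
    case "$mode" in
      none|hostonly|nat|natnetwork|intnet) ;;     # allowed by this guide
      *) exit 1 ;;                                # bridged or unexpected
    esac
  done
}

# Check the live VM configuration and start the VM only if it is isolated.
preflight_and_start() {
  info=$(VBoxManage showvminfo "$VM_NAME" --machinereadable) || return 1
  if ! nic_mode_is_isolated "$info"; then
    echo "refusing to start $VM_NAME: a NIC is bridged or in an unknown mode" >&2
    return 1
  fi
  VBoxManage startvm "$VM_NAME"
}

# Usage: sh bwa_vbox.sh create   (build the VM and snapshot it)
#        sh bwa_vbox.sh start    (preflight check, then boot)
case "${1:-}" in
  create) bwa_setup_commands | sh -e ;;
  start)  preflight_and_start ;;
esac
```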


Initial Setup

  1. Start the VM
  2. Wait for the system to boot
  3. Log in with the default credentials (typically):
     • Username: root
     • Password: owaspbwa
  4. Find the machine's IP address:

       ifconfig
       # or
       ip addr show

  5. From your host system's browser, navigate to that IP address:

       http://[IP_ADDRESS]

  6. The OWASP BWA main page displays a list of all the vulnerable applications

Security and Practical Tips

  • Snapshot: Take a snapshot before starting practice so you can restore the system to its initial state
  • Network Isolation: Always ensure the VM is on an isolated network
  • Updates: Avoid updating the VM's operating system as it may patch vulnerabilities
  • Documentation: Each application has its own documentation that you should read
  • Practice Ethically: Only practice on these VMs, not on real systems
