Students, developers and security enthusiasts can learn the theoretical part of the web application penetration testing but how do they practice. Legally, trying hacking skills on the random web applications available on the internet is criminal offense.
For the purpose of practicing hacking, there are web applications developed with deliberately introduced bugs. Buggy Web App (bWAPP) is one of such applications. bWAPP has over 100 security vulnerabilities. It covers all the risks from OWASP top 10 project.
Goal of this application is to provide legal and secure environment for practicing web application penetration testing skill.
bWAPP is developed using PHP and MySQL. So, to install this application we need a web server and database server.
In this post, we are going to learn how to install this application on windows operating system.
Download bWAPP here

Click the download link in the above picture
Download XAMPP here

Click the download link for the latest version of XAMPP windows 64 bit
Installing and configuring XAMPP
Double click the downloaded EXE file and click next button. This will take you through the whole process of installation. I always keep installing any software in D: drive not in C: drive where operating system is installed.

Keep the default settings and just change the installation driver to D: (D:\xampp). This will install the XAMPP on to the windows. Now, go to D:\xampp folder and see lot of folders & files are being installed here. Under this folder there is xampp-control file. Double click this file and start the xampp-control panel which looks like as below.

Look at the above picture that shows different stuff Apache, MySQL, FileZilla, Mercury & Tomcat. What are these?
- Apache – Web server
- MySQL – Database server
- FileZilla – FTP server
- Mercury – Mail server
- Tomcat – Application server
To run a simple web application web server and database servers are required. Apache web server & MySql serve this purpose. We will not go in detail into the other applications which are installed with xampp.
This completes the installation of the xampp. Let us go to the installation and configuration of bWAPP application.
Installation of bWAPP
Extract / unzip “bWAPP_latest.zip” and then copy the “bwapp” folder to D:\xampp\htdocs (C:\xampp or D:\xampp depending on your installation)
Refer to these below pictures.


After copying the bWAPP folder into the “htdocs” folder, go to “admin” folder inside the bwapp folder as in the below picture.

Open the “settings.php” file in a notepad and search for $db_password = “bug”. Remove the “bug” and make it blank as below.

Now, configuration of the bWAPP application is ready. We need to do the installation part. For that the XAMPP control panel needs to be started and then start both:
- Apache web server
- MySql database server
To start the XAMPP control panel –> go to xampp installation folder (C:\xampp) –> double click “xampp-control” application file. This will start the xampp control panel as below.

Click “start” for both Apache and MySql servers. After the start, both the buttons become “stop” and the status of the applications is changed to “running”.
Open a browser (chrome/firefox) and then open the URL: http://localhost:80/bwapp/install.php and then continue with installation of the bwapp application by clicking the “here” as in the below picture.

After clicking the link “here” bwapp gets installed successfully. Now click “login” button and enter username as “bee” and password “bug” –> login
This completes successful installation and login to bWAPP application. Application is ready!! start hunting for vulnerabilities. All the best!!!