Recently, we released version 1.1 of the Mandiant-sponsored OWASP Broken Web Applications Project Virtual Machine (VM). If you are not familiar with this open source project, it provides a freely downloadable VM containing more than 30 web applications with known or intentional security vulnerabilities. Many people use the VM for training or self-study to learn about web application security vulnerabilities, including how to find them, exploit them, and fix them. It can also be used for other purposes such as testing web application assessment tools and techniques or understanding evidence of web application attacks.
If you have used previous versions of the VM, this release primarily adds new applications, including some new OWASP projects and a couple of Ruby on Rails applications. It also includes some configuration changes and updates to existing applications, along with an update to ModSecurity and its ruleset. The VM itself, along with release notes and a changelog, can be found on the project's download page.
I was fortunate to have the opportunity to show off the new version of the VM at the Black Hat Arsenal. It was great to be able to talk with attendees about the project, give them a quick demonstration, answer questions, and gather feedback.
If you have any questions, comments, or suggestions on the project, please feel free to get in contact with us using any of the methods listed in the project's User Guide. The project has a Twitter feed, @owaspbwa, and you can find me on Twitter as well at @chuckatsf.
On Tuesday, Oct. 1, I will present "OWASP Broken Web Applications VM" as part of a webcast for Hacker Hotshots. You can learn more about the presentation here.