
Category:OWASP Insecure Web App Project



Insecure Web App

InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling.

InsecureWebApp is primarily a teaching aid to challenge and improve secure design and coding skills. Architects and developers need to learn how to identify vulnerabilities in a real web application. The goals of this tool are threefold: 1) demonstrate how dangerous application vulnerabilities can be, 2) close the gap between the theory of web application security and the actual code that we design and build, 3) learn how these vulnerabilities can be fixed.

InsecureWebApp assumes that you already know some theory about web application vulnerabilities, in particular parameter tampering, broken authentication, SQL injection and HTML injection. To learn more, please see the OWASP Guide Project and use the OWASP WebGoat Project training environment.


Some screenshots of example vulnerabilities, including HTML and SQL injection, are available.


Download it and see if you're up to the challenges listed in the instructions. Spotting a vulnerability as part of a code review is a key skill but it's not easy - even when the code is simple and small...


The InsecureWebApp project was conceived in 2004 by Lawrence Angrave. It was licensed to the community as an open source project in April 2005. InsecureWebApp is sponsored by IsthmusGroup, Madison, Wisconsin and is an OWASP project.


InsecureWebApp is an open source project available for download here. It is available as an Eclipse 3 project with source, a zip of a deployable war file that can be dropped into Tomcat, or as a Tomcat server with the war file already included. Note that only the Eclipse version includes the project source code.

Project Identification

What does this OWASP project offer you?
what is this project?
OWASP Insecure Web App Project

Purpose: N/A

License: N/A

who is working on this project?
Project Leader: N/A

Project Maintainer:

Project Contributor(s): N/A

how can you learn more?
Project Pamphlet: N/A

3x slide Project Presentation: N/A

Mailing list: N/A

Project Roadmap: N/A

Main links: N/A

Project Health: Not Reviewed (Provisional)
To be reviewed under Assessment Criteria v2.0

Key Contacts
  • Contact the GPC to contribute, review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
