Application security

OWASP Practice: Learn and Play from Scratch

June 11, 2014 by Interference Security

OWASP Practice is a virtual environment to help people who want to begin their journey into web application security. Lots of material including videos are available on the Internet, both for free and for a fee, that teach web application security in a good manner. But this project has been started for the sole purpose of helping people to understand the basics behind vulnerability and gradually moving forward. OWASP Practice contains a learning environment which helps us to understand why and how vulnerabilities are triggered. This project or any other project alone cannot help anyone master everything. It just our contribution to the community. We were all beginners in this field at some point of time, and still we are in a continuous learning phase. We hope this project helps the community.

Coming back to “OWASP Practice”, OWASP released a list of top 10 vulnerabilities. “OWASP Top 10 Web Application Vulnerabilities 2013” is one of the most popular projects by OWASP. The project starts with explaining every vulnerability in as easy words as possible, along with vulnerable demo applications and videos demonstrating the vulnerability in action.

OWASP Practice has been built with the OWASP Top 10 Web Application Vulnerabilities in mind. It is a virtual machine which hosts custom web applications which are vulnerable to OWASP Top 10 vulnerabilities. Every vulnerability has one or more practice lessons associated with it which can be used to exploit and trigger the vulnerability. Along with that, every lesson has a tutorial linked to it which can be accessed anytime to learn how the vulnerability is triggered and how to exploit it. Every lesson tutorial has screenshots in it for better understanding. Adding to the tutorials, videos demonstrating the vulnerabilities are also available for download separately.

Features of OWASP Practice:

  • Boot-to-Pwn VM with vulnerable web applications
  • Categorized lessons for OWASP vulnerabilities
  • Custom-made vulnerable practice lessons
  • Lessons covering everything from logic of vulnerability to how to trigger vulnerability
  • Tutorials explaining the vulnerability and its solution
  • Videos to demonstrate vulnerability in action
  • Source code and SQL file available

A few things that might come handy are:

  • Mozilla Firefox
  • Firefox Addons
  • Firebug
  • Live HTTP Headers
  • Tamper Data
  • User-Agent Switcher
  • Cookie Manager+
  • BurpSuite


Main Page of OWASP Practice:

OWASP Top 10 Vulnerabilities:

XSS Vulnerability description and lessons:

One of the lessons of XSS vulnerability:

Tutorial of XSS vulnerability:

Fill out the form below to for the OwaspPractice File Download: 

Downloads include:

  1. OwaspPractice Virtual Machine
  2. OwaspPractice Source Code and SQL file
  3. OwaspPractice Vulnerability Demo Videos

User Credentials:

Local User Accounts:

Username: root

Password: toor

Username: owasppractice

Password: owasppractice


Username: root


Joomla Administrator:

Username: admin

Password: admin

Posted: June 11, 2014
Articles Author
Interference Security
View Profile

Interference Security is a freelance information security researcher. Experience gained by learning, practicing and reporting bugs to application vendors. CEH certified but believes in practical knowledge and out of the box thinking rather than collecting certificates. Always open to learning more to enhance his knowledge. Information security is a hobby rather a job for him. Builds tools to automate testing and make things easier.

9 responses to “OWASP Practice: Learn and Play from Scratch”

  1. Ravi Kariya says:

    Where can I found this to download this project?

    • Interference Security says:

      You can find the download links after filling the form available on this page only, just above the “Downloads include” section.

  2. prashant says:

    I downloaded the VM. But I am not able to access the website through browser.

  3. Marco says:

    I had to change $dbname in db_connect.php to lower case to match mysql db name (owaspractice) cause it was not working with $dbname = “OwaspPractice”

  4. prashant says:

    I refine my query

    I have downloaded the OwaspPractice VM. I have installed it on my computer. I am not able to access the application and carry out activities.


    Prashant Ketkar

  5. Interference Security says:

    I apologize for the inconvenience caused. You can fix the problem using the steps below:
    1. Login using “root” user account (Username: root Password: toor)
    2. Run the following command:
    echo $” > /opt/lampp/htdocs/OwaspPractice/db-connect.php
    You can also download shell file using this link:
    and then after logging in as root run the following command:
    Let me know if you or anyone faces any other issues.

  6. Naga says:


    Please let us know how to access this web application.I have followed the below steps.
    1. Login using “root” user account (Username: root Password: toor)
    2. Run the following command:
    echo $” > /opt/lampp/htdocs/OwaspPractice/db-connect.php

    is there GUI interface for this VM or guide me for next step

  7. Ciph3r00t says:

    How to get the GUI for this machine…
    startx is not working. Do we need to install X server.
    How to access the application?

Leave a Reply

Your email address will not be published. Required fields are marked *