[Owasp-leaders] The BodgeIt Store

psiinon psiinon at gmail.com
Mon Feb 28 07:22:23 EST 2011

Hi folks,

I've just open sourced a vulnerable web app, called The BodgeIt Store:


Well, you can never have too many vulnerable apps to test against, but
also because I've found that many of the existing apps are non trivial
to install - they either have a significant number of dependencies,
are restricted to specific platforms, require dbs to be set up etc

The BodgeIt Store is:
    * Easy to install - just requires java and a servlet engine, e.g. Tomcat
    * Self contained (no additional dependencies other than to 2 in
the above line)
    * Easy to change - all the functionality is implemented in JSPs,
so no IDE required
    * Cross platform
    * Open source
    * No separate db to install and configure - it uses an 'in memory'
db that is automatically (re)initialized on start up

At the moment all of the vulnerabilities are pretty basic, so its not
suitable for security ninjas ;)

In the relatively near future I'm hoping to add things like:
   * Challenges with automated scoring (ie when you find specific
   * Ajax requests
   * More vulnerabilities (of course)

Its not an OWASP project (but I'd be happy for it to be so) and I
havnt publicised it on any of the usual sec lists as it really needs
some more docs.

But if you fancy a quick play with it then feel free, and feedback
would be appreciated.

Many thanks,


More information about the OWASP-Leaders mailing list