Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost VMware Player and VMware Server products (along with their commercial products).

Led by Chuck Willis (chuck (at) securityfoundry (dot) com) and sponsored by Mandiant (www.mandiant.com).

This project now has a Google Group available at http://groups.google.com/group/owaspbwa/. Feel free to post any questions or comments on the project to that group.

Note - This project is a collection of open source software from various sources, along with some custom modifications and pieces to make it all work together. The license for each component may vary. The GPLv2 license for this project is only for any custom modifications and code created for this project.

Version 1.0rc1 of the VM was released on April 4, 2012. See the Downloads page for details and links.

For more information on the project, see the Project Summary Wiki page.