Why? Because BWAPP is supposed to be vulnerable. The default credentials mimic real-world bad practices: default admin accounts, weak passwords, and lack of account lockout. Here’s where it gets interesting. Even if you don’t know the password, you can log in as bee — or any user — using SQL injection directly on the login page.
One question that appears repeatedly in forums, GitHub discussions, and lab write-ups is: bwapp login password
Example payload in the username field: ' or '1'='1' -- (leave password blank) bwapp login password
