You may need an insecure web application as part of yearly developer compliance training. You may need an insecure web application for a companywide contest for cyber security awareness month. Perhaps you just like playing with insecure web applications on the weekend. There are a variety of insecure web applications out there. If you have specific needs -- maybe XSS in VBScript as opposed to JavaScript --, or regular use-case where you want something similar to showcase the OWASP top 10 yet different topics and look every time. Then what is out there may not work for you. This talk introduces a new tool -- ORIWAP (One Random Insecure Web Application Please), which can randomly generate an insecure web application (the security features, visual style, and data -- users, passwords, forum postings, about page). If you don't like randomness you can specify some or all of the settings and an application will be generated. The talk will demo creating several new applications, and show the variety of options for creating the perfect insecure web application for you. This talk will also discuss how the code works for each area: security features, visual style, and data.