Step 1

Download the OWASP BWA files: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

Step 2

Create a folder and extract all files there. It's probably a good idea to put the folder right next to your other virtual machines, if you have any. Don't move this folder afterwards, because the virtual machine will point at the disk files inside it.

Step 3

Open VirtualBox and create a new machine named OWASP BWA (or whatever) as Linux/Ubuntu. Set RAM to something appropriate (I'm using 2 GB because I can).

When asked about the hard disk, choose to use an existing one and select the files you just extracted.

Step 4

Run.

Optional

You might want to fiddle around with various settings, like bridging the network interface etc. Letting just anyone on the network reach the VM is not recommended, though, since OWASP BWA contains multiple security holes.
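
The same setup from the command line, as an added example that is not part of the original page: it creates the VM from steps 3 and 4 with its only network adapter on a host-only network, and includes a check that flags any adapter left in bridged mode. The host-only interface name `vboxnet0`, the SATA controller and the disk path are assumptions; the script prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not from the original page): CLI equivalent of steps 3-4,
# keeping the deliberately vulnerable VM on a host-only network.
VM_NAME="${VM_NAME:-OWASP BWA}"
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"  # assumption: an existing host-only interface
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1: path to the extracted virtual disk (placeholder; the page does not name it).
create_bwa_vm() {
    disk="$1"
    if [ -z "$disk" ]; then
        echo "usage: create_bwa_vm /path/to/extracted-disk-file" >&2
        return 2
    fi
    if [ "$DRY_RUN" != "1" ] && [ ! -f "$disk" ]; then
        echo "disk not found: $disk" >&2
        return 1
    fi
    run VBoxManage createvm --name "$VM_NAME" --ostype Ubuntu --register &&
    run VBoxManage modifyvm "$VM_NAME" --memory 2048 \
        --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF" &&
    run VBoxManage storagectl "$VM_NAME" --name SATA --add sata &&
    run VBoxManage storageattach "$VM_NAME" --storagectl SATA \
        --port 0 --device 0 --type hdd --medium "$disk"
}

# Reads `VBoxManage showvminfo "$VM_NAME" --machinereadable` on stdin, prints
# every NIC in bridged mode, and returns 1 if there is one.
find_bridged_nics() {
    bridged=$(grep -E '^nic[0-9]+="bridged"' | cut -d= -f1)
    if [ -n "$bridged" ]; then
        printf '%s\n' "$bridged"
        return 1
    fi
    return 0
}

if [ $# -gt 0 ]; then
    create_bwa_vm "$1"
fi
```

After creating the VM, pipe `VBoxManage showvminfo "OWASP BWA" --machinereadable` into `find_bridged_nics` whenever the network settings have been changed.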