
Thread: Vulnerable Web Applications To learn Web Application Testing Skills

  1. #11
    Super Administrator AnArKI
    Join Date
    Jul 2010
    Location
    London
    Posts
    501
    Blog Entries
    1
    Thanks
    180
    Thanked 169 Times in 86 Posts

    Hacking Vulnerable Web Applications Without Going To Jail



    This blog post provides an extensive and updated list (as of October 20, 2011) of vulnerable web applications you can test your web hacking knowledge, pen-testing tools, skills, and kung-fu on, with an added bonus... without going to jail. The vulnerable web applications have been classified in three categories: offline, VMs/ISOs, and online. Each list has been ordered alphabetically.

    Read the full list here: Taddong Security Blog

  2. #12
    Web Security Consultant amolnaik4
    Join Date
    Jul 2011
    Location
    webr00t
    Posts
    269
    Blog Entries
    3
    Thanks
    24
    Thanked 178 Times in 100 Posts

    Vulnerable by Design

    g0tmi1k has one more list.

    g0tmi1k: [Site News] Vulnerable by Design (Part 3)

    Cheers,
    AMol NAik

  3. #13
    Super Administrator AnArKI

    Pentesting Vulnerable Study Frameworks Complete List

    Thanks Sohil Garg for pointing me to the link!


    They are categorized based on the type of application like Web Pentesting, War Games and Insecure Distributions.

    Very good collection: Pentesting Vulnerable Study Frameworks Complete List

  4. #14
    Garage Newcomer invarunvar
    Join Date
    Mar 2012
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Watch a free short video about Top 10 vulnerable applications on your network:
    Rocket Views - Top 10 vulnerable applications on your network

  5. #15
    Garage Newcomer cyberd0ny2k
    Join Date
    Dec 2011
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    XMLmao and SQLol by Daniel Crowley can also have a place on the list.
    https://github.com/SpiderLabs/SQLol
    https://github.com/SpiderLabs/XMLmao

  6. #16
    Super Commando Dhruv abhaythehero
    Join Date
    Sep 2010
    Location
    Lucknow/Pune,India
    Posts
    469
    Blog Entries
    2
    Thanks
    169
    Thanked 144 Times in 83 Posts

    Game Over

    Here is another nice Web Pentest Learning Platform from the null team.



    Name : Game Over
    Category : Web Pentest Learning Platform
    File Type : VM image/iso

    Author : Jovin Lobo
    Mentor : Murtuja Bharmal

    Download URL : GameOver - Browse Files at SourceForge.net

    Default Credentials : [username:root / password:gameover]

    Description :
    Project GameOver was started with the objective of training and educating newbies about the basics of web security and educate them about the common web attacks and help them understand how they work. It is a collection of various vulnerable web applications, designed for the purpose of learning web penetration testing.

    GameOver has been broken down into two sections.
    Section 1 consists of special web applications that are designed especially to teach the basics of Web Security. This section will cover
    XSS
    CSRF
    RFI & LFI
    BruteForce Authentication
    Directory/Path traversal
    Command execution
    SQL injection

    Section 2 is a collection of deliberately insecure Web applications. This section provides a legal platform to test your skills and to try and exploit the vulnerabilities and sharpen your skills before you pentest live sites. We would advise newbies to try and exploit these web applications. These applications provide real life environments and will boost their confidence.

    --------------------------------------------------------------------------------------------------------------------------------------------------------

    Download the iso.

    Make a virtual machine and give the option where it asks for CD/DVD as the path to the .iso file.

    Ensure in settings that the virtual machine is in bridged mode.

    Start the machine and go for Live option.

    Login via the credentials given above.

    Note the IP using the ifconfig command.

    Enter the IP in your host machine browser and connect.

    Start the pwnage \m/

    Last edited by abhaythehero; 06-28-2012 at 11:42 PM. Reason: Added screenshot
    b0nd, AnArKI and Anant Shrivastava like this.
    In the world of 0s and 1s, are you a zero or The One !

  7. #17
    Web Security Consultant amolnaik4

  8. The Following User Says Thank You to amolnaik4 For This Useful Post:

    prashant_uniyal (07-18-2012)

  9. #18
    Web Security Consultant amolnaik4
    Pentesting scene:

    For network pentesters

    21LTR - Pentesting Scenes

  10. The Following User Says Thank You to amolnaik4 For This Useful Post:

    AnArKI (07-22-2012)

  11. #19
    Super Commando Dhruv abhaythehero
    With OWASP 1-Liner you can demo what application security is about, both in terms of attacks and countermeasures.

    OWASP 1-Liner is a deliberately vulnerable Java and JavaScript-based chat application. You install and run 1-Liner locally and it runs in two versions simultaneously – vulnerable and securish. The vulnerable version is intended for attack demos and the securish version is intended for demoing countermeasures.

    Demos currently supported include XSS (with BeEF), CSRF against RESTful services, clickjacking, double submit anti-CSRF bypass, and multi-step CSRF.

    OWASP 1-Liner
    In the world of 0s and 1s, are you a zero or The One !

  12. #20
    Super Administrator AnArKI
    OWASP Security Shepherd

    Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well. Security Shepherd's vulnerabilities are not simulated, and are instead delivered through hardened real security vulnerabilities that cannot be abused to compromise the application or its environment. Many of these levels include insufficient protections to these vulnerabilities, such as black list filters and poor security configuration. Security Shepherd includes everything you need to complete all of its levels including the OWASP Zed Attack Proxy Project and portable browsers already configured for proxy use.
    Topic Coverage

    The Security Shepherd project covers the following web application security topics;
    Download

  13. The Following 2 Users Say Thank You to AnArKI For This Useful Post:

    amolnaik4 (09-09-2012), dexter (02-24-2013)

