Vulnerable Web Applications To learn Web Application Testing Skills

**Punter** · 07-11-2010, 05:10 PM

I have Often seen Beginners who will pursue their carrier in Application Security always have less Hands on experience in testing Web Applications below are the links Would help them to learn and Improve their skills in Application Security Testing.

Vulnerable Webapplications

1) Jarlsberg App
http://jarlsberg.appspot.com/start
2) OWASP Broken Web Applications project
http://code.google.com/p/owaspbwa/wiki/ProjectSummary
Intentionally Vulnerable Applications:
•OWASP WebGoat version 5.3-SNAPSHOT (Java)
•OWASP Vicnum version 1.4 (PHP/Perl)
•Mutillidae version 1.3 (PHP)
•Damn Vulnerable Web Application version 1.06 (PHP)
•Ghost (PHP)
•Peruggia version 1.2 (PHP)
•OWASP CSRFGuard Test Application version 2.2 (Java)
•OWASP AppSensor Demo Application (Java)
•Mandiant Struts Forms (Java/Struts)
•Simple ASP.NET Forms (ASP.NET/C#)
•Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
Old Versions of Real Applications:
•WordPress 2.0.0 (PHP, released December 31, 2005, downloaded from www.oldapps.com)
•phpBB 2.0.0 (PHP, released April 4, 2002, downloaded from www.oldapps.com)
•Yazd version 1.0 (Java, released February 20, 2002)
3)Web Security Dojo
http://www.mavensecurity.com/web_security_dojo/
Targets include:
•OWASP’s WebGoat
•Damn Vulnerable Web App
•Hacme Casino
•OWASP InsecureWebApp
•simple training targets by Maven Security (including REST and JSON)
Tools:
•Burp Suite (free version)
•w3af
•OWASP Skavenger
•OWASP Dirbuster
•Paros
•Webscarab
•Ratproxy
•sqlmap
•helpful Firefox add-ons
4)SPI Dynamics (live) – http://zero.webappsecurity.com/
5)Cenzic (live) – http://crackme.cenzic.com/
6)Watchfire (live) – http://demo.testfire.net/
7)Acunetix (live) – http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com
8)PCTechtips Challenge (live) – http://pctechtips.org/hacker-challenge-pwn3d-the-login-form/
9)The Butterfly Security Project – http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project
10)Hacme Casino – http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
11)Hacme Bank 2.0 – http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
12)Updated HackmeBank – http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
14)Hacme Books – http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
15)Hacme Travel – http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
16)Hacme Shipping – http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
17)OWASP SiteGenerator – http://www.owasp.org/index.php/Owasp_SiteGenerator
18)Moth – http://www.bonsai-sec.com/en/research/moth.php
19)Stanford SecuriBench – http://suif.stanford.edu/~livshits/securibench/
20)SecuriBench Micro – http://suif.stanford.edu/~livshits/work/securibench-micro/
21)BadStore – http://www.badstore.net/
22)WebMaven/Buggy Bank – http://www.mavensecurity.com/webmaven

**that's_all** · 08-24-2010, 10:39 AM

and a list of trainings - http://yehg.net/lab/#training

**abhaythehero** · 12-08-2010, 09:54 PM

wow .. seen this thread first time .. was looking for such apps after 41.warrior told me
to refrain from practicing SQL injection on live targets

anyways just here is another one to practice XSS,XSRF etc. Have not tried it yet though[exams ahead

]

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:

* How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
* How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).

http://google-gruyere.appspot.com/

**Hocker** · 02-10-2011, 04:08 PM

hi thank for your sharing information...nice help about to Web Applications To learn Web Application Testing Skills

**ht2ht** · 08-18-2011, 09:22 AM

Very useful.
My big thanks to all here.

**amolnaik4** · 08-18-2011, 09:40 AM

2 more apps:

1. WackoPicko - used to test multiple web application scanners
2. The BodgeIt Store

**Snypter** · 10-05-2011, 01:36 AM

thanx for this share .. i am starting with WEBGOAT !

**Anthrax** · 10-24-2011, 05:30 PM

woah this one is really good! i'll read and try this one after i get 10 post lol

**b0nd** · 10-26-2011, 02:15 AM

Originally Posted by Anthrax

woah this one is really good! i'll read and try this one after i get 10 post lol

Hi Anthrax,
Is there any boundation you are facing with '10' posts count? I don't remember if we have intentionally put any such restriction.

Cheers!

**amolnaik4** · 11-03-2011, 12:21 PM

Holynix Level1 & Level2:

Similar to the de-ice pentest CDs and pWnOS, Holynix is an Linux vmware image that was deliberately built to have security holes for the purposes of penetration testing.

Link:Holynix - Browse Files at SourceForge.net

Just completed Level1...now on level2.

PS: Level1 is complete web based, level2 is having multiple services.

Cheers,
AMol NAik

Thread: Vulnerable Web Applications To learn Web Application Testing Skills

LinkBack

Thread Tools

Search Thread

Display