Hacking Vulnerable Web Applications Without Going To Jail

(LAST UPDATE: 2013-10-20)

Shameless plug: I will be teaching the 6-day SANS SEC575 training, "SEC575: Mobile Device Security and Ethical Hacking", in Abu Dhabi, UAE (Apr 26, 2014 - May 1, 2014) and Berlin, Germany (Jun 16-21, 2014).

LAST UPDATE: Since October 18, 2013, this list of vulnerable web applications has been moved to a new OWASP project: "OWASP Vulnerable Web Applications Directory (VWAD) Project".

While teaching web application security and penetration testing, one of the most prevalent questions from the audience at the end of every week is: "How and where can I (legally) put in practice all the knowledge and test all the different tools we have covered during the training (while preparing for the next real-world engagement)?" Along the years I have been providing multiple references to the attendees (including the option of testing real-world vulnerable open-source web applications) and mentioned several times that I had a pending blog post listing all them together... Today is the day! ;)... and I will be able to refer people here in future training sessions.

This blog post provides an extensive and updated list (as of October 20, 2011) of vulnerable web applications you can test your web hacking knowledge, pen-testing tools, skills, and kung-fu on, with an added bonus... without going to jail :) The vulnerable web applications have been classified in three categories: offline, VMs/ISOs, and online. Each list has been ordered alphabetically.

Offline: The following list references downloadable vulnerable web applications to play with that can be installed on a standard operating system (Linux, Windows, Mac OS X, etc) using a standard web platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc).

• The BodgeIt Store (Java): http://code.google.com/p/bodgeit/ (download)
• OWASP Bricks (PHP): http://sechow.com/bricks/index.html (download & docs)
• The ButterFly Security Project (PHP): http://sourceforge.net/projects/thebutterflytmp/ (download)
• bWAPP - an extremely buggy web application! (PHP): http://www.itsecgames.com (download) (docs)
• Damn Vulnerable Web Application - DVWA (PHP): http://www.dvwa.co.uk (download)
• Damn Vulnerable Web Services - DVWS (PHP): http://dvws.secureideas.net (download)
• OWASP Hackademic Challenges Project (PHP): https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project (download)
• Google Gruyere (Python): http://google-gruyere.appspot.com (download)
• Hacme Bank (.NET): http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx (download)
• Hacme Books (Java): http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx (download)
• Hacme Casino (Ruby on Rails): http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx (download)
• Hacme Shipping (ColdFusion): http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx (download)
• Hacme Travel (C++): http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx (download)
• OWASP Insecure Web App Project (Java): https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project (download - orphaned)
• Mutillidae (PHP): http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 (download)
• OWASP .NET Goat (C#): https://owasp.codeplex.com (download)
• Peruggia (PHP): http://peruggia.sourceforge.net (download)
• Puzzlemall (Java): https://code.google.com/p/puzzlemall/ (download) (docs)
• Stanford Securibench (Java) & Micro: http://suif.stanford.edu/~livshits/securibench/ (download)
• SQLI-labs (PHP): https://github.com/Audi-1/sqli-labs (download) (blog)
• SQLol (PHP): https://github.com/SpiderLabs/SQLol (download)
• OWASP Vicnum Project (Perl & PHP): https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project (download)
• VulnApp (.NET): http://www.nth-dimension.org.uk/blog.php?id=88 (CVS download & vulns)
• WackoPicko (PHP): https://github.com/adamdoupe/WackoPicko (download) (whitepaper)
• OWASP WebGoat (Java): https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project (download) (guide)
• OWASP ZAP WAVE - Web Application Vulnerability Examples (Java): http://code.google.com/p/zaproxy/downloads/list
• Wavsep - Web Application Vulnerability Scanner Evaluation Project (Java): https://code.google.com/p/wavsep/ (download) (docs)
• WIVET - Web Input Vector Extractor Teaser: https://code.google.com/p/wivet/ (download) (tests)

Virtual Machines (VMs) or ISO images: The following list references preinstalled and ready to use virtual machines (VMs) or ISO images that contain one or multiple vulnerable web applications to play with.

• BadStore (ISO): http://www.badstore.net (download - registration required)
• Bee-Box (bWAPP VMware): http://sourceforge.net/projects/bwapp/files/bee-box/
• OWASP BWA - Broken Web Applications Project (VMware - list): https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project (download)
• Drunk Admin Web Hacking Challenge (VMware): https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/ (download)
• Exploit.co.il Vuln Web App (VMware): http://exploit.co.il/projects/vuln-web-app/ (download)
• GameOver (VMware): http://sourceforge.net/projects/null-gameover/ (download)
• Hackxor (VMware): http://hackxor.sourceforge.net/cgi-bin/index.pl (download) (hints&tips)
• Hacme Bank Prebuilt VM (VMware): http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/ (download)
• Kioptrix4 (VMware & Hyper-V): http://www.kioptrix.com/blog/?p=604 (download)
• LAMPSecurity (VMware): http://sourceforge.net/projects/lampsecurity/ (download) (doc)
• Metasploitable (VMware): http://blog.metasploit.com/2010/05/introducing-metasploitable.html (download - torrent) (doc)
• Metasploitable 2 (VMware):  https://community.rapid7.com/docs/DOC-1875 (download)
• Moth (VMware): http://www.bonsai-sec.com/en/research/moth.php (download)
• PentesterLab - The Exercises (ISO & PDF): https://www.pentesterlab.com/exercises/ 
• PHDays I-Bank (VMware):  http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html (download)
• Samurai WTF (ISO - list): http://www.samurai-wtf.org (download)
• Sauron (Quemu) [Spanish]: http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html (solutions)
• UltimateLAMP (VMware - list): http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/ (download)
• Virtual Hacking Lab (ZIP): http://sourceforge.net/projects/virtualhacking/ (download)
• Web Security Dojo (VMware, VirtualBox - list): http://www.mavensecurity.com/web_security_dojo/ (download)

Online/Live: The following list references online and live vulnerable web applications available on the Internet to play with.

• Acunetix:
• http://testasp.vulnweb.com (Forum - ASP)
• http://testaspnet.vulnweb.com (Blog - .NET)
• http://testphp.vulnweb.com (Art shopping - PHP)
• Cenzic CrackMeBank: http://crackme.cenzic.com
• Google Gruyere (Python): http://google-gruyere.appspot.com/start
• Hacking-Lab (eg. OWASP Top 10): https://www.hacking-lab.com/events/registerform.html?eventid=245
• Hack.me (beta): https://hack.me
• HackThisSite (HTS - Basic & Realistic (web) Missions): http://www.hackthissite.org
• Hackxor online demo: http://hackxor.sourceforge.net/cgi-bin/index.pl#demo (algo/smurf)
• HP/SpiDynamics Free Bank Online: http://zero.webappsecurity.com (admin/admin)
• IBM/Watchfire AltoroMutual: http://demo.testfire.net (jsmith/Demo1234)
• NTOSpider Web Scanner Test Site: http://www.webscantest.com (testuser/testpass)
• OWASP Hackademic Challenges Project - Live (PHP - Joomla): http://hackademic1.teilar.gr
• Pentester Academy: http://pentesteracademylab.appspot.com

For completeness, there have been some other similar lists published in the past that I'm aware of, and also some "in-the-cloud" commercial training lab options are getting popular (let's call them "pay-per-hack" :-). Enjoy all these different web vulnerable environments and sharp your web app pen-testing skills and tools practicing with them!

Updates: (Thanks to everybody that sent me new vulnerable web-apps)
2011-10-31: Added VulnApp (.NET) & Sauron (Quemu).
2012-06-17: Added Metasploitable 2, Positive Hack Days (PHDays) I-Bank, and Hacme Bank Prebuilt VM.
2012-07-23: Added GameOver, Virtual Hacking Lab, and Hacking-Lab.
2012-12-19: Added SQLol, SQLI-labs, and WIVET.
2012-12-27: Hack.me (beta).
2013-01-21: bWAPP.
2013-01-31: Drunk Admin Web Hacking Challenge, Hackxor online demo, Kioptrix4, and check The Hacker Games (VM) - some new additions via vulnhub.com.
2013-03-15: DVWS.
2013-09-09: Added PentesterLab and OWASP Bricks (thanks to m0wgli).
2013-10-08: Added Pentester Academy (thanks to m0wgli) and Bee-Box, and updated bWAPP homepage.
2013-10-20: List moved to OWASP VWAD project.

NOTE: WAVE and Wapsec main goal is to evaluate the features, quality, and accuracy of automatic web application vulnerability scanners. WIVET main goal is to statistically analyze web link extractors.

Image source: http://www.headhacker.net/wp-content/uploads/2010/04/get-out-of-jail.jpg

TLSSLed v1.2

TLSSLed v1.2 has been released and can be downloaded, as usual, from Taddong's lab.

This new version incorporates feedback from several people, as well as new features, including support for Mac OS X (TLSSLed should now run in both Linux and Mac OS X; check how to build sslscan on Mac OS X first), an initial check to verify if the target service speaks SSL/TLS (finishing its execution if it does not), a few other optimizations and error checks, and new tests for TLS v1.1 and v1.2.

The latter feature has been added as a result of the recent BEAST vulnerability and research, CVE-2011-3389. In order to be able to check for TLS v1.1 and v1.2 you need to use openssl-1.0.1-stable, available from the openssl snapshot repository. TLSSLed identifies if the target service supports TLS v1.1 and v1.2, if it does not, or if your local openssl version does not support these TLS versions.

This new test simply checks if the target service supports these two TLS versions, however, this does not mean the implementation is secure from a BEAST perspective, as lots of other factors can influence this, such as:

• The implementation could downgrade from TLS v1.1 or v1.2 to TLS v1.0 or SSLv3 if these versions are also supported by the server and a client requests it.
• The implementation can use RC4 instead of AES CBC to mitigate this vulnerability.
• Certain SSL/TLS implementations might not be vulnerable to BEAST, such as openssl since version 0.9.6d, as they already added empty plaintext fragments (problem #2) - if SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not set.

The first two scenarios can be easily verified through the new "Testing for SSLv3 and TLSv1 support first ..." test. If you know how to remotely check for the third scenario using the openssl binary, I would love to hear about it and implement that inside the tool... Therefore, a careful and thorough brain-based analysis is still required :)

The output below shows this new feature against "tls.woodgrovebank.com", an SSL/TLS public Interop Test Server from Microsoft, using openssl 1.0.1-dev:

$ ./TLSSLed.sh tls.woodgrovebank.com 443 ------------------------------------------------------ TLSSLed - (1.2) based on sslscan and openssl by Raul Siles (www.taddong.com) ------------------------------------------------------ + openssl version: OpenSSL 1.0.1-dev xx XXX xxxx + sslscan version 1.8.2 ------------------------------------------------------ [-] Analyzing SSL/TLS on tls.woodgrovebank.com:443 .. [*] The target service tls.woodgrovebank.com:443 seems to speak SSL/TLS... [-] Running sslscan on tls.woodgrovebank.com:443... [*] Testing for SSLv2 ... Accepted SSLv2 168 bits DES-CBC3-MD5 Accepted SSLv2 128 bits RC4-MD5 [*] Testing for NULL cipher ... [*] Testing for weak ciphers (based on key length) ... [*] Testing for strong ciphers (AES) ... Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 128 bits AES128-SHA [*] Testing for MD5 signed certificate ... [*] Testing for certificate public key length ... RSA Public Key: (2048 bit) [*] Testing for certificate subject ... Subject: /C=US/ST=WA/L=Redmond/O=Microsoft/CN=tls.woodgrovebank.com [*] Testing for certificate CA issuer ... Issuer: /CN=RSACERTSRV [*] Testing for certificate validity period ... Today: Wed Oct 12 00:50:07 UTC 2011 Not valid before: Feb 14 22:52:50 2011 GMT Not valid after: Feb 14 23:02:50 2012 GMT [*] Checking preferred server ciphers ... Prefered Server Cipher(s): SSLv2 168 bits DES-CBC3-MD5 SSLv3 128 bits RC4-SHA TLSv1 128 bits AES128-SHA [-] Testing for SSLv3/TLSv1 renegotiation vuln. (CVE-2009-3555) ... [*] Testing for secure renegotiation ... Secure Renegotiation IS supported [-] Testing for TLS v1.1 and v1.2 (CVE-2011-3389 aka BEAST) ... [*] Testing for SSLv3 and TLSv1 first ... Accepted SSLv3 168 bits DES-CBC3-SHA Accepted SSLv3 128 bits RC4-SHA Accepted SSLv3 128 bits RC4-MD5 Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 128 bits AES128-SHA Accepted TLSv1 168 bits DES-CBC3-SHA Accepted TLSv1 128 bits RC4-SHA Accepted TLSv1 128 bits RC4-MD5 [*] Testing for TLS v1.1 support ... TLS v1.1 IS supported [*] Testing for TLS v1.2 support ... TLS v1.2 IS supported [-] Testing for SSL/TLS security headers ... [*] Testing for Strict-Transport-Security (STS) header ... [*] Testing for cookies with the secure flag ... [*] Testing for cookies without the secure flag ... [-] New files created: -rw-r--r-- 1 root root 5684 2011-10-18 20:50 sslscan_tls...com:443_2011-10-18_20:49:23.log -rw-r--r-- 1 root root 2675 2011-10-18 20:50 openssl_HEAD_tls...com:443_2011-10-18_20:49:23.log -rw-r--r-- 1 root root 2408 2011-10-18 20:49 openssl_RENEG_tls...com:443_2011-10-18_20:49:23.log -rw-r--r-- 1 root root 540 2011-10-18 20:49 openssl_RENEG_tls...com:443_2011-10-18_20:49:23.err -rw-r--r-- 1 root root 523 2011-10-18 20:50 openssl_HEAD_tls...com:443_2011-10-18_20:49:23.err [-] done

If the target service does not support TLS v1.1 or v1.2 it will say "... IS NOT supported" instead. If your local openssl version does not support TLS v1.1 and v1.2, you will get the following output:

$ ./TLSSLed.sh www.example.com 443 ... [-] Testing for TLS v1.1 and v1.2 (CVE-2011-3389 aka BEAST) ... ... [*] Testing for TLS v1.1 support ... The local openssl version does NOT support TLS v1.1 [*] Testing for TLS v1.2 support ... The local openssl version does NOT support TLS v1.2 ...

Some people suggested new additions to TLSSLed based on adding checks from other already available SSL/TLS related tools, such as openssl-blacklist or ssl-cipher-check.pl. After a careful thought and detailed analysis process, TLSSLed will remain loyal to its original spirit and design, trying to keep to a minimum the prerequisites to run it (just openssl and sslscan since version 1.0). Therefore, the goal is not to make use of any additional tools from within TLSSLed except openssl and sslscan, unless there is a very critical security test that cannot be accomplished with these two. However, I'm open to implementing other missing tests using these two tools.

One of the future releases will include an associated user guide that briefly explains the different TLSSLed results and their meaning, so that you can easily understand the security implications of the findings reported by the tool without been well versed on SSL/TLS (HTTPS).

Remember, the tool is open to comments, suggestions, improvements, and new tests from the community. Do not hesitate to contact me with ideas! Thanks to Abraham Aranguren and others that want to remain anonymous for their feedback!