While teaching web application security and penetration testing, one of the most prevalent questions from the audience at the end of every week is: "How and where can I (legally) put in practice all the knowledge and test all the different tools we have covered during the training (while preparing for the next real-world engagement)?" Along the years I have been providing multiple references to the attendees (including the option of testing real-world vulnerable open-source web applications) and mentioned several times that I had a pending blog post listing all them together... Today is the day! ;)... and I will be able to refer people here in future training sessions.
This blog post provides an extensive and updated list (as of October 20, 2011) of vulnerable web applications you can test your web hacking knowledge, pen-testing tools, skills, and kung-fu on, with an added bonus... without going to jail :) The vulnerable web applications have been classified in three categories: offline, VMs/ISOs, and online. Each list has been ordered alphabetically.
Offline: The following list references downloadable vulnerable web applications to play with that can be installed on a standard operating system (Linux, Windows, Mac OS X, etc) using a standard web platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc).
- The BodgeIt Store (Java): http://code.google.com/p/bodgeit/ (download)
- The ButterFly Security Project (PHP): http://sourceforge.net/projects/thebutterflytmp/ (download)
- Damn Vulnerable Web Application - DVWA (PHP): http://www.dvwa.co.uk (download)
- OWASP Hackademic Challenges Project (PHP): https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project (download)
- Google Gruyere (Python): http://google-gruyere.appspot.com (download)
- Hacme Bank (.NET): http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx (download)
- Hacme Books (Java): http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx (download)
- Hacme Casino (Ruby on Rails): http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx (download)
- Hacme Shipping (ColdFusion): http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx (download)
- Hacme Travel (C++): http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx (download)
- OWASP Insecure Web App Project (Java): https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project (download - orphaned)
- Mutillidae (PHP): http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 (download)
- OWASP .NET Goat (C#): https://owasp.codeplex.com (download)
- Peruggia (PHP): http://peruggia.sourceforge.net (download)
- Puzzlemall (Java): https://code.google.com/p/puzzlemall/ (download) (docs)
- Stanford Securibench (Java) & Micro: http://suif.stanford.edu/~livshits/securibench/ (download)
- OWASP Vicnum Project (Perl & PHP): https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project (download)
- VulnApp (.NET): http://www.nth-dimension.org.uk/blog.php?id=88 (CVS download & vulns)
- WackoPicko (PHP): https://github.com/adamdoupe/WackoPicko (download) (whitepaper)
- OWASP WebGoat (Java): https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project (download) (guide)
- OWASP ZAP WAVE - Web Application Vulnerability Examples (Java): http://code.google.com/p/zaproxy/downloads/list
- Wavsep - Web Application Vulnerability Scanner Evaluation Project (Java): https://code.google.com/p/wavsep/ (download) (docs)
- BadStore (ISO): http://www.badstore.net (download - registration required)
- OWASP BWA - Broken Web Applications Project (VMware - list): https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project (download)
- Exploit.co.il Vuln Web App (VMware): http://exploit.co.il/projects/vuln-web-app/ (download)
- Hackxor (VMware): http://hackxor.sourceforge.net/cgi-bin/index.pl (download) (hints&tips)
- LAMPSecurity (VMware): http://sourceforge.net/projects/lampsecurity/ (download) (doc)
- Metasploitable (VMware): http://blog.metasploit.com/2010/05/introducing-metasploitable.html (download - torrent) (doc)
- Moth (VMware): http://www.bonsai-sec.com/en/research/moth.php (download)
- Samurai WTF (ISO - list): http://www.samurai-wtf.org (download)
- Sauron (Quemu) [Spanish]: http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html (solutions)
- UltimateLAMP (VMware - list): http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/ (download)
- Web Security Dojo (VMware, VirtualBox - list): http://www.mavensecurity.com/web_security_dojo/ (download)
- Acunetix:
- http://testasp.vulnweb.com (Forum - ASP)
- http://testaspnet.vulnweb.com (Blog - .NET)
- http://testphp.vulnweb.com (Art shopping - PHP)
- Cenzic CrackMeBank: http://crackme.cenzic.com
- Google Gruyere (Python): http://google-gruyere.appspot.com/start
- HackThisSite (HTS - Basic & Realistic (web) Missions): http://www.hackthissite.org
- HP/SpiDynamics Free Bank Online: http://zero.webappsecurity.com (admin/admin)
- IBM/Watchfire AltoroMutual: http://demo.testfire.net (jsmith/Demo1234)
- NTOSpider Web Scanner Test Site: http://www.webscantest.com (testuser/testpass)
- OWASP Hackademic Challenges Project - Live (PHP - Joomla): http://hackademic1.teilar.gr
Shameless plug: I will be teaching the 6-day SANS SEC542 training, "Web App Penetration Testing and Ethical Hacking", in Spanish (March 12-17, 2012, in Madrid - Spain) and English (May 7-12, 2012, in Amsterdam - The Netherlands).
Updates: (2011-10-31) Added VulnApp (.NET) & Sauron (Quemu).
NOTE: WAVE and Wapsec main goal is to evaluate the features, quality, and accuracy of automatic web application vulnerability scanners.
Updates: (2011-10-31) Added VulnApp (.NET) & Sauron (Quemu).
NOTE: WAVE and Wapsec main goal is to evaluate the features, quality, and accuracy of automatic web application vulnerability scanners.
Image source: http://www.headhacker.net/wp-content/uploads/2010/04/get-out-of-jail.jpg
Posts
2 comments:
I miss the game "Sauron"
In any case, good compilation!
Miguel, added. Thanks!
Post a Comment