While teaching web application security and penetration testing,
one of the most frequent questions from the audience at the end of
every week is: "How and where can I (legally) put into practice all the knowledge, and test all the different tools, we have covered during the training (while preparing for the next real-world engagement)?"
Over the years I have given the attendees multiple references
(including the option of testing real-world vulnerable open-source
web applications) and mentioned several times that I had a pending
blog post listing them all together... Today is the day! ;)...
and from now on I will be able to refer people here in future training sessions.
This blog post provides an extensive and updated list (as of October 20,
2011) of vulnerable web applications you can test your web hacking
knowledge, pen-testing tools, skills, and kung-fu on, with an added
bonus... without going to jail :) The vulnerable web applications
have been classified into three categories: offline, VMs/ISOs, and
online. Each list has been ordered alphabetically.
Offline: The following list references downloadable vulnerable
web applications to play with that can be installed on a standard
operating system (Linux, Windows, Mac OS X, etc.) on top of a standard web
platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc.). Install them on a
dedicated lab box or VM rather than on a machine that serves anything
else: several of them are exploitable to remote code execution by design.
- The BodgeIt Store (Java): http://code.google.com/p/bodgeit/ (download)
- OWASP Bricks (PHP): http://sechow.com/bricks/index.html (download & docs)
- The ButterFly Security Project (PHP): http://sourceforge.net/projects/thebutterflytmp/ (download)
- bWAPP - an extremely buggy web application! (PHP): http://www.itsecgames.com (download) (docs)
- Damn Vulnerable Web Application - DVWA (PHP): http://www.dvwa.co.uk (download)
- Damn Vulnerable Web Services - DVWS (PHP): http://dvws.secureideas.net (download)
- OWASP Hackademic Challenges Project (PHP): https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project (download)
- Google Gruyere (Python): http://google-gruyere.appspot.com (download)
- Hacme Bank (.NET): http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx (download)
- Hacme Books (Java): http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx (download)
- Hacme Casino (Ruby on Rails): http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx (download)
- Hacme Shipping (ColdFusion): http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx (download)
- Hacme Travel (C++): http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx (download)
- OWASP Insecure Web App Project (Java): https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project (download - orphaned)
- Mutillidae (PHP): http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 (download)
- OWASP .NET Goat (C#): https://owasp.codeplex.com (download)
- Peruggia (PHP): http://peruggia.sourceforge.net (download)
- Puzzlemall (Java): https://code.google.com/p/puzzlemall/ (download) (docs)
- Stanford SecuriBench & SecuriBench Micro (Java): http://suif.stanford.edu/~livshits/securibench/ (download)
- SQLI-labs (PHP): https://github.com/Audi-1/sqli-labs (download) (blog)
- SQLol (PHP): https://github.com/SpiderLabs/SQLol (download)
- OWASP Vicnum Project (Perl & PHP): https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project (download)
- VulnApp (.NET): http://www.nth-dimension.org.uk/blog.php?id=88 (CVS download & vulns)
- WackoPicko (PHP): https://github.com/adamdoupe/WackoPicko (download) (whitepaper)
- OWASP WebGoat (Java): https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project (download) (guide)
- OWASP ZAP WAVE - Web Application Vulnerability Examples (Java): http://code.google.com/p/zaproxy/downloads/list
- Wavsep - Web Application Vulnerability Scanner Evaluation Project (Java): https://code.google.com/p/wavsep/ (download) (docs)
- WIVET - Web Input Vector Extractor Teaser: https://code.google.com/p/wivet/ (download) (tests)
VMs/ISOs: The following list references vulnerable web applications
distributed as ready-to-run virtual machine images or bootable ISOs (the
entries marked "list" bundle several of the offline applications above).
Because they are intentionally exploitable and often ship with default
credentials, attach them to a host-only or NAT network and never expose
them to the Internet or to your production LAN.
- BadStore (ISO): http://www.badstore.net (download - registration required)
- Bee-Box (bWAPP VMware): http://sourceforge.net/projects/bwapp/files/bee-box/
- OWASP BWA - Broken Web Applications Project (VMware - list): https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project (download)
- Drunk Admin Web Hacking Challenge (VMware): https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/ (download)
- Exploit.co.il Vuln Web App (VMware): http://exploit.co.il/projects/vuln-web-app/ (download)
- GameOver (VMware): http://sourceforge.net/projects/null-gameover/ (download)
- Hackxor (VMware): http://hackxor.sourceforge.net/cgi-bin/index.pl (download) (hints&tips)
- Hacme Bank Prebuilt VM (VMware): http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/ (download)
- Kioptrix4 (VMware & Hyper-V): http://www.kioptrix.com/blog/?p=604 (download)
- LAMPSecurity (VMware): http://sourceforge.net/projects/lampsecurity/ (download) (doc)
- Metasploitable (VMware): http://blog.metasploit.com/2010/05/introducing-metasploitable.html (download - torrent) (doc)
- Metasploitable 2 (VMware): https://community.rapid7.com/docs/DOC-1875 (download)
- Moth (VMware): http://www.bonsai-sec.com/en/research/moth.php (download)
- PentesterLab - The Exercises (ISO & PDF): https://www.pentesterlab.com/exercises/
- PHDays I-Bank (VMware): http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html (download)
- Samurai WTF (ISO - list): http://www.samurai-wtf.org (download)
- Sauron (QEMU) [Spanish]: http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html (solutions)
- UltimateLAMP (VMware - list): http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/ (download)
- Virtual Hacking Lab (ZIP): http://sourceforge.net/projects/virtualhacking/ (download)
- Web Security Dojo (VMware, VirtualBox - list): http://www.mavensecurity.com/web_security_dojo/ (download)
Online: The following list references vulnerable web applications
hosted by their vendors or maintainers, so you can start testing without
installing anything. Test credentials, where provided, are given in
parentheses. Stick to the hosts listed (they are published for exactly
this purpose); anything else on the same domain or network is out of scope.
- Acunetix:
- http://testasp.vulnweb.com (Forum - ASP)
- http://testaspnet.vulnweb.com (Blog - .NET)
- http://testphp.vulnweb.com (Art shopping - PHP)
- Cenzic CrackMeBank: http://crackme.cenzic.com
- Google Gruyere (Python): http://google-gruyere.appspot.com/start
- Hacking-Lab (eg. OWASP Top 10): https://www.hacking-lab.com/events/registerform.html?eventid=245
- Hack.me (beta): https://hack.me
- HackThisSite (HTS - Basic & Realistic (web) Missions): http://www.hackthissite.org
- Hackxor online demo: http://hackxor.sourceforge.net/cgi-bin/index.pl#demo (algo/smurf)
- HP/SPI Dynamics Free Bank Online: http://zero.webappsecurity.com (admin/admin)
- IBM/Watchfire AltoroMutual: http://demo.testfire.net (jsmith/Demo1234)
- NTOSpider Web Scanner Test Site: http://www.webscantest.com (testuser/testpass)
- OWASP Hackademic Challenges Project - Live (PHP - Joomla): http://hackademic1.teilar.gr
- Pentester Academy: http://pentesteracademylab.appspot.com
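If you want to pick targets by the stack of your next engagement (say, every PHP app, or only the online ones that publish test credentials) rather than scanning the list by eye, the following script turns the listing format used in this post into a structured inventory. It is an added example, not code from the post or from any of the projects listed; it parses entries of the form "- Name (Platform): URL (note) (note)" plus vendor groups such as "- Acunetix:" followed by bare URL lines, and the SAMPLE text is a constructed excerpt of the list above, not the full list.

```python
"""Structured lab inventory parsed from the listing format used in this post.

Added example (not code from the post or from any listed project). It parses
"- Name (Platform): URL (note) (note)" entries and vendor groups such as
"- Acunetix:" followed by bare URL lines. SAMPLE is a constructed excerpt.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = """\
Offline: The following list references downloadable vulnerable web applications.
- Damn Vulnerable Web Application - DVWA (PHP): http://www.dvwa.co.uk (download)
- OWASP Vicnum Project (Perl & PHP): https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project (download)
- WIVET - Web Input Vector Extractor Teaser: https://code.google.com/p/wivet/ (download) (tests)
VMs/ISOs: The following list references ready-to-run images.
- Metasploitable 2 (VMware): https://community.rapid7.com/docs/DOC-1875 (download)
Online: The following list references hosted targets.
- Acunetix:
- http://testasp.vulnweb.com (Forum - ASP)
- http://testphp.vulnweb.com (Art shopping - PHP)
- IBM/Watchfire AltoroMutual: http://demo.testfire.net (jsmith/Demo1234)
"""

CATEGORY_RE = re.compile(r"^(?P<cat>[^-\s][^:]*):")     # "Offline: ...", "VMs/ISOs: ..."
ENTRY_RE = re.compile(
    r"^- (?P<name>.+?)"
    r"(?: \((?P<plat>[^()]*)\))?"   # optional "(PHP)", "(Perl & PHP)", "(VMware)"
    r"(?: \[(?P<extra>[^\]]*)\])?"  # optional "[Spanish]"-style tag
    r": (?P<url>https?://\S+)"
    r"(?P<notes>.*)$"
)
GROUP_RE = re.compile(r"^- (?P<name>[^:]+):\s*$")        # "- Acunetix:"
SUBENTRY_RE = re.compile(r"^- (?P<url>https?://\S+)(?P<notes>.*)$")
NOTE_RE = re.compile(r"\(([^()]*)\)")                   # "(download)", "(user/pass)"
CRED_RE = re.compile(r"^([^\s/]+)/([^\s/]+)$")          # a note that is "user/pass"


@dataclass(frozen=True)
class Entry:
    name: str
    category: str
    platforms: Tuple[str, ...]
    url: str
    notes: Tuple[str, ...]
    credentials: Optional[Tuple[str, str]]


def _platforms(tag: Optional[str]) -> Tuple[str, ...]:
    """'Perl & PHP' -> ('Perl', 'PHP'); no tag -> ()."""
    return tuple(p.strip() for p in re.split(r"[&,]", tag or "") if p.strip())


def _notes(raw: str, extra: Optional[str] = None):
    """Parenthesised notes as a tuple, plus the first note that looks like user/pass."""
    notes = tuple(n.strip() for n in NOTE_RE.findall(raw))
    if extra:
        notes = (extra.strip(),) + notes
    creds = next((CRED_RE.match(n).groups() for n in notes if CRED_RE.match(n)), None)
    return notes, creds


def parse_inventory(text: str) -> List[Entry]:
    """Parse the list portion of the post (feed it from the 'Offline:' line on)."""
    entries: List[Entry] = []
    category, group = "unknown", None     # group = current "- Vendor:" header, if any
    for line in text.splitlines():
        line = line.rstrip()
        if not line.startswith("- "):
            m = CATEGORY_RE.match(line)
            if m:
                category, group = m.group("cat").strip(), None
            continue
        if (m := GROUP_RE.match(line)):
            group = m.group("name").strip()
        elif (m := ENTRY_RE.match(line)):
            group = None
            notes, creds = _notes(m.group("notes"), m.group("extra"))
            entries.append(Entry(m.group("name").strip(), category,
                                 _platforms(m.group("plat")), m.group("url"), notes, creds))
        elif group and (m := SUBENTRY_RE.match(line)):
            notes, creds = _notes(m.group("notes"))
            entries.append(Entry(group, category, (), m.group("url"), notes, creds))
    return entries


def by_platform(entries: List[Entry], platform: str) -> List[Entry]:
    """Targets tagged with the given platform, e.g. 'PHP' or '.NET' (case-insensitive)."""
    return [e for e in entries if platform.lower() in (p.lower() for p in e.platforms)]


def with_credentials(entries: List[Entry]) -> List[Entry]:
    """Targets whose notes carry a 'user/pass' pair, typically the online ones."""
    return [e for e in entries if e.credentials]


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE)
    for e in inv:
        plat = "/".join(e.platforms) or "-"
        cred = f"  login {e.credentials[0]}:{e.credentials[1]}" if e.credentials else ""
        print(f"[{e.category}] {e.name}: {plat} {e.url}{cred}")
    print("PHP targets:", [e.name for e in by_platform(inv, "php")])
```

Feed it the text from the "Offline:" line onwards (the prose above the list contains colons that would be mistaken for category headers). Entries without a platform tag, such as WIVET, simply get an empty platform tuple, and a bare "- Vendor:" line opens a group whose following URL-only lines inherit the vendor name.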