1
Bricks
Our first OWASP
project on the list (but certainly not the last!), Bricks is a
deliberately vulnerable web app built on PHP and using a MySQL database,
where each "brick" contains a security vulnerability to be mitigated.
The project provides a platform for learning and teaching AppSec as well
as a way to test web app scanners.
There are three types of 'bricks': login pages, file upload pages and content pages, each with different types of vulnerabilities, common for the area of the application.
Read more about OWASP Bricks on its project page, maintained by Abhi M Balakrishnan.
2
bWAPP
bWAPP, which stands
for Buggy Web Application, is "a free and open source deliberately
insecure web application" created by Malik Messelem, @MME_IT.
Vulnerabilities to keep an eye out for include over 100 common issues derived from the OWASP Top 10.
bWAPP is built in PHP and uses MySQL. Download the project here. For more advanced users, bWAPP also offers what Malik calls a bee-box, a custom Linux VM that comes pre-installed with bWAPP.
3
DVIA
Recently re-released as a free download by InfoSec Engineer @prateekg147,
DVIA was built as an especially insecure mobile app for iOS 7 and
above. For mobile app developers the platform is especially helpful,
because while there are numerous sites to practice hacking web
applications, mobile apps that can be legally hacked are much harder to
come by!
Get going with DVIA by watching this YouTube video and reading the 'Getting Started' guide.
4
DVWA
This web security
platform was built with both more experienced security professionals as
well as developers and students in mind. The site was created with the
help of @ethicalhack3r, Ryan Dewhurst, who has also given the open source SCA tool DevBug
to the community. Built in PHP/MySQL, vulnerabilities to look out for
in DVWA include everything from SQL injection and cross-site scripting
to captcha bypassing and malicious file execution.
Get started with DVWA here or through GitHub, and check out this YouTube video for help with installation.
5
ExploitMe Mobile Android Labs
Developers and
security professionals building on the Android platform have the chance
to act as attackers through the ExploitMe Mobile Android Labs. Focusing
on 8 specific vulnerabilities commonly found in Android applications,
the labs, developed by Security Compass, help those interested in
becoming more secure Android developers and defenders.
Lab lessons include:
- Parameter manipulation of mobile traffic
- Encryption of traffic
- Password lock screens
- File system access permissions
- Insecure storage of files
- Insecure logging
BONUS: There are also ExploitMe Mobile iPhone Labs with fewer labs than their Android version.
6
Game of Hacks
Alright, this one
isn't exactly a vulnerable web app - but it's another engaging way of
learning to spot application security vulnerabilities, so we thought
we'd throw it in. Call it shameless self-promotion, but we've received
amazing feedback from security pros and developers alike, so we're happy
to share it with you, too! The game is designed to test your AppSec
skills and each question offers a chunk of code which may or may not
have a security vulnerability - it's up to you to figure it out before
the clock runs out. A leaderboard makes Game of Hacks just that much
more enticing.
Follow Game of Hacks on Twitter for updates and play the game here.
7
Gruyere
This 'cheesy'
vulnerable site is full of holes and aimed at those just starting to
learn application security. The goal of the labs is threefold:
- Learn how hackers find security vulnerabilities
- Learn how hackers exploit web applications
- Learn how to stop hackers from finding and exploiting vulnerabilities
Written in Python, Gruyere offers opportunities for both black box and white box testing so "hackers" have the chance to play on both sides of the fence.
Get started here: http://google-gruyere.appspot.com/
8
iGoat
iGoat is a mobile
environment built especially for iOS developers and based off the OWASP
WebGoat project, which we'll talk about later.
Developers work through lessons while learning with iGoat, laid out with a short introduction to each vulnerability, a chance to exploit it to verify the issue's presence, a short description of the remediations appropriate for the issue and the chance to fix the issue and "rebuild" the iGoat program.
The project's OWASP site, managed by Kenneth R Van Wyk, @krvw, can be found here.
9
InsecureWebApp
An OWASP project,
InsecureWebApp is exactly as described and is perfect for teaching and
improving secure coding and design skills. According to the project
site, the aim of InsecureWebApp is threefold:
"1) Demonstrate how dangerous application vulnerabilities can be
2) Close the gap between the theory of web application security and the actual code that we design and build
3) Learn how these vulnerabilities can be fixed."
Built for those already familiar with basic application security theory, InsecureWebApp is great for security-minded developers and students and starters in security.
Read more about the project and find the download link here.
10
Foundstone
Foundstone, a
practice within McAfee's Professional Services, launched a series of
sites in 2006 aimed for pen testers and security professionals looking
to increase their InfoSec chops. Each simulated app offers a
"real-world" experience, built with "real-world" vulnerabilities. From
mobile bank apps to apps designed to take reservations, these projects
cover a wide array of security issues to help any security-minded
professional stay ahead of the hackers.
The group of sites includes:
11
Mutillidae
Yet another OWASP project on our list, Mutillidae is
another deliberately vulnerable web application built for Linux and
Windows. This project is actually a set of PHP scripts containing all
the OWASP Top Ten vulnerabilities and more and is armed with hints to
help users get started.
Get started with Mutillidae here, and be sure to check out the project's dedicated YouTube channel and Twitter account, run by Mutillidae's second-generation developer, Jeremy Druin.
12
Security Shepherd
Striving to "herd the
lost sheep of the technological world back to the safe and sound ways
of secure practices," Security Shepherd is geared towards anyone with an
affinity for making our software more secure.
Armed with lessons and challenges, users have the option to either learn more in depth about vulnerabilities or be tasked with finding them in a very vulnerable web app. Security Shepherd can also be used as the basis for a CTF game, which makes it great for having fun while learning about vital application security principles.
Read more about the project on OWASP or go straight to the download page at SourceForge.
13
The Butterfly Security Project
The Butterfly
Security Project was designed to "give insight into common web
application and PHP vulnerabilities and how they are created during the
development process," says the team behind the project, Pentest Application Security Specialists.
What's unique about this project is that it offers both an insecure version of the app as well as a secure version, meant to mitigate the vulnerabilities found in the insecure version. This makes the Butterfly Project perfect for anyone looking to play the dual roles of defender/attacker.
Download the Butterfly Project for Linux here.
14
Vicnum
An OWASP project,
Vicnum is a series of basic and obviously vulnerable web apps based on games
"commonly used to kill time." Because of their simple frameworks, the
applications can be tailored for different needs, making Vicnum a great
choice for security managers looking to help teach developers AppSec in a
fun way.
The goal of Vicnum is "to strengthen the security of web applications by educating different groups (students, management, users, developers, auditors) as to what might go wrong in a web app," the site says. "And of course it's OK to have a little fun."
Check out the site, developed by Mordecai Kraushar here to find the games and available CTFs for download.
15
WebGoat
Installers are available for Windows, OS X Tiger and Linux, with separate downloads for J2EE and .NET environments. There is an "easy-run" version as well as a "source distribution" version that allows users to modify the source code.
Check out the OWASP project page here or the GitHub page to get started with WebGoat.
For help with the lessons, take a look at this series of videos available for download.
This article was originally posted at https://www.checkmarx.com/2015/04/16/15-vulnerable-sites-to-legally-practice-your-hacking-skills/