Hey there web pentesting enthusiasts! For today’s post, I decided to share my very own lists of common vulnerable web applications that are built by man and tested by nature for web penetration testing and hacking:
DVWA (Dam Vulnerable Web Application) - this vulnerable PHP/MySQL web application is one of the famous web applications used for or testing your skills in web penetration testing and your knowledge in manual SQL Injection, XSS, Blind SQL Injection, etc. DVWA is developed by Ryan Dewhurst a.k.a ethicalhack3r and is part of RandomStorm OpenSource project. Link: http://www.dvwa.co.uk
Mutillidae - is a free and open source web application for website penetration testing and hacking which was developed by Adrian “Irongeek” Crenshaw and Jeremy “webpwnized” Druin. It is designed to be exploitable and vulnerable and ideal for practicing your Web Fu skills like SQL injection, cross site scripting, HTML injection, Javascript injection, clickjacking, local file inclusion, authentication bypass methods, remote code execution and many more based on OWASP (Open Web Application Security) Top 10 Web VulnerabiltiesLink: http://sourceforge.net/projects/mutillidae
SQLol - is a configurable SQL injection testbed which allows you to exploit SQLI (Structured Query Language Injection) flaws, but furthermore allows a large amount of control over the manifestation of the flaw. This application was released at at Austin Hackers Association meeting 0x3f by Daniel “unicornFurnace” Crowley of Trustwave Holdings, Inc. – Spider Labs.Link: https://github.com/SpiderLabs/SQLol
Hackxor - a web application hacking game developed by albino. It is a game where players must locate and exploit vulnerabilities to progress through the story wherein you play as a blackhat hacker hired to track down another hacker by any means possible. It contains scripts that are vulnerable to Cross Site Scripting(XSS), Cross Site Request Forgery(CSRF), Structured Query Language Injection (SQLi), Remote Command Injection(RCE), and many more. It’s also a web application running on Fedora 14.Link: http://sourceforge.net/projects/hackxor
The BodgeIt Store - is an open source and vulnerable web application which is currently aimed at people who are new to web penetration testing. It is easy to install and requires requires java and a servlet engine, e.g. Tomcat. It includes vulnerabilities like Cross Site Scripting, SQL injection, Hidden (but unprotected) content, Debug Code, Cross Site Request Forgery, Insecure Object References, and Application logic vulnerabilities.Link: http://code.google.com/p/bodgeit
Exploit KB / exploit.co.il Vulnerable Web App - is one of the most famous vulnerable web app designed as a learning platform to test various SQL injection Techniques and it is a functional web site with a content management system based on fckeditor. This web application is also included in the BackTrack Linux 5r2-PenTesting Edition lab.Link: http://exploit.co.il/projects/vuln-web-app
WackoPicko - is a vulnerable web application written by Adam DoupĂ©. It contains known and common vulnerabilities for you to harness your web penetration skills and knowledge like XSS vulnerabilities, SQL injections, command-line injections, sessionID vulnerabilities, file inclusions, parameters manipulation, Reflected XSS Behind JavaScript, Logic Flaw, Reflected XSS Behind a Flash Form, and Weak usernames or passwords. It was first used for the paper Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners.Link: https://github.com/adamdoupe/WackoPicko
WebGoat -is an OWASP project and a deliberately insecure J2EE web application designed to teach web application security lessons and concepts. What’s cool about this web application is that it lets users demonstrate their understanding of a security issue by exploiting a real vulnerability in the application in each lesson.Link: http://code.google.com/p/webgoat
OWASP Hackademic Challenges Project - is another OWASP Project that helps you test your knowledge on web application security. You can use it to attack web applications in a realistic but also controlable and safe environment. Currently, there are 10 web application security scenarios available for you to hack.Link: https://code.google.com/p/owasp-hackademic-challenges
XSSeducation – is a set of Cross Site Scripting attack challenges for people just learning about XSS to people who just want a good place to practice their already awesome skills. Various realistic challenges have been included for practice and it is still under development by AJ00200 but can already be dowloaded.Link: http://wiki.aj00200.org/wiki/XSSeducation
©2012, copyright BLACK BURN
©2012, copyright BLACK BURN
0 comments:
Post a Comment