Update: 08/08/2010: Created a tabular version of the listing. Added platforms for most applications. Added more applications to the list, thanks to comments.
Just a quick post. Someone on the ‘NULL’ mailing list asked for WebGoat alternatives for learning web application penetration testing. The response was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected all vulnerable web applications and listed them below for reference:
If you know of any other vulnerable web applications (which can be used as a platform for learning web-app pentest), drop a line in the comments. Let me know if any of the links appear dead.
Posted by uberVU - social comments on April 7, 2010 at 2:03 am
Social comments and analytics for this post…
This post was mentioned on Twitter by washalsec: new blogpost : Vuln Web Applications for learning http://bit.ly/bq7mKA…
Posted by Ausome1 on April 10, 2010 at 6:13 am
You forgot about http://enigmagroup.org they have over 160 vulnerable web applications on their site for learning. They also have help forums, mentor system, and IRC for live help with the missions.
Posted by Andre Gironda on April 11, 2010 at 9:29 am
Here is the site setup for Casaba Watcher — http://www.nottrusted.com/watcher/
Posted by Andre Gironda on April 11, 2010 at 9:31 am
Oh and Casaba x5s — http://www.nottrusted.com/x5s/
Posted by Googles nya “Twitter” är jättebuggigt… « Tom Aafloen bloggar om IT on May 6, 2010 at 2:28 am
[...] insecure web systems you can practice on, e.g. OWASP WebGoat, Foundstone's HackMe series, etc. Here is a fairly recent list of 24 of them for anyone with too much time on their hands [...]
Posted by Bruce Leban on May 11, 2010 at 11:15 am
Web Application Exploits and Defenses – tutorial aimed at general developers
http://jarlsberg.appspot.com
Posted by Earl Ventura on May 29, 2010 at 6:15 pm
Very awesome post! Honest..
Posted by utsav on October 14, 2010 at 5:27 pm
Here is one that is done by Microsoft. The funny thing is that it wasn't meant to be used for security testing.
http://trade-spf.gdsdemo.com/
http://msdn.microsoft.com/en-us/netframework/bb499684.aspx
Posted by Aplicaciones Web vulnerables, para aprender | Laboratorio de Seguridad on November 17, 2010 at 8:18 pm
[...] Source: Security Thoughts [...]
Posted by David Rhoades on February 8, 2011 at 1:55 am
The Web Security Dojo project (http://dojo.mavensecurity.com) is preloaded with several web app targets (and tools) for an easy no-install environment to get you started with learning web app security testing. Targets installed on localhost include Damn Vulnerable Web App (DVWA), Gruyere, Hacme Casino, OWASP InsecureWebApp, OWASP WebGoat, and w3af’s Test Environment. Plus there are tools like an exclusive speed-enhanced Burp Suite Free (permission from the author), sqlmap, w3af, etc.
Posted by learnhowtoteachkids on March 21, 2011 at 7:31 pm
Great read. Hopefully they can fix these vulnerabilities soon.
Posted by Wasim Halani on March 22, 2011 at 11:19 am
Actually, these are deliberately vulnerable applications. They are used to teach security issues related to web applications. So the developers won’t be fixing the issues.
Posted by hackademic Team on April 27, 2011 at 10:31 pm
The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. On the left menu you can see all attack scenarios that are currently available. You can start by picking one!
The URL for the Hackademic challenges is: http://www.hackademic.eu
This is a customized version of the OWASP Hackademic Challenges only for OWASP Appsec Europe 2011
The competition starts on 21st April and will run for 4 weeks until 15th May.
Each week a series of challenges are going to be released according to the schedule below:
Week 1 (21st April)
Week 2 (28th April)
Week 3 (5th May)
Week 4 (12th May)
http://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project
Posted by a on May 1, 2011 at 11:29 pm
You forgot Sony on this list.
Posted by Wasim Halani on May 4, 2011 at 9:31 pm
Haha,
Yes, it should be pretty high on the list here.
Posted by 自己动手搭建缺陷Web App « 猪在笑 on May 5, 2011 at 8:42 pm
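[...] The first Google search result always brings us a pleasant surprise, and this search was no exception; this article is simply a lightly reworked and reorganized version of that post. [...]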
Posted by Santhosh Tuppad on May 12, 2011 at 5:52 pm
Good compilation, thanks!
Posted by Wasim Halani on May 12, 2011 at 6:46 pm
Glad you like it.
Posted by PenTesting Web Apps » Kirwin Computing on May 30, 2011 at 1:33 am
[...] One of the projects I will be working on this summer is developing a “Break In Lab” for students to test their hacking skills. As such finding well supported platforms to perform pen-tests on is a must. Here is a list compiled by http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/. [...]
Posted by go4webapp on August 29, 2011 at 12:04 pm
Great read. Hopefully they can fix these vulnerabilities soon.
Posted by NightLion | Prep for the CEH v7 exam: Tune your Web Hacking Skills with these Live Hackable Simulation Environments on October 12, 2011 at 5:40 am
[...] View the website here. Related posts [...]
Posted by Net Secure » Frameworks para estudiar Pentesting on November 2, 2011 at 1:03 am
[...] Since there are many of this type (the web ones), here is a good list. [...]
Posted by ptrac3 on December 13, 2011 at 1:40 am
Interesting list, thank you
Posted by Invar on March 3, 2012 at 3:10 am
Top 10 vulnerable applications on your network
http://rocketviews.com/watch?416aO901fuUagic
Posted by Re: [WEB SECURITY] vulnerable web application needed for testing | Net Cleaner on March 19, 2012 at 11:22 pm
[...] There's a very comprehensive list here: http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/ [...]
Posted by Quarp on March 26, 2012 at 10:54 pm
If you are looking for a nice starting place, OWASP Broken Web Apps VM has a bunch of these all in one distro — https://code.google.com/p/owaspbwa/wiki/ProjectSummary
Posted by Nessus: Web Application Scanning | securitytoolkit on April 22, 2012 at 4:12 am
[...] how. This page has a list of vulnerable web applications that can be used for learning purposes http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/. Also, check out the Maven Security Dojo http://www.mavensecurity.com/web_security_dojo/. The [...]
Posted by Steve Steiner on May 1, 2012 at 11:27 pm
Fantastic list of resources. The Acunetix links seem to be broken.
Posted by Mohamed Ramadan on July 17, 2012 at 9:26 pm
http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/
Posted by Shepherd on October 10, 2012 at 5:09 am
OWASP Security Shepherd
Posted by Examples « Selective Hardening on February 6, 2013 at 4:32 am
[...] http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/ [...]
Posted by Abe on March 4, 2013 at 3:21 am
The “Damn Vulnerable Web App” is my favourite
Posted by Mistico on March 20, 2013 at 8:51 am
OWASP Bricks is also a nice one –
http://sechow.com/bricks
https://www.owasp.org/index.php/OWASP_Bricks