Vulnerable Web Applications for learning

Update: 08/08/2010: Created a tabled output of the listing. Platforms for most applications added. More applications added to list thanks to comments.

Just a quick post. Someone on the ‘NULL’ mailing list asked for WebGoat alternatives for learning Web Application penetration testing. The response was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected all vulnerable web applications and listed them below for reference:

| S.No. | Vulnerable Application | Platform |
|---|---|---|
| 1 | SPI Dynamics (live) | ASP |
| 2 | Cenzic (live) | PHP |
| 3 | Watchfire (live) | ASPX |
| 4 | Acunetix 1 (live) | PHP |
| 5 | Acunetix 2 (live) | ASP |
| 6 | Acunetix 3 (live) | ASP.Net |
| 7 | PCTechtips Challenge (live) | |
| 8 | Damn Vulnerable Web Application | PHP/MySQL |
| 9 | Mutillidae | PHP |
| 10 | The Butterfly Security Project | PHP |
| 11 | Hacme Casino | Ruby on Rails |
| 12 | Hacme Bank 2.0 | ASP.NET (2.0) |
| 13 | Updated HackmeBank | ASP.NET (2.0) |
| 14 | Hacme Books | J2EE |
| 15 | Hacme Travel | C++ (application client-server) |
| 16 | Hacme Shipping | ColdFusion MX 7, MySQL |
| 17 | OWASP WebGoat | JAVA |
| 18 | OWASP Vicnum | PHP, Perl |
| 19 | OWASP InsecureWebApp | JAVA |
| 20 | OWASP SiteGenerator | ASP.NET |
| 21 | Moth | |
| 22 | Stanford SecuriBench | JAVA |
| 23 | SecuriBench Micro | JAVA |
| 24 | BadStore | Perl(CGI) |
| 25 | WebMaven/Buggy Bank (very old) | |
| 26 | EnigmaGroup (live) | |
| 27 | XSS Encoding Skills – x5s (Casaba Watcher) | |
| 28 | Google – Gruyere (live) (previously Jarlsberg) | |
| 29 | Exploit-DB | Multi-platform |
| 30 | The Bodgeit Store | JSP |
| 31 | LampSecurity | PHP |
| 32 | hackxor | Perl(CGI) |
| 33 | OWASP – Hackademic | PHP |
| 34 | Exploit.co.il-WA | PHP |

If you know of any other vulnerable web applications (which can be used as a platform for learning web-app pentest), drop a line in the comments. Let me know if any of the links appear dead.

34 responses to this post.

  1. Social comments and analytics for this post…

    This post was mentioned on Twitter by washalsec: new blogpost : Vuln Web Applications for learning http://bit.ly/bq7mKA

    Reply

  2. You forgot about http://enigmagroup.org they have over 160 vulnerable web applications on their site for learning. They also have help forums, mentor system, and IRC for live help with the missions.

    Reply

  3. Posted by Andre Gironda on April 11, 2010 at 9:29 am

    Here is the site setup for Casaba Watcher — http://www.nottrusted.com/watcher/

    Reply

  4. Posted by Andre Gironda on April 11, 2010 at 9:31 am

    Oh and Casaba x5s — http://www.nottrusted.com/x5s/

    Reply

  5. [...] insecure web systems that you can practice on, e.g. OWASP WebGoat, Foundstone's HackMe series etc. Here is a fairly recent list of 24 of them for those who have too much time [...]

    Reply

  6. Posted by Bruce Leban on May 11, 2010 at 11:15 am

    Web Application Exploits and Defenses – tutorial aimed at general developers
    http://jarlsberg.appspot.com

    Reply

  7. Very awesome post! Honest..

    Reply

  8. Here is one that is done by Microsoft. The funny thing is that it wasn't meant to be used for security testing

    http://trade-spf.gdsdemo.com/

    http://msdn.microsoft.com/en-us/netframework/bb499684.aspx

    Reply

  9. The Web Security Dojo project (http://dojo.mavensecurity.com) is preloaded with several web app targets (and tools) for an easy no-install environment to get you started with learning web app security testing. Targets installed on localhost include Damn Vulnerable Web App (DVWA), Gruyere, Hacme Casino, OWASP InsecureWebApp, OWASP WebGoat, and w3af’s Test Environment. Plus there are tools like an exclusive speed-enhanced Burp Suite Free (permission from the author), sqlmap, w3af, etc.

    Reply

  10. Great read hopefully they can fix these vulnerabilities soon.

    Reply

    • Posted by Wasim Halani on March 22, 2011 at 11:19 am

      Actually, these are deliberately vulnerable applications. They are used to teach security issues related to web applications. So the developers won’t be fixing the issues :)

      Reply

  11. The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. On the left menu you can see all attack scenarios that are currently available. You can start by picking one!

    The URL for the Hackademic challenges is: http://www.hackademic.eu

    This is a customized version of the OWASP Hackademic Challenges only for OWASP Appsec Europe 2011

    The competition starts on 21st April and will run for 4 weeks until 15th May.

    Each week a series of challenges are going to be released according to the schedule below:

    Week 1 (21st April)
    Week 2 (28th April)
    Week 3 (5th May)
    Week 4 (12th May)

    http://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project

    Reply

  12. Posted by a on May 1, 2011 at 11:29 pm

    you forgot Sony on this list.

    Reply

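  13. [...] The first Google search result always brings us a pleasant surprise, and this search was no exception; this article is simply a lightly edited and organized version of that post. [...]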

    Reply

  14. Good compilation, thanks!

    Reply

  15. [...] One of the projects I will be working on this summer is developing a “Break In Lab” for students to test their hacking skills. As such finding well supported platforms to perform pen-tests on is a must. Here is a list compiled by http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/. [...]

    Reply

  16. Great read hopefully they can fix these vulnerabilities soon

    Reply

  17. [...] Since there are many of this type (the web ones), here is a good list. [...]

    Reply

  18. interesting list, thank you

    Reply

  19. Posted by Invar on March 3, 2012 at 3:10 am

    Top 10 vulnerable applications on your network
    http://rocketviews.com/watch?416aO901fuUagic

    Reply

  20. Posted by Quarp on March 26, 2012 at 10:54 pm

    if you are looking for a nice starting place OWASP Broken Web Apps VM has a bunch of these all in one distro — https://code.google.com/p/owaspbwa/wiki/ProjectSummary

    Reply

  21. [...] how.  This page has a list of vulnerable web applications that can be used for learning purposes http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/.  Also, check out the Maven Security Dojo http://www.mavensecurity.com/web_security_dojo/.  The [...]

    Reply

  22. Posted by Steve Steiner on May 1, 2012 at 11:27 pm

    Fantastic list of resources. The Acunetix links seem to be broken.

    Reply

  23. [...] Original Post [...]

    Reply

  24. Posted by Shepherd on October 10, 2012 at 5:09 am

    OWASP Security Shepherd

    Reply

  25. The “Damn Vulnerable Web App” is my favourite :)

    Reply
