Update: 08/08/2010: Created a tabled output of the listing. Platforms for most applications added. More applications added to list thanks to comments.
Just a quick post. Someone on the ‘NULL’ mailing asked for WebGoat alternatives to learning Web Application penetration testing. The reponse was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected all vulnerable web applications and listed them below for reference:
I’ve been a long time fan of the magazine “Hakin9” http://www.hakin9.org/en. For those who do not know what’s Hakin9, head over to their website for more information
In short, it’s an IT security magazine, with a strong focus on technical knowledge. Unlike other technical magazines, the content quality is amazing. It’s always informative and you end up learning quite a few things. Best of all the content is always very recent. For example, in the last issue (3/2009), they published articles on how to analyze malformed PDF and binaries. PDF based exploits are in the rage, now that Adobe has seen a few severe vulnerabilities.
Anyway, the current issue (4/2009) is out with the main article focusing on ERP security.
Other topics discussed are the recent Nokia’s ‘Silence’ malware, Automating malware analysis, creating self-signed certificate using OpenSSL and much more.
Visit http://hakin9.org/prt/view/about-the-mag/issue/1052.html for detailed information on the topics published.
Unless you have been living under a rock, I am sure you would have heard of the Metasploit framework – the click-click-0wn tool.
It was initially developed by H.D. Moore and is currently in it’s version 3.3 of development. Metasploit offers a variety of features, notably it’s ability to inject any payload with any exploit. It also provides integrated tools (like meterpreter and vnc )which are quite useful in certain scenarios.
Looking at the complexity of the tool, one would think it would have an extensive documentation detailing each of it’s features and modules. But (un)fortunately, using metasploit depends on one’s creativity and hence no comprehensive documentation is available.
Victor DaViking at PenetrationTests.com has come up with a nice idea of collecting all metasploit tutorials and plugins that individuals have written.
He has setup two pages :
This is a very nice initiative considering the vast implemetations of Metasploit framework. Here’s a message for everyone from Victor:
If you have any plugins/tutorials of your own, or know of any other resources to include, either submit them directly to the directory or e-mail me links and info so I can add them myself.
His email address is analogviking at yahoo dot com
Keep checking the website for regular updates.