Vulnerable Web Applications for learning

Update: 08/08/2010: Created a tabled output of the listing. Platforms for most applications added. More applications added to list thanks to comments.

Just a quick post. Someone on the ‘NULL’ mailing list asked for WebGoat alternatives for learning Web Application penetration testing. The response was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected all vulnerable web applications and listed them below for reference:


Hakin9 – Best IT Security Magazine

Update 1 – 10 Aug, 2009: Whoa !! Just received my “FREE” copy of the ‘Best of Hakin9’. This blog post was an entry in their July competition. It’s been just 10 days and I return home from office to see the magazine on the table. That was awesome quick. Hats off to the Hakin9 team. The magazine content is also nice. The topics I had been looking forward to, especially Analyzing Malware (part 1-3) and Javascript De-obfuscation, and many more have been included in this edition. Couldn’t ask for anything more. Thanks guys !!

I’ve been a long-time fan of the magazine “Hakin9”. For those who do not know what Hakin9 is, head over to their website for more information.

In short, it’s an IT security magazine, with a strong focus on technical knowledge. Unlike other technical magazines, the content quality is amazing. It’s always informative and you end up learning quite a few things. Best of all, the content is always very recent. For example, in the last issue (3/2009), they published articles on how to analyze malformed PDFs and binaries. PDF-based exploits are all the rage, now that Adobe has seen a few severe vulnerabilities.

Anyway, the current issue (4/2009) is out with the main article focusing on ERP security.

Hakin9 - 04/2009 - My ERP Got Hacked!

Other topics discussed are the recent Nokia ‘Silence’ malware, automating malware analysis, creating a self-signed certificate using OpenSSL and much more.
Visit for detailed information on the topics published.

Happy reading

Metasploit tuts+plugins collection

Unless you have been living under a rock, I am sure you would have heard of the Metasploit framework – the click-click-0wn tool.

It was initially developed by H.D. Moore and is currently at version 3.3 of development. Metasploit offers a variety of features, notably its ability to inject any payload with any exploit. It also provides integrated tools (like meterpreter and vnc) which are quite useful in certain scenarios.

Looking at the complexity of the tool, one would think it would have extensive documentation detailing each of its features and modules. But (un)fortunately, using Metasploit depends on one’s creativity and hence no comprehensive documentation is available.

Victor DaViking at has come up with a nice idea of collecting all metasploit tutorials and plugins that individuals have written.
He has set up two pages:




This is a very nice initiative considering the vast implementations of the Metasploit framework. Here’s a message for everyone from Victor:

If you have any plugins/tutorials of your own, or know of any other resources to include, either submit them directly to the directory or e-mail me links and info so I can add them myself.

His email address is analogviking at yahoo dot com.
Keep checking the website for regular updates.