Where can I find a deliberately insecure open source web application?
Solution 1
There are online (hacking challenge / practice / fun ) and offline (you got the source code) apps:
Offline :
- OWASP Webgoat
-
Foundstone Hackme Series
- Hackme Bank
- Hackme Travel
- Hackme Casino
- Hackme Books
- WebMaven
- SecuriBench
- You can download VmWare Images of old vulnerable known CMSs, or just download them from repositories (try sourceforge or official old releases and find vulnerabilities from Securityfocus BID )
Online
More Realistic Demonstration
- http://zero.webappsecurity.com
- http://crackme.cenzic.com
- http://testphp.acunetix.com
- http://testasp.acunetix.com
- http://testaspnet.acunetix.com
- http://hackme.ntobjectives.com
This is an old list I grabbed from somewhere, some of them can be down right now.
Challenge sort of examples
- http://hackergames.net/
- http://www.hackthissite.org
- http://www.ngsec.com
- http://www.try2hack.nl
- http://www.hackerslab.org
- http://www.slyfx.com
- http://www.mod-x.co.uk
- http://hackme.elderson.net
- http://mindlock.bestweb.net/join.php
- http://www.cyberarmy.com/zebulun/
- http://www.roothack.org/
- http://hack.datafort.net/
- http://hacknull.com/
- http://wargames.unix.se/
- http://www.osix.net/
- http://www.h4ckerx.ne
- http://www.bright-shadows.net/
- http://www.0penhack.com/
- http://scifi.pages.at/hackits/
- http://lightning.prohosting.com/~thegame/
- http://www.hackquest.de/
- http://www.hack4u.nl
- http://hackergames.net/
- http://bigcontest.securityhack.net
- http://www.hackerss.com
- http://www.izhal.com
- http://www.boinasnegras.com
- http://ambience.digitalshell.net/~llamatron/
- http://www.blind-dice.com
- http://www.arcanum.co.nz
- http://www.ralf-mengwasser.de
- http://www.cyberarmy.com
- http://hackme.elderson.net
- http://www.slyfx.com
- http://lightning.prohosting.com/thegame
- http://digitalparadox.org
- http://www.learntohack.org
- http://x-avier.com
- http://m4tr1x.wsn.at
- http://www.hdcwargame.com
- http://vortex.labs.pulltheplug.com
Solution 2
Check out WebGoat. It's an application riddled with vulnerabilities from the OWASP list, designed as a learning resource for web application developers. The application is a tutorial that walks developers through the vulnerabilities it contains, with tests for each lesson.
Solution 3
You might want to try https://hack.me
It is a community driven project where all kinds of vulnerable web applications are hosted and shared. You can run them in a new sandbox, safely without downloading/configuring any server.
I'm the project founder but since it's a completely free project I thought this would be worth saying in addition to the great other resources mentioned.
Solution 4
There was a website that was built to have insecurities in it, and the object was to hack it. I can't remember its name. I'm googling around for it. Will edit as I find it.
Found it: The name is hackthissite.org.
Solution 5
there is also...Damn Vulnerable Web App (DVWA) ...
here...dvwa.co.uk
Phil Laliberte
Updated on June 14, 2022Comments
-
Phil Laliberte almost 2 years
As a developer, I've learned that I usually gain a better understanding of best/worst practices through experience. The area of web application security isn't really somewhere where my organization can afford to let developers learn through trial and error.
So looking for a hands-on approach to knowledge sharing of best practices in web application security, I was thinking that it would be useful to have an open source application that was deliberately built to be insecure in order to help teach junior developers about application security.
Does anyone out there know where to find something like this?
-
Athena over 15 yearsThank you as well for this link! I just realized that I've had that in my bookmarks list, marked as something to explore, but never actually got around to doing so! (I guess I know where my next few weekends are going to go :-))
-
h3xStream almost 14 yearsdvwa.co.uk (the link was down without the "www.")
