Where can I find a deliberately insecure open source web application? [closed]

As a developer, I've learned that I usually gain a better understanding of best/worst practices through experience. The area of web application security isn't really somewhere where my organization can afford to let developers learn through trial and error.

So looking for a hands-on approach to knowledge sharing of best practices in web application security, I was thinking that it would be useful to have an open source application that was deliberately built to be insecure in order to help teach junior developers about application security.

Does anyone out there know where to find something like this?

Phil Laliberte asked Dec 13 '08 15:12



1 Answer

There are online (hacking challenge / practice / fun) and offline (you get the source code) apps:

Offline:

  • OWASP Webgoat
  • Foundstone Hackme Series
    • Hackme Bank
    • Hackme Travel
    • Hackme Casino
    • Hackme Books
  • WebMaven
  • SecuriBench
  • You can download VMware images of old, known-vulnerable CMSs, or just download them from repositories (try SourceForge or official old releases and find vulnerabilities from the SecurityFocus BID)

Online

More Realistic Demonstration

  • http://zero.webappsecurity.com
  • http://crackme.cenzic.com
  • http://testphp.acunetix.com
  • http://testasp.acunetix.com
  • http://testaspnet.acunetix.com
  • http://hackme.ntobjectives.com

This is an old list I grabbed from somewhere; some of them may be down by now.

Challenge sort of examples

  • http://hackergames.net/
  • http://www.hackthissite.org
  • http://www.ngsec.com
  • http://www.try2hack.nl
  • http://www.hackerslab.org
  • http://www.slyfx.com
  • http://www.mod-x.co.uk
  • http://hackme.elderson.net
  • http://mindlock.bestweb.net/join.php
  • http://www.cyberarmy.com/zebulun/
  • http://www.roothack.org/
  • http://hack.datafort.net/
  • http://hacknull.com/
  • http://wargames.unix.se/
  • http://www.osix.net/
  • http://www.h4ckerx.ne
  • http://www.bright-shadows.net/
  • http://www.0penhack.com/
  • http://scifi.pages.at/hackits/
  • http://lightning.prohosting.com/~thegame/
  • http://www.hackquest.de/
  • http://www.hack4u.nl
  • http://bigcontest.securityhack.net
  • http://www.hackerss.com
  • http://www.izhal.com
  • http://www.boinasnegras.com
  • http://ambience.digitalshell.net/~llamatron/
  • http://www.blind-dice.com
  • http://www.arcanum.co.nz
  • http://www.ralf-mengwasser.de
  • http://www.cyberarmy.com
  • http://lightning.prohosting.com/thegame
  • http://digitalparadox.org
  • http://www.learntohack.org
  • http://x-avier.com
  • http://m4tr1x.wsn.at
  • http://www.hdcwargame.com
  • http://vortex.labs.pulltheplug.com
dr. evil answered Oct 12 '22 02:10