There are various vulnerable web applications out there to hone your skills on or to test the latest web vulnerability scanner you downloaded; one such package is Damn Vulnerable Web App – Learn & Practise Web Hacking.
Others include:
- Vicnum – Lightweight Vulnerable Web Application
- Web Security Dojo – Training Environment For Web Application Security
Another I learned of recently is WackoPicko. It is a website that contains known vulnerabilities and was first used for the paper Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners [PDF].
To Install From Source
Download the source package as below, then import the WackoPicko database into MySQL using a command like the following, substituting a MySQL account that is allowed to create databases and users:

```sh
mysql -u <mysql_admin_user> -p < current.sql
```
This will create the MySQL user WackoPicko with the password webvuln!@# and create the WackoPicko database and its tables. The final step is to give the webserver user read/write access to the upload directory of WackoPicko. An easy (but permissive) way to do this is:

```sh
# makes upload and everything under it readable and writable by every local account
chmod 777 -R upload
```
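As an added example (not part of the WackoPicko project or the original post), the same upload-directory step done so that only the web server account can write there, plus a check that nothing under it is world-writable. It assumes the web server runs as the account passed in (for example www-data on Debian-style systems) and that you run it as root or as the current owner of the directory.

```sh
#!/bin/sh
# Added example: restrict the WackoPicko upload directory to the web server user.
# Assumes: DIR is the upload directory; WEB_USER is the account the web server runs as.
set -eu

# setup_upload_dir DIR WEB_USER
# Hand DIR to WEB_USER and give only that user access: directories rwx, files rw.
setup_upload_dir() {
    dir=$1
    web_user=$2
    mkdir -p "$dir"
    chown -R "$web_user" "$dir"
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# check_upload_dir DIR
# Returns 0 when no path under DIR is world-writable (octal o+w bit unset), 1 otherwise.
check_upload_dir() {
    dir=$1
    if [ -n "$(find "$dir" -perm -002 -print 2>/dev/null | head -n 1)" ]; then
        return 1
    fi
    return 0
}

# Typical use on the installed application (upload directory from the install notes):
#   setup_upload_dir upload www-data && check_upload_dir upload
```

The web server still needs to be able to create and read files in the directory; owning it outright covers that without opening it to every local account.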
Known Issues
- The search bar doesn’t appear in Internet Explorer.
- There are some onions hanging around (particularly in the upload folder) but I kept them there to preserve parity with the version used during the tests.
- WackoPicko was developed with the assumption that it is running as the root application of the site (at the base URL) and won’t work when deployed in a subdirectory.
You can download WackoPicko here:
Source: WackoPicko.zip
Pre-Built Image: WackoPicko.iso
Or read more here.