There are various vulnerable web applications out there to hone your skills or test the latest web vulnerability scanner you downloaded, one such package would be Damn Vulnerable Web App – Learn & Practise Web Hacking.
There are others such as:
- Vicnum – Lightweight Vulnerable Web Application
- Web Security Dojo – Training Environment For Web Application Security
Another I learned of recently is WackoPicko, it’s basically a website that contains known vulnerabilities and was first used for the paper Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners [PDF].
To Install From Source
Download the source package as below, then import the WackoPicko database into MySQL using a command like the following:
mysql -u <user> -p < current.sql
This will create the MySQL user WackoPicko with the password webvuln!@# as well as create the WackoPicko table. The final step is to enable read/write access to the upload directory of WackoPicko for the webserver user. An easy way to do this is:
chmod 777 -R upload
- The search bar doesn’t appear in Internet Explorer.
- There are some onions hanging around (particularly in the upload folder) but I kept them there to preserve parity with the version used during the tests.
- WackoPicko was developed with the assumption that it was running as the root application of the URL and won’t work when running under a subdirectory.
You can download WackoPicko here:
Or read more here.