
In this post I am listing a set of vulnerable web applications that have been made publicly available for the purpose of security testing and training.

  1. Google Gruyere for Web Application Exploits and Defences: A Python application with lots of bugs deliberately set up for web application security training. This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application. To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.). Specifically, you’ll learn the following:
     - How an application can be attacked using common web security vulnerabilities, like cross-site scripting (XSS) and cross-site request forgery (XSRF).
     - How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial of service, information disclosure, or remote code execution.

  2. SPI Dynamics (live): This is primarily set up to showcase the capabilities of the WebInspect web application security scanner. The application simulates a vulnerable online banking web application. The platform is ASP.
  3. Testfire (live): Testfire is an ASP.NET based online banking application for web application security testing. It is set up primarily to demonstrate the capabilities of Watchfire (now IBM) web application security products.
  4. Acunetix: Acunetix provides a set of web application security products, and they have set up three test sites for performing web application security testing. Acunetix PHP, Acunetix ASP and Acunetix ASPX are the three sites used to demonstrate the capabilities of the Acunetix web application security tools.
  5. Crack Me Bank / Cenzic: Another vulnerable online banking application for web application security testing. It is a PHP based live script running on a web server.
  6. Foundstone SASS tools: Foundstone, a McAfee company, has a range of tools for web application security. For web application security testing, Hacme Bank, Hacme Casino, Hacme Shopping, etc. are some of the interesting tools that can be downloaded and installed on your local machine. These tools also provide good insights into secure software development and secure coding.
  7. OWASP WebGoat: OWASP is a leader in providing public information about the web application security process. OWASP has a number of streams and products to enhance the web application security posture of any organization. The resources at OWASP provide a great amount of knowledge for any web application security enthusiast.
  8. OWASP SiteGenerator: OWASP SiteGenerator allows the creation of dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) covering .NET languages and web development architectures (for example, navigation: HTML, JavaScript, Flash, Java, etc.).
  9. Stanford SecuriBench: This is an old application based on J2EE; however, it is still kept active for anyone who is interested in testing it out. Bear in mind that many of the attack vectors have probably already changed or been fixed. SecuriBench Micro is a series of small test cases designed to exercise different parts of a static security analyser. Each test case in SecuriBench Micro comes with an answer, which simplifies the comparison process.
  10. BadStore: Badstore.net is dedicated to helping you understand how hackers prey on web application vulnerabilities, and to showing you how to reduce your exposure. The BadStore demonstration software is designed to show you common hacking techniques.

These are demo tools and should not be made part of production systems. Use all these tools at your own risk. I hope this list of web applications will help you or your team build web application security capabilities.