CISO

Enterprise Information Security

10 Vulnerable web applications for security testing

by 3 Comments

In this post I am listing a set of vulnerable web applications publicly made available for the purpose of security testing and training.

  1. Google Gruyere for Web Application Exploits and Defences: A Python application with lots of bugs deliberately setup for web application security training. This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application. To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.). Specifically, you’ll learn the following:

    2. How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
    How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

  2. SPI Dynamics (live): This is primarily setup for showcasing the capabilities of WebInspect web application security scanner. The application simulates a vulnerable online banking Web Application. The platform is ASP
  3. Testfire (live): Testfire is an ASP.Net based online banking application for web application security testing. It is setup primarily to demonstrate the capabilities of WatchFire, now IBM, web application security products.
  4. Acunetix: Acunetix provides a set of web application security products and they have setup three test sites for performing web application security testing. Acunetix PHP, Acunetix ASP & Acunetix ASPX are the three sites which is used for demonstrating the web application security tools capabilities of Acunetix products.
  5. Crack me Bank / Cenzic: Another vulnerable online Banking application for web application security testing. It is a PHP based live script running on a webserver.
  6. Foundstone SASS tools: Foundstone, a McAfee company, has a range of tools for web application security. For web application security testing, Hacme Bank, Hacme Casino, Hacme Shopping etc are some of the interesting tools which can be downloaded and installed on your local machine. These tools provide good insights about secure software development as well as secure coding
  7. OWASP WebGoat: OWASP is a leader in providing public information about the web application security process. OWASP has a number of streams and products to enhance the Web Application Security posture of any organization. The resources at OWASP provides a great amount of knowledge for any web application security enthusiast.
  8. OWASP SiteGenerator:  OWASP SiteGenerator allows the creating of dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) covering .Net languages and web development architectures (for example, navigation: Html, Javascript, Flash, Java, etc…).
  9. Stanford SecuriBench: It is an old application based on J2EE, however, still kept active for anyone who are interested to test this out. It should be considered that many of the attack vectors would have been already changed and/fixed. SecuriBench Micro is a series of small test cases designed to exercise different parts of a static security analyser. Each test case in Securibench Micro comes with an answer, which simplifies the comparison process.
  10. BadStore: Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Badstore demonstration software is designed to show you common hacking techniques

    These are demo tools and should not be made part of the production systems. Use all these tools at your own risk Smile  Hope this list of web applications will help you or your team build web application security capabilities.

Burp Tools for Web Application Security

by Leave a Comment

Web Application Security testing is a specialized process in security testing and Burp Suite of tools provides a set of tools which work together to support the end to end security testing process. It allows a security tester from initial mapping and analysis of an application’s attack surface through to finding and exploiting security vulnerabilities

Burp Suite supports both manual and automated security testing. The key components within the Burp Suite includes the following:

    • An intercepting proxy, which lets you inspect and modify traffic between your browser and the target application.
    • An application-aware spider, for crawling content and functionality.
    • An advanced web application scanner, for automating the detection of numerous types of vulnerability.
    • An intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
    • A repeater tool, for manipulating and resending individual requests.
    • A sequencer tool, for testing the randomness of session tokens.
    • The ability to save your work and resume working later.
    • Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

    Try it yourself to how the tool is shaped up in performing the web application security testing.

To download Burp Suite click here. It comes in two versions, one free and the other one commercial. Choose the version based on your Web Application Security testing needs