Vulnerable Web Applications for learning

02 Jul

Just a quick post. Someone on the ‘NULL’ mailing asked for WebGoat alternatives to learning Web Application penetration testing. The reponse was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected  all vulnerable web applications and listed them below for reference:

S.No. Vulnerable Application Platform
1 SPI Dynamics (live) ASP
2 Cenzic (live) PHP
3 Watchfire (live) ASPX
4 Acunetix 1 (live) PHP
5 Acunetix 2 (live) ASP
6 Acunetix 3 (live) ASP.Net
7 PCTechtips Challenge (live)
8 Damn Vulnerable Web Application PHP/MySQL
9 Mutillidae PHP
10 The Butterfly Security Project PHP
11 Hacme Casino Ruby on Rails
12 Hacme Bank 2.0 ASP.NET (2.0)
13 Updated HackmeBank ASP.NET (2.0)
14 Hacme Books J2EE
15 Hacme Travel C++ (application client-server)
16 Hacme Shipping ColdFusion MX 7, MySQL
18 OWASP Vicnum PHP, Perl
19 OWASP InsecureWebApp JAVA
20 OWASP SiteGenerator ASP.NET
21 Moth
22 Stanford SecuriBench JAVA
23 SecuriBench Micro JAVA
24 BadStore Perl(CGI)
25 WebMaven/Buggy Bank (very old)
26 EnigmaGroup (live)
27 XSS Encoding Skills – x5s (Casaba Watcher)
28 Google – Gruyere (live) (previously Jarlsberg)
29 Exploit- DB Multi-platform
30 The Bodgeit Store JSP
31 LampSecurity PHP
32 hackxor Perl(CGI)
33 OWASP – Hackademic PHP
34 PHP

If you know of any other vulnerable web applications (which can be used as a platform for learning web-app pentest), drop a line in the comments.Let me know if any of the links appear dead.

Original Post

Leave a comment

Posted by on July 2, 2012 in Archive


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: