There are many ways for a tester to improve their testing skills, but nothing beats actual hands-on experience. If you are learning security testing, you may want to get your hands dirty on an actual web application. In this article, we list some online and live vulnerable web applications available on the Internet to practice on.
Damn Vulnerable Web Application (DVWA):
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid learning web application security in a classroom environment.
Hackazon:
Hackazon is an online storefront that reflects the technologies used in today’s rich client and mobile applications. It has an AJAX interface, strict workflows and RESTful APIs used by a companion mobile app. It is also full of your favorite vulnerabilities, such as SQL injection, cross-site scripting and so on.
Firing Range:
Google’s ‘Firing Range’ is a step towards securing web applications against hacking. Released in November 2014, it is an open source Java application built on Google App Engine that provides a test ground for measuring the effectiveness of security testing tools. It contains a wide range of XSS (cross-site scripting) and other web vulnerabilities.
Hack This Site:
Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. It contains basic and realistic web missions for testers to complete.
WebGoat:
WebGoat is an OWASP project and a deliberately insecure J2EE web application designed to teach web application security lessons and concepts. It lets users demonstrate their understanding of a security issue by exploiting a real vulnerability in the application.
We hope the above coverage of vulnerable web applications proves useful to security testers. Let us know your views on this.