Penetration testing

Top 5 (deliberately) vulnerable web applications to practice your skills on

Shubham Vashist
July 11, 2018 by
Shubham Vashist

The OWASP Top 10 includes the top 10 vulnerabilities which are followed worldwide by security researchers and developers. You must have heard or used lots of tools for penetration testing, but to use those tools, you must have a vulnerable web application.

To enter the world of security, you must have hands-on experience finding bugs and vulnerabilities in a web application. Practicing your skills always help you in your career and professional growth. If you are a beginner, then you must test your skills before entering the professional world: it allows you to understand the procedures and methods of securing web apps. If you are a teacher, then you can show your students how things get done: this will help you to evaluate yourself where you stand and which areas you need to improve more.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

In short, you must practice your skills before facing real-world security scenarios. Practice will count as an experience that is eventually going to benefit you in the long run.

I am going to discuss top five broken or vulnerable web applications which you can use to test or practice your skills, and and which you can easily host at localhost.

1. DVWA – It stands for Damn Vulnerable Web App. It is based on PHP and runs on MySQL database server, which is indeed damn vulnerable. It has three levels of security: Low, Medium, and High. Each level of security demands different skills. Developers have decided to share its source code, too, so that security researchers can see what is going on at the backend.

DVWA has vulnerabilities like XSS, CSRF, SQL injection, file injection, upload flaws and more, which is great for researchers to learn and help others learn about these flaws. Researchers can also use their various tools to capture packets, brute force, and other such tactics on DVWA.

One should try to exploit this application completely. You can easily reset database if you want to start it over again. You can simply download DVWA from here.

Figure 1: DVWA

2. Badstore: Badstore is one of the most vulnerable web application on which security researchers can practice their skills. It has vulnerabilities like cross-site scripting (XSS), SQL injection, clickjacking, password hash (MD5 decoding) and, if you're good at penetration testing, you may find the robot.txt file and use it for further exploits.

You need to download VM (Virtual Machine) to use this application, and run it on VMware Workstation. After installing this application on VMware workstation, run the *ipconfig* command so that you come to know the IP address on which it is running. Now open your favorite browser and enter that same IP in the address bar. You will see that the Badstore Webpage is now displayed on your screen. It's time to play! Download it here.

Figure 2: Badstore

3. Metasploitable 2 – Metasploitable 2 is the most common vulnerable web application amongst security researchers. Security enthusiasts can use high-end tools like Metasploit and Nmap to test this application.

This vulnerable application is mainly used for network testing. It was designed after the popular tool Metasploit, which is used by security researchers to find security breaches. You may even find a shell for this application. It has built-in TWiki, phpMyAdmin, WebDAV, and DVWA.

You may not find the GUI of this application, but you can still exploit it by using various tools in the terminal or command line. You can scan its ports, services, service version and lots more. This will help you to evaluate your skills learn the Metasploit tool.

You will have to download VM (Virtual Machine) for this application, run it on VMWare Workstation, and determine its IP by entering command *ipconfig* or *ifconfig* into its terminal. Download it here.

Figure 3: Metasploitable 2

4. Web Security Dojo – WSD is a VM which holds many tools (like Burp Suite, w3af, Ratproxy and SQLmap.) and target machines (WebGoat and Hacme Casino, among others) in itself. It is an open-source training environment based on Xubuntu 12.04. It also holds training materials and user guides for some targets.

To use it, you don't need to run other tools, just this VM. You first need to install and run VirtualBox 5 (or later), or you can also run it on VMware. After that, import the ova file to VirtualBox/VMware and there you go. It will feel like any other Ubuntu OS.

This VM is great for beginners to self-study and learn, for professionals and for teachers to teach their students about vulnerabilities. Download it here.

Figure 4: Web Security Dojo

5. Mutillidae II – An open-source and free application developed by OWASP itself, Mutillidae II contains various vulnerabilities and hints to help the user to exploit them. Many security enthusiasts have used it because it provides easy-to-use web hacking environment. If penetration testing or hacking is your hobby, then this web application is for you to brush up your skills.

It has vulnerabilities to test like XSS, SQL injection, HTML injection, clickjacking, authentication bypass and many other vulnerabilities. It also has subcategories in its vulnerabilities section which provides further options.

You will need to install XAMPP onto your machine, but you will get XAMPP with Mutillidae. The user can even switch between secure and insecure modes. Mutillidae comprises everything you need and provides a complete lab environment.

One specialty of Mutillidae is that whenever you've messed up, there is "setup" button by which the system can be restored to default. It also provides a data capture page that captures data in the database and file. It really helps you to gain confidence in pentesting. You must try this application! Download it here.

Figure 5: Mutillidae

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Some Other Useful Vulnerable Web Applications

  1. Juice Shop
  2. Zero Bank
  3. bWAPP
  4. WebGoat
  5. Hackxor
  6.  XXE
  7. Why Practice on Broken Web Apps?

    1. You will get to know your hacking skills and know where you stand in the security world.
    2. Before entering the professional world of information security, you must have hands-on experience with vulnerable applications.
    3. It helps to nourish your skills.
    4. It also helps you to understand and practice your weak areas.
    5. It's good to spread knowledge. You can use these web applications to demonstrate the common web application vulnerabilities to others.
    6. Sources

      OWASP Vulnerable Web Applications Directory Project, OWASP

      Shubham Vashist
      Shubham Vashist

      Shubham Vashist, from India, is an enthusiastic Information Security Researcher & Web application Security Tester. Having earned a Computer Science and Engineering degree, he has gained experience by learning, practicing and reporting loopholes to application vendors. His passion is to secure applications from attackers and make them reliable.