Deliberately Insecure Web Applications For Learning Web App Security
Over the last few months I've been teaching free classes for the ISSA Kentuckiana chapter in Louisville Kentucky. After doing one on Nmap and another on Sniffers, I talked it over with my buddies Brian and Jeff and decided that the next one should be on web application vulnerabilities. Now the question becomes what to test against in a classroom environment? To tell the truth, I'm not as up on web application security as I think I need to be to teach the class yet, and I don't want to have to develop my own insecure code just to have something to test against in the lab. I could look through BugTraq for good candidates and install old venerable versions of apps like phpBB but I did not think that would be the clearest way to illustrate some concepts. What I wanted was a "one stop shop" for a bunch of common vulnerabilities. It also occurred to me to use one of the many online wargame/hacker challenge sites, but there are a few major problems with that approach:
1. Often the places I teach at won't let me have unfettered access to the
global Internet during class.
2. Some of the challenges are not really all that realistic.
3. If the ISP was monitoring the traffic for misuse with an IDS they may write
me angry letters, even if I have permissions from the target.
What I needed were deliberately insecure web application designed for learning. With a little Googling I found quite a few. I plan to update this page as I have more time to test them, and I'd be glad to hear your comments and suggestions for additions to the list. While there may not be a deliberately insecure web application for your specific development environment, most common application vulnerabilities show a lot of platform overlap so they should still be useful in teaching you what to avoid when you code your applications.
BadStore
Link: http://www.badstore.net/
Platform: Perl, Apache and MySQL
Install: Meant to run by booting a Live CD, but I'd recommend using my
Live CD VMX
Notes: Easy to set up, and it's nice that you can run it from a VM with a little
work. Just make sure you set the VM to use the IP addresses that are only
available from the local host OS (NAT or Host-only).
Damn Vulnerable Web App
Link:
http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/
Platform: PHP, Apache and MySQL
Install: Should work on any box you can install Apache/PHP/MySQL on.
Notes: When I first posted Mutillidae, Ryan Dewhurst emailed me and told be
about a project he started a few months before mine. His is also PHP/MySQL
based, and looks prettier than mine. :) I've yet to play with it much, but I may
be using some of his code in the near future to expand Mutillidae.
Gruyere
Link:
http://google-gruyere.appspot.com/
Platform: Google app engine or locally with Python
Install: You don't have to install it, you could just run it from
http://google-gruyere.appspot.com/start but instructions for running it
locally are on the project's website.
Notes: None yet, I've not played with it much.
Hacme Series from Foundstone
Foundstone has put out a whole series of venerable web applications you can learn from and test your skills against. Some are harder to install than others since a few are quite old by web standards and the installers require outdated MSSQL services that don't work the same way as the more up-to-date ones. Still, with a little work you should be able to get them installed on a modern system. I can't guarantee all of them are designed to only listen to the local loopback, so if you decide to run them on a production network I highly recommend you use a VM set to use the IP addresses that are only available from the local host OS (NAT or Host-only). One of the great things about the Hackme series is the diverse programming platforms they are written in. As I said in the intro paragraph, most web development platforms have similar common vulnerabilities, but it's nice to know what to look out for on your specific environment. Most of them I have limited install note on, but I'm working on testing them out.
Hacme Travel
Link: http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
Platform: Windows XP, MSDE 2000 Release A, Microsoft .NET Framework v1.1, C++
Install:
Notes:Hacme Bank
Link: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Platform: Windows, IIS, .Net 1.1
Install:
Notes:Hacme Shipping
Link: http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
Platform: Windows XP, Microsoft IIS, Adobe ColdFusion MX Server 7.0 for Windows, MySQL (4.x or 5.x with strict mode disabled)
Install:
Notes:Hacme Casino
Link: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
Platform: Ruby on Rails
Install: Installer that sets up a built in WEBrick server
Notes:Hacme Books
Link: http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
Platform: J2EE application, Java Development Kit
Install:
Notes:
Foundstone also hosts video solutions for Hacme Travel v1.0 and Hacme Bank v2.0.
Moth
Link:
http://www.bonsai-sec.com/en/research/moth.php
Platform: Linux VMWare image
Install: Just download the VM and open it in VMWare player
Notes: I've yet to messed with it much, but from the sound of it it looks like and easy test
platform to get up and running. Unfortunately, the version I tested is over 5GB
uncompressed, and their web site needs more of a description of what is included
in the 396MB download. The readme you get after the download sheds some light on
this, it seems to include vulnerable versions of the following packages:
Nanbiquara 2.0 (PHP + MySQL)
Riotpix .61p (PHP + MySQL)
Vanilla 1.1.4 (PHP + MySQL)
Wordpress 2.6.5 (PHP + MySQL)
Yazd war 3.0r (Tomcat 6 + MySQ)
I like the idea of being able to access the script thee different ways (directly, through mod_security or through PHP-IDS) and seeing the different results, but they need to work on getting the install smaller.
Mutillidae
Link:
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Platform: PHP, Apache and MySQL
Install: Should work on any box you can install Apache/PHP/MySQL on. I have
personally tested it in
XAMPP under Windows and Linux.
Notes: Mutillidae is my personal project to implement the
OWASP Top 10 Vulnerabilities. It's designed to be easy to follow and geared
towards a classroom environment. Think of it as a noob's WebGoat.
Stanford SecuriBench
Link:
http://suif.stanford.edu/~livshits/securibench/
Platform: J2EE application, Java Development Kit
Install: Looks like it's another "by hand" install.
Notes: Includes a bunch of venerable J2EE web apps, such as: jboard 0.30,
blueblog 1.0, webgoat 0.9, blojsom 1.9.6, personalblog 1.2.6, snipsnap
1.0-BETA-1, road2hibernate 2.1.4, pebble 1.6-beta1 and roller 0.9.9 .
Vicnum
Link:
http://sourceforge.net/projects/vicnum/
http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project
Platform: PHP and Perl
Install: Should work on any box you can install Apache/PHP/MySQL on. Try it with
XAMPP.
Notes: Mordecai Kraushar sent me an email about his project. The more the
merrier. Here is how it is described: "A web application showing common
vulnerabilities such as cross site scripting and session management issues.
Helpful to IT auditors honing web security skills and to those setting up
'capture the flag' exercises. For the VM login as root/vicnum"
WebGoat
Link:
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Platform: J2EE web application
Install: Self contained Tomcat server you can run from a directory under Windows
or Linux
Notes: Love the fact it's so self contained and easy to run. By default it only
listens on the loopback address, so you can run it from your workstation a
production network with little worries.
WebMaven (AKA: Buggy Bank)
Link:
http://www.mavensecurity.com/WebMaven.php
Platform: Perl CGI scripts
Install: You have to install this on a box with a web server and Perl CGI
support. The creators recommend Xitami for
the sake of ease. Makes sure that you don't put the server on a production
network.
Notes: I've not played with this one much. The website for WebMaven says it was
the basis for WebGoat v1.
Other Resources
The Heorot forum also has a collection of Live CDs you can use as targets in learning pen-testing. If you are interested in trying out exploits against binaries, check out some of the out-of-date apps available at http://oldapps.com . They are not necessarily web app focused, but they may still be useful to you.
If you have more suggestions for deliberately insecure web apps I can add to the page, please contact me.
Change log:
09/23/2009: Added information on Vicnum and oldapps.com.
05/02/2009: Added Moth to the list.
03/02/2009: Added Mutillidae and Damn Vulnerable Web App to the list.
12/22/2008: First posted.