Hacker’s playground 10 vulnerable web applications to practice hacking

If you want to be a hacker, the whole web conspires to help you achieve it. That is the hacker's version of the famous quote, and these deliberately vulnerable websites are where anyone can try out hacking techniques without harming a real target. Here we introduce ten such web applications.

  • WackoPicko – It is a vulnerable web application written by Adam Doupé. It contains known and common vulnerabilities for you to hone your web penetration skills and knowledge, such as XSS vulnerabilities, SQL injections, command-line injections, session ID vulnerabilities, file inclusions, parameter manipulation, Reflected XSS Behind JavaScript, Logic Flaws, Reflected XSS Behind a Flash Form, and Weak usernames or passwords. It was first used for the paper Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners. WackoPicko has been developed as a real web application with the following features:
    • Authentication: WackoPicko provides personalized content to registered users.
    • Upload Pictures: When a photo is uploaded to WackoPicko by a registered user, other users can comment on it, as well as purchase the right to a high-quality version.
    • Comment On Pictures: Once a picture is uploaded into WackoPicko, all registered users can comment on the photo by filling out a form.
    • Purchase Pictures: A registered user on WackoPicko can purchase the high-quality version of a picture.
    • Search: The search feature offers the possibility to filter pictures by looking for strings in the tags of the images.
    • Guestbook: A guestbook page provides a way to receive feedback from all visitors to the WackoPicko website.
    • Admin Area: WackoPicko has a special area for administrators only, which enables the creation of new users.
  • Exploit KB Vulnerable Web App – This is one of the most famous vulnerable web apps, designed as a learning platform for testing various SQL injection techniques; it is a functional website with a content management system based on FCKeditor. This web application is also included in the BackTrack Linux 5r2-PenTesting Edition lab.
  • The BodgeIt Store – This is an open source, vulnerable web application currently aimed at people who are new to web penetration testing. It is easy to install and requires Java and a servlet engine, e.g. Tomcat. It includes vulnerabilities like Cross Site Scripting, SQL injection, Hidden (but unprotected) content, Debug Code, Cross Site Request Forgery, Insecure Object References, and Application logic vulnerabilities.
  • Hackxor – It is a web application hacking game developed by albino, in which players must locate and exploit vulnerabilities to progress through the story: you play as a black hat hacker hired to track down another hacker by any means possible. It contains scripts that are vulnerable to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Structured Query Language Injection (SQLi), Remote Command Injection (RCE), ReDoS, DOR, command injection, and much more. It is a web application running on Fedora 14. Think WebGoat, but with a plot and a focus on realism and difficulty.
    It has the following features:

    • Client attack simulation using HtmlUnit; no alert(‘XSS’) here.
    • Smooth difficulty gradient from moderately easy to fiendishly tricky.
    • Realistic vulnerabilities modeled from Google, Mozilla, etc.
    • Open-ended play; progress by any means possible.
  • SQLol – This is a configurable SQL injection testbed which allows you to exploit SQLi (Structured Query Language Injection) flaws and, furthermore, gives you a large amount of control over how the flaw manifests. This application was released at Austin Hackers Association meeting 0x3f by Daniel “unicornFurnace” Crowley of Trustwave Holdings, Inc. – SpiderLabs. SQLol comes with a set of pre-configured challenges, each of which tasks you with performing some flavor of SQL injection.
  • Mutillidae – It is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts. It was developed by Adrian “Irongeek” Crenshaw and Jeremy “weaponized” Druin. It is designed to be exploitable and vulnerable, and is ideal for practicing skills like SQL injection, cross-site scripting, HTML injection, JavaScript injection, clickjacking, local file inclusion, authentication bypass methods, remote code execution and many more, based on the OWASP (Open Web Application Security Project) Top 10 web vulnerabilities. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP, and an existing installation can be updated on these platforms. With dozens of vulnerabilities and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs, and as a target for vulnerability assessment tools. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an “assess the assessor” target for vulnerability assessment software.
  • DVWA (Damn Vulnerable Web Application) – This vulnerable PHP/MySQL web application is one of the best-known applications for testing your skills in web penetration testing and your knowledge of manual SQL Injection, XSS, Blind SQL Injection, etc. DVWA is developed by Ryan Dewhurst and is part of the RandomStorm Open Source project.
    As the name suggests, DVWA has many web application vulnerabilities. Every vulnerability has three security levels: low, medium and high. The security levels give the ‘attacker’ a graded challenge and also show how each vulnerability can be countered by secure coding.
  • WebGoat – This is an OWASP project and a deliberately insecure J2EE web application designed to teach web application security lessons and concepts. What’s cool about this web application is that it lets users demonstrate their understanding of a security issue by exploiting a real vulnerability in the application in each lesson.
  • OWASP Hackademic Challenges Project – It is another OWASP project that helps you test your knowledge of web application security. You can use it to attack web applications in a realistic but also controllable and safe environment. Currently, there are 10 web application security scenarios available for you to hack. The Hackademic Challenges implement realistic scenarios with known vulnerabilities, and users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security from the attacker’s perspective.
  • XSSeducation – It is a set of Cross Site Scripting attack challenges, aimed at everyone from people just learning about XSS to people who just want a good place to practice their already awesome skills. Various realistic challenges have been included for practice; it is still under development by AJ00200 but can already be downloaded.
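The DVWA entry above describes how each vulnerability is offered at a low, medium and high security level so that the same flaw can be compared with its secure-coding countermeasure. The following added example (not code from DVWA or any of the projects listed here) mirrors that idea for the SQL injection lesson in Python with an in-memory SQLite table: a "low" lookup concatenates the user-supplied id into the query text, while a "high" lookup validates the input's shape and binds it as a parameter. The table contents, the function names and the `compare` helper are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a DVWA-style users table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


def lookup_user_low(conn, user_id):
    """'Low' level: the input is pasted into the SQL text, so any quote or
    keyword the caller supplies is parsed by the database as query syntax."""
    sql = "SELECT first_name, last_name FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_user_high(conn, user_id):
    """'High' level: reject anything that is not a plain integer, then bind the
    value as a parameter so it is only ever compared as data, never parsed."""
    if not user_id.isdigit():
        raise ValueError("user id must be a non-negative integer")
    sql = "SELECT first_name, last_name FROM users WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def compare(user_id):
    """Run the same input through both levels and return (low_rows, high_result).

    high_result is the row list on success or a 'rejected: ...' string when the
    hardened version refuses the input."""
    conn = make_db()
    low = lookup_user_low(conn, user_id)
    try:
        high = lookup_user_high(conn, user_id)
    except ValueError as exc:
        high = f"rejected: {exc}"
    return low, high


if __name__ == "__main__":
    # Constructed inputs: a normal id, and a tautology string of the kind the
    # DVWA SQL injection lesson is built around. Only the low level lets the
    # second one widen the WHERE clause to every row.
    for candidate in ["2", "1' OR '1'='1"]:
        print(repr(candidate), "->", compare(candidate))
```

Both levels return the single matching row for a well-formed id; for the tautology input the low version hands back the whole table, while the high version never reaches the database because the shape check fails first, and even a value that passed the check would only be compared as a bound integer.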

