Keeping Up With The Hackers: Where To Practice Your Web Hacking Skills

Feb 13, 2014 By Sarah Vonnegut

This guest post is by application security professional Dave Ferguson. Keep up with Dave’s posts on his blog!

There’s a shortage of application security experts.  Hackers seem to continually have the upper hand over those trying to defend applications against threats.  One reason is that software has become so prevalent, and this trend will only continue (we’ll need even more software if we’re going to enable the Internet of Things).  The bottom line is that we’re writing code faster than we can secure it.

If you’re someone who’s trying to enter the application security field, first start with the basics.  Learn about common vulnerabilities and how hackers exploit them.  You can’t become a true expert just by reading about them.  To really understand application attacks at a deep technical level (and be able to explain them to others – the benchmark of actually knowing something), you have to see them in action and experience them first hand.

Looking back, I was fortunate.  I had the opportunity to penetration test hundreds of different applications in my role as an application security consultant.  Our corporate clients gave me free rein to hack their sites.  It was a terrific learning experience.

Unfortunately, that type of opportunity isn’t available to most people.  So, the big question: how do you develop or improve your web hacking skills?  You definitely don’t want to test any old live production site and risk being arrested and prosecuted!  There are training classes and boot camps of course, but they can run on the expensive side and give you only a limited time of the real hands-on hacking.

One of the best ways to learn about vulnerabilities and attacks is to test applications built specifically for that purpose.  As application security has become more and more prevalent over the last few years, dozens of intentionally vulnerable web apps have been written and made available.  You’ll find a comprehensive list of these applications at the OWASP Vulnerable Web Applications Directory.  It’s broken into three categories:

  • Online apps (live, Internet-facing web apps)
  • Offline apps (applications you download and run locally)
  • VMs / ISOs (self-contained environments that run multiple vulnerable apps)

The OWASP Broken Web App homepage

I highly recommend the OWASP Broken Web App Project (OWASPBWA).  OWASPBWA is a self-contained virtual machine that has pre-configured deployments of about 35 different web applications.  Some are tailored specifically for training, such as WebGoat.  Some are realistic, intentionally vulnerable apps (e.g., Vicnum, WackoPicko).  Others are old, vulnerable versions of real applications (e.g., WordPress, Joomla, GetBoo).

To get started with OWASPBWA, simply download the VM (the current version is 1.1.1) and launch it within Oracle VirtualBox or VMware Player (both are free).  Once it has finished booting, open your browser to http://owaspbwa.

This is the OWASPBWA home page.  Next to each application, you will see a green “+”, which is where you can find helpful information about each application, such as programming language and user credentials needed to log in.  Near the top of this page is a link that details many of the specific vulnerabilities in the applications.  But if you want to challenge yourself, don’t look at that.  Instead try to find the vulnerabilities on your own.

OWASPBWA is updated periodically.  For example, the bWAPP vulnerable web app will be added soon.

For now, go forth, hack, and learn!

About Dave:

Dave Ferguson is an experienced Application Security professional currently working at a large enterprise in the U.S.  With a 12-year career as a software developer under his belt, he transitioned to a role in Application Security.  He served as a Principal Consultant with a leading information security company and as a Solutions Architect with an application security vendor.  Dave holds CISSP and CSSLP certifications, has been an OWASP member and contributor since 2006, and authored the OWASP Forgot Password Cheat Sheet.

For more AppSec posts from Dave, check out his blog!
