Checkmarx Named a Leader in Gartner Magic Quadrant for Application Security Testing

Keeping Up With The Hackers: Where To Practice Your Web Hacking Skills

This guest post is by application security professional Dave Ferguson. Keep up with Dave’s posts on his blog!

There’s a shortage of application security experts.  Hackers seem to continually have the upper hand over those trying to defend applications against threats.  One reason is that software has become so prevalent; This trend will only continue (we’ll need even more software if we’re going to enable The Internet of Things).  The bottom line is that we’re writing code faster than we can secure it.

If you’re someone who’s trying to enter the application security field, first start with the basics.  Learn about common vulnerabilities and how hackers exploit them.  You can’t become a true expert just by reading about them.  To really understand application attacks at a deep technical level (and be able to explain them to others – the benchmark of actually knowing something), you have to see them in action and experience them first hand.

Looking back, I was fortunate.  I had the opportunity to penetration test hundreds of different applications in my role as an application security consultant.  Our corporate clients gave me free reign to hack their sites.  It was a terrific learning experience.

Unfortunately, that type of opportunity isn’t available to most people.  So, the big question: how do you develop or improve your web hacking skills?  You definitely don’t want to test any old live production site and risk being arrested and prosecuted!  There are training classes and boot camps of course, but they can run on the expensive side and give you only a limited time of the real hands-on hacking.

One of the best ways to learn about vulnerabilities and attacks is to test applications built specifically for that purpose.  As application security has become more and more prevalent over the last few years, dozens of intentionally vulnerable web apps have been written and made available.  You’ll find a comprehensive list of these applications at the OWASP Vulnerable Web Applications Directory.  It’s broken into three categories:

  • Online apps (live, Internet-facing web apps)
  • Offline apps (applications you download and run locally)
  • VMs / ISOs (self-contained environments that run multiple vulnerable apps)
The OWASP Buggy Web App homepage
The OWASP Broken Web App homepage

I highly recommend the OWASP Broken Web App Project (OWASPBWA).  OWASPBWA is a self-contained virtual machine that has pre-configured deployments of about 35 different web applications.  Some are tailored specifically for training, such as WebGoat.  Some are realistic, intentionally vulnerable apps (e.g., Vicnum, WackoPicko).  Others are old, vulnerable versions of real applications (e.g., WordPress, Joomla, GetBoo).

To get started with OWASPBWA, simply download the VM (the current version is 1.1.1) and launch it within Oracle VirtualBox or VMware Player (both are free).  Open your browser to http://owaspbwa after the boot up has finished. 

This is the OWASPBWA home page.  Next to each application, you will see a green “+”, which is where you can find helpful information about each application, such as programming language and user credentials needed to log in.  Near the top of this page is a link that details many of the specific vulnerabilities in the applications.  But if you want to challenge yourself, don’t look at that.  Instead try to find the vulnerabilities on your own.

OWASPBWA is updated periodically.  For example, the bWAPP vulnerable web app will be added soon.

For now, go forth, hack, and learn!

About Dave:

dferguson_picDave Ferguson is an experienced Application Security professional currently working at a large enterprise in the U.S.  With a 12-year career as a software developer under his belt, he transitioned to a role in Application Security.  He served as a Principal Consultant with a leading information security company and as well as a Solutions Architect with an application security vendor.  Dave holds CISSP and CSSLP certifications, is an OWASP member and contributor since 2006, and authored the OWASP Forgot Password Cheat Sheet.

For more AppSec posts from Dave, check out his blog!

Jump to Category