1 – Bricks
Bricks is a deliberately vulnerable web app built on PHP with a MySQL database, where each "brick" contains a single security vulnerability to be found and mitigated. The project provides a platform for learning and teaching AppSec, as well as a way to test web app scanners. There are three types of bricks: login pages, file upload pages and content pages, each carrying the kinds of vulnerabilities typical for that part of an application (for example, injection on a login form or unrestricted upload on a file upload page).
2 – bWAPP
bWAPP, or Buggy Web Application, is "a free and open source deliberately insecure web application" created by Malik Messelem, @MME_IT. It covers over 100 common issues, including all of the OWASP Top 10 risks. bWAPP is built in PHP and uses MySQL. For more advanced users, bWAPP also offers what Malik calls the bee-box, a custom Linux VM that comes with bWAPP pre-installed.
3 – DVWA
Damn Vulnerable Web Application (DVWA) was created with the help of Ryan Dewhurst, @ethicalhack3r, who has also given the open source static code analysis tool DevBug to the community. Built in PHP/MySQL, the vulnerabilities to look out for in DVWA range from SQL injection and cross-site scripting to CAPTCHA bypass and malicious file execution. DVWA is available on GitHub, and a YouTube walkthrough covers installation.
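Both the Bricks login bricks and DVWA's SQL injection lessons revolve around the same defect: user input concatenated into a database query. The following is an added example, not code from Bricks, DVWA or their authors, showing a vulnerable login check beside its fixed form. It uses an in-memory SQLite table with constructed sample users (the real apps use PHP and MySQL, but the pattern and the fix are identical); all table and function names here are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not from any real app)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "wonderland")],
    )
    return db


def login_vulnerable(db, username, password):
    """The 'brick': input is pasted straight into SQL, so quotes in the input become syntax."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """The mitigation: a parameterised query keeps input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the classic tautology payload against both versions and report who gets in."""
    db = make_db()
    # Payload in the password field: the trailing OR makes the WHERE clause true for every row
    # (AND binds tighter than OR), so the first user, admin, is returned without a password.
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(db, "x", payload),  # admin
        "fixed": login_fixed(db, "x", payload),            # None: literal string match fails
        "legit": login_fixed(db, "alice", "wonderland"),   # alice
    }


if __name__ == "__main__":
    print(demo())
```

Passwords are stored in plaintext here purely to keep the injection visible; a real fix would also hash them and compare with a constant-time check.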
4 – Google Gruyere
This ‘cheesy’ vulnerable site is full of holes and aimed at those just starting to learn application security. The goals of the labs are to learn how hackers find security vulnerabilities, how they exploit web applications, and how to stop them from finding and exploiting those vulnerabilities. Written in Python, Gruyere offers opportunities for both black box and white box testing, so “hackers” get to play on both sides of the fence.
5 – iGoat
iGoat is a mobile environment built especially for iOS developers and based on the OWASP WebGoat project, which we’ll talk about later. Developers work through lessons in iGoat, each laid out as a short introduction to the vulnerability, a chance to exploit it to verify the issue’s presence, a short description of the appropriate remediation, and the chance to fix the issue and “rebuild” the iGoat program.
Continue to Chapter 10: The Game of Hacks