Sunday, 29 January 2012

Deliberately Vulnerable Applications

Deliberately vulnerable applications are created to demonstrate vulnerabilities or to test someone's skill at detecting them. They can also be used for training purposes; at Astyran we often use them in training sessions and workshops.

Sometimes these applications are also used to compare the capabilities of automated tools, but the results should be taken with a large grain of salt: vendors have been known to tune their tools to a specific vulnerable application, which makes the results of such a comparison questionable.

Keeping an up-to-date list is a challenge, so I intend to update this post every month. Currently the descriptions are taken from the authors' websites. I will play around with the applications and see if they really are in sync with the vulnerabilities we often find in real web applications.
If you have any comments or suggestions to further improve this list, please don't hesitate to contact me!

Applications

This is the list of intentionally vulnerable applications that need to be installed locally:
  • Badstore: Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. The demo software is distributed as an ISO image.
  • BodgeIT: The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
  • Butterfly: The ButterFly project is an educational environment intended to give an insight into common web application and PHP vulnerabilities. The environment also includes examples demonstrating how such vulnerabilities are mitigated.
  • DVWA: The Damn Vulnerable Web App is a PHP/MySQL deliberately vulnerable application. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
  • Exploit.co.il: A vulnerable web app designed as a learning platform to test various SQL injection techniques. This is a fully functional web site with a content management system.
  • Exploit-Db: Exploit-DB is not really a deliberately vulnerable application, but keeps an archive of vulnerable public domain web applications.
  • ExploitMe Mobile Android Labs: This is an open source project by SecurityCompass demonstrating Android mobile hacking. The labs will teach you about:
    • Parameter manipulation of mobile traffic
    • Encryption of traffic
    • Password lock screens
    • File system access permissions
    • Insecure storage of files
    • Insecure logging
  • ExploitMe Mobile iPhone Labs: This is an open source project by SecurityCompass demonstrating iPhone mobile hacking. The labs will teach you about:
    • Parameter manipulation of mobile traffic
    • Encryption of traffic
    • Password lock screens
    • File system access permissions
    • Insecure storage of files
    • Insecure logging
  • Hacme Bank: Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software.
  • Hacme Books: Foundstone Hacme Books is a learning platform for secure software development.
  • Hacme Casino: Foundstone Hacme Casino™ is a learning platform for secure software development.
  • Hacme Shipping: Hacme Shipping is a web-based shipping application developed to demonstrate common web application hacking techniques.
  • Hacme Travel: Hacme Travel is designed to teach secure software development.
  • Hackxor: Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism and difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, …
  • LampSecurity: LAMPSecurity is a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySql security.
  • Mutillidae: Mutillidae is a deliberately vulnerable set of PHP scripts that implement the OWASP Top 10.
  • OWASP Bricks: Bricks is a deliberately vulnerable web application built on PHP and MySQL.
  • OWASP iGoat: The iGoat tool is a learning tool, primarily meant for iOS developers. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting them first. Then, once each weakness has been explored, the iGoat user must implement a remediation to protect against each weakness and validate that the remediation was successful. Hints and other background information are provided, right down to commented solutions in the source code, so that developers can use iGoat as a self-study learning tool to explore and understand iOS weaknesses and how to avoid them.
  • OWASP GoatDroid: This is the Android equivalent to the iGoat Project. This project will help educate Android developers on security issues they'll encounter when writing applications.
  • OWASP InsecureWebApp: InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling. InsecureWebApp is primarily a teaching aid to challenge and improve secure design and coding skills.
  • OWASP Vicnum: Vicnum is a flexible web app showing vulnerabilities such as cross-site scripting, SQL injection, and session management issues. Helpful to IT auditors honing web security skills and setting up 'capture the flag' exercises.
  • OWASP WebGoat: Webgoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, students must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
  • Pandemobium: Pandemobium is a collection of open source intentionally-flawed mobile applications that are intended to be used by developers and security analysts to explore mobile application security topics.
  • Peruggia: Peruggia is designed as a safe, legal environment to learn about and try common attacks on web applications. Peruggia looks similar to an image gallery, but contains several controlled vulnerabilities to practice on.
  • PuzzleMall: PuzzleMall is a vulnerable web application designed for training purposes. It is prone to a variety of session puzzle exposures.
  • SQLol: SQLol is a deliberately vulnerable PHP application. It allows you to exploit SQL injection flaws, but furthermore allows a large amount of control over the manifestation of the flaw.
  • WackoPicko: WackoPicko is a vulnerable web application written in PHP used to test web application vulnerability scanners.
  • Webmaven: WebMaven (better known as Buggy Bank) was an interactive learning environment for web application security. It emulated various security flaws for the user to find. This enabled users to safely & legally practice web application vulnerability assessment techniques. In addition, users could benchmark their security audit tools to ensure they perform as advertised.
  • XSSRIA: Xssria is a vulnerable desktop RIA for dynamic tainting of the Silverlight sandbox.

Collections

This is a list of collections of vulnerable applications:
  • Dojo: The Web Security Dojo project comes preloaded with several web app targets and tools for an easy no-install environment to get you started with learning web app security testing.
  • Moth: Moth is a VMware image with a set of vulnerable web applications and scripts that you may use for testing web application security scanners, testing static code analysis (SCA) tools, or giving an introductory course on web application security.
  • OWASP BWA: The OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a virtual machine.
  • Stanford Securibench: Stanford Securibench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. All the benchmarks are Java J2EE applications that can be run on a web server.

Online

This is a list of online applications that can be used for testing and learning. I did not include tool vendor websites, since it is not clear if these can be used by anyone (usually there is a statement that they can only be used for demonstrating the capabilities of the tool sold by that vendor):
  • Enigma Group: Enigma Group provides a series of challenges for people to test their pen-testing skills.
  • Google Gruyere: Google Gruyere shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:
    • How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
    • How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.
  • HACKME Game: This is a software security (web applications) learning game, intended to help raise awareness and interest in the subject of software security as well as to train developers.
  • OWASP Hackademic: The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge of web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. This is both an online and a downloadable project. A customized version for AppSec Europe is online at http://www.hackademic.eu/.
  • p0wnlabs: Online versions of vulnerable applications and distributions.
  • Watcher Test Pages: Test pages for the Watcher tool, a Fiddler add-on which aims to assist penetration testers in passively finding Web-application vulnerabilities.
  • X5S Test Page: A small working example of how to use the x5s tool to detect encoding and transformation issues that can lead to XSS vulnerabilities.

Tool Testers

Although not strictly related to deliberately vulnerable applications, a list of applications that can check and rate the capabilities of tools is very important. Any consultant should know exactly the capabilities and limitations of his toolset. If a tool is lacking in coverage or depth, another tool might be appropriate to fill the gap, or the tester might need to use his brain cells more.

A consultant who does not know the limitations, strengths and weaknesses of his tools will miss vulnerabilities. Having a complementary set of tools will help the consultant deliver a cost-effective, comprehensive test in a limited amount of time.

This is the list of tool testers:
  • OWASP SiteGenerator: OWASP SiteGenerator allows the creation of dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) covering .Net languages and web development architectures (for example, navigation: HTML, JavaScript, Flash, Java, etc.).
  • Stanford SecuriBench Micro: Securibench Micro is a series of small test cases designed to exercise different parts of a static security analyser. Each test case in Securibench Micro comes with an answer, which simplifies the comparison process.
  • Wavsep: A vulnerable web application designed to help assess the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.
  • Wivet: A benchmarking project that aims to statistically analyse web link extractors. In general, web application vulnerability scanners fall into this category: given one or more URLs, they try to extract as many input vectors as they possibly can to increase the coverage of the attack surface. A recent list of the results can be found here.
  • ZAP Wave: A collection of examples of vulnerable pages for the ZAP proxy.

Lists

Here are some other sources on the Internet related to lists and discussions of deliberately vulnerable applications.

Updates

06/06/2013 added OWASP Bricks
15/05/2013 added xssria
20/02/2012 added Pandemobium
29/01/2012 added SQLoL
28/01/2012 spellcheck
12/12/2011 added yet another list, added Hacmegame
26/10/2011 Added ExploitMe Mobile
20/09/2011 Added Puzzlemall
26/08/2011 GoatDroid is released
08/08/2011 Added link to SecToolsAddict
27/07/2011 Added link to GoatDroid
26/06/2011 Added link to Zastita.com
20/06/2011 Added OWASP iGoat, WackoPicko
