[Collection] Some good vulnerable web application labs for pentesters
-
WebGoat
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.
-
DVWA
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to aid both students and teachers in learning about web application security in a controlled classroom environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, at various difficulty levels, through a simple, straightforward interface. Please note that there are both documented and undocumented vulnerabilities in this software. This is intentional. You are encouraged to try to discover as many issues as possible.
-
sqli-labs
SQLI-LABS is a platform to learn SQLi. The following labs are covered for GET and POST scenarios:
- Error Based Injections (Union Select)
  - String
  - Integer
- Error Based Injections (Double Injection Based)
- BLIND Injections
  - Boolean Based
  - Time-Based
- Update Query Injection
- Insert Query Injections
- Header Injections
  - Referer-based
  - UserAgent-based
  - Cookie-based
- Second Order Injections
- Bypassing WAF
- Bypassing Blacklist filters
  - Stripping comments
  - Stripping OR & AND
  - Stripping SPACES and COMMENTS
  - Stripping UNION & SELECT
- Impedance mismatch
- Bypass addslashes()
- Bypassing mysql_real_escape_string (under special conditions)
- Stacked SQL injections
- Secondary channel extraction
-
vulnerable-node
The goal of this project is to provide genuinely vulnerable NodeJS code, not simulated vulnerabilities.
Vulnerability list:
This project has the most common vulnerabilities of OWASP Top 10 <https://www.owasp.org/index.php/Top_10_2013-Top_10>:
- A1 – Injection
- A2 – Broken Authentication and Session Management
- A3 – Cross-Site Scripting (XSS)
- A4 – Insecure Direct Object References
- A5 – Security Misconfiguration
- A6 – Sensitive Data Exposure
- A8 – Cross-Site Request Forgery (CSRF)
- A10 – Unvalidated Redirects and Forwards
-
XVWA
XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts learn application security. It is not advisable to host this application online, as it is designed to be "Xtremely Vulnerable". We recommend hosting this application in a local, controlled environment and sharpening your application security ninja skills with any tools of your own choice. It is totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and most fundamental way. Learn and acquire these skills for a good purpose. How you use these skills and this knowledge base is not our responsibility.
XVWA is designed to help you understand the following security issues:
- SQL Injection – Error Based
- SQL Injection – Blind
- OS Command Injection
- XPATH Injection
- Formula Injection
- PHP Object Injection
- Unrestricted File Upload
- Reflected Cross-Site Scripting
- Stored Cross-Site Scripting
- DOM Based Cross-Site Scripting
- Server-Side Request Forgery (Cross Site Port Attacks)
- File Inclusion
- Session Issues
- Insecure Direct Object Reference
- Missing Functional Level Access Control
- Cross-Site Request Forgery (CSRF)
- Cryptography
- Unvalidated Redirects & Forwards
- Server Side Template Injection