Web Penetration Testing with Kali Linux(Third Edition)
上QQ阅读APP看书,第一时间看更新
上一章目录下一章

OWASP Broken Web Applications

The Broken Web Applications (BWA) Project from OWASP is a collection of vulnerable web applications, which are distributed as a virtual machine with the purpose of providing students, security enthusiasts, and penetration testing professionals a platform for learning and developing web application testing skills, testing automated tools, and testing Web Application Firewalls (WAFs) and other defensive measures:

The latest version of BWA at the time of this writing is 1.2, released in August 2015. Even though it is more than a couple of years old, it is a great resource for the prospective penetration tester. It includes some of the most complete web applications made vulnerable on purpose, for testing purposes, and it covers many different platforms; consider these examples:

  • WebGoat: This is a Java-based web application with an educational focus. It contains examples and challenges for the most common web vulnerabilities.
  • WebGoat.NET and RailsGoat: These are the .NET and Ruby on Rails versions of WebGoat, respectively.
  • Damn Vulnerable Web Application (DVWA): This is perhaps the most popular vulnerable-on-purpose web application available. It is based on PHP and contains training sections for common vulnerabilities.

OWASP BWA also includes realistic vulnerable web applications, that is, vulnerable-on-purpose web applications that simulate real-world applications, where you can look for vulnerabilities that are less obvious than in the applications listed previously. Some examples are as follows:

  • WackoPicko: This is an application where you can post pictures and buy photos of other users
  • The BodgeIt Store: This simulates an online store where one needs to find vulnerabilities and complete a series of challenges
  • Peruggia: This simulates a social network where you can upload pictures, receive comments, and comment on pictures of other users

There are also versions of real-web applications with known vulnerabilities that complement this collection, which you can test and exploit; consider these examples:

  • WordPress
  • Joomla
  • WebCalendar
  • AWStats

More information on the Broken Web Applications Project and download links can be found on its website: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project.

WARNING
 When installing OWASP BWA, remember that it contains applications that have serious security issues. Do not install vulnerable applications on physical servers with internet access. Use a virtual machine, and set its network adapter to NAT, NAT network, or host only.
上一章目录下一章