Deliberately Insecure Web Applications For Learning Web App Security (WebGoat, BadStore, Hacme, SecuriBench, WebMaven)

Deliberately Insecure Web Applications For Learning Web App Security

Over the last few months I've been teaching free classes for the ISSA Kentuckiana chapter in Louisville Kentucky. After doing one on Nmap and another on Sniffers, I talked it over with my buddies Brian and Jeff and decided that the next one should be on web application vulnerabilities. Now the question becomes what to test against in a classroom environment? To tell the truth, I'm not as up on web application security as I think I need to be to teach the class yet, and I don't want to have to develop my own insecure code just to have something to test against in the lab. I could look through BugTraq for good candidates and install old venerable versions of apps like phpBB but I did not think that would be the clearest way to illustrate some concepts. What I wanted was a "one stop shop" for a bunch of common vulnerabilities. It also occurred to me to use one of the many online wargame/hacker challenge sites, but there are a few major problems with that approach:

1. Often the places I teach at won't let me have unfettered access to the global Internet during class.

2. Some of the challenges are not really all that realistic.

3. If the ISP was monitoring the traffic for misuse with an IDS they may write me angry letters, even if I have permissions from the target.

What I needed were deliberately insecure web application designed for learning. With a little Googling I found quite a few. I plan to update this page as I have more time to test them, and I'd be glad to hear your comments and suggestions for additions to the list. While there may not be a deliberately insecure web application for your specific development environment, most common application vulnerabilities show a lot of platform overlap so they should still be useful in teaching you what to avoid when you code your applications.

BadStore

Link: http://www.badstore.net/

Platform: Perl, Apache and MySQL

Install: Meant to run by booting a Live CD, but I'd recommend using my Live CD VMX

Notes: Easy to set up, and it's nice that you can run it from a VM with a little work. Just make sure you set the VM to use the IP addresses that are only available from the local host OS (NAT or Host-only).

Damn Vulnerable Web App

Link: http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/

Platform: PHP, Apache and MySQL

Install: Should work on any box you can install Apache/PHP/MySQL on.

Notes: When I first posted Mutillidae, Ryan Dewhurst emailed me and told be about a project he started a few months before mine. His is also PHP/MySQL based, and looks prettier than mine. :) I've yet to play with it much, but I may be using some of his code in the near future to expand Mutillidae.

Gruyere

Link: http://google-gruyere.appspot.com/

Platform: Google app engine or locally with Python

Install: You don't have to install it, you could just run it from http://google-gruyere.appspot.com/start but instructions for running it locally are on the project's website.

Notes: None yet, I've not played with it much.

Hacme Series from Foundstone

Foundstone has put out a whole series of venerable web applications you can learn from and test your skills against. Some are harder to install than others since a few are quite old by web standards and the installers require outdated MSSQL services that don't work the same way as the more up-to-date ones. Still, with a little work you should be able to get them installed on a modern system. I can't guarantee all of them are designed to only listen to the local loopback, so if you decide to run them on a production network I highly recommend you use a VM set to use the IP addresses that are only available from the local host OS (NAT or Host-only). One of the great things about the Hackme series is the diverse programming platforms they are written in. As I said in the intro paragraph, most web development platforms have similar common vulnerabilities, but it's nice to know what to look out for on your specific environment. Most of them I have limited install note on, but I'm working on testing them out.

Moth

Link: http://www.bonsai-sec.com/en/research/moth.php

Platform: Linux VMWare image

Install: Just download the VM and open it in VMWare player

Notes: I've yet to messed with it much, but from the sound of it it looks like and easy test platform to get up and running. Unfortunately, the version I tested is over 5GB uncompressed, and their web site needs more of a description of what is included in the 396MB download. The readme you get after the download sheds some light on this, it seems to include vulnerable versions of the following packages:

Nanbiquara 2.0 (PHP + MySQL)

Riotpix .61p (PHP + MySQL)

Vanilla 1.1.4 (PHP + MySQL)

Wordpress 2.6.5 (PHP + MySQL)

Yazd war 3.0r (Tomcat 6 + MySQ)

I like the idea of being able to access the script thee different ways (directly, through mod_security or through PHP-IDS) and seeing the different results, but they need to work on getting the install smaller.

Mutillidae

Link: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Platform: PHP, Apache and MySQL

Install: Should work on any box you can install Apache/PHP/MySQL on. I have personally tested it in XAMPP under Windows and Linux.

Notes: Mutillidae is my personal project to implement the OWASP Top 10 Vulnerabilities. It's designed to be easy to follow and geared towards a classroom environment. Think of it as a noob's WebGoat.

Stanford SecuriBench

Link: http://suif.stanford.edu/~livshits/securibench/

Platform: J2EE application, Java Development Kit

Install: Looks like it's another "by hand" install.

Notes: Includes a bunch of venerable J2EE web apps, such as: jboard 0.30, blueblog 1.0, webgoat 0.9, blojsom 1.9.6, personalblog 1.2.6, snipsnap 1.0-BETA-1, road2hibernate 2.1.4, pebble 1.6-beta1 and roller 0.9.9 .

Vicnum

Link: http://sourceforge.net/projects/vicnum/

http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project

Platform: PHP and Perl

Install: Should work on any box you can install Apache/PHP/MySQL on. Try it with XAMPP.

Notes: Mordecai Kraushar sent me an email about his project. The more the merrier. Here is how it is described: "A web application showing common vulnerabilities such as cross site scripting and session management issues. Helpful to IT auditors honing web security skills and to those setting up 'capture the flag' exercises. For the VM login as root/vicnum"

WebGoat

Link: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Platform: J2EE web application

Install: Self contained Tomcat server you can run from a directory under Windows or Linux

Notes: Love the fact it's so self contained and easy to run. By default it only listens on the loopback address, so you can run it from your workstation a production network with little worries.

WebMaven (AKA: Buggy Bank)

Link: http://www.mavensecurity.com/WebMaven.php

Platform: Perl CGI scripts

Install: You have to install this on a box with a web server and Perl CGI support. The creators recommend Xitami for the sake of ease. Makes sure that you don't put the server on a production network.

Notes: I've not played with this one much. The website for WebMaven says it was the basis for WebGoat v1.

Other Resources

The Heorot forum also has a collection of Live CDs you can use as targets in learning pen-testing. If you are interested in trying out exploits against binaries, check out some of the out-of-date apps available at http://oldapps.com . They are not necessarily web app focused, but they may still be useful to you.

If you have more suggestions for deliberately insecure web apps I can add to the page, please contact me.

Change log:

09/23/2009: Added information on Vicnum and oldapps.com.

05/02/2009: Added Moth to the list.

03/02/2009: Added Mutillidae and Damn Vulnerable Web App to the list.

12/22/2008: First posted.