Vulnerable web apps (from OWASP and others)
Web application attacks significantly contribute to the breaches and various other cyberattacks. In fact, web applications provide an easy entry point to attackers if vulnerable. Something like the Equifax breach, which happened through a struts vulnerability, takes a lifetime to forget about.
With the passing of time, some of the vulnerabilities may fade out while other classes of vulnerabilities emerge. This is what happened in 2015 when Java deserialization vulnerabilities blew up the information security world. It is not easy to keep up with ever-changing vulnerability classes without hands-on experience. Thus, penetration testers and security professionals need vulnerable playgrounds to understand and legally practice various web security vulnerabilities.
Learn Secure Coding
In this article, we will go through some of the existing vulnerable web applications that can be used to identify and exploit web application vulnerabilities.
List of top deliberately vulnerable web application
Let’s explore some of the top vulnerable web applications that can be used to practice web application vulnerabilities in various languages.
OWASP WebGoat
WebGoat is an OWASP project developed in Java. Many large enterprises use web applications built using Java, and WebGoat is a good candidate to learn vulnerabilities specifically in Java-based web applications. This is an open-source application; this means we can also understand vulnerabilities with source code examples.
A majority of the free software applications are available as Docker images these days, which makes it easy to use them. WebGoat is also available as a Docker image and we can quickly spin up a container and play with WebGoat.
The following image shows the WebGoat UI after launching it.
Docker Hub: https://hub.docker.com/r/webgoat/webgoat-8.0
GitHub: https://github.com/WebGoat/WebGoat
OWASP DVWA
Damn Vulnerable Web Application (DVWA) is another popular vulnerable web application developed in PHP. Since this is developed in PHP, beginners usually find it easy to follow. Each vulnerability contains various difficult levels from Low to High, so it is possible to learn web security at varying difficulty levels. PHP source code snippets are provided in each challenge and thus, it is possible to find the flaws by reviewing the source code.
DVWA is also available as a Docker image and we can quickly spin up a container and play with DVWA.
The following image shows DVWA UI after launching it.
Docker Hub: https://hub.docker.com/r/vulnerables/web-dvwa/
Website: http://dvwa.co.uk/
XVWA
Xtreme Vulnerable Web Application (XVWA) is a badly coded web application written in PHP/MySQL to help security enthusiasts learn application security. The XVWA application is ideal if you want an easy-to-use application with some modern-day attacks covered. Some not-so-traditional vulnerabilities such as server-side template injection and server-side request forgery are covered in this application.
The authors of XVWA did not create a Docker image, but it was made available by someone else and featured on the official GitHub page of XVWA.
The following figure shows XVWA UI after launching it.
Docker Container: https://github.com/tuxotron/xvwa_lamp_container
GitHub: https://github.com/s4n7h0/xvwa
bWAPP
Buggy Web Application (bWAPP) is another free and open-source vulnerable web application. bWAPP comes with a comprehensive list of vulnerabilities with great coverage.
There are several vulnerabilities covered in bWAPP that are not covered in any other vulnerable web application, such as Heartbleed and Shellshock. However, we need to download the virtual machine to avail ourselves of some of these rarely seen vulnerabilities. The reason for this is that these vulnerabilities require additional configurations on the server where the web application is installed.
The virtual machine, bee-box, already contains these configurations and thus these vulnerabilities are ready to use. The bottom line is, we can get the best of bWAPP if we use the bee-box VM. There is also a Docker image made available, which can be used to quickly spin up the web application.
The following image shows bWAPP UI after launching it.
Docker Container: https://hub.docker.com/r/raesene/bwapp
Website: http://www.itsecgames.com/
OWASP Juice Shop
Juice Shop is an OWASP project, the most modern and sophisticated insecure web application. Juice Shop is written in Node.js, Express and Angular. Since this application is completely written in JavaScript, it is considered an application built using modern technologies, unlike other vulnerable applications such as WebGoat and DVWA.
This application is a great choice if one wants to practice their attacks against applications developed using JavaScript technologies. There is also a Docker image available, which can be used to quickly spin up the web application.
The following figure shows OWASP Juice Shop UI after launching it.
Docker Container: https://hub.docker.com/r/bkimminich/juice-shop
Website: https://owasp.org/www-project-juice-shop/
OWASP WEBGOAT.NET
OWASP WEBGOAT.NET is a deliberately vulnerable web application developed using C# .NET. This application is useful if someone is specifically interested in learning security vulnerabilities associated with .NET applications.
Webgoat.NET has a docker image available on Docker Hub, which can be used to quickly spin up the web application.
The following image shows OWASP WEBGOAT.NET UI after launching it.
Docker Container: https://hub.docker.com/r/appsecco/owasp-webgoat-dot-net/
GitHub: https://github.com/jerryhoff/WebGoat.NET
Other vulnerable web apps worth looking at
We have covered several unique and commonly used vulnerable web applications in this article. However, following are some other applications that are worth looking at.
- OWASP Rails Goat Project: This is the project you want if you want a vulnerable application developed using Ruby On Rails.
- VulnerableSAMLApp: During penetration tests in enterprise environments, we often come across applications with Single Sign-On setup. If we want to get our hands dirty with some SAML-based SSO vulnerabilities, VulnerableSAMLApp is worth taking a look at.
- JWTdemo: JSON web tokens are commonly used in many REST API-based applications. JWTdemo is an application, which can be used to practice JWT-based attacks.
Conclusion
We discussed several vulnerable web applications which are great resources to start learning web application security. These vulnerable apps provide great value as they can assist security professionals to have deeper and practical understanding of security vulnerabilities.
It is worth noting that all of the vulnerable applications shown in the article can be set up locally in the laptop using virtualization software such as a virtual machine.
Learn Secure Coding
Sources
- Dafydd Stuttard, "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws," Wiley, 2011
- vuln-web-apps, GitHub
- OWASP Vulnerable Web Applications Directory, OWASP
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- Vulnerable web apps (from OWASP and others)
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding