WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid both students and teachers in learning about web application security in a controlled classroom environment.
The aim of DVWA is to practice some of the most common web vulnerabilities, at various difficulty levels, through a simple, straightforward interface. Please note that there are both documented and undocumented vulnerabilities in this software. This is intentional. You are encouraged to try and discover as many issues as possible.
SQLI-LABS is a platform to learn SQL injection (SQLi). The following labs are covered for both GET and POST scenarios:
Error Based Injections (Union Select)
Error Based Injections (Double Injection Based)
Blind Injections: 1. Boolean Based 2. Time Based
Update Query Injection.
Insert Query Injections.
Header Injections: 1. Referer based 2. User-Agent based 3. Cookie based
Second Order Injections
Bypassing blacklist filters: stripping comments; stripping OR & AND; stripping spaces and comments; stripping UNION & SELECT
Bypassing mysql_real_escape_string (under special conditions)
Stacked SQL injections.
Secondary channel extraction
The goal of this project is to provide genuinely vulnerable NodeJS code, not simulated vulnerabilities.
This project contains the most common vulnerabilities from the OWASP Top 10:
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A8 – Cross-Site Request Forgery (CSRF)
A10 – Unvalidated Redirects and Forwards
XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts learn application security. It is not advisable to host this application online, as it is designed to be "Xtremely Vulnerable". We recommend hosting this application in a local, controlled environment and sharpening your application security ninja skills with any tools of your own choice. It is totally legal to break or hack into this. The idea is to evangelize web application security to the community in the easiest and most fundamental way possible. Learn and acquire these skills for good purposes. How you use these skills and this knowledge base is not our responsibility.
XVWA is designed to help you understand the following security issues:
SQL Injection – Error Based
SQL Injection – Blind
OS Command Injection
PHP Object Injection
Unrestricted File Upload
Reflected Cross Site Scripting
Stored Cross Site Scripting
DOM Based Cross Site Scripting
Server Side Request Forgery (Cross Site Port Attacks)
Insecure Direct Object Reference
Missing Functional Level Access Control
Cross Site Request Forgery (CSRF)
Unvalidated Redirect & Forwards
Server Side Template Injection
The post [Collection] Some good Vulnerable Web application Lab for PenTester appeared first on Penetration Testing.