[Collection] Some good Vulnerable Web application Lab for PenTester – Penetration Testing


WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.


Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to aid both students and teachers in learning about web application security in a controlled classroom environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, at various difficulty levels, through a simple, straightforward interface. Please note that there are both documented and undocumented vulnerabilities in this software. This is intentional. You are encouraged to try and discover as many issues as possible.


SQLI-LABS is a platform to learn SQL injection (SQLi). The following labs are covered for GET and POST scenarios:

Error Based Injections (Union Select)
Error Based Injections (Double Injection Based)
Blind Injections: 1. Boolean Based 2. Time Based
Update Query Injection
Insert Query Injections
Header Injections: 1. Referer based 2. User-Agent based 3. Cookie based
Second Order Injections
Bypassing WAF
Bypassing Blacklist filters: stripping comments, stripping OR & AND, stripping SPACES and COMMENTS, stripping UNION & SELECT
Impedance mismatch
Bypass addslashes()
Bypassing mysql_real_escape_string() (under special conditions)
Stacked SQL injections
Secondary channel extraction


The goal of this project is to provide genuinely vulnerable NodeJS code, not simulated vulnerabilities.

Vulnerability list:

This project contains the most common vulnerabilities from the OWASP Top 10:

A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A8 – Cross-Site Request Forgery (CSRF)
A10 – Unvalidated Redirects and Forwards


XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts learn application security. It’s not advisable to host this application online, as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in a local, controlled environment and sharpening your application security ninja skills with any tools of your own choice. It’s totally legal to break or hack into this. The idea is to evangelize web application security to the community in the easiest and most fundamental way possible. Learn and acquire these skills for good purposes. How you use these skills and this knowledge base is not our responsibility.

XVWA is designed to demonstrate the following security issues:

SQL Injection – Error Based
SQL Injection – Blind
OS Command Injection
XPATH Injection
Formula Injection
PHP Object Injection
Unrestricted File Upload
Reflected Cross Site Scripting
Stored Cross Site Scripting
DOM Based Cross Site Scripting
Server Side Request Forgery (Cross Site Port Attacks)
File Inclusion
Session Issues
Insecure Direct Object Reference
Missing Functional Level Access Control
Cross Site Request Forgery (CSRF)
Unvalidated Redirect & Forwards
Server Side Template Injection

The post [Collection] Some good Vulnerable Web application Lab for PenTester appeared first on Penetration Testing.

