So… Since the writing of our webapp lab article a lot of people have gotten together similar projects. We like ours but we wouldn’t be objective if we didn’t report on some other options.

The big news is the OWASP Broken Web Applications Project. This Project is a nice *tidy* little VM you can spin up to train yourself in web-app pentesting ninja-ry.

The owaspbwa project includes applications from various sources (listed in no particular order).

Intentionally Vulnerable Applications:

• OWASP WebGoat version 5.3-SNAPSHOT (Java)
• OWASP Vicnum version 1.3 (Perl)
• Mutillidae version 1.3 (PHP)
• Damn Vulnerable Web Application version 1.06 (PHP)
• OWASP CSRFGuard Test Application version 2.2 (Java)
• Mandiant Struts Forms (Java/Struts)
• Simple ASP.NET Forms (ASP.NET/C#)
• Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

And old Versions of Real Applications:

• WordPress 2.0.0 (PHP, released December 31, 2005, downloaded from www.oldapps.com)
• phpBB 2.0.0 (PHP, released April 4, 2002, downloaded from www.oldapps.com)
• Yazd version 1.0 (Java, released February 20, 2002)

Web Security Dojo , the second project,  is actually very similar. It features not only targets, but tools to test against the targets. All in a VM for easy deployment.

• OWASP’s WebGoat v5.2
• Damn Vulnerable Web App v1.0.6
• Hacme Casino v1.0
• OWASP InsecureWebApp v1.0
• simple training targets by Maven Security (including REST and JSON)

• Burp Suite (free version) v1.3
• w3af cvs version
• OWASP Skavengerv0.6.2a
• OWASP Dirbuster v1.0 RC1
• Paros v3.2.13
• Webscarab v20070504-1631
• Ratproxy v1.57-beta
• sqlmap v0.7
• helpful Firefox add-ons

Both further the goal of raising awareness of web app flaws and breeding well trained security ninjas… we approve =)