Happy New Year!!! I am giving this blog another go-around. I still am trying to switch fields (application developer to penetration testing). Anyway, you’re not reading this post to get my current life story.
While I was away from this blog, I found OWASP Broken Web Applications. Website: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
There are different vulnerable web apps in this package. To install, you will need VMware or VirtualBox. Once you have this, you can download the ISO package. If you do not know how to install an ISO into a virtual machine, look at this video for VirtualBox:
There is an assortment of different vulnerable apps that vary in level of difficulty.
The training applications are:
OWASP WebGoat
OWASP WebGoat.Net
Mutillidae
Ghost
Damn Vulnerable Web Application
OWASP ESAPI Java SwingSet Interface
Realistic, intentionally vulnerable applications:
OWASP Vicnum
Peruggia
Hackxor
BodgeIt
WackoPicko
Google Gruyere
Old (Vulnerable) versions of real applications:
WordPress
OrangeHRM
GetBoo
GTD-PHP
Yazd
WebCalendar
Gallery2
Tiki Wiki
Joomla
AWStats
I have read other websites and even written on hackernetwork.net (please create an account if you don’t have one!), and I have started with Mutillidae, using OWASP ZAP. OWASP ZAP is a proxy that can be used in between the target and the internet. You can download it here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
You can view a YouTube video describing this by this link:
If you don’t like ZAP proxy, then you can use Burp Suite.
If you’re up for the challenge, try installing this package, and test out some of the applications. I promise it is addicting!!!