views: 1197
answers: 6

As a developer, I've learned that I usually gain a better understanding of best/worst practices through experience. The area of web application security isn't really somewhere where my organization can afford to let developers learn through trial and error.

So looking for a hands-on approach to knowledge sharing of best practices in web application security, I was thinking that it would be useful to have an open source application that was deliberately built to be insecure in order to help teach junior developers about application security.

Does anyone out there know where to find something like this?

+2  A: 

There was a website that was built to have insecurities in it, and the object was to hack it. I can't remember its name. I'm googling around for it. Will edit as I find it.

Found it: The name is hackthissite.org.

George Stocker
Thank you as well for this link! I just realized that I've had that in my bookmarks list, marked as something to explore, but never actually got around to doing so! (I guess I know where my next few weekends are going to go :-))
Athena
A: 

I'm reminded of this OSCON talk, though it's probably too specific to be what you're looking for.

Athena
A: 

Drupal, Joomla!, Wordpress, …

stesch
Do you know of known bugs in the latest release of Wordpress?
Roberto Liffredo
OP said "deliberately", not "accidentally". As for Wordpress, give it time. Every other release had security holes, this one will too.
Paul Tomblin
Yes, every new release has bugs, but just giving names in this way is a bit unfair with respect to their developers. I don't know about Drupal and Joomla, but Wordpress developers are doing a good job in fixing bugs in a reasonable time.
Roberto Liffredo
@Roberto Liffredo: I'm not just giving names. These are links.
stesch
@stesch: I understand Roberto in that he feels you are being disrespectful. I don't. I think that if he can find a bug in any of those and files a bug ticket (it could even come with a patch!), it would be great both for him and the community. Win-win.
voyager
+6  A: 

Check out WebGoat. It's an application riddled with vulnerabilities from the OWASP list, designed as a learning resource for web application developers. The application is a tutorial that walks developers through the vulnerabilities it contains, with tests for each lesson.

erickson
+12  A: 

There are online (hacking challenge / practice / fun) and offline (you get the source code) apps:

Offline :

Online

More Realistic Demonstration

This is an old list I grabbed from somewhere; some of them may be down right now.

Challenge sort of examples

dr. evil
+1  A: 

There is also Damn Vulnerable Web App (DVWA).

Here: dvwa.co.uk

Vizay Soni
http://www.dvwa.co.uk/ (the link was down without the "www.")
h3xStream