An interesting vulnerability playground to learn application vulnerabilities

Published: 2010-12-25
Last Updated: 2010-12-26 07:12:13 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
2 comment(s)

In my spare time I am teaching computer security topics in a local university. One of the activities that my students enjoy is the teaching of application security assessment and vulnerability detection.

I made my search for the applications that supported the largest possible number of vulnerabilities. As a result of the research, I began to work with the following applications:

One aspect that I did not like about these applications is that they show scenarios to fully exploit the vulnerability point, without being real and that identification scenarios for my students can be complex due to their lack of experience in the field. So I started looking for an application that was as close as possible to a real web application, which had modules that include one or more vulnerabilities. Finally I found a very interesting application called wackopicko, which poses as a real website for sharing pictures with real application modules that have the following vulnerabilities: Reflected XSS, Stored XSS vulnerability SessionID, Stored SQL Injection, Reflected SQL Injection, Directory Traversal, Multi-Step Stored XSS, Forceful Browsing, Command-line Injection, Parameter Manipulation, behind Reflected XSS JavaScript Logic Flaw, a flash behind Reflected XSS Weak form and username / password.

Do you have any other interesting vulnerability playground to share with us? Let us know.  

-- Manuel Humberto Santander Peláez | | | msantand at isc dot sans dot org

2 comment(s)


Interestingly enough, the link to Mutillidae also links to another article with a nice list of deliberately vulnerable web apps. Check it out.
Check out this list here:

Several intentionally vulnerable web apps and distro's...

Diary Archives