Tuesday, September 3, 2013

Web-Application Penetration Testing - List of Vulnerable Web Applications

Hi all of you out there….

This blog is dedicated to all those who want to learn and test their penetration testing skills.

Being a web application security enthusiast, I will be concentrating on “setting up web-app pentesting lab”.

IMPORTANT – Many make mistake of testing live applications which are present in the wild internet. This can cause a huge trouble to the person testing the website (without legal disclaimer) . This can bring a “full-stop” on his/her information career. Perform Pentest only on web applications where you have proper permissions to do so.

Normally a person new to the web-app pentesting can have a question which states following :-
If testing live application without prior permission is not legal, then how can I learn and test my skills?

Well there is a simple solution to this question.
Set up your own lab and start pentesting.
At first, this may sound a little bit cumbersome but believe me, it’s not at all that hard.
What do you have to do when setting up a lab ?

Some may think that they will have to code and develop their own web application and then start pentesting it. If you are thinking such, then please chill…You don’t need to do any coding. (If you know coding then its definitely a plus point but if you don't know then don't worry, you don't need it here in set up) 

There are ready-made “vulnerable” web applications available on Internet. You just need to download them and do a little bit setting on your laptop/PC and then you are all set to go.

I will mention some of the “vulnerable” web application here.  


This is a web application which is designed with vulnerabilities already built into it.
For a newbie, this is a perfect application to get started with. 
There are particular tabs provided for each vulnerabilities, you just need to visit the tab and exploit that particular vulnerability.

There are appropriate security settings (low, medium, high) built into this application. 
There is also an "Intrusion Detection System" of PHP namely PHPIDS included in this appplication. By default, it is disabled.
If you want to really test your skills, then set the "security" to "high" and enable PHPIDS. ;-)


Main thing I like about this web-app, is the way it has implemented the vulnerabilities.
The vulnerabilities are placed according to the rankings of OWASP TOP 10.

If you get stuck somewhere, don't worry. There is an option of "help" provided for easing your task.


OWASP webgoat is another test web-app that can be used to learn and enhance your skills.
The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
This application is based on J2EE. If you want to try the .NET version then you can visit OWASP WebGoat .NET



If you think that you don't want to go "step-by-step" vulnerability exploitation, as it is the case in above web applications, then you can try out "Hackxor".It is a webapp hacking game, where players must locate and exploit vulnerabilities to progress through the story. It is a web app with a plot and a focus on realism&difficulty. Hackxor contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc



Another good vulnerable web application is "exploit.co.il".
This "Vulnerable Web app" is designed as a learning platform to test various SQL injection Techniques
This is a fully functional web site with a content management system based on fckeditor.


This is a good "vulnerable" web application which gives you the look and feel as if you are exploiting live application.
You can learn a lot with Bodgeit. 
Like the above examples, this download will also come as a zipped file. Just extract it and start using.


This vulnerable web application was designed particularly for the cause of testing various automated security scanners. This research was named as "Why Johnny can't Pentest? ". (I request you to read this research paper)

WackoPicko is a simulation of picture sharing web app. Find vulnerabilities and see the pics which are not intended for normal user to see.. ;-) It's fun to exploit this web app.


The OWASP Hackademic Challenges project implements realistic scenarios with known vulnerabilities in a safe, controllable environment.
Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective


This are few web applications that I found interesting. 
It is safe from legal perspective and at the same time you will get to learn a lot from them.

Above examples are simple ones and you will get a zipped file in download. You just need to extract and use appropriate server environment. I used XAMPP

If you are not aware about setting up XAMPP then click here.  This link will help you in setting up XAMPP. 
Don't go into much deep. 

If you are not comfortable with setting up XAMPP, then let me know in comments. I will try my best to help you out.

Hope this blog helps you and boost up your infosec career. 

Thank you..


  1. thank a lot .... lots of information i got from your blog... as i already know about some of them and thanks for the other webapp which was not in my information yet... very very thanks dude....hey can we discuss certain matter of facts and knowledge and other problems through email id if you are interested because i am also looking for guy like you whom i can discuss and enhance knowledge in pentesting.
    my mail id is :lllingardium@gmail.com...... waiting for your positive reply