April 15, 2015

This one deserves a post. A nice guy who teaches Web Application Security at universities has developed an awesome VMware image with a lot of vulnerable Web Applications. He has combined many of the common vulnerable Web Apps, such as DVWA and OWASP Bricks, into a single bootable bundle.

A lot of the Web Apps come with complete course modules, so Penetration Testers can work through them in a course-style environment. Best of all, it's completely free, fun and safe.

Students can practice simple stuff such as HTML GET and POST manipulation and LFI/RFI, all the way up to advanced JavaScript vulnerabilities, Cross Site Scripting (XSS) and SQL Injection. You can test automated tools such as Burp Suite, Nikto, OWASP-ZAP, Netstalker etc., and everything from Firefox Pentesting plugins to fully manual testing.

A particularly fun highlight is the OWASP Hackademic Challenges Project, where you become a little Cyber agent with tasks such as gaining access to websites, finding hidden files etc.

IMHO, working with such vulnerable distributions is a LOT more valuable to Penetration Testers than reading and understanding dry theory and concepts. Penetration Testing is all about being able to face challenges and actually do the Pentesting, not just understanding the concepts.

You can download the VMware image here: