April 15, 2015

This one deserves a post. A nice guy who teaches Web Application Security at universities has developed an awesome VMware image with a lot of vulnerable web applications. He has combined many of the common vulnerable web apps, such as DVWA and OWASP Bricks, into a single bootable bundle.

A lot of the web apps come with complete course modules, so penetration testers can work through them in a course-style environment. Best of all, it's completely free, fun and safe.

Students can practice everything from simple stuff such as HTML GET and POST manipulation and LFI/RFI to advanced JavaScript vulnerabilities, Cross-Site Scripting (XSS) and SQL Injection. You can test automated tools such as Burp Suite, Nikto, OWASP ZAP, Netstalker etc., and you can go from Firefox pentesting plugins all the way to manual testing.

A particularly fun highlight is the OWASP Hackademic Challenges Project, where you become a little cyber agent with tasks such as gaining access to websites and finding hidden files.

IMHO, working with such vulnerable distributions is a LOT more valuable to penetration testers than reading and understanding dry theory and concepts. Penetration testing is all about being able to face challenges and actually do pentesting, not just understanding the concepts.

You can download the VMware image here:



Gone are the times when operating systems such as Windows had tons of flaws. The OS manufacturers are getting better (even Microsoft). Yes, there are still server vulnerabilities and there always will be, but these days it's not as easy for hackers as it used to be a few years ago, when they ran Metasploit with standard exploits and they were in.

So did hackers give up? No, far from it. They have discovered the web application layer. With hundreds of thousands of different web apps, flaws are unavoidable. The market demands new features, more and more web apps and SaaS applications get developed, and security is neglected by many of those developers. Look at open source WordPress. So many businesses use it and help themselves to free plugins. Do you think those free plugins don't have vulnerabilities? Of course they do, more than ever before.

LFI, SQL injection, cookie hijacking and XSS are the new popular terms among hackers. APIs are present everywhere, allowing cross-platform logins and data sharing. Whilst a lot of developers at least try to implement security, others process input unchecked, which allows for remote code injection.
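To make the "processes input unchecked" point concrete, here is an added example of my own; it is not code from the post or from any of the applications in the VM bundle, and it is written in Python rather than the PHP that apps like DVWA use. It puts a string-concatenated login query beside its parameterised equivalent, and an unchecked page include beside one that is restricted to an allowlist and confined to its base directory. The user table, the allowlist of page names and the directory name are constructed for the demo.

```python
import sqlite3
from pathlib import Path

# Constructed demo data (not from the original post).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]
ALLOWED_PAGES = {"home", "about", "contact"}   # constructed allowlist of includable pages


def make_db():
    """In-memory SQLite database with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Client input is pasted into the SQL text, so it is parsed as SQL."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterised query: the values are bound, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def include_path_unchecked(base_dir, page):
    """LFI-style include: whatever the client sends becomes the file path."""
    return Path(base_dir) / page


def safe_include_path(base_dir, page):
    """Allowlist the page name, then confirm the resolved path stays under base_dir.

    Returns the path to include, or None if the request is rejected.
    The allowlist alone already blocks traversal strings; the resolved-path
    check is defence in depth (e.g. against symlinks or a later allowlist edit).
    """
    if page not in ALLOWED_PAGES:
        return None
    base = Path(base_dir).resolve()
    target = (base / f"{page}.php").resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target


def run_demo():
    """Run the same inputs through both variants; returns the results for inspection."""
    conn = make_db()
    legit = ("alice", "s3cret")
    # Constructed hostile input: a tautology in the password field.
    hostile = ("alice", "' OR '1'='1")
    return {
        "legit_vulnerable": login_vulnerable(conn, *legit),
        "legit_safe": login_safe(conn, *legit),
        "hostile_vulnerable": login_vulnerable(conn, *hostile),
        "hostile_safe": login_safe(conn, *hostile),
        "include_allowed": safe_include_path("/srv/demo-app/pages", "home"),
        "include_traversal": safe_include_path("/srv/demo-app/pages", "../../etc/passwd"),
        "include_not_listed": safe_include_path("/srv/demo-app/pages", "admin"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable login returns every user for the hostile input because the password clause collapses to a tautology, while the parameterised version simply finds no row whose password is that literal string. Note that escaping or filtering quotes is not the fix; binding parameters is, because the database never treats the value as part of the query text.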

Yes, open source freeware and shareware is great, but before you deploy it on your website, please do consider the security risks! With open source the code is, by definition, available somewhere, and even an entry- or mid-level programmer can spot security flaws and exploit them.

That is why more than 70% of all technical attacks involve web applications these days.