7 Vulnerable Applications for Practicing Pentesting
The best way to learn security concepts is by doing. But how do you practice something you don't know yet? These deliberately vulnerable apps let you learn and practice at the same time!
1. DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
The app is divided into sections for different types of vulnerabilities. The best thing about DVWA is that it has lessons/guidelines on how to exploit a vulnerability.
2. WebGoat
WebGoat is a deliberately insecure application that allows you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.
Like DVWA, it also has tutorials for each vulnerability.
3. Juice Shop
Juice Shop also has tutorials for several of the easy challenges.
4. Metasploitable
Metasploitable is a vulnerable virtual machine intended for practicing taking over machines. It is intended to be used with Metasploit, the ultimate vulnerability exploitation tool, and is one of the most enjoyable VMs to play with. It has three versions:
- Metasploitable: Released in 2010, this one is quite old. A lot of the vulnerabilities are not valid anymore.
- Metasploitable 2: Released in 2012, this one is more beefed up with vulnerabilities.
- Metasploitable 3: This one is the latest version and the one you should be focusing on.
The difference between versions 2 and 3 is that in Metasploitable 3, you will also get to practice on Windows environments. Metasploitable 1 and 2 are Linux-based only.
5. Security Shepherd
The Security Shepherd Project is a web and mobile application security training platform. This is the only app in this list that can provide a flavor of mobile app pen-testing.
The above apps are the best to get started with and practice penetration testing. However, there are some lesser-known apps that you can also try out to further improve your skills.
6. bWAPP
Buggy web app (bWAPP) is also a PHP/MySQL web app. It has over 100 vulnerabilities for you to test.
7. DVNA
Damn Vulnerable Node Application is a lesser-known vulnerable web app. Do this only after you have done Juice Shop.
Installing the vulnerable applications can be painful. It requires setting up multiple environments such as:
- Apache server
- And other dependencies…
Not to mention, version conflicts are quite common, and they can break your environment.
You don’t want this hassle. There’s an easier way. Just use Docker.
$ sudo apt-get install docker.io
And then just pull the image you want to use and run it. No need to install dependencies separately. This is way more convenient.
## 1. For DVWA
docker run --rm -it -p 80:80 vulnerables/web-dvwa
## 2. For Webgoat
docker pull webgoat/webgoat-8.0
docker run -p 8080:8080 -t webgoat/webgoat-8.0
## 3. For Juice shop
docker pull bkimminich/juice-shop
## Run
docker run --rm -p 3000:3000 bkimminich/juice-shop
## 4. Metasploitable is a VM.
## Download the VM and use it with VirtualBox.
## 5. For Security shepherd
docker pull owasp/security-shepherd
## 6. For bWAPP
docker run -d -p 80:80 raesene/bwapp
## 7. For DVNA
docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite
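A `-p 80:80` mapping publishes the port on every network interface of the host, so a deliberately vulnerable app started this way is reachable from the rest of your network. The script below is an added example, not part of the original article: it rewrites the port mappings used above to bind to 127.0.0.1 only and flags containers that are still published on all interfaces. The function names and the sample container names are hypothetical, and the sample `docker ps` output is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): keep lab containers
# reachable from this machine only.

# Turn a "-p" value into a loopback-only mapping.
loopback_publish() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" ;;             # already has a host IP
        *:*)   printf '127.0.0.1:%s\n' "$1" ;;   # HOST:CONTAINER
        *)     printf '127.0.0.1::%s\n' "$1" ;;  # CONTAINER only
    esac
}

# Read "name<TAB>ports" lines, as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and print the names of containers published on all interfaces.
exposed_containers() {
    awk -F '\t' '{
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++)
            if (maps[i] ~ /^(0\.0\.0\.0:|:::|\[::\]:)/) { print $1; break }
    }'
}

# Constructed sample of that docker ps output (not captured from a real host).
sample_ps() {
    printf 'dvwa\t0.0.0.0:80->80/tcp, :::80->80/tcp\n'
    printf 'juice\t127.0.0.1:3000->3000/tcp\n'
    printf 'dvna\t0.0.0.0:9090->9090/tcp\n'
}

# Demo: loopback form of the port mappings used on this page, then the audit.
for p in 80:80 8080:8080 3000:3000 9090:9090; do
    echo "-p $p  ->  -p $(loopback_publish "$p")"
done
echo "published on all interfaces: $(sample_ps | exposed_containers | tr '\n' ' ')"
```

On a real host, pipe `docker ps --format '{{.Names}}\t{{.Ports}}'` into `exposed_containers` instead of the sample.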