Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: An interesting vulnerability playground to learn application vulnerabilities - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
An interesting vulnerability playground to learn application vulnerabilities

In my spare time I am teaching computer security topics in a local university. One of the activities that my students enjoy is the teaching of application security assessment and vulnerability detection.

I made my search for the applications that supported the largest possible number of vulnerabilities. As a result of the research, I began to work with the following applications:

One aspect that I did not like about these applications is that they show scenarios to fully exploit the vulnerability point, without being real and that identification scenarios for my students can be complex due to their lack of experience in the field. So I started looking for an application that was as close as possible to a real web application, which had modules that include one or more vulnerabilities. Finally I found a very interesting application called wackopicko, which poses as a real website for sharing pictures with real application modules that have the following vulnerabilities: Reflected XSS, Stored XSS vulnerability SessionID, Stored SQL Injection, Reflected SQL Injection, Directory Traversal, Multi-Step Stored XSS, Forceful Browsing, Command-line Injection, Parameter Manipulation, behind Reflected XSS JavaScript Logic Flaw, a flash behind Reflected XSS Weak form and username / password.

Do you have any other interesting vulnerability playground to share with us? Let us know.  

-- Manuel Humberto Santander Peláez | | | msantand at isc dot sans dot org

Manuel Humberto Santander Pelaacuteez

195 Posts
ISC Handler
Dec 26th 2010
Interestingly enough, the link to Mutillidae also links to another article with a nice list of deliberately vulnerable web apps. Check it out.

65 Posts
Check out this list here:

Several intentionally vulnerable web apps and distro's...

7 Posts

Sign Up for Free or Log In to start participating in the conversation!