I am preparing for my Certified Ethical Hacker (CEH) certification, and have compiled several resources to aid in my studying. I already have a high level of technical knowledge, and am generally more of a hands-on person. I am not as concerned with reading book material; I would rather learn by doing.
Some of simulations are website files (don’t place these in a live server), others are full virtual machines. I’m on a Mac, so my emulator of choice is Parallels Desktop 7. It’s considerably faster than VMWare, but I will be doing a full review on that another time. It’s important to note that the HackXor simulation below is a VMWare image, but Parallels has no problem converting it.
1. Web Goat
WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard.
2. Damn Vulnerable Web Application
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.It is a best platform to practice web application hacking and security.
Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.
The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. On the left menu you can see all attack scenarios that are currently available.
5. Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo. Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.2, which is patched with the appropriate updates and VM additions for easy use.
WebMaven (better known as Buggy Bank) was an interactive learning environment for web application security. It emulated various security flaws for the user to find. This enabled users to safely & legally practice web application vulnerability assessment techniques. In addition, users could benchmark their security audit tools to ensure they perform as advertised.
7. Additional Vulnerable Web Applications
Want more? Check out this list of about 30 intentionally vulnerable web applications (PHP, JSP, CGI, Java) to test your skills.