websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] Training web app pentesters

Wasim Halani
Sun, Mar 27, 2011 1:24 AM

You could refer to my blogpost at
http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
It's basically a listing of all vulnerable web applications, specifically
created for learning web application security.

Hope you'll find it useful.

Regards,

Wasim Halani
http://securitythoughts.wordpress.com
http://twitter.com/washalsec

To keep silent when you can say something wise and useful is as bad as
keeping on propagating foolish and unwise thoughts. -- Imam Ali (p.b.u.h.)

On Sun, Mar 27, 2011 at 4:04 AM, H Morrow Long morrow.long@yale.edu wrote:

There is an open source (SourceForge) project sponsored and run by Maven
Security which has integrated many of the tutorial web security lessons and
tools into one package -- Web Security Dojo.

See: http://www.mavensecurity.com/web_security_dojo/

You download a VirtualBox or VMware virtual machine (both are available via
the above URL) and then start up the VM (Ubuntu-based I believe).

- Morrow

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Paul
Johnston
Sent: Friday, March 25, 2011 6:32 AM
To: Webappsec Group
Subject: [WEB SECURITY] Training web app pentesters

Hi,

I have some guys who I need to train to be web app testers. Initially to
work under the supervision of an experienced tester.

I realise there are a number of courses we could send them on, but these
are quite competent guys and I think they can get a long way with a
self-study approach.

I've got them working through WebGoat at the moment. My general
impression is that this is not a bad start, although some lessons are
better than others. One particular criticism though is that it's too
easy really. For example, you learn about simple cross-site scripting,
but not more subtle attack vectors, e.g. injection into attributes, URL
encoding, etc.

I've also got them reading the OWASP testing guide. Although, at over
300 pages, reading this from start to finish is not for the faint-hearted
- it's more useful as a reference.

So, does anyone here have suggestions of material to use for this? I
know there are many vulnerable apps like WebGoat; are there some that
are a bit more difficult for the tester?

Regards,

Paul

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

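Paul's point about WebGoat, that trainees learn simple cross-site scripting but not injection into attributes or URL-encoded input, is easy to make concrete. The following is an added illustration, not code from any message in this thread, from WebGoat or from the other resources named: a constructed template reflects a search term into an `<input value="...">` attribute through a body-only encoder and then through an attribute-aware one, and an HTML parser checks whether the attribute boundary survived. The template, the probe strings and every function name here are invented for the example.

```python
"""Body-context versus attribute-context output encoding.

Constructed illustration: a tiny template reflects a search term into an
<input value="..."> attribute, once through a body-only encoder and once
through an attribute-aware one, and an HTML parser then checks whether the
attribute boundary survived. Template, probe strings and function names are
all invented for this example; none of it comes from WebGoat or the thread.
"""
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes the template itself defines on the <input>; anything else the
# parser reports means the reflected value escaped the value="..." context.
TEMPLATE_ATTRS = {"type", "name", "value"}


def decode_once(raw_query: str) -> str:
    """URL-decode the raw query-string value exactly once, at the input boundary.

    Decoding again later (or not at all) is how encoding-based lessons go
    wrong: the output encoder must see the same string the browser will.
    """
    return unquote(raw_query)


def escape_body_only(value: str) -> str:
    """Naive encoder: neutralises <, > and & but leaves quote characters alone.

    Sufficient for text between tags, which is the 'simple XSS' lesson.
    """
    return html.escape(value, quote=False)


def escape_attribute(value: str) -> str:
    """Attribute-aware encoder: also encodes " and ' so the value cannot close
    the quoted attribute it is placed in."""
    return html.escape(value, quote=True)


def render_search_box(term: str, encoder) -> str:
    """Constructed template: echo the search term back into an input field."""
    return f'<input type="text" name="q" value="{encoder(term)}">'


class _InputAttributes(HTMLParser):
    """Collect the attributes the parser actually sees on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(dict(attrs))


def input_attributes(rendered: str) -> dict:
    parser = _InputAttributes()
    parser.feed(rendered)
    parser.close()
    return parser.attrs


def attribute_boundary_broken(rendered: str) -> bool:
    """True when the reflected value created attributes the template never had."""
    return not set(input_attributes(rendered)) <= TEMPLATE_ATTRS


def compare_encoders(raw_query: str) -> dict:
    """Render the same decoded term through both encoders and report which one
    let the value break out of the attribute."""
    term = decode_once(raw_query)
    return {
        "body_only": attribute_boundary_broken(render_search_box(term, escape_body_only)),
        "attribute": attribute_boundary_broken(render_search_box(term, escape_attribute)),
    }


if __name__ == "__main__":
    # Constructed probes, URL-encoded as they would arrive in a query string.
    # The first is the classic lesson (markup between tags); the second only
    # matters inside an attribute, so the body-only encoder passes the first
    # check and fails the second.
    for raw in ("%3Cb%3Ex%3C%2Fb%3E", "%22%20injected%3D%221"):
        term = decode_once(raw)
        print(f"{raw!r} -> {term!r}")
        for name, enc in (("body_only", escape_body_only), ("attribute", escape_attribute)):
            out = render_search_box(term, enc)
            print(f"  {name:10s} {out}  broken={attribute_boundary_broken(out)}")
```

The parser-based check is the useful part for a trainee: rather than eyeballing the rendered string, it asks whether the browser-side parse still matches what the template author intended, which is the same question a reviewer asks of any reflected value. The body-only encoder passes the between-tags probe and fails the attribute probe, which is exactly the gap Paul describes.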

Ausome1
Sun, Mar 27, 2011 2:17 AM

Send them to http://EnigmaGroup.org; they have over
170 hacking challenges on their site and plenty of articles and forum help
for the self learner.

On Sat, Mar 26, 2011 at 9:24 PM, Wasim Halani wasimhalani@gmail.com wrote:

You could refer to my blogpost at
http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
It's basically a listing of all vulnerable web applications, specifically
created for learning web application security.

Hope you'll find it useful.

Regards,

Wasim Halani
http://securitythoughts.wordpress.com
http://twitter.com/washalsec

To keep silent when you can say something wise and useful is as bad as
keeping on propagating foolish and unwise thoughts. -- Imam Ali (p.b.u.h.)

On Sun, Mar 27, 2011 at 4:04 AM, H Morrow Long morrow.long@yale.edu wrote:

There is an open source (SourceForge) project sponsored and run by Maven
Security which has integrated many of the tutorial web security lessons
and
tools into one package -- Web Security Dojo.

See: http://www.mavensecurity.com/web_security_dojo/

You download a VirtualBox or VMware virtual machine (both are available
via
the above URL) and then start up the VM (Ubuntu-based I believe).

- Morrow

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Paul
Johnston
Sent: Friday, March 25, 2011 6:32 AM
To: Webappsec Group
Subject: [WEB SECURITY] Training web app pentesters

Hi,

I have some guys who I need to train to be web app testers. Initially to
work under the supervision of an experienced tester.

I realise there are a number of courses we could send them on, but these
are quite competent guys and I think they can get a long way with a
self-study approach.

I've got them working through WebGoat at the moment. My general
impression is that this is not a bad start, although some lessons are
better than others. One particular criticism though is that it's too
easy really. For example, you learn about simple cross-site scripting,
but not more subtle attack vectors, e.g. injection into attributes, URL
encoding, etc.

I've also got them reading the OWASP testing guide. Although, at over
300 pages, reading this from start to finish is not for the faint-hearted
- it's more useful as a reference.

So, does anyone here have suggestions of material to use for this? I
know there are many vulnerable apps like WebGoat; are there some that
are a bit more difficult for the tester?

Regards,

Paul

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

--
01000001 01110101 01110011 01101111 01101101 01100101 00110001
