
Looking for extremely vulnerable source code


ghost's Avatar

Hi,

Over the past year I have been learning web application hacking. I have tried little things here and there, but mainly I have only practised on scripts that I have written. However, this has begun to bore me. I would like to know if anyone knows of any CMS or web application that is extremely vulnerable to penetration so I could download it, and practise on it. I do know that HBH offers challenges, but I would like to try it on my local network and I would also like to be able to view source code etc.

Your input would be greatly appreciated.

Thanks.


spyware's Avatar
Banned

Read WordPress and Joomla changelogs and download legacy versions to practice on.


spyware's Avatar
Banned

Vector-fusion wrote: I would say download PHP-Fusion and try that, as WordPress and Joomla people know how to break in (and it is easy), whereas with PHP-Fusion it's harder and more of a test for you.

You're an idiot.


spyware's Avatar
Banned

Vector-fusion wrote: Why ?

Because daddy didn't love mommy enough and that strained relationship left its scars on you.


spyware's Avatar
Banned

Vector-fusion wrote: I don't understand why that makes me an idiot.

This is pretty much -why- I called you an idiot in the first place. Thanks for the confirmation.


KvK's Avatar

Member

A legacy version of Joomla would be a great choice for a damn vulnerable CMS, as long as you find the exploits yourself, rather than give up and peek at the past work of others. If you feel frustrated that Joomla's history has been full of bugs, yet you've only been able to find one, don't simply resort to other people's work; at least you know they're there. Instead, remind yourself that it took years for all of the many bugs found in Joomla to be discovered, so give yourself some time before quitting. This method will help you truly enhance your ability to find vulnerabilities, whereas looking at the work of others will simply provide for a reference to historical exploits found in some other CMS.

Also, perhaps you should try OWASP's WebGoat Project. It's useful for learning simple web-based exploitation, and also offers the option of assistance. I recommend this over any popularly vulnerable CMS if you plan on simply googling known exploits found in said CMS.

OWASP wrote: WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson. http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Despite what decision you make, Good Luck! ^_^


clone4's Avatar
Perl-6 Wisdom Seeker

fuser wrote: I did make a post about a web app that fits your criteria a while back.

Here it is: http://www.hellboundhackers.org/forum/viewthread.php?forum_id=15&thread_id=14172#126492

I did say a "while back", but it seems that the latest version they have was probably in '09, so I'm afraid it's not the latest when it comes to finding bugs, but I think it'll help you sharpen your skills.

Damn Vulnerable Web App is good for the basic stuff, but it's nothing too great for an actual training of pen-testing because you are pretty much served the vulnerabilities under your nose. I still use it though, to test my scanners etc.


ghost's Avatar

Thank you for your replies. I have downloaded WebGoat and I am currently giving that a shot. I will be sure though to check out the other links you guys have provided.

Thanks again to everyone, really appreciate it!


cyber-guard's Avatar
Not Just a member

Before posting, please check the date of the last post, this thread has been dead for over 2 months…


spyware's Avatar
Banned

cyber-guard wrote: Before posting, please check the date of the last post, this thread has been dead for over 2 months…

The post wasn't that bad if you ask me. Actually, I think the link (=new content) deserved the bump.

In general though, try to refrain from posting in old threads.


ghost's Avatar

I assumed that because it was on the first page, it was recent. I didn't realise how low activity was in the forum until you mentioned the date. Apologies :)