我在哪里可以找到故意不安全的开源Web应用程序？

As a developer, I've learned that I usually gain a better understanding of best/worst practices through experience. The area of web application security isn't really somewhere where my organization can afford to let developers learn through trial and error.

作为一名开发人员,我了解到我通常会通过经验更好地了解最佳/最差实践。 Web应用程序安全性领域实际上并不是我的组织可以让开发人员通过反复试验来学习的地方。

So looking for a hands-on approach to knowledge sharing of best practices in web application security, I was thinking that it would be useful to have an open source application that was deliberately built to be insecure in order to help teach junior developers about application security.

因此,我正在寻找一种实际的方法来分享Web应用程序安全性最佳实践的知识,我认为有一个开源应用程序是有用的,这个应用程序是故意构建为不安全的,以便帮助初级开发人员了解应用程序安全性。

Does anyone out there know where to find something like this?

有没有人知道在哪里可以找到这样的东西?

8 个解决方案

#1

There are online (hacking challenge / practice / fun ) and offline (you got the source code) apps:

有在线(黑客挑战/练习/乐趣)和离线(你有源代码)应用程序:

Offline :

OWASP Webgoat
Foundstone Hackme Series
- Hackme Bank
- Hackme Travel
- Hackme Casino
- Hackme Books

Foundstone Hackme系列Hackme Bank Hackme Travel Hackme Casino Hackme Books

WebMaven
SecuriBench
You can download VmWare Images of old vulnerable known CMSs, or just download them from repositories (try sourceforge or official old releases and find vulnerabilities from Securityfocus BID )

您可以下载旧的易受攻击的已知CMS的VmWare映像,或者只是从存储库下载它们(尝试sourceforge或官方旧版本并从Securityfocus BID中查找漏洞)

Online

More Realistic Demonstration

更现实的示范

This is an old list I grabbed from somewhere, some of them can be down right now.

这是我从某个地方抓到的旧列表,其中一些可能现在正在关闭。

Challenge sort of examples

挑战一些例子

#2

Check out WebGoat. It's an application riddled with vulnerabilities from the OWASP list, designed as a learning resource for web application developers. The application is a tutorial that walks developers through the vulnerabilities it contains, with tests for each lesson.

查看WebGoat。它是一个充满OWASP列表漏洞的应用程序,旨在作为Web应用程序开发人员的学习资源。该应用程序是一个教程,可以让开发人员了解它包含的漏洞,并为每节课提供测试。

#3

You might want to try https://hack.me

您可能想尝试https://hack.me

It is a community driven project where all kinds of vulnerable web applications are hosted and shared. You can run them in a new sandbox, safely without downloading/configuring any server.

它是一个社区驱动的项目,托管和共享各种易受攻击的Web应用程序。您可以安全地在新沙箱中运行它们,而无需下载/配置任何服务器。

I'm the project founder but since it's a completely free project I thought this would be worth saying in addition to the great other resources mentioned.

我是项目创始人,但由于这是一个完全免费的项目,我认为除了提到的其他优秀资源之外,这还值得一提。

#4

There was a website that was built to have insecurities in it, and the object was to hack it. I can't remember its name. ~~I'm googling around for it. Will edit as I find it.~~

有一个网站建立的不安全感,其目的是破解它。我不记得它的名字。我正在谷歌上搜索它。我会发现它会编辑。

Found it: The name is hackthissite.org.

找到它:这个名字是hackthissite.org。

#5

there is also...Damn Vulnerable Web App (DVWA) ...

还有...该死的易受攻击的网络应用程序(DVWA)...

here...dvwa.co.uk

#6

You can also practice various flavors of SQL Injection with SQLol and XML Injection /xPath Injection with XMLmao.

您还可以使用SQLol和使用XMLmao的XML Injection / xPath Injection练习各种风格的SQL注入。

#7

I'm reminded of this OSCON talk, though it's probably too specific to be what you're looking for.

我想起了这次OSCON讲座,虽然它可能太具体了,无法满足您的需求。

#8

Theres an OWASP project just to document all of the known vulnerable web apps: https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

这是一个OWASP项目,旨在记录所有已知的易受攻击的网络应用程序:https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

#1