Hacking without going to jail!

Ever wondered how breaking into computers feels? According to TV . . .

Hmmm.. nope, you got it wrong again, Hollywood!

Many finish university with a degree and all the foundations required to be great security engineers. Whether you want to start a career as a penetration tester, you are a developer who wants to learn more about security, or you are simply curious, you should try some of the following. Below is a selection of projects that provide deliberately vulnerable applications, built to demonstrate the vulnerabilities commonly found in the wild, usually in their simplest form, so that you can practise finding and exploiting them against practical examples. Keep in mind that these applications are vulnerable on purpose: run them only on your own machine or in an isolated VM, and never expose them to the internet.

1. Webgoat

The version released after OWASP WebGoat 5.0 offers a more user-friendly interface and an almost complete selection of topics in web application secure coding. In addition, no installation is required: the application is packaged as a single .jar file and can be run directly with Java.

Vulnerabilities : OWASP Top 10
Tips : Yes
Solutions : No
Project: owasp.org/index.php/Category:OWASP_WebGoat_Project
Format: .jar
Download: github.com/WebGoat/WebGoat-Legacy/releases

Quick Start:

java -jar WebGoat-6.1.0-exec-war.jar

2. Damn Vulnerable Web Application (DVWA)

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is, as the name says, damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment.

Vulnerabilities : OWASP Top 10
Tips : Yes
Solutions : No
Project: owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
Format: PHP/SQL
Download: github.com/RandomStorm/DVWA

Quick Start:

The easiest way to install DVWA is to download and install XAMPP if you do not already have a web server set up.

XAMPP can be downloaded from: www.apachefriends.org/en/xampp.html

Simply unzip dvwa.zip, place the unzipped files in your public html folder,
then point your browser to
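Before you start on the SQL injection level of DVWA, it helps to see what the bug looks like in its simplest form. The following is an added example written for this post, not code from DVWA or any other project listed here: a login check backed by a constructed in-memory SQLite table (the user names and passwords are made up), with the vulnerable query built by string concatenation next to the parameterized version that defeats the same payload.

```python
import sqlite3


def make_db():
    """Constructed users table standing in for a practice app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("gordonb", "abc123")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The classic mistake: user input pasted straight into the SQL text.

    Returned separately so the executed statement can be shown to the learner,
    much like the 'show executed commands' option in training apps.
    """
    return (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn, username, password):
    """Returns True if the (injectable) query matches any row."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the statement, so a
    quote or comment marker in the input cannot change the SQL structure."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # A comment marker after the closing quote drops the password check.
    payload = "admin' --"
    print(build_vulnerable_query(payload, "wrong"))
    print("vulnerable login with payload:", login_vulnerable(db, payload, "wrong"))
    print("safe login with payload:      ", login_safe(db, payload, "wrong"))
    print("safe login with real password:", login_safe(db, "admin", "s3cret"))
```

Run it and compare the printed statement with what you see in DVWA's own output: the `--` turns the rest of the `WHERE` clause into a comment, so the vulnerable check logs you in as admin with any password, while the parameterized check treats the whole payload as a literal user name and fails.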

3. OWASP Bricks

Bricks is a web application security learning platform built on PHP and MySQL. The project focuses on variations of commonly seen application security issues. Each 'Brick' has some sort of security issue which can be leveraged manually or using automated software tools. The mission is to 'Break the Bricks' and thus learn the various aspects of web application security. Bricks is a completely free and open source project brought to you by OWASP.

Vulnerabilities : OWASP Top 10
Tips : Yes
Solutions : No
Project: sechow.com/bricks/index.html
Download: http://sourceforge.net/projects/owaspbricks/files/Tuivai%20-%202.2/OWASP%20Bricks%20-%20Tuivai.zip/download

Quick Start:

Copy the Bricks folder into the www directory and start the server.
Create a new database for Bricks:
 Click on the PHPMyAdmin button or go to http://<your_ip>/mysql/ in your browser.
 Any name can be used for the database, for example: bricks. Fill in the name and click on Create.
Go to http://<your_ip>/bricks/ in your browser.
Bricks will redirect automatically to http://<your_ip>/bricks/config/.
Fill in the configuration details:
Database username: root
Database password: root in uWAMP; leave it blank in the case of XAMPP
Database name: bricks
Database host: localhost
Show executed commands: checked by default
Click on Submit and a file, LocalSettings.php, will be downloaded. Place this file in the www directory.
Refresh the http://<your_ip>/bricks/config/ page.
Click on Setup/reset database.
Installation finished.
Bricks will be ready at http://<your_ip>/bricks/

4. Online Web Applications:

Hack.me http://hack.me
XSS Game by Google https://xss-game.appspot.com
Cenzic Bank http://crackme.cenzic.com

For those who want to sharpen their knowledge, here is a list of noticeable projects in different areas; I kept those that have been updated recently and are related to web application security. In the future I will post another list for web services and infrastructure testing environments. Please feel free to add any comments, suggestions or corrections below. . .