When you're just starting out and trying to figure out what in your application could open a hole for a potential security threat, you might not know exactly what you're looking for. You've read all the descriptions of what an XSS vulnerability is or what kind of damage a RFI injection could cause, but you don't have much hands on experience as to what those sorts of issues really look like. Thankfully, there's two tools that can introduce you to these kinds of issues (and more) and will let you practice your skills to apply them to your own applications - WebGoat (from the OWASP) and the DVWA (Damn Vulnerable Web Application).
The idea behind both of these projects is providing you with a self-contained, follow along sort of application that not only instructs you in how to perform some of the most basic (and popular) vulnerabilities, but provides you with help along the way so you can more easily spot the issues in the future.
The WebGoat project is a tool provided by the OWASP (Open Source Web Security Project) that walks you through several different kinds of web vulnerabilities including:
The WebGoat download is provided as a download from the project's Google Code page
as a stand-alone package. You download the latest release and fire up the server that's
provided with it (Tomcat - yeah, it's Java). You can then access the URL on localhost for the server:
http://localhost/WebGoat/attack and get to the first pages of the project. On the left-hand
side of the page, you'll find a list of different kinds of vulnerabilities that you can
try your hand at as well as a "report card" to see how you're doing. Sometimes the application
will offer you hints if you're close to locating the exploit, but most of the time you'll
really need to think about what you're trying to accomplish and find the shortest path there.
With WebGoat, you use this proxy to manipulate the requests you're making and hack into various parts of the application. You'll need to use not only the intercepting proxy to solve some of the problems, but also other tools like Firebug/Chrome Developer Tools and some good old fashioned educated guessing.
The WebGoat project shows you vulnerabilities like:
Each of the lessons has a few sub-sections, so be sure you have some time to work on these things. You can always come back later, of course.
Where the WebGoat application is more of a stand-along kind of thing that hasdles its own configuration, the DMVA is pretty similar to WebGoat in its intentions. It also provides a contained set of examples where you can try things out, testing your knowledge and learning at the same time.
There's one key difference between the two projects. The DVWA is actually a website that you drop into your server (maybe as a VirualHost) and start running the tests. The DVWA covers:
Unlike the WebGoat software, you'll need one additional requirement - the setup of a database backend (MySQL or the like). This is used in the SQL injection testing. All you need is to create the database, set up a user for access to it and alter the configuration for the DVWA to match the credentials.
Unlike WebGoat, the DVWA doesn't provide too much in the way of guidance for each of the examples. There's usually a few links included in the page (and a "help" option) but WebGoat does a better job of helping you along.
If you're new to the web application testing world and are trying to figure out exactly how to locate the issues in your own apps, give these two tools a try. Personally, I found WebGoat to be a better introduction to most of the important concepts, but the DVWA had a few topics that WebGoat didn't include.
With over 12 years of experience in development and a focus on application security Chris is on a quest to bring his knowledge to the masses, making application security accessible to everyone. He also is an avodcate for security in the PHP community and provides application security training and consulting services.