Web applications have become common targets for attackers. Attackers can leverage relatively simple vulnerabilities to gain access to confidential information most likely containing personally identifiable information.


While traditional firewalls and other network security controls are an important layer of any Information Security Program, they can’t defend or alert against many of the attack vectors specific to web applications. It is critical for an organisation to ensure that its web applications are not susceptible to common types of attack.


Best Practice suggests that an organisation should perform a web application test in addition to regular security assessments in order to ensure the security of its web applications.


For today’s post, I decided to share my own list of common vulnerable web applications for building a web penetration testing lab.





OWASP Mantra


Mantra – Free and Open Source Browser based Security Framework – is a collection of free and open source tools integrated into a web browser.


OWASP Mantra is a Firefox-based browser dedicated to security work; it integrates an arsenal of tools for auditing and debugging your web applications online.


Mantra is a security framework that can be very helpful in performing all the five phases of an attack, including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from this, it also contains a set of tools aimed at web developers and code debuggers, which makes it convenient for both offensive and defensive security tasks.


To install OWASP Mantra, follow my previous post: https://sathisharthars.com/2014/07/30/installing-owasp-mantra-in-kali-linux/





DVWA (Damn Vulnerable Web Application)


This vulnerable PHP/MySQL web application is one of the best-known applications for testing your web penetration testing skills and your knowledge of manual SQL injection, XSS, blind SQL injection, etc. DVWA is developed by Ryan Dewhurst a.k.a. ethicalhack3r and is part of the RandomStorm open source project.



Run the command below to download DVWA:

#wget -c https://kaz.dl.sourceforge.net/project/dvwa/DVWA-1.0.7.zip


Unzip the downloaded file and copy the dvwa folder into Computer → File system → var → www (that is, /var/www/dvwa).


Set the permissions of the DVWA directory to 755. To do this, open a Terminal and type:

#chmod -R 755 /var/www/dvwa


Start Apache: go to Applications → Kali Linux → System Services → HTTP → apache2 start, or run:

#/etc/init.d/apache2 restart


Start MySQL: go to Applications → Kali Linux → System Services → MySQL → mysql start, or run:

#/etc/init.d/mysql start





Now create the database for DVWA.


Open a Terminal, log in to MySQL and create the database at the mysql prompt:

#mysql -u root -p

mysql> create database dvwa;






Configure DVWA by opening /var/www/dvwa/config/config.inc.php and adding your MySQL password.





Now open your browser and go to https://localhost/dvwa, enter the default credentials (username admin, password password) and click Login.




You have successfully logged in.




NOWASP Mutillidae


Mutillidae is a free and open source web application for website penetration testing and hacking, developed by Adrian “Irongeek” Crenshaw and Jeremy “webpwnized” Druin. It is designed to be exploitable and vulnerable, and is ideal for practicing your Web Fu skills such as SQL injection, cross-site scripting, HTML injection, JavaScript injection, clickjacking, local file inclusion, authentication bypass methods, remote code execution and many more, based on the OWASP (Open Web Application Security Project) Top 10 web vulnerabilities.



Download the latest version of Mutillidae:

#wget -c https://ncu.dl.sourceforge.net/project/mutillidae/mutillidae-project/LATEST-mutillidae-2.6.10.zip


Unzip the latest version (the only folder in the ZIP file is the “mutillidae” folder):

#unzip -q LATEST-mutillidae-2.6.10.zip


Copy the extracted folder to /var/www:

#cp -R mutillidae /var/www/





Now create the database for Mutillidae.


Open a Terminal, log in to MySQL and create the database at the mysql prompt:

#mysql -u root -p

mysql> create database mutillidae;






Configure Mutillidae by opening /var/www/mutillidae/classes/MySQLHandler.php and adding your MySQL root password.






Start the project by browsing to https://localhost/mutillidae and clicking the Reset DB button on the menu bar.





Browse to https://localhost/mutillidae










OWASP WebGoat


WebGoat is an OWASP project and a deliberately insecure J2EE web application designed to teach web application security lessons and concepts. What’s cool about this application is that it lets users demonstrate their understanding of a security issue by exploiting a real vulnerability in the application in each lesson.



Download WebGoat:

#wget -c https://webgoat.googlecode.com/files/WebGoat-OWASP_Standard-5.3_RC1.7z


WebGoat is a platform-independent environment. It uses Apache Tomcat and the Java development environment.


To install Java, run the command below:


#apt-get install openjdk-6-jre



Extract WebGoat-OWASP_Standard-5.3_RC1.7z into your working directory:

#p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z





#cd WebGoat-5.3_RC1


Set JAVA_HOME (and the Tomcat variables) to point to your Java installation, then make the start script executable:


#export JRE_HOME=/usr/lib/jvm/java-6-openjdk-amd64/bin/../

#export CATALINA_BASE=./tomcat

#export CATALINA_HOME=./tomcat

#export JAVA_HOME=/usr/lib/jvm/java-6-openjdk-amd64/bin/../

#chmod +x webgoat.sh





Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.


#sh webgoat.sh start

#sh webgoat.sh stop



Start your browser and browse to https://localhost/webgoat/attack
Log in as: user = guest, password = guest


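One check worth running once all three applications are up (an added example, not from the original post or from any of these projects): every one of them is deliberately vulnerable, so the lab host should only listen on loopback. The POSIX shell script below parses `ss -ltn` output and fails if any listener is bound to anything other than 127.0.0.1 or ::1; it assumes the standard `ss -ltn` column layout, and the sample output embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a DVWA / Mutillidae / WebGoat lab host is loopback-only.
# Assumption (not from the post): `ss -ltn` prints "State Recv-Q Send-Q
# Local Address:Port Peer Address:Port", so the local socket is column 4.

# Read `ss -ltn` output on stdin, print one "addr:port" per LISTEN line.
listeners_from_ss() {
    awk '$1 == "LISTEN" { print $4 }'
}

# Read "addr:port" lines on stdin; succeed only if every one is bound to
# loopback. Each non-loopback listener is reported on stderr.
lab_listeners_are_local() {
    bad=0
    while IFS= read -r addr; do
        [ -z "$addr" ] && continue
        case "$addr" in
            127.*:*|'[::1]:'*) ;;                         # loopback: fine
            *) echo "exposed listener: $addr" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Wrapper for a live host:  ss -ltn | lab_check
lab_check() {
    listeners_from_ss | lab_listeners_are_local
}

# Constructed sample: MySQL correctly on loopback, Apache (DVWA, Mutillidae,
# WebGoat on port 80) wrongly bound to all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*'

if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$SAMPLE_SS" | lab_check; then
        echo "lab is loopback-only"
    else
        echo "lab is EXPOSED: bind Apache to 127.0.0.1 before using it"
    fi
fi
```

On the sample above the check fails because of `0.0.0.0:80`; on a real host, run `ss -ltn | lab_check` after starting Apache, MySQL and WebGoat.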



That’s it. Make use of these vulnerable systems to understand the vulnerabilities.