Why another vulnerable webapp for target practice? This, from GitHub:
Main Selling Points:
- Easy-to-install: Choose between node.js, Docker and Vagrant to run on Windows/Mac/Linux
- Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically
- Self-healing: The simple SQLite database is wiped and regenerated from scratch on every server startup
- Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board
- CTF-support: Challenge notifications optionally show a flag code for your own Capture-The-Flag events
- Re-branding: Fully customizable business context and look & feel
- Free and Open source: Licensed under the MIT license with no hidden costs or caveats
It took me just a few minutes to install and the app sits online for me to attack. You may be surprised (like me) that Heroku would allow hosting a deliberately vulnerable web app, but as long as there’s no DDoS funny-business, they’re good with it.
Another MAJOR selling point is that this app uses modern and realistic web application technology:
Björn furnishes us with a comprehensive GitBook detailing installation, the challenges, hints and full walk-through solutions. I love this guide, as Björn leads us gently through the wonders of Chrome Developer Tools. He also advises watching a free short course on Chrome DevTools if you're not familiar with it, which I encourage you to do.
The other thing is that this is GREAT FUN. You will thoroughly enjoy it and probably learn loads in the process:
I'll say no more, as below is Björn's introductory talk.
If you're short on time, here's a link to a 7-minute intro from the OWASP 24/7 podcast.
And below is Björn's OWASP AppSec talk in Belfast: