The best way to learn to play defense is to play offense, and the OWASP Broken Web Applications Project makes it easy for application developers, novice penetration testers, and security-curious management to flex their offensive muscle in the safety of a virtual machine on their own laptop.
Web applications are the most visible front door to any enterprise and are often designed and built without strong security in mind. Stressing out over hardware vulnerabilities like Spectre or Meltdown is fun and trendy, but while you're digging a moat around your castle someone is prancing across the drawbridge using SQL injection (SQLi) or cross-site scripting (XSS).
The OWASP Broken Web Applications Project comes bundled in a virtual machine (VM) that contains a large collection of deliberately broken web applications with tutorials to help students master the various attack vectors. From trivial to more difficult, the project is designed to lead the user to a better understanding of web application security.
What is the OWASP Broken Web Applications Project?
The OWASP Broken Web Applications Project includes the appropriately named Damn Vulnerable Web Application, deliberately broken for your pentesting enjoyment. For maximum lulz, download OWASP Zed Attack Proxy (ZAP, a free alternative to Burp Suite), configure a local browser to proxy traffic through ZAP, and get ready to attack some damn vulnerable web applications.
The Damn Vulnerable Web Application is a good place for a beginner to start and includes the (apparently necessary?) warning that "Damn Vulnerable Web App is damn vulnerable!" Pretty much every attack vector you could think of has been deliberately included in this application, making it a one-stop shop of low-hanging fruit at the farmer's market of pick-your-own web app vulnerabilities.
Getting started with OWASP's broken web apps
Before you get sucked into the Damn Vulnerable Web Application, the Security Shepherd includes hands-on lessons to help you get from zero to, well, maybe not sixty, but at least 45 in the slow lane. Bundled into the same VM, Security Shepherd includes tutorials on SQLi, XSS, CSRF and many other common web application vulnerabilities.
Before you can start popping web apps, you need to install a bunch of stuff first. A common, free setup looks something like this: Download and install VirtualBox, and then download the OWASP Broken Web Applications VM (.ova file). Import the .ova, and make sure that networking is set to "host-only." (You don't want to expose these deliberately broken applications to the outside world.) Start the VM. Log into the VM and run ifconfig to determine the IP address, e.g., 192.168.56.103.
Point a web browser at that address to ensure the VM is set up correctly. That done, start ZAP and accept the default options to start with. Configure your browser's proxy settings to point to localhost port 8080, where ZAP lives. Don't forget to change your proxy settings back when you're done. Alternatively, use a browser you don't normally use on a day-to-day basis.
Readers familiar with Burp Suite might object at this point that their favorite tool is superior to ZAP, but it's also not free. Beginners are likely better served by a free tool while they pickaxe their way up the learning curve to Burp country.
Once you've set things up, you'll be able to man-in-the-middle (MitM) traffic to the broken web applications, allowing you to intercept traffic and modify it on the fly.
Your traffic flow will look like this:
Firefox --> ZAP --> Broken web app
Broken web app --> ZAP --> Firefox
ZAP automates testing web applications and even generates attack code. Point ZAP at the Security Shepherd Cross Site Scripting lesson and ZAP generates code to copy and paste into the vulnerable web app. This is a trivial attack, granted, but then maybe that's the point--it's a trivial attack that any low-skilled attacker with a couple hours to fool around can learn how to do, and maybe you should defend against it.
Remember the low-hanging fruit at the farmer's market of pick-your-own web app vulnerabilities? Pick them apples before the hordes of script kiddie tourists arrive (and for the love of Kali avoid torturing metaphors the way we do).
Play offense to learn defense
Building web applications is easy. Securing them is hard. Locking the front door of your castle is a must so that the script kiddie tourists picking low-hanging fruit can't waltz across your drawbridge while you're filling the moat with alligators.
Hacking web applications is an easy first step into penetration testing. Even those who have no interest in a career as a pentester will gain valuable experience spending a few days attacking some broken web applications. Policymakers, judges, journalists--looking at you. Demystifying how hacking works, and revealing just how rudimentary it can be, is a key lesson for management and policy folk alike.