There are many open source projects on the web aimed at teaching website security and the common vulnerabilities that attackers exploit. OWASP, the Open Web Application Security Project, is a non-profit organization committed to free, open source web security projects and has organized over one hundred of them. OWASP has advanced many useful tools and learning projects for studying website vulnerabilities and web attacks. One well-known project is the OWASP Top Ten, a research project and website that identifies the ten most critical web application security risks; editions were released for 2007 and 2010. Two more useful web security learning tools that came out of OWASP projects are Mutillidae and ZAP.
Mutillidae is an open source, deliberately vulnerable web application that you can download and install in an isolated testing environment. To run it you need an AMP stack (Apache, MySQL, PHP) on the host; it runs on Linux, Windows, or OS X. More information about Mutillidae is available at http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
ZAP (Zed Attack Proxy)
ZAP is an attack proxy that works as both a sniffer and a mangler: it captures the traffic passing between your browser and the website you are scanning or attacking, and lets you inspect and modify it. ZAP can run scans, scripts, and attacks against a targeted domain or website, which makes it useful for penetration testing and for measuring your own website's security and vulnerability level. Do not run this tool against a live domain or website without prior permission; it will be seen as a live attack.
• In Mutillidae, toggle hints to “Noob” to get detailed learning information and hints.
• In Firefox, disable the NoScript add-on while working through the exercises, otherwise the client-side vulnerabilities will not trigger.
• In BackTrack, ZAP is already installed.
• For ZAP to see your traffic, configure it as the HTTP proxy in Firefox's connection settings.
• FoxyProxy is a proxy switcher installed as a Firefox plugin. It lets you control which domains are sent through the proxy and which are not.
• packetstormsecurity.org is a useful website for security information and resources.
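To make concrete what an intercepting proxy such as ZAP actually sees once the browser is pointed at it, here is an added example that is not part of the original page and not ZAP's own code: a minimal forwarding HTTP proxy that records every request it relays, plus a constructed stand-in for the vulnerable application that simply echoes what it receives. The port numbers are chosen at runtime, and the login path, cookie and credentials are constructed sample values. Routing a GET and a form POST through it shows why a proxy can read and rewrite session cookies and submitted passwords in plain HTTP, which is the same property that makes HTTPS necessary on a real site.

```python
import http.server
import threading
import urllib.error
import urllib.request


class CaptureProxy(http.server.BaseHTTPRequestHandler):
    """Minimal forwarding HTTP proxy that records every request it relays.

    A browser configured to use it sends each request here with an absolute
    URL (GET http://host/path HTTP/1.1); the proxy fetches that URL upstream,
    hands the response back, and keeps a copy of what passed through.
    """

    captured = []  # shared log of (method, url, headers, body)
    # Upstream opener with no proxies, so the relay never loops back to itself
    upstream = urllib.request.build_opener(urllib.request.ProxyHandler({}))

    def do_GET(self):
        self._relay()

    def do_POST(self):
        self._relay()

    def _relay(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        headers = dict(self.headers.items())
        CaptureProxy.captured.append((self.command, self.path, headers, body))
        # Hop-by-hop headers, Host and Content-Length are regenerated by urllib
        fwd = {k: v for k, v in headers.items()
               if k.lower() not in ("proxy-connection", "connection",
                                    "host", "content-length")}
        req = urllib.request.Request(self.path, data=body, headers=fwd,
                                     method=self.command)
        try:
            with self.upstream.open(req, timeout=5) as resp:
                status, payload, resp_headers = resp.status, resp.read(), resp.getheaders()
        except urllib.error.HTTPError as err:  # 4xx/5xx are relayed as-is
            status, payload, resp_headers = err.code, err.read(), err.headers.items()
        self.send_response(status)
        for k, v in resp_headers:
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the console quiet
        pass


class EchoTarget(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the vulnerable app: echoes method, path and body."""

    def do_GET(self):
        self._reply(b"GET " + self.path.encode())

    def do_POST(self):
        n = int(self.headers.get("Content-Length", 0))
        self._reply(b"POST " + self.rfile.read(n))

    def _reply(self, payload):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start handler on a free loopback port in a background thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Send a GET and a form POST through the proxy; return the log and replies."""
    CaptureProxy.captured.clear()
    target, proxy = serve(EchoTarget), serve(CaptureProxy)
    site = "http://127.0.0.1:%d" % target.server_address[1]
    # Equivalent of pointing Firefox at the proxy: all HTTP goes via 127.0.0.1:<port>
    client = urllib.request.build_opener(urllib.request.ProxyHandler(
        {"http": "http://127.0.0.1:%d" % proxy.server_address[1]}))
    get_reply = client.open(site + "/login.php?user=alice").read()
    post = urllib.request.Request(site + "/login.php",
                                  data=b"user=alice&pass=hunter2",  # constructed
                                  headers={"Cookie": "PHPSESSID=constructed"})
    post_reply = client.open(post).read()
    for srv in (target, proxy):
        srv.shutdown()
        srv.server_close()
    return list(CaptureProxy.captured), get_reply, post_reply


if __name__ == "__main__":
    log, _, _ = run_demo()
    for method, url, headers, body in log:
        print(method, url, headers.get("Cookie"), body)
```

Run it directly and the printed log shows the absolute URL the browser handed to the proxy, the session cookie, and the POST body with the password in the clear. That captured copy is exactly what ZAP's history and request editor are built on; the FoxyProxy tip above matters because any domain routed through the proxy is exposed the same way, so only the lab site should be proxied.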