Where can I find a deliberately insecure open sour

Published 2019-03-07 19:46

Question:

As a developer, I've learned that I usually gain a better understanding of best/worst practices through experience. The area of web application security isn't really somewhere where my organization can afford to let developers learn through trial and error.

So looking for a hands-on approach to knowledge sharing of best practices in web application security, I was thinking that it would be useful to have an open source application that was deliberately built to be insecure in order to help teach junior developers about application security.

Does anyone out there know where to find something like this?

Answer 1:

There are online (hacking challenge / practice / fun) and offline (you get the source code) apps:

Offline:

  • OWASP Webgoat
  • Foundstone Hackme Series
    • Hackme Bank
    • Hackme Travel
    • Hackme Casino
    • Hackme Books
  • WebMaven
  • SecuriBench
  • You can download VMware images of old CMSs with known vulnerabilities, or just download them from repositories (try SourceForge or official old releases) and find the vulnerabilities on SecurityFocus BID

Online

More Realistic Demonstration

  • http://zero.webappsecurity.com
  • http://crackme.cenzic.com
  • http://testphp.acunetix.com
  • http://testasp.acunetix.com
  • http://testaspnet.acunetix.com
  • http://hackme.ntobjectives.com

This is an old list I grabbed from somewhere; some of them may be down right now.

Challenge sort of examples

  • http://hackergames.net/
  • http://www.hackthissite.org
  • http://www.ngsec.com
  • http://www.try2hack.nl
  • http://www.hackerslab.org
  • http://www.slyfx.com
  • http://www.mod-x.co.uk
  • http://hackme.elderson.net
  • http://mindlock.bestweb.net/join.php
  • http://www.cyberarmy.com/zebulun/
  • http://www.roothack.org/
  • http://hack.datafort.net/
  • http://hacknull.com/
  • http://wargames.unix.se/
  • http://www.osix.net/
  • http://www.h4ckerx.ne
  • http://www.bright-shadows.net/
  • http://www.0penhack.com/
  • http://scifi.pages.at/hackits/
  • http://lightning.prohosting.com/~thegame/
  • http://www.hackquest.de/
  • http://www.hack4u.nl
  • http://bigcontest.securityhack.net
  • http://www.hackerss.com
  • http://www.izhal.com
  • http://www.boinasnegras.com
  • http://ambience.digitalshell.net/~llamatron/
  • http://www.blind-dice.com
  • http://www.arcanum.co.nz
  • http://www.ralf-mengwasser.de
  • http://www.cyberarmy.com
  • http://lightning.prohosting.com/thegame
  • http://digitalparadox.org
  • http://www.learntohack.org
  • http://x-avier.com
  • http://m4tr1x.wsn.at
  • http://www.hdcwargame.com
  • http://vortex.labs.pulltheplug.com


Answer 2:

Check out WebGoat. It's an application riddled with vulnerabilities from the OWASP list, designed as a learning resource for web application developers. The application is a tutorial that walks developers through the vulnerabilities it contains, with tests for each lesson.



Answer 3:

You might want to try https://hack.me

It is a community driven project where all kinds of vulnerable web applications are hosted and shared. You can run them in a new sandbox, safely without downloading/configuring any server.

I'm the project founder but since it's a completely free project I thought this would be worth saying in addition to the great other resources mentioned.



Answer 4:

There was a website that was built to have insecurities in it, and the object was to hack it. I can't remember its name. I'm googling around for it. Will edit as I find it.

Found it: The name is hackthissite.org.



Answer 5:

There is also Damn Vulnerable Web App (DVWA): dvwa.co.uk



Answer 6:

You can also practice various flavors of SQL Injection with SQLol and XML Injection /xPath Injection with XMLmao.

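A minimal version of what these SQL injection practice apps let you try, as an added example that is not part of the original answer or of SQLol: the same login lookup written with string formatting and with a bound parameter, run against a constructed in-memory SQLite table. The table, its two users and the plaintext passwords are made up for the demo (a real app would store password hashes; the point here is only the query construction). Two flavours are shown against the vulnerable version: an authentication bypass with `' OR '1'='1`, and a UNION-based dump of the password column. The parameterised version returns nothing for the same payloads because the driver sends the values separately from the SQL text.

```python
import sqlite3


def make_db():
    """Constructed demo data: two users with plaintext passwords (demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately insecure: user input is formatted into the SQL text,
    so a quote in either field changes the structure of the query."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()


def login_fixed(conn, username, password):
    """Parameterised: the SQL is constant and the values are bound by the
    driver, so a quote in the input is just data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Payloads a junior developer would try against the vulnerable form.
# 1) Tautology: the WHERE clause becomes
#    username = 'alice' AND password = '' OR '1'='1'
#    and, since AND binds tighter than OR, matches every row.
BYPASS = "' OR '1'='1"
# 2) UNION: the injected SELECT appends the password column to the result.
DUMP = "' UNION SELECT password, username FROM users WHERE '1'='1"


def demo():
    conn = make_db()
    return {
        "legit": login_vulnerable(conn, "alice", "correct horse"),
        "bypass": login_vulnerable(conn, "alice", BYPASS),
        "dump": login_vulnerable(conn, "nobody", DUMP),
        "fixed_bypass": login_fixed(conn, "alice", BYPASS),
        "fixed_legit": login_fixed(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running it shows `bypass` returning both users (the attacker is logged in as the first row, the admin), `dump` returning every stored password, and the two `fixed_*` results behaving like an ordinary login. The lesson is the same one WebGoat and DVWA build their SQL injection modules around: the fix is not escaping quotes by hand but keeping data out of the statement text entirely.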


Answer 7:

I'm reminded of this OSCON talk, though it's probably too specific to be what you're looking for.



Answer 8:

There's an OWASP project just to document all of the known vulnerable web apps: https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project