Many times, learning and practicing Ethical Hacking is difficult because it requires a bit of background work setting a proper lab, installing all the required software versions, etc. But things have changed and I'm very happy to share with you what I've just discovered : the OWASP Broken Web Applications Project which aims to provide a complete testing environment packed in a self-contained VMWare machine.

The nice folks at owaspbwa have mamaged to set up quite a few web platforms and applications so that we, the users,can skip the tedious setup part and jump right in web security hacking.  I will quote the developers about the contents of this VMWare machine:

This VM has two web servers running. One Apache server on port 80 and one Tomcat server on port 8080. The following vulnerable web applications are running on the VM (listed in no particular order).

Intentionally Vulnerable Applications:

• OWASP WebGoat version 5.3-SNAPSHOT (Java, use username=guest, password=guest, home page)
• OWASP Vicnum (Perl, home page)
• Mutillidae version 1.3 (PHP, home page)
• Damn Vulnerable Web Application version 1.06 (PHP, use username=admin, password=password, home page)
• OWASP CSRFGuard Test Application version 2.2 (Java, home page)
• Mandiant Struts Forms (Java/Struts)
• Simple ASP.NET Forms (ASP.NET/C#)
• Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

Old Versions of Real Applications:

• WordPress version 2.0.0 (PHP, released December 31, 2005, home page)
• phpBB version 2.0.0 (PHP, released April 4, 2002, home page)
• Yazd version 1.0 (Java, released February 20, 2002, home page)

You can find all about this wonderful project on OWASBWAPA google code page  . Thanks to all who developed it !