In my spare time I am teaching computer security topics in a local university. One of the activities that my students enjoy is the teaching of application security assessment and vulnerability detection.

I made my search for the applications that supported the largest possible number of vulnerabilities. As a result of the research, I began to work with the following applications:

• Damn Vulnerable Web App:  It has a brute force, command execution, file inclusion, SQL Injection, blind SQL Injection, upload, XSS reflected and XSS stored modules.
• Mutillidae: Version 1.5 has modules that implement the OWASP 2010 Top-10.

One aspect that I did not like about these applications is that they show scenarios to fully exploit the vulnerability point, without being real and that identification scenarios for my students can be complex due to their lack of experience in the field. So I started looking for an application that was as close as possible to a real web application, which had modules that include one or more vulnerabilities. Finally I found a very interesting application called wackopicko, which poses as a real website for sharing pictures with real application modules that have the following vulnerabilities: Reflected XSS, Stored XSS vulnerability SessionID, Stored SQL Injection, Reflected SQL Injection, Directory Traversal, Multi-Step Stored XSS, Forceful Browsing, Command-line Injection, Parameter Manipulation, behind Reflected XSS JavaScript Logic Flaw, a flash behind Reflected XSS Weak form and username / password.

Do you have any other interesting vulnerability playground to share with us? Let us know.  

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org