Cylab Play - Vulnerable Apps

Cylab Play is a collection of vulnerable applications that can be used to illustrate and experiment with different kinds of vulnerabilities.

SQL GET Injection

A web application that can be hacked using an SQL injection attack. The app uses a MySQL database, and parameters are sent using a GET request.

SQL Injection

A web application that can be hacked using an SQL injection attack. The app uses a MySQL database.

SQL Nice Injection

A web application that can be hacked using an SQL injection attack. The app uses nice URLs.

SQLite Injection

A web application that can be hacked using an SQL injection attack. The app uses a SQLite database.

Brute Force

A web application that can be hacked using a brute force attack.

Upload

A vulnerable web application suffering from unrestricted file upload.

HTTP Secret

A simple web application that will reveal a secret code if you query it using a command line tool like netcat, telnet or simpletcpclient.

Blog

SQLMap: additional techniques
In a previous blog post, we explained what SQL injection is and how to exploit it using sqlmap. In this blog post, we show some additional techniques: how to exploit web applications that use clean URLs, how to exploit a POSTed form, how to hide traces, etc.
Web shells and the dangers of unrestricted file upload
In previous blog posts, we have already illustrated two web application vulnerabilities: brute force login cracking and SQL injection. In this post we illustrate a third vulnerability, unrestricted file upload, and show how it can be exploited using a web shell.
Crack a login page: the easy way
In this blog post, we show that the login page of a web application can be cracked easily if the application does not implement specific protections against this kind of attack.