Saw this on the SecurityFocus pen-testers mailing list and thought I would capture it here for future reference. These are some sites/tools to help evaluate web app security scanner tools.
SPI Dynamics zero.webappsecurity.com
Cenzic crackme.cenzic.com
Foundstone SASS tools
OWASP WebGoat
OWASP SiteGenerator
Watchfire demo site
Acunetix PHP test site
Typically, lots of the online “hack me” or “hacker challenge” sites, like some in my right menu list, tend to touch on web-borne “hacks” for their challenges as opposed to anything else. You may get some mileage from them as well. Most also can be Googled for solutions should you get stuck and want to just learn quickly.
Can I add these to some of the OWASP pages that I manage? It’s a great list.
Add Acunetix’s to your list:
http://testphp.acunetix.com/
Yeah, totally go ahead and use the list. It’s definitely not my property really! 🙂
Others were added, see under “Test Sites” (right at the top):
http://owasp.org/index.php/Phoenix/Tools
Wow, that list is excellent!