I had the privilege of seeing Dan Kuykendall (@dan_kuykendall) of NT OBJECTives introduce his latest open source project, Hackazon, at OWASP AppSec USA 2014 last week. Hackazon is best described as a next-generation vulnerable test site.
What makes Hackazon different from the HackMe images, OWASP's earlier Broken Web Applications (BWA) suite and Acunetix's vulnweb sites is that Hackazon incorporates a realistic e-commerce workflow as well as some of the harder-to-test technologies, such as the Google Web Toolkit (GWT) and JSON APIs. Anyone who has tried to configure and execute a dynamic web scan against one of these technologies, or has tried to scan a complex multi-step e-commerce site, knows how difficult this is: the parameters a scanner needs to inject into are not plain form fields but are buried inside a custom serialization or a JSON body, and the interesting pages are only reachable by completing earlier steps in the workflow.
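To make the GWT point concrete, here is an added example of my own (not code from Hackazon or NT OBJECTives) that decodes a GWT-RPC request body and locates the String arguments a scanner would need to mutate. The sample request, host, strong name and service name are constructed for this illustration; the decoder handles version 7 requests with primitive and java.lang.String arguments only, which is a deliberate simplification of the real wire format.

```python
"""Minimal GWT-RPC request decoder/mutator (illustrative, not Hackazon code).

Shows why a generic DAST scanner cannot treat a GWT-RPC POST like a form
submission: the body is one pipe-delimited blob, user input lives in a
string table, and the call's arguments refer to that table by 1-based
index. Locating the injection point means decoding the envelope rather
than pattern-matching key=value pairs.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: what a GWT client would POST for
# GreetingService.greetServer("Alice"). Host, strong name and service
# name are made up for this example.
SAMPLE_BODY = (
    "7|0|6|http://localhost:8080/shop/|A1B2C3D4E5F6A7B8|"
    "com.example.client.GreetingService|greetServer|"
    "java.lang.String/2004016611|Alice|1|2|3|4|1|5|6|"
)

STRING_TYPE_PREFIX = "java.lang.String/"


def tokenize(body: str) -> List[str]:
    """Split on unescaped '|'. GWT escapes a literal '|' inside a string as
    '\\!' and a backslash as '\\\\'; a naive str.split() would break such
    payloads, so we walk the body character by character."""
    tokens, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            cur.append("|" if nxt == "!" else nxt)
            i += 2
            continue
        if ch == "|":
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def escape(s: str) -> str:
    """Inverse of the unescaping performed by tokenize()."""
    return s.replace("\\", "\\\\").replace("|", "\\!")


@dataclass
class GwtRequest:
    version: int
    flags: int
    strings: List[str]          # string table, referenced 1-based
    service: str
    method: str
    param_types: List[str]
    args: List[str]             # decoded argument values
    arg_string_refs: List[int]  # string-table index per arg, -1 if primitive


def parse(body: str) -> GwtRequest:
    t = tokenize(body)
    version, flags, n = int(t[0]), int(t[1]), int(t[2])
    strings = t[3:3 + n]
    ints = [int(x) for x in t[3 + n:]]
    # ints[0] = module base URL ref, ints[1] = strong name ref,
    # ints[2] = service interface ref, ints[3] = method ref, ints[4] = arg count
    service = strings[ints[2] - 1]
    method = strings[ints[3] - 1]
    count = ints[4]
    param_types = [strings[ints[5 + k] - 1] for k in range(count)]
    values = ints[5 + count:]
    args, refs = [], []
    for k, ptype in enumerate(param_types):
        if ptype.startswith(STRING_TYPE_PREFIX):
            refs.append(values[k])            # value is a string-table index
            args.append(strings[values[k] - 1])
        else:
            refs.append(-1)                   # primitive: literal value
            args.append(str(values[k]))
    return GwtRequest(version, flags, strings, service, method,
                      param_types, args, refs)


def inject(body: str, payload: str) -> List[str]:
    """One mutated request per String argument, with that argument's
    string-table entry replaced by payload. The table length is unchanged,
    so the integer section can be reused verbatim."""
    req = parse(body)
    tail = tokenize(body)[3 + len(req.strings):]
    variants = []
    for ref in req.arg_string_refs:
        if ref < 0:
            continue
        strings = list(req.strings)
        strings[ref - 1] = payload
        head = [str(req.version), str(req.flags), str(len(strings))]
        variants.append("|".join(head + [escape(s) for s in strings] + tail) + "|")
    return variants
```

Running parse(SAMPLE_BODY) yields method greetServer with the single argument Alice; inject(SAMPLE_BODY, payload) returns one request body in which that argument is replaced, with any pipe in the payload correctly escaped so the server-side deserializer still accepts the envelope. A scanner that does not perform this decoding either skips the request entirely or corrupts the string table and only ever sees deserialization errors.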
Dan and his team have cleverly integrated these challenges into what is best described as a torture test for modern scanners and the engineers who run them. I had to kill the Wapiti process after 72 hours, and had to increase the resources of Vega's Java process for it to complete.
Hackazon is the most realistic DAST test environment I have come across. Kudos to the NT OBJECTives (now Rapid7) team.
Interested in other test web sites? Check out our review of Google’s Firing Range!