Web Security Dojo v0.2 released

An open source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo. For learning and practicing web app security testing techniques. It does
not need a network connection since it contains tools, targets, and
documentation. Thus making it ideal for training classes and conferences.

To install Dojo you can install and run VirtualBox, then "Import Appliance" using the OVF file. Other virtual machine packages (VMware, etc) will probably also work (can someone contribute docs?). Go here for Virtual Box instructions.

PNG - 30.3 kb

Targets include:

  • OWASP’s WebGoat v5.2
  • Damn Vulnerable Web App v1.0.6
  • Hacme Casino v1.0
  • OWASP InsecureWebApp v1.0
  • simple stand-alone PHP scripts by Maven Security (including REST and JSON)


  • Burp Suite (free version) v1.2.01
  • w3af v1.1
  • OWASP Skavengerv0.6.2a
  • OWASP Dirbuster v1.0 RC1
  • Paros v3.2.13
  • Ratproxy v1.57-beta
  • sqlmap v0.7
  • helpful Firefox add-ons

Tool Submitted by Steven Pinkham from MavenSecurity.com

Post scriptum

Compliance Mandates

  • Application Scanner :

    PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2


Related Articles

Application Scanner
Local auditing
Web Security Dojo