The premier environment for web security training and self-assessment
- I need a web application security assessment
- Web Security Dojo: free training environment
- I need a bid or proposal
- I would like training or a speaker for an event
News & Events
- Software Test Professionals Fall 2012
- ISACA NJ Hands-On Training
- Web Security Dojo 2.0 Released
- Interop NY - Oct 2011
- ISACA NACACS - Las Vegas - May 2011
- OWASP Raleigh - Declaritive Web Security
Software Test Professionals -
Maven Security will be teaching a one day hands on web security assessment course on Oct. 15, 2012
Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.2, which is patched with the appropriate updates and VM additions for easy use.
The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.
Download Web Security Dojo from
To install Dojo you first install and run VirtualBox 3.2 or later, then “Import Appliance” using the Dojo’s OVF file. We have PDF or YouTube for instructions for Virtualbox.
As of version 1.0 a VMware version is also provided, as well as video install instructions
Sponsored by Maven Security Consulting Inc
(performing web app security testing & training since 1996).
Also, could be you! Web Security Dojo is an open source and fully transparent project, with public build scripts and bug trackers on Sourceforge .
Look for Dojo videos on our YouTube channel at http://www.youtube.com/user/MavenSecurity
Hack your way to fame and glory 1 with our security challenges posted at Reddit (http://www.reddit.com/r/WebSecChallenges/).
[1. Fame and glory not included; void where prohibited by law]
- OWASP’s WebGoat
- Google’s Gruyere
- Damn Vulnerable Web App
- Hacme Casino
- OWASP InsecureWebApp
- w3af’s test website
- simple training targets by Maven Security (including REST and JSON)
Tools: (starred = new this version)
- Burp Suite (free version)
- arachni *
- Zed Attack Proxy *
- OWASP Skavenger
- OWASP Dirbuster
- Watobo *
- helpful Firefox add-ons