Man-in-the-Browser Attack

The idea of Man-in-the-Browser attack is similar to the traditional Man-in-the-Middle (MITM) one, where a malicious third party sits between the client and the server and intercepts the traffic. But it can be more dangerous because of the position of the malware: inside the victim's system, acting like a legal process, that helps the malware get access to the abstractions of the application layer easier than MITM. That is how trojans like Zeus manipulate online banking transactions and perform unauthorized transactions.       

Learning Web App. Penetration Test

I was browsing some security blogs, and I saw this great post introducing a set of vulnerable web applications available for learning purpose. I am familiar with the OWASP broken web apps collection, and the following table from securitythoughts will help to select the next candidates to test.

S.No.	Vulnerable Application	Platform
1	SPI Dynamics (live)	ASP
2	Cenzic (live)	PHP
3	Watchfire (live)	ASPX
4	Acunetix 1 (live)	PHP
5	Acunetix 2 (live)	ASP
6	Acunetix 3 (live)	ASP.Net
7	PCTechtips Challenge (live)
8	Damn Vulnerable Web Application	PHP/MySQL
9	Mutillidae	PHP
10	The Butterfly Security Project	PHP
11	Hacme Casino	Ruby on Rails
12	Hacme Bank 2.0	ASP.NET (2.0)
13	Updated HackmeBank	ASP.NET (2.0)
14	Hacme Books	J2EE
15	Hacme Travel	C++ (application client-server)
16	Hacme Shipping	ColdFusion MX 7, MySQL
17	OWASP WebGoat	JAVA
18	OWASP Vicnum	PHP, Perl
19	OWASP InsecureWebApp	JAVA
20	OWASP SiteGenerator	ASP.NET
21	Moth
22	Stanford SecuriBench	JAVA
23	SecuriBench Micro	JAVA
24	BadStore	Perl(CGI)
25	WebMaven/Buggy Bank (very old)
26	EnigmaGroup (live)
27	XSS Encoding Skills – x5s (Casaba Watcher)
28	Google – Gruyere (live) (previously Jarlsberg)
29	Exploit- DB	Multi-platform
30	The Bodgeit Store	JSP
31	LampSecurity	PHP
32	hackxor	Perl(CGI)
33	OWASP – Hackademic	PHP
34	Exploit.co.il-WA	PHP