Setting up a vulnerable web application
Before we start exploring the web application scanning features offered by the Metasploit Framework, we need to set up a test application environment in which we can fire our tests. As discussed in the previous chapters, Metasploitable 2 is a Linux distribution that is deliberately made vulnerable. It also contains web applications that are intentionally made vulnerable, and we can leverage this to practice using Metasploit's web scanning modules.
Metasploitable 2 contains two vulnerable web applications that we can use as targets: Multidae and Damn Vulnerable Web Application (DVWA).
In order to get the vulnerable test applications up and running, simply boot up Metasploitable 2 and access it remotely from any of the web browsers, as in the following screenshot:
The Multidae vulnerable application can be opened for further tests by browsing to Metasploitable 2...