OWASP Vulnerable Web Applications Directory

Random App of the Day

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
Metasploitable 2		Download	VMware

VWAD

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of known vulnerable web and mobile applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable applications available to security professionals for hacking, offensive and defensive activities, so that they can manipulate realistic web environments… without going to jail

The vulnerable web applications have been classified in four categories: Online, Offline, Mobile, and Containerized (Docker images, VMs, ISOs). Each list has been ordered alphabetically.

A brief description of the OWASP VWAD project is available here.

Open Hub Stats

On-line Resources Used

Other Vulnerable Web-app Compilations

Penetration Testing Practice Labs - Vulnerable Apps/Systems

Mobile

Filter:

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
AndroGoat ⭐ 307	satishpatnayak	Download	Kotlin Android	Last commit: 2025-11-22
DIVA Android ⭐ 1068	Payatu	Download Guide	Android Java	DIVA (Damn Insecure and Vulnerable App) is an intentionally vulnerable Android application designed to help security professionals and developers learn about Android security vulnerabilities. Last commit: 2016-01-15
Damn Vulnerable Bank ⭐ 728	Rewanth Tammana, Akshansh Jaiswal, Hrushikesh Kakade	Guide	android	Last commit: 2023-12-13
Goatlin ⭐ 36	Checkmarx	Guide	Kotlin Android API REST	Last commit: 2022-01-06
InjuredAndroid ⭐ 730	B3nac	Download	Android Java	A vulnerable Android application with CTF-style challenges focused on Android security. Last commit: 2021-06-25
InsecureBankv2 ⭐ 1389	Dinesh Shetty	Download	Android Java	Vulnerable Android application for security enthusiasts and developers to learn about Android insecurities. Showcases various security vulnerabilities in Android banking applications. Last commit: 2019-11-21
MSTG CrackMes	OWASP
MSTG Hacking Playground ⭐ 651	OWASP	Guide		Last commit: 2022-10-31
Vuln-Bank	Al-Amir Badmus	Live Download	Python JavaScript Postgres Docker HTML/CSS AI/LLM	A deliberately vulnerable banking application designed for practicing Security Testing of Web App, APIs, AI integrated App and secure code reviews. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn security testing and secure coding practices in a safe environment.

Offline

Filter:

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
.NET Goat ⭐ 244	OWASP		C#	Original main repo: https://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET. Last commit: 2014-02-22
AI-Goat ⭐ 314	fhammon, Guanwei Hu	Download	Python Vicuna LLM LLaMa	AI Goat uses the Vicuna LLM which derived from Meta's LLaMA and coupled with ChatGPT's response data. When installing AI Goat the LLM binary is downloaded from third party locally on your computer. Last commit: 2024-08-22
Altoro Mutual (AltoroJ) ⭐ 279	IBM/Watchfire	Download Live	J2EE	Log in with jsmith/demo1234 or admin/admin Last commit: 2024-07-23
AuthLab ⭐ 98	digininja (Robin Wood)	Guide Live	GO	Last commit: 2023-01-30
BodgeIt Store ⭐ 281	Simon Bennetts (psiinon)	Download Docker	Java	Last commit: 2024-08-13
Bricks	OWASP	Download Guide	PHP
Broken Crystals ⭐ 179	NeuraLegion	Live	react Node Swagger	Last commit: 2025-12-08
BugGPT ⭐ 0	attacker-codeninja	Download Guide	Python Flask OpenAI API Github Actions	BugGPT is an intentionally vulnerable application generator for educational security training purposes. Last commit: 2024-10-23
Butterfly Security Project		Download	PHP	Last updated in 2008
CVWA - Conviso Vulnerable Web Application ⭐ 62	Conviso AppSec	Download	PHP	Last commit: 2025-07-16
CloudGoat ⭐ 3431	Rhino Security Labs	Guide Announcement Docker	Python AWS	Last commit: 2025-09-18
CryptOMG ⭐ 193	SpiderLabs	Download	PHP	Last commit: 2015-06-25
Cyclone Transfers ⭐ 5			Ruby on Rails	Last commit: 2013-10-17
DIWA - Deliberately Insecure Web Application ⭐ 71	Tim Steufmehl	Guide	PHP Docker	A Deliberately Insecure Web Application Last commit: 2020-01-09
Damn Small Vulnerable Web (DSVW) ⭐ 852	Miroslav Stampar		Python	Last commit: 2025-12-21
Damn Vulnerable Application Scanner (DVAS) ⭐ 6	Andrea Valenza, Enrico Russo, Gabriele Costa	Guide Announcement	PHP	An intentionally vulnerable web application scanner Last commit: 2021-04-25
Damn Vulnerable C# Application (API) ⭐ 79	Appsecco	Guide	Docker C# dotnet	Last commit: 2022-12-07
Damn Vulnerable Electron App (DVEA) ⭐ 17	Najam Ul Saqib (cybersoldier)	Announcement Download	ElectronJS	A deliberately insecure ElectronJS application Last commit: 2024-11-23
Damn Vulnerable File Upload - DVFU ⭐ 101	Thin Ba Shane (@art0flunam00n)		PHP	Last commit: 2018-05-26
Damn Vulnerable Functions as a Service (DVFaaS) ⭐ 136	we45 (Abhay Bhargav)	Guide	Python AWS	Last commit: 2019-01-23
Damn Vulnerable GraphQL Application (DVGA) ⭐ 1676	Dolev Farhi <[email protected]>, Connor McKinnon		Python HTML Javascript GraphQL SQLAlchemy docker	Last commit: 2025-05-24
Damn Vulnerable Infrastructure (DVI) ⭐ 3	Lorenzo Bartolini, Gabriele Costa	Guide Download	PHP Java MySQL SCADA Docker	A fully simulated and self-hosted Damn Vulnerable Infrastructure with routers, subnetworks, Scada and many other vulnerable containers. It simulates an Energy Management System inside a University Campus. Last commit: 2025-11-11
Damn Vulnerable Node Application - DVNA	Claudio Lacayo		Node.js
Damn Vulnerable NodeJS Application - DVNA	@appsecco		Node.js	Different project from the old DVNA
Damn Vulnerable OAuth 2.0 Applications	Koen Buyens		MEAN Docker OAuth 2.0	A set of vulnerable applications which show Oauth2.0 vulnerabilities.
Damn Vulnerable Python Web Application - DVPWA	Oleksandr Kovalchuk		Python Docker
Damn Vulnerable Restaurant	theowni	Guide	Python Docker	Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
Damn Vulnerable Serverless App (DVSA)	Protego Labs	Guide	Node AWS Azure
Damn Vulnerable Stateful WebApp	dnet	Download	PHP
Damn Vulnerable Web Application - DVWA	RandomStorm	Download Docker	PHP
Damn Vulnerable Web Services	snoopysecurity		Web Services
Damn Vulnerable Web Sockets ⭐ 355	@appsecco		Web Sockets	Last commit: 2025-12-19
DjangoGoat ⭐ 45	Red and Black		Python Django	Last commit: 2019-08-18
EKS Goat ⭐ 35	OWASP	Announcement Guide Download	Kubernetes AWS EKS	AWS EKS Security Lab and activity. Last commit: 2025-12-11
EasyBuggy ⭐ 256	Kohei Tamura	Download Guide	Java	Last commit: 2025-12-18
Extreme Vulnerable Node Application ⭐ 95	vegabird	Download	NodeJS	Last commit: 2018-02-08
FFUF.me ⭐ 69	adamtlangley	Download Live	PHP Docker	Target practice for ffuf Last commit: 2021-08-10
Generic-University ⭐ 417	Katie Paxton-Fear		PHP docker API GraphQL MySQL Laravel	Last commit: 2022-11-14
Goof ⭐ 532	Snyk	Guide Guide	NodeJS	online - via Heroku deploy Last commit: 2023-05-24
Gruyere	Google	Download Live	Python
Hackademic Challenges Project ⭐ 324	OWASP	Download	PHP Joomla	Last commit: 2017-02-24
Hackazon ⭐ 1013	Rapid7 (NTObjectives)	Download Guide Guide Guide	AJAX JSON XML GwT AMF	Last commit: 2021-03-11
Hackxor	albinowax	Download Guide Live	VMware	First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.
Hacme Bank	McAfee / Foundstone	Download	.NET
Hacme Bank - Android	McAfee / Foundstone
Hacme Books	McAfee / Foundstone	Download	Java
Hacme Casino	McAfee / Foundstone	Download	Ruby on Rails
Hacme Shipping	McAfee / Foundstone	Download	ColdFusion
Hacme Travel	McAfee / Foundstone	Download	C++
Hammer ⭐ 21	iknowjason	Download Live	Ruby on Rails	Includes manual build and docker options. Last commit: 2022-04-26
LAMPSecurity		Download	VMware PHP
Magical Code Injection Rainbow - MCIR ⭐ 445	SpiderLabs		PHP	Last commit: 2020-08-07
Marathon ⭐ 66	Christian Schneider		JAVA Docker	Vulnerable demo application Last commit: 2025-06-15
Mutillidae ⭐ 1457		Download	PHP	Last commit: 2025-08-03
NoSQL Injection Lab ⭐ 134	@digininja	Download	PHP MongoDB	Last commit: 2020-07-22
NoSQL Injection Vulnerable App (NIVA) ⭐ 19	Anton Abashkin	Docker Guide	Java MongoDB	Last commit: 2022-11-21
NodeGoat ⭐ 1998	OWASP	Download	Node.js	Last commit: 2023-06-21
NodeVulnerable ⭐ 480	cr0hn		Node.js	Last commit: 2024-04-29
OSTE-Vulnerable-Web-Application ⭐ 16	(OSTE)Oudjani seyyid taqi eddine		PHP	Vulnerable web application Last commit: 2023-12-15
OWASP Damn Vulnerable Web Sockets (DVWS) ⭐ 355	Abhineet Jayaraj (@xploresec)	Download	PHP HTML Javascript WebSockets	Last commit: 2025-12-19
OWASP Juice Shop ⭐ 12262	OWASP	Download Docker Guide Demo Preview Live	TypeScript JavaScript Angular Node.js	Last commit: 2026-01-05
OWASP SKF Labs ⭐ 460	[email protected] and [email protected]	Demo Guide Live	Python HTML Javascript GraphQL Ruby	You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs. Last commit: 2024-08-02
OWASP VulnerableApp ⭐ 354	Karan Preet Singh Sasan	Docker Download	Java Javascript Spring-Boot	Last commit: 2025-12-31
OWASP VulnerableApp-facade ⭐ 49	Karan Preet Singh Sasan	Docker Download	Typescript Javascript Docker	Last commit: 2023-12-04
Peruggia		Download	PHP
Pixi ⭐ 132	OWASP	Download Download Guide Guide	Node.js Swagger docker	Last commit: 2020-03-31
Puzzlemall		Download	Java
PyGoat ⭐ 297	Ade Yoseman	Guide Docker Download Live	Python	Last commit: 2026-01-05
Race The Web ⭐ 629	insp3ctre	Download		Last commit: 2019-10-16
Rails Goat ⭐ 903	OWASP	Download Downloads	Ruby on Rails	Last commit: 2026-01-07
SQL injection test environment ⭐ 352			PHP	SQLmap Project Last commit: 2022-04-14
SQLI-labs ⭐ 5690		Download Guide	PHP	Last commit: 2014-10-31
SQLol ⭐ 123		Download	PHP	Last commit: 2013-07-19
SSRF Vuln Lab ⭐ 743	incredibleindishell, Mohammed Farhan	Docker	PHP	Last commit: 2023-08-21
Scriptease ⭐ 1		Download	JavaScript React Webpack Vite	A vulnerable JavaScript SPA (no back end) that demonstrates several client-side security flaws (XSS, open redirect, prototype pollution, ReDoS, request hijacking, etc.) It showcases a diverse set of sources and sinks for taint analysis, uses two alternative bundlers (Webpack, Vite), and includes lazy-loaded modules Last commit: 2026-01-02
SecDevLabs ⭐ 967	Globo	Guide	Go NodeJS Python PHP React Angular/Spring Dart/Flutter	Repository with many intentionally vulnerable web applications. Includes attack narratives and docker options for each app. Last commit: 2024-09-25
Security Shepherd ⭐ 1418	OWASP	Download	Java	Last commit: 2025-10-15
TicketMagpie ⭐ 20		Download	Java	Last commit: 2017-05-11
Tiredful API ⭐ 577	@payatu	Download	Python Django	Last commit: 2020-09-07
UnSAFE Bank ⭐ 166	lucideus		Docker	Web, Android and iOS application Last commit: 2025-09-29
Varnish HTTP/2 Request Smuggling	Detectify	Announcement	Varnish HTTP/2	A docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling, presented by Albinowax at Blackhat/Defcon 2021.
VulnLab	Yavuzlar (siberyavuzlar.com)		PHP Docker	A web vulnerability lab project developed by Yavuzlar.
Vulnerable Java Web Application	Cyber Security and Privacy Foundation		Java
Vulnerable Node Express	Zachary Conger		Node.js Express	SQLi and XSS
Vulnerable OTP App	mddanish		PHP Google OTP
Vulnerable SAML App	yogisec		Python
VulnerableLightApp	Michael Vacarella	Guide	.NET C# AspNetCore	Vulnerable API for educational purposes
VulnerableXsltConsoleApplication	Context Information Security		.Net	This is a console app, however it relates to an issues that is relevant to web apps: use of XSLT transforms for XML files.
WAVSEP - Web Application Vulnerability Scanner Evaluation Project	Shay Chen	Download Downloads Downloads	Java
WIVET- Web Input Vector Extractor Teaser		Download Downloads
WackoPicko		Download	PHP
WebGoat	OWASP	Download Guide Docker	Java
WebGoatPHP	OWASP	Download Downloads	PHP
WrongSecrets	Jeroen Willemsen (@commjoen), Ben de Haan (@bendehaan), Nanne Baars (@nbaars)	Download	JavaScript Java Hashicorp Vault Kubernetes Docker AWS GCP	OWASP WrongSecrets is a vulnerable app used to show how to not use secrets.
XXE Lab	Joshua Barone		docker vagrant
Xtreme Vulnerable Web Application (XVWA)	@s4n7h0, @samanL33T	Download	PHP MySQL
Yrprey	Fernando Mengali, Vagner Mengali	Download Download Docker	PHP TypeScript NextJs	Framework created in NextJs (TypeScript) and PHP/MySQL with OWASP TOP 10 API vulnerabilities of 2019 and 2023. Yrprey can was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (Appsec).
YrpreyBlog	Fernando Mengali	Download	PHP CSS Bootstrap MySQL	A framework created in PHP/MySQL with OWASP TOP 10 Web Application vulnerabilities.
YrpreyC	Fernando Mengali	Download	C	YrpreyC is a framework written in the C language that contains vulnerabilities related to memory issues, categorized as overflows
YrpreyC++	Fernando Mengali	Download	C++	YrpreyC++ is a framework written in the C++ language that contains vulnerabilities related to memory issues, categorized as overflows
YrpreyPHP	Fernando Mengali	Download	PHP CSS Bootstrap MySQL	A framework created in PHP/MySQL with OWASP TOP 10 Web Application vulnerabilities. YrpreyPHP was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (AppSec).
YrpreyPathTraversal	Fernando Mengali	Download	PHP MySQL Semantic UI Bootstrap	YrpreyPathTraversal is a framework written in PHP, with examples of exploiting Path Traversal and Local File Inclusion vulnerabilities in different ways.
Zero Health	Aliyu G. Yisa	Download Guide Demo	React NodeJS JavaScript Postgres Docker Ollama Swagger/OpenAPI	Zero trust. Zero security. Total exposure. A deliberately vulnerable health tech platform with AI Chatbot for learning about application security and ethical hacking. It contains vulnerabilities from OWASP top 10 Web, API and AI/LLM Security Vulnerabilities. Highly vulnerable, never use in production.
bWAPP		Download Guide	PHP
crAPI ⭐ 1406	OWASP	Downloads	Go nginx REST Docker	OWASP crAPI (Completely Ridiculous API) is an intentionally vulnerable API designed to help security teams practice API security testing including BOLA, BFLA, mass assignment, and authentication flaws. Last commit: 2025-11-13
dvws-node	@snoopysecurity	Guide	Web Services NodeJS
gRPC Goat	rootxjs	Download Guide	Go gRPC Docker	Vulnerable by Design lab for learning and practicing gRPC security.
insecure-deserialisation-net-poc	Omer Levi Hevroni		.NET JSON yoserial.NET	A small webserver vulnerable to insecure deserialization
jwtdemo	Sjoerd Langkemper (Sjord)	Guide	PHP	Practice hacking JWT tokens.
play-webgoat			Java Scala Play Framework
twitterlike	Sakti Dwi Cahyono	Download	PHP
vAPI	Tushar Kulkarni	Guide Docker	PHP	vAPI is a Vulnerable Interface that demonstrates the OWASP API Top 10 vulnerabilities in the means of exercises
vuln-node.js-express.js-app	SirAppSec	Download Docker	Node.js Express.js swagger sqlite sequelize	A Very Vulnerable Node.js Express.js Web Application and API. Used for testing Security tools, Application security and penetration testing. Using Swagger, Sqlite, Sequelize.
vulnerable-api	Matthew Valdes	Download	Python
websheep	Younes Jaaidi (yjaaidi)	Guide	Angular JavaScript Node	Websheep is an app based on a willingly vulnerable ReSTful APIs.
ypreyAPINodeJS	Fernando Mengali	Download	NodeJS PHP MariaDB Bootstrap JavaScript	yrpreyAPINodeJS is a vulnerable framework written in NodeJS and based on the OWASP TOP 10 API.
ypreyAPIPython	Fernando Mengali	Download	Python PHP MariaDB Bootstrap JavaScript	ypreyAPIPython is a vulnerable framework written in Python and based on the OWASP TOP 10 API.
ypreyPollsPHP	Fernando Mengali	Download	PHP MySQL Materialize Bootstrap	ypreyPollsPHP is a vulnerable framework written in PHP with a polls management scenario, based on the OWASP TOP 10
yrpreyASPC	Fernando Mengali	Download	ASP MySQL C	yrpreyASPC is a vulnerable framework written in ASP and C with vulnerabilities based on Buffer Overflow, Command Injection, and web application vulnerabilities.
yrpreyASPCPlus	Fernando Mengali	Download	ASP MySQL C++	yrpreyASPCPlus is a vulnerable framework written in ASP and C++ with vulnerabilities based on Buffer Overflow, Command Injection, and web application vulnerabilities.
yrpreyFinance	Fernando Mengali	Download	PHP MySQL Bootstrap	yrpreyFinance is a vulnerable framework written in PHP with a financial management scenario, based on the OWASP TOP 10
yrpreyLibrary	Fernando Mengali	Download	PHP MySQL Bootstrap	yrpreyLibrary is a vulnerable framework written in PHP, based on the OWASP TOP 10
yrpreyPollsNodeJS	Fernando Mengali	Download	NodeJS PHP MySQL Materialize Bootstrap	yrpreyPollsNodeJS is a vulnerable framework written in NodeJS with a polls management scenario, based on the OWASP TOP 10
yrpreyPollsPerl	Fernando Mengali	Download	Perl PHP MySQL Materialize Bootstrap	yrpreyPollsPerl is a vulnerable framework written in Perl with a polls management scenario, based on the OWASP TOP 10
yrpreyPollsPython	Fernando Mengali	Download	Python PHP MySQL Materialize Bootstrap	yrpreyPollsPython is a vulnerable framework written in Python with a polls management scenario, based on the OWASP TOP 10
yrpreyTasks	Fernando Mengali	Download	PHP MySQL Bootstrap	yrpreyTasks is a vulnerable framework written in PHP with a task management scenario, based on the OWASP TOP 10
yrpreyTasksNodeJS	Fernando Mengali	Download	NodeJS PHP MySQL Bootstrap	yrpreyTasksNodeJS is a vulnerable framework written in NodeJS with a task management scenario, based on the OWASP TOP 10
yrpreyTasksPython	Fernando Mengali	Download	Python PHP MySQL Bootstrap	yrpreyTasksPython is a vulnerable framework written in Python with a task management scenario, based on the OWASP TOP 10

Online

Filter:

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
AWS CTF Challenge	AWS Security Team		AWS	Capture-the-flag challenges for AWS
AWS Infrastructure Pentest Lab ⭐ 3431	AWS Security Team		AWS	Hands-on lab for AWS infrastructure pentesting Last commit: 2025-09-18
AWS Security Workshop	AWS Security Team		AWS	Interactive workshop covering AWS security best practices
Acuart	Acunetix	Live	PHP	Art shopping
Altoro Mutual (AltoroJ) ⭐ 279	IBM/Watchfire	Download Live	J2EE	Log in with jsmith/demo1234 or admin/admin Last commit: 2024-07-23
AuthLab ⭐ 98	digininja (Robin Wood)	Guide Live	GO	Last commit: 2023-01-30
Azure AD CTF Challenge	Azure Security Team		Azure	Capture-the-flag challenges for Azure AD
Azure AD Pentest Lab	Azure Security Team		Azure	Hands-on lab for Azure AD pentesting
Azure Infrastructure Workshop	Azure Security Team		Azure	Interactive workshop covering Azure security best practices
BGA Vulnerable BANK App	BGA Security	Live	.NET
Broken Crystals ⭐ 179	NeuraLegion	Live	react Node Swagger	Last commit: 2025-12-08
BugBait - Vulnerable Web Application	Blacklock Security	Live	Node.js	bugbait.io is a vulnerable web application for students, developers, cyber enthusiasts and pen testers to identify and exploit the vulnerabilities.
CTFLearn	@ctflearn	Live
Cyber Scavenger Hunt ⭐ 15	Arthur Kay	Download Live	Javacript React	A simple scavenger hunt to learn about pentesting a website or web application. Last commit: 2022-07-19
Damn Vulnerable AI Bank (DVAIB)	Subhash Dasyam	Live	React LLM Transformers Vision Language Models Document Parsers Python Vector DB PostgreSQL	Hands-on AI security training platform for prompt injection and jailbreaking, realistic attack scenarios, achievements, and leaderboard.
Damn Vulnerable RESTaurant (DV-REST) ⭐ 876	theowni	Download	Python FastAPI PostgreSQL Docker Docker Compose Codespaces REST API	An intentionally vulnerable API training game for developers, ethical hackers, and security engineers. Designed as a CTF-style playground to learn, detect, exploit, and remediate API security vulnerabilities using a FastAPI-based application. Supports local Docker deployment and online execution via GitHub Codespaces. Last commit: 2026-01-03
Defend the Web	Luke [flabbyrabbit]	Live		Formerly HackThis
Duck Store	DonAsako	Announcement Live	React FastAPI	Duck Store is an intentionally vulnerable web app for training purposes on how to find classic and business logic vulns dedicated to developers, ethical hackers, and security engineers.
FFUF.me ⭐ 69	adamtlangley	Download Live	PHP Docker	Target practice for ffuf Last commit: 2021-08-10
Firing Range ⭐ 1404	Google	Download Live		Last commit: 2018-11-08
GCP Infrastructure CTF	GCP Security Team		GCP	Capture-the-flag challenges for Google Cloud Platform
GCP Infrastructure Pentest Lab	GCP Security Team		GCP	Hands-on lab for GCP infrastructure pentesting
GCP Security Workshop	GCP Security Team		GCP	Interactive workshop covering GCP security best practices
Game of Hacks	Checkmarx	Live	Node Express.js
Gandalf	Lakera	Live Announcement	AI LLM Prompt Injection	A game designed to challenge your ability to interact with large language models (LLMs) and test prompt injection skills. Your goal is to trick Gandalf into revealing the secret password.
Gin & Juice Shop	PortSwigger	Announcement Live	JavaScript AngularJS React CSRF	A hosted always-online demo app with realistic technologies.
Gruyere	Google	Download Live	Python
Hack.me	eLearnSecurity			Beta
HackTheBox	HackTheBox	Live	Various	Online platform featuring vulnerable machines and challenges for penetration testing practice. Includes retired machines, active challenges, and Pro Labs.
HackThis ⭐ 46	Luke Ward (0x6C77)	Download Live	PHP	Last commit: 2018-08-31
HackThisSite	HackThisSite Staff	Live	PHP Perl JavaScript API Binaries	Always-on CTF challenges including Basic, Realistic, Application, Steganography, and many others.
HackXpert	theXSSrat	Guide Live	PHP
HackYourselfFirst	Troy Hunt	Guide Live
Hacking Lab	Hacking Lab	Live
Hackxor	albinowax	Download Guide Live	VMware	First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.
Kubernetes CTF Challenge	Kubernetes Security Team		Kubernetes	Capture-the-flag challenges for Kubernetes
Kubernetes Infrastructure Pentest Lab	Kubernetes Security Team		Kubernetes	Hands-on lab for Kubernetes infrastructure pentesting
Kubernetes Security Workshop	Kubernetes Security Team		Kubernetes	Interactive workshop covering Kubernetes security best practices
Netsparker Test App .NET	Netsparker	Live	ASP.NET
Netsparker Test App PHP	Netsparker	Live	PHP
OWASP Juice Shop ⭐ 12262	OWASP	Download Docker Guide Demo Preview Live	TypeScript JavaScript Angular Node.js	Last commit: 2026-01-05
OWASP SKF Labs ⭐ 460	[email protected] and [email protected]	Demo Guide Live	Python HTML Javascript GraphQL Ruby	You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs. Last commit: 2024-08-02
Pentest-Ground	Pentest-Tools.com		PHP Docker	Suite of vulnerable web apps to practice
Pentester Academy		Live
PyGoat ⭐ 297	Ade Yoseman	Guide Docker Download Live	Python	Last commit: 2026-01-05
Root Me	Root-Me	Live		Root-Me is a non-profit organization aimed at providing an outstanding learning platform for ethical hacking. It offers hundreds of challenges and virtual environments.
Security Tweets	Acunetix	Live		HTML5
Solyd - Introdução ao Hacking e Pentest	Solyd		PHP Linux	In Portuguese (Português) - Free online trainning with free online lab
TryHackMe	TryHackMe	Live	Various	Online platform for learning cyber security through hands-on exercises and labs. Features virtual rooms with vulnerable machines and guided learning paths.
Vuln-Bank	Al-Amir Badmus	Live Download	Python JavaScript Postgres Docker HTML/CSS AI/LLM	A deliberately vulnerable banking application designed for practicing Security Testing of Web App, APIs, AI integrated App and secure code reviews. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn security testing and secure coding practices in a safe environment.
Zero Bank	Micro Focus Fortify (was HP/SpiDynamics)	Live		(username/password)

VM-ISO

Filter:

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
Bee-Box			VMware
BodgeIt Store ⭐ 281	Simon Bennetts (psiinon)	Download Docker	Java	Last commit: 2024-08-13
Broken Web Applications Project (BWA) - OWASP	OWASP - Chuck Willis	Download Download	VMware
CI/CD Goat ⭐ 2174	Cider		Gitea Jenkins GitLab Docker	Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags. Last commit: 2024-07-11
CloudGoat ⭐ 3431	Rhino Security Labs	Guide Announcement Docker	Python AWS	Last commit: 2025-09-18
DIWA - Deliberately Insecure Web Application ⭐ 71	Tim Steufmehl	Guide	PHP Docker	A Deliberately Insecure Web Application Last commit: 2020-01-09
Damn Vulnerable C# Application (API) ⭐ 79	Appsecco	Guide	Docker C# dotnet	Last commit: 2022-12-07
Damn Vulnerable GraphQL Application (DVGA) ⭐ 1676	Dolev Farhi <[email protected]>, Connor McKinnon		Python HTML Javascript GraphQL SQLAlchemy docker	Last commit: 2025-05-24
Damn Vulnerable RESTaurant (DV-REST) ⭐ 876	theowni	Download	Python FastAPI PostgreSQL Docker Docker Compose Codespaces REST API	An intentionally vulnerable API training game for developers, ethical hackers, and security engineers. Designed as a CTF-style playground to learn, detect, exploit, and remediate API security vulnerabilities using a FastAPI-based application. Supports local Docker deployment and online execution via GitHub Codespaces. Last commit: 2026-01-03
Damn Vulnerable Web Application - DVWA	RandomStorm	Download Docker	PHP
EKS Goat ⭐ 35	OWASP	Announcement Guide Download	Kubernetes AWS EKS	AWS EKS Security Lab and activity. Last commit: 2025-12-11
Exploit.co.il Vuln Web App		Download	VMware
FFUF.me ⭐ 69	adamtlangley	Download Live	PHP Docker	Target practice for ffuf Last commit: 2021-08-10
Game of Active Directory ⭐ 7300	Orange-Cyberdefense	Guide	Windows Active Directory	Requires a considerably powerful system Last commit: 2025-07-16
GameOver		Download	VMware
Generic-University ⭐ 417	Katie Paxton-Fear		PHP docker API GraphQL MySQL Laravel	Last commit: 2022-11-14
Goof ⭐ 532	Snyk	Guide Guide	NodeJS	online - via Heroku deploy Last commit: 2023-05-24
Hackxor	albinowax	Download Guide Live	VMware	First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.
LAMPSecurity		Download	VMware PHP
Log4Shell sample vulnerable application ⭐ 1136	Christophe Tafani-Dereeper, Gerard Arall, rayhan0x01 Rayhan Ahmed		Spring Boot Log4j Java	CVE-2021-44228
Metasploitable 2		Download	VMware
Metasploitable 3 ⭐ 5388		Download	VMware	Last commit: 2025-02-13
Moth		Download	VMware
NoSQL Injection Vulnerable App (NIVA) ⭐ 19	Anton Abashkin	Docker Guide	Java MongoDB	Last commit: 2022-11-21
OWASP Juice Shop ⭐ 12262	OWASP	Download Docker Guide Demo Preview Live	TypeScript JavaScript Angular Node.js	Last commit: 2026-01-05
PentesterLab - The Exercises			ISO PDF
Pixi ⭐ 132	OWASP	Download Download Guide Guide	Node.js Swagger docker	Last commit: 2020-03-31
PyGoat ⭐ 297	Ade Yoseman	Guide Docker Download Live	Python	Last commit: 2026-01-05
Samurai WTF		Download	ISO
Sauron		Download	Quemu
Security Labs & POCs ⭐ 448	DataDog		docker Kubernetes PiPy OpenSSL JWT	Last commit: 2025-08-18
Template Injection Playground ⭐ 56	Hackmanit and Maximilian Hildebrand		Docker Various Template Engines	Last commit: 2026-01-03
VAmPI ⭐ 1155	erev0s	Guide Announcement	python docker OpenAPI
Virtual Hacking Lab		Download	ZIP
Vuln-Bank	Al-Amir Badmus	Live Download	Python JavaScript Postgres Docker HTML/CSS AI/LLM	A deliberately vulnerable banking application designed for practicing Security Testing of Web App, APIs, AI integrated App and secure code reviews. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn security testing and secure coding practices in a safe environment.
Vulnado	ScaleSec		Java Docker	Purposely vulnerable Java application to help lead secure coding workshops
Wayfarer	SamuraiWTF		Docker OAuth React
Web Security Dojo		Download	VMware VirtualBox
XXE		Download	VMware
XXE Lab	Joshua Barone		docker vagrant
Zero Health	Aliyu G. Yisa	Download Guide Demo	React NodeJS JavaScript Postgres Docker Ollama Swagger/OpenAPI	Zero trust. Zero security. Total exposure. A deliberately vulnerable health tech platform with AI Chatbot for learning about application security and ethical hacking. It contains vulnerabilities from OWASP top 10 Web, API and AI/LLM Security Vulnerabilities. Highly vulnerable, never use in production.
crAPI ⭐ 1406	OWASP	Downloads	Go nginx REST Docker	OWASP crAPI (Completely Ridiculous API) is an intentionally vulnerable API designed to help security teams practice API security testing including BOLA, BFLA, mass assignment, and authentication flaws. Last commit: 2025-11-13
c{api}tal ⭐ 315	Checkmarx		Docker postgres OpenAPI Python	Last commit: 2024-04-05
dvws-node	@snoopysecurity	Guide	Web Services NodeJS
gRPC Goat	rootxjs	Download Guide	Go gRPC Docker	Vulnerable by Design lab for learning and practicing gRPC security.
vuln-node.js-express.js-app	SirAppSec	Download Docker	Node.js Express.js swagger sqlite sequelize	A Very Vulnerable Node.js Express.js Web Application and API. Used for testing Security tools, Application security and penetration testing. Using Swagger, Sqlite, Sequelize.