OWASP Vulnerable Web Applications Directory
Contributor(s): bkimminich, S3DFX-CYBER, yrprey, arthurakay, HarshitVerma109, ritorhymes, commjoen, hblankenship, noraj, preetkaran20, ebell451, PauloASilva, Aif4thah, AlexandraC0, alexcolb, codeXanu, Commando-X, dhower7, drfoofoo, interference-security, LBartolini, mal-tee, markdenihan, mike386, mrtlgz, msudol, nbaars, njmulsqb, OSTEsayed, pentesttools-com, rcowsill, roottusk, sadicann, SamanthaGroves, snoopysecurity, subhashdasyam, yjaaidi
VWAD
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well-maintained registry of known vulnerable web and mobile applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.
The main goal of VWAD is to provide a list of vulnerable applications available to security professionals for hacking, offensive and defensive activities, so that they can manipulate realistic web environments… without going to jail.
The vulnerable web applications have been classified into four categories: Online, Offline, Mobile, and Containerized (Docker images, VMs, ISOs). Each list has been ordered alphabetically.
A brief description of the OWASP VWAD project is available here.
Mobile
| App. URL |
Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
Allsafe (Android)
354 |
t0thkr1s |
|
Intentionally vulnerable Android application. Last commit: 2025-09-20 |
|
|
AndroGoat
313 |
satishpatnayak |
|
Last commit: 2025-11-22
|
|
|
DIVA Android
1074 |
Payatu |
|
DIVA (Damn Insecure and Vulnerable App) is an intentionally vulnerable Android application designed to help security professionals and developers learn about Android security vulnerabilities. Last commit: 2016-01-15 |
|
|
Damn Vulnerable Bank
731 |
Rewanth Tammana, Akshansh Jaiswal, Hrushikesh Kakade |
|
Last commit: 2023-12-13
|
|
|
Damn Vulnerable iOS App (DVIA-v2)
1051 |
prateekg147 |
|
An iOS application that is damn vulnerable. Last commit: 2024-03-29 |
|
|
Goatlin
36 |
Checkmarx |
|
Last commit: 2022-01-06
|
|
|
InjuredAndroid
735 |
B3nac |
|
A vulnerable Android application with CTF-style challenges focused on Android security. Last commit: 2021-06-25 |
|
|
InsecureBankv2
1396 |
Dinesh Shetty |
|
Vulnerable Android application for security enthusiasts and developers to learn about Android insecurities. Showcases various security vulnerabilities in Android banking applications. Last commit: 2019-11-21 |
|
|
MSTG CrackMes
12685 |
OWASP |
Last commit: 2026-01-29
|
||
|
MSTG Hacking Playground
657 |
OWASP |
Last commit: 2022-10-31
|
||
|
OversecuredVulnerableiOSApp
230 |
Oversecured Inc |
|
An iOS app that aggregates all the platform's known and popular security vulnerabilities. Last commit: 2024-01-10 |
|
|
Vuln-Bank
549 |
Al-Amir Badmus |
|
A deliberately vulnerable banking application designed for practicing Security Testing of Web App, APIs, AI integrated App and secure code reviews. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn security testing and secure coding practices in a safe environment. Last commit: 2025-11-23 |
Offline
| App. URL |
Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
.NET Goat
245 |
OWASP |
|
Original main repo: https://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET. Last commit: 2014-02-22 |
|
|
AI-Goat
314 |
fhammon, Guanwei Hu |
|
AI Goat uses the Vicuna LLM, which is derived from Meta's LLaMA and coupled with ChatGPT's response data. When installing AI Goat, the LLM binary is downloaded from a third party to your computer. Last commit: 2024-08-22 |
|
|
Altoro Mutual (AltoroJ)
280 |
HCL/IBM/Watchfire |
|
Log in with jsmith/demo1234 or admin/admin Last commit: 2024-07-23 |
|
|
AuthLab
98 |
digininja (Robin Wood) |
|
Last commit: 2023-01-30
|
|
|
BodgeIt Store
281 |
Simon Bennetts (psiinon) |
|
Last commit: 2024-08-13
|
|
| Bricks | OWASP |
|
||
|
Broken Crystals
180 |
NeuraLegion |
|
Last commit: 2026-01-14
|
|
|
BugGPT
0 |
attacker-codeninja |
|
BugGPT is an intentionally vulnerable application generator for educational security training purposes. Last commit: 2024-10-23 |
|
| Butterfly Security Project |
|
Last updated in 2008 |
||
|
CVWA - Conviso Vulnerable Web Application
63 |
Conviso AppSec |
|
Last commit: 2025-07-16
|
|
|
CloudGoat
3455 |
Rhino Security Labs |
|
Last commit: 2025-09-18
|
|
|
CryptOMG
193 |
SpiderLabs |
|
Last commit: 2015-06-25
|
|
|
Cyclone Transfers
5 |
|
Last commit: 2013-10-17
|
||
|
DIWA - Deliberately Insecure Web Application
71 |
Tim Steufmehl |
|
A Deliberately Insecure Web Application Last commit: 2020-01-09 |
|
|
Damn Small Vulnerable Web (DSVW)
854 |
Miroslav Stampar |
|
Last commit: 2025-12-21
|
|
|
Damn Vulnerable Application Scanner (DVAS)
6 |
Andrea Valenza, Enrico Russo, Gabriele Costa |
|
An intentionally vulnerable web application scanner Last commit: 2021-04-25 |
|
|
Damn Vulnerable C# Application (API)
79 |
Appsecco |
|
Last commit: 2022-12-07
|
|
|
Damn Vulnerable Electron App (DVEA)
17 |
Najam Ul Saqib (cybersoldier) |
|
A deliberately insecure ElectronJS application Last commit: 2026-01-28 |
|
|
Damn Vulnerable File Upload - DVFU
102 |
Thin Ba Shane (@art0flunam00n) |
|
Last commit: 2018-05-26
|
|
|
Damn Vulnerable Functions as a Service (DVFaaS)
136 |
we45 (Abhay Bhargav) |
|
Last commit: 2019-01-23
|
|
|
Damn Vulnerable GraphQL Application (DVGA)
1675 |
Dolev Farhi, Connor McKinnon |
|
Last commit: 2025-05-24
|
|
|
Damn Vulnerable Infrastructure (DVI)
5 |
Lorenzo Bartolini, Gabriele Costa |
|
A fully simulated and self-hosted Damn Vulnerable Infrastructure with routers, subnetworks, Scada and many other vulnerable containers. It simulates an Energy Management System inside a University Campus. Last commit: 2025-11-11 |
|
|
Damn Vulnerable LLM Agent
357 |
Reversec Labs |
|
Last commit: 2025-06-25
|
|
|
Damn Vulnerable Node Application - DVNA
20 |
Claudio Lacayo |
|
Last commit: 2015-12-22
|
|
|
Damn Vulnerable NodeJS Application - DVNA
758 |
@appsecco |
|
Different project from the old DVNA Last commit: 2023-11-08 |
|
|
Damn Vulnerable OAuth 2.0 Applications
324 |
Koen Buyens |
|
A set of vulnerable applications which show OAuth 2.0 vulnerabilities. Last commit: 2018-09-15 |
|
|
Damn Vulnerable Python Web Application - DVPWA
183 |
Oleksandr Kovalchuk |
|
Last commit: 2022-11-04
|
|
|
Damn Vulnerable Restaurant
888 |
theowni |
|
Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers. Last commit: 2026-01-03 |
|
|
Damn Vulnerable Serverless App (DVSA)
544 |
Protego Labs |
|
Last commit: 2023-09-12
|
|
|
Damn Vulnerable Stateful WebApp
14 |
dnet |
|
Last commit: 2015-12-04
|
|
|
Damn Vulnerable Web Application - DVWA
12523 |
RandomStorm |
|
Last commit: 2026-01-21
|
|
|
Damn Vulnerable Web Services
457 |
snoopysecurity |
|
Last commit: 2021-12-06
|
|
|
Damn Vulnerable Web Sockets
356 |
@appsecco |
|
Last commit: 2025-12-19
|
|
|
DjanGoat
75 |
Contrast Security |
|
Intentionally vulnerable Django application inspired by RailsGoat, designed as an internal employee portal and containing OWASP Top 10 vulnerabilities for educational use. Last commit: 2025-10-08 |
|
|
DjangoGoat
45 |
Red and Black |
|
Last commit: 2019-08-18
|
|
|
EKS Goat
37 |
OWASP |
|
AWS EKS Security Lab and activity. Last commit: 2026-01-21 |
|
|
EasyBuggy
257 |
Kohei Tamura |
|
Last commit: 2026-01-11
|
|
|
Extreme Vulnerable Node Application
95 |
vegabird |
|
Last commit: 2018-02-08
|
|
|
FFUF.me
70 |
adamtlangley |
|
Target practice for ffuf Last commit: 2021-08-10 |
|
|
Generic-University
416 |
Katie Paxton-Fear |
|
Last commit: 2022-11-14
|
|
|
Goof
534 |
Snyk |
|
online - via Heroku deploy Last commit: 2023-05-24 |
|
| Gruyere |
|
|||
|
Hackademic Challenges Project
324 |
OWASP |
|
Last commit: 2017-02-24
|
|
|
Hackazon
1016 |
Rapid7 (NTObjectives) |
|
Last commit: 2021-03-11
|
|
| Hackxor | albinowax |
|
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities. |
|
|
Hammer
21 |
iknowjason |
|
Includes manual build and docker options. Last commit: 2022-04-26 |
|
| LAMPSecurity |
|
|||
|
Magical Code Injection Rainbow - MCIR
446 |
SpiderLabs |
|
Last commit: 2020-08-07
|
|
|
Marathon
66 |
Christian Schneider |
|
Vulnerable demo application Last commit: 2025-06-15 |
|
|
Mutillidae
1465 |
|
Last commit: 2025-08-03
|
||
|
NoSQL Injection Lab
134 |
@digininja |
|
Last commit: 2020-07-22
|
|
|
NoSQL Injection Vulnerable App (NIVA)
19 |
Anton Abashkin |
|
Last commit: 2022-11-21
|
|
|
NodeGoat
2009 |
OWASP |
|
Last commit: 2023-06-21
|
|
|
NodeVulnerable
482 |
cr0hn |
|
Last commit: 2024-04-29
|
|
|
OSTE-Vulnerable-Web-Application
17 |
(OSTE)Oudjani seyyid taqi eddine |
|
Vulnerable web application Last commit: 2023-12-15 |
|
|
OWASP Damn Vulnerable Web Sockets (DVWS)
356 |
Abhineet Jayaraj (@xploresec) |
|
Last commit: 2025-12-19
|
|
|
OWASP Juice Shop
12405 |
OWASP |
|
Last commit: 2026-01-05
|
|
|
OWASP SKF Labs
463 |
[email protected] and [email protected] |
|
You can go to the demo website and log in (admin / test-skf) or skip login, then go to the Labs menu and start the Lab you want to do. Please limit the usage of scanning tools on the Labs. Last commit: 2024-08-02 |
|
|
OWASP VulnerableApp
357 |
Karan Preet Singh Sasan |
|
Last commit: 2026-01-26
|
|
|
OWASP VulnerableApp-facade
49 |
Karan Preet Singh Sasan |
|
Last commit: 2023-12-04
|
|
| Peruggia |
|
|||
|
Pixi
132 |
OWASP |
|
Last commit: 2020-03-31
|
|
| Puzzlemall |
|
|||
|
PyGoat
298 |
Ade Yoseman |
|
Last commit: 2026-01-25
|
|
|
Race The Web
627 |
insp3ctre |
Last commit: 2019-10-16
|
||
|
Rails Goat
911 |
OWASP |
|
Last commit: 2026-01-28
|
|
|
SQL injection test environment
352 |
|
SQLmap Project Last commit: 2022-04-14 |
||
|
SQLI-labs
5710 |
|
Last commit: 2014-10-31
|
||
|
SQLol
123 |
|
Last commit: 2013-07-19
|
||
|
SSRF Vuln Lab
754 |
incredibleindishell, Mohammed Farhan |
|
Last commit: 2023-08-21
|
|
|
Scriptease
1 |
|
A vulnerable JavaScript SPA (no back end) that demonstrates several client-side security flaws (XSS, open redirect, prototype pollution, ReDoS, request hijacking, etc.). It showcases a diverse set of sources and sinks for taint analysis, uses two alternative bundlers (Webpack, Vite), and includes lazy-loaded modules. Last commit: 2026-01-02 |
||
|
SecDevLabs
969 |
Globo |
|
Repository with many intentionally vulnerable web applications. Includes attack narratives and docker options for each app. Last commit: 2024-09-25 |
|
|
Security Shepherd
1420 |
OWASP |
|
Last commit: 2025-10-15
|
|
|
TicketMagpie
20 |
|
Last commit: 2017-05-11
|
||
|
Tiredful API
578 |
@payatu |
|
Last commit: 2020-09-07
|
|
|
UnSAFE Bank
167 |
lucideus |
|
Web, Android and iOS application Last commit: 2025-09-29 |
|
|
Varnish HTTP/2 Request Smuggling
56 |
Detectify |
|
A docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling, presented by Albinowax at Blackhat/Defcon 2021. Last commit: 2021-08-26 |
|
|
VulnLab
477 |
Yavuzlar (siberyavuzlar.com) |
|
A web vulnerability lab project developed by Yavuzlar. Last commit: 2025-02-02 |
|
|
Vulnerable Java Web Application
270 |
Cyber Security and Privacy Foundation |
|
Last commit: 2024-06-20
|
|
|
Vulnerable Node Express
21 |
Zachary Conger |
|
SQLi and XSS Last commit: 2023-11-16 |
|
|
Vulnerable OTP App
85 |
mddanish |
|
Last commit: 2019-11-13
|
|
|
Vulnerable SAML App
54 |
yogisec |
|
Last commit: 2020-11-02
|
|
|
VulnerableLightApp
52 |
Michael Vacarella |
|
Vulnerable API for educational purposes Last commit: 2026-01-07 |
|
|
VulnerableXsltConsoleApplication
10 |
Context Information Security |
|
This is a console app; however, it relates to an issue that is relevant to web apps: use of XSLT transforms for XML files. Last commit: 2017-09-25 |
|
|
WAVSEP - Web Application Vulnerability Scanner Evaluation Project
14 |
Shay Chen & The ZAP Dev Team |
|
Last commit: 2025-09-08
|
|
| WIVET- Web Input Vector Extractor Teaser | ||||
|
WackoPicko
344 |
|
Last commit: 2021-11-17
|
||
|
WebGoat
8893 |
OWASP |
|
Last commit: 2025-11-02
|
|
|
WebGoatPHP
148 |
OWASP |
|
Last commit: 2025-04-28
|
|
|
Weird Proxies - Labs
1852 |
Green Dog (GrrrDog) |
|
Last commit: 2023-11-04
|
|
|
WrongSecrets
1391 |
Jeroen Willemsen (@commjoen), Ben de Haan (@bendehaan), Nanne Baars (@nbaars) |
|
OWASP WrongSecrets is a vulnerable app used to show how to not use secrets. Last commit: 2026-01-26 |
|
|
XXE Lab
229 |
Joshua Barone |
|
Last commit: 2021-11-10
|
|
|
Xtreme Vulnerable Web Application (XVWA)
1745 |
@s4n7h0, @samanL33T |
|
Last commit: 2020-09-12
|
|
| Yrprey | Fernando Mengali, Vagner Mengali |
|
Framework created in NextJs (TypeScript) and PHP/MySQL with OWASP TOP 10 API vulnerabilities of 2019 and 2023. Yrprey was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (AppSec). |
|
| YrpreyBlog | Fernando Mengali |
|
A framework created in PHP/MySQL with OWASP TOP 10 Web Application vulnerabilities. |
|
| YrpreyC | Fernando Mengali |
|
YrpreyC is a framework written in the C language that contains vulnerabilities related to memory issues, categorized as overflows |
|
| YrpreyC++ | Fernando Mengali |
|
YrpreyC++ is a framework written in the C++ language that contains vulnerabilities related to memory issues, categorized as overflows |
|
| YrpreyPHP | Fernando Mengali |
|
A framework created in PHP/MySQL with OWASP TOP 10 Web Application vulnerabilities. YrpreyPHP was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (AppSec). |
|
| YrpreyPathTraversal | Fernando Mengali |
|
YrpreyPathTraversal is a framework written in PHP, with examples of exploiting Path Traversal and Local File Inclusion vulnerabilities in different ways. |
|
|
Zero Health
33 |
Aliyu G. Yisa |
|
Zero trust. Zero security. Total exposure. A deliberately vulnerable health tech platform with AI Chatbot for learning about application security and ethical hacking. It contains vulnerabilities from OWASP top 10 Web, API and AI/LLM Security Vulnerabilities. Highly vulnerable, never use in production. Last commit: 2025-06-15 |
|
| bWAPP |
|
|||
|
crAPI
1410 |
OWASP |
|
OWASP crAPI (Completely Ridiculous API) is an intentionally vulnerable API designed to help security teams practice API security testing including BOLA, BFLA, mass assignment, and authentication flaws. Last commit: 2026-01-20 |
|
|
dvws-node
502 |
@snoopysecurity |
|
Last commit: 2026-01-23
|
|
|
gRPC Goat
50 |
rootxjs |
|
Vulnerable by Design lab for learning and practicing gRPC security. Last commit: 2025-09-22 |
|
|
insecure-deserialisation-net-poc
20 |
Omer Levi Hevroni |
|
A small webserver vulnerable to insecure deserialization Last commit: 2017-11-30 |
|
|
jwtdemo
116 |
Sjoerd Langkemper (Sjord) |
|
Practice hacking JWT tokens. Last commit: 2022-09-08 |
|
|
play-webgoat
18 |
|
Last commit: 2026-01-28
|
||
|
twitterlike
4 |
Sakti Dwi Cahyono |
|
Last commit: 2013-10-16
|
|
|
vAPI
1322 |
Tushar Kulkarni |
|
vAPI is a Vulnerable Interface that demonstrates the OWASP API Top 10 vulnerabilities by means of exercises. Last commit: 2025-01-10 |
|
|
vuln-node.js-express.js-app
41 |
SirAppSec |
|
A Very Vulnerable Node.js Express.js Web Application and API. Used for testing Security tools, Application security and penetration testing. Using Swagger, Sqlite, Sequelize. Last commit: 2024-08-26 |
|
|
vulnerable-api
70 |
Matthew Valdes |
|
Last commit: 2016-06-29
|
|
|
websheep
57 |
Younes Jaaidi (yjaaidi) |
|
Websheep is an app based on willingly vulnerable ReSTful APIs. Last commit: 2022-12-21 |
|
| ypreyAPINodeJS | Fernando Mengali |
|
yrpreyAPINodeJS is a vulnerable framework written in NodeJS and based on the OWASP TOP 10 API. |
|
| ypreyAPIPython | Fernando Mengali |
|
ypreyAPIPython is a vulnerable framework written in Python and based on the OWASP TOP 10 API. |
|
| ypreyPollsPHP | Fernando Mengali |
|
ypreyPollsPHP is a vulnerable framework written in PHP with a polls management scenario, based on the OWASP TOP 10 |
|
| yrpreyASPC | Fernando Mengali |
|
yrpreyASPC is a vulnerable framework written in ASP and C with vulnerabilities based on Buffer Overflow, Command Injection, and web application vulnerabilities. |
|
| yrpreyASPCPlus | Fernando Mengali |
|
yrpreyASPCPlus is a vulnerable framework written in ASP and C++ with vulnerabilities based on Buffer Overflow, Command Injection, and web application vulnerabilities. |
|
| yrpreyFinance | Fernando Mengali |
|
yrpreyFinance is a vulnerable framework written in PHP with a financial management scenario, based on the OWASP TOP 10 |
|
| yrpreyLibrary | Fernando Mengali |
|
yrpreyLibrary is a vulnerable framework written in PHP, based on the OWASP TOP 10 |
|
| yrpreyPollsNodeJS | Fernando Mengali |
|
yrpreyPollsNodeJS is a vulnerable framework written in NodeJS with a polls management scenario, based on the OWASP TOP 10 |
|
| yrpreyPollsPerl | Fernando Mengali |
|
yrpreyPollsPerl is a vulnerable framework written in Perl with a polls management scenario, based on the OWASP TOP 10 |
|
| yrpreyPollsPython | Fernando Mengali |
|
yrpreyPollsPython is a vulnerable framework written in Python with a polls management scenario, based on the OWASP TOP 10 |
|
| yrpreyTasks | Fernando Mengali |
|
yrpreyTasks is a vulnerable framework written in PHP with a task management scenario, based on the OWASP TOP 10 |
|
| yrpreyTasksNodeJS | Fernando Mengali |
|
yrpreyTasksNodeJS is a vulnerable framework written in NodeJS with a task management scenario, based on the OWASP TOP 10 |
|
| yrpreyTasksPython | Fernando Mengali |
|
yrpreyTasksPython is a vulnerable framework written in Python with a task management scenario, based on the OWASP TOP 10 |
Online
| App. URL |
Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
| AWS CTF Challenge | AWS Security Team |
|
Capture-the-flag challenges for AWS |
|
|
AWS Infrastructure Pentest Lab
3439 |
AWS Security Team |
|
Hands-on lab for AWS infrastructure pentesting Last commit: 2025-09-18 |
|
| AWS Security Workshop | AWS Security Team |
|
Interactive workshop covering AWS security best practices |
|
| Acuart | Acunetix |
|
Art shopping |
|
|
Altoro Mutual (AltoroJ)
280 |
HCL/IBM/Watchfire |
|
Log in with jsmith/demo1234 or admin/admin Last commit: 2024-07-23 |
|
|
AuthLab
98 |
digininja (Robin Wood) |
|
Last commit: 2023-01-30
|
|
| Azure AD CTF Challenge | Azure Security Team |
|
Capture-the-flag challenges for Azure AD |
|
|
Azure Infrastructure Workshop
616 |
Azure Security Team |
|
Interactive workshop covering Azure security best practices Last commit: 2023-06-01 |
|
|
Broken Crystals
180 |
NeuraLegion |
|
Last commit: 2026-01-14
|
|
| CTFLearn | @ctflearn | |||
|
Cyber Scavenger Hunt
15 |
Arthur Kay |
|
A simple scavenger hunt to learn about pentesting a website or web application. Last commit: 2022-07-19 |
|
| Damn Vulnerable AI Bank (DVAIB) | Subhash Dasyam |
|
Hands-on AI security training platform for prompt injection and jailbreaking, realistic attack scenarios, achievements, and leaderboard. |
|
|
Damn Vulnerable RESTaurant (DV-REST)
888 |
theowni |
|
An intentionally vulnerable API training game for developers, ethical hackers, and security engineers. Designed as a CTF-style playground to learn, detect, exploit, and remediate API security vulnerabilities using a FastAPI-based application. Supports local Docker deployment and online execution via GitHub Codespaces. Last commit: 2026-01-03 |
|
| Defend the Web | Luke [flabbyrabbit] |
Formerly HackThis |
||
| Duck Store | DonAsako |
|
Duck Store is an intentionally vulnerable web app for training purposes on how to find classic and business logic vulns dedicated to developers, ethical hackers, and security engineers. |
|
|
EntraGoat
876 |
Azure Security Team |
|
A deliberately vulnerable Microsoft Entra ID environment. Learn identity security through hands-on, realistic attack challenges. Last commit: 2026-01-15 |
|
|
FFUF.me
70 |
adamtlangley |
|
Target practice for ffuf Last commit: 2021-08-10 |
|
|
Firing Range
1403 |
Last commit: 2018-11-08
|
|||
| Gandalf | Lakera |
|
A game designed to challenge your ability to interact with large language models (LLMs) and test prompt injection skills. Your goal is to trick Gandalf into revealing the secret password. |
|
| Gin & Juice Shop | PortSwigger |
|
A hosted always-online demo app with realistic technologies. |
|
| Gruyere |
|
|||
| HackTheBox | HackTheBox |
|
Online platform featuring vulnerable machines and challenges for penetration testing practice. Includes retired machines, active challenges, and Pro Labs. |
|
|
HackThis
46 |
Luke Ward (0x6C77) |
|
Last commit: 2018-08-31
|
|
| HackThisSite | HackThisSite Staff |
|
Always-on CTF challenges including Basic, Realistic, Application, Steganography, and many others. |
|
| HackXpert | theXSSrat |
|
||
| HackYourselfFirst | Troy Hunt | |||
| Hacking Lab | Hacking Lab | |||
| Hackxor | albinowax |
|
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities. |
|
| Kubernetes CTF Challenge | Kubernetes Security Team |
|
Capture-the-flag challenges for Kubernetes |
|
|
Kubernetes Security Workshop
5382 |
Kubernetes Security Team |
|
Interactive workshop covering Kubernetes security best practices Last commit: 2025-11-18 |
|
| Netsparker Test App .NET | Netsparker |
|
||
| Netsparker Test App PHP | Netsparker |
|
||
|
OWASP Juice Shop
12405 |
OWASP |
|
Last commit: 2026-01-05
|
|
|
OWASP SKF Labs
463 |
[email protected] and [email protected] |
|
You can go to the demo website and log in (admin / test-skf) or skip login, then go to the Labs menu and start the Lab you want to do. Please limit the usage of scanning tools on the Labs. Last commit: 2024-08-02 |
|
| Pentest-Ground | Pentest-Tools.com |
|
Suite of vulnerable web apps to practice |
|
|
PyGoat
298 |
Ade Yoseman |
|
Last commit: 2026-01-25
|
|
| Root Me | Root-Me |
Root-Me is a non-profit organization aimed at providing an outstanding learning platform for ethical hacking. It offers hundreds of challenges and virtual environments. |
||
| Security Tweets | Acunetix |
HTML5 |
||
| Solyd - Introdução ao Hacking e Pentest | Solyd |
|
In Portuguese (Português) - Free online training with free online lab |
|
| TryHackMe | TryHackMe |
|
Online platform for learning cyber security through hands-on exercises and labs. Features virtual rooms with vulnerable machines and guided learning paths. |
|
|
Vuln-Bank
549 |
Al-Amir Badmus |
|
A deliberately vulnerable banking application designed for practicing Security Testing of Web App, APIs, AI integrated App and secure code reviews. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn security testing and secure coding practices in a safe environment. Last commit: 2025-11-23 |
|
| Zero Bank | Micro Focus Fortify (was HP/SpiDynamics) |
(username/password) |
VM-ISO
| App. URL |
Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
| Bee-Box |
|
|||
|
BodgeIt Store
281 |
Simon Bennetts (psiinon) |
|
Last commit: 2024-08-13
|
|
|
CI/CD Goat
2182 |
Cider |
|
Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags. Last commit: 2024-07-11 |
|
|
CloudGoat
3455 |
Rhino Security Labs |
|
Last commit: 2025-09-18
|
|
|
DIWA - Deliberately Insecure Web Application
71 |
Tim Steufmehl |
|
A Deliberately Insecure Web Application Last commit: 2020-01-09 |
|
|
Damn Vulnerable C# Application (API)
79 |
Appsecco |
|
Last commit: 2022-12-07
|
|
|
Damn Vulnerable GraphQL Application (DVGA)
1675 |
Dolev Farhi, Connor McKinnon |
|
Last commit: 2025-05-24
|
|
|
Damn Vulnerable LLM Agent
357 |
Reversec Labs |
|
Last commit: 2025-06-25
|
|
|
Damn Vulnerable RESTaurant (DV-REST)
888 |
theowni |
|
An intentionally vulnerable API training game for developers, ethical hackers, and security engineers. Designed as a CTF-style playground to learn, detect, exploit, and remediate API security vulnerabilities using a FastAPI-based application. Supports local Docker deployment and online execution via GitHub Codespaces. Last commit: 2026-01-03 |
|
|
Damn Vulnerable Web Application - DVWA
12523 |
RandomStorm |
|
Last commit: 2026-01-21
|
|
|
EKS Goat
37 |
OWASP |
|
AWS EKS Security Lab and activity. Last commit: 2026-01-21 |
|
| Exploit.co.il Vuln Web App |
|
|||
|
FFUF.me
70 |
adamtlangley |
|
Target practice for ffuf Last commit: 2021-08-10 |
|
|
Game of Active Directory
7390 |
Orange-Cyberdefense |
|
Requires a considerably powerful system Last commit: 2025-07-16 |
|
| GameOver |
|
|||
|
Generic-University
416 |
Katie Paxton-Fear |
|
Last commit: 2022-11-14
|
|
|
Goof
534 |
Snyk |
|
online - via Heroku deploy Last commit: 2023-05-24 |
|
|
Google Security Testbeds
58 |
|
This project aims to provide a central repository for testbeds contents usable to assert the quality and functionality of security scanners. This includes 0-day and 1-day scanning capabilities. Covering various CVEs, weak credentials across various services, exposed UI for various services. Last commit: 2026-01-16 |
||
| Hackxor | albinowax |
|
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities. |
|
|
Kubernetes Infrastructure Pentest Lab
268 |
Kubernetes Security Team |
|
Hands-on lab for Kubernetes infrastructure pentesting Last commit: 2026-01-14 |
|
| LAMPSecurity |
|
|||
|
Log4Shell sample vulnerable application
1135 |
Christophe Tafani-Dereeper, Gerard Arall, rayhan0x01 Rayhan Ahmed |
|
CVE-2021-44228 Last commit: 2022-12-14 |
|
| Metasploitable 2 |
|
|||
|
Metasploitable 3
5411 |
|
Last commit: 2025-02-13
|
||
| Moth |
|
|||
|
NoSQL Injection Vulnerable App (NIVA)
19 |
Anton Abashkin |
|
Last commit: 2022-11-21
|
|
|
OWASP Juice Shop
12405 |
OWASP |
|
Last commit: 2026-01-05
|
|
| PentesterLab - The Exercises |
|
|||
|
Pixi
132 |
OWASP |
|
Last commit: 2020-03-31
|
|
|
PyGoat
298 |
Ade Yoseman |
|
Last commit: 2026-01-25
|
|
| Samurai WTF |
|
|||
| Sauron |
|
|||
|
Security Labs & POCs
449 |
DataDog |
|
Last commit: 2025-08-18
|
|
|
Template Injection Playground
58 |
Hackmanit and Maximilian Hildebrand |
|
Last commit: 2026-01-03
|
|
|
VAmPI
1163 |
erev0s |
|
Last commit: 2024-11-25
|
|
| Virtual Hacking Lab |
|
|||
|
Vuln-Bank
549 |
Al-Amir Badmus |
|
A deliberately vulnerable banking application designed for practicing Security Testing of Web App, APIs, AI integrated App and secure code reviews. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn security testing and secure coding practices in a safe environment. Last commit: 2025-11-23 |
|
|
Vulnado
191 |
ScaleSec |
|
Purposely vulnerable Java application to help lead secure coding workshops Last commit: 2020-06-02 |
|
|
Wayfarer
1 |
SamuraiWTF |
|
Last commit: 2023-08-24
|
|
| Web Security Dojo |
|
|||
|
Weird Proxies - Labs
1852 |
Green Dog (GrrrDog) |
|
Last commit: 2023-11-04
|
|
| XXE |
|
|||
|
XXE Lab
229 |
Joshua Barone |
|
Last commit: 2021-11-10
|
|
|
Zero Health
33 |
Aliyu G. Yisa |
|
Zero trust. Zero security. Total exposure. A deliberately vulnerable health tech platform with AI Chatbot for learning about application security and ethical hacking. It contains vulnerabilities from OWASP top 10 Web, API and AI/LLM Security Vulnerabilities. Highly vulnerable, never use in production. Last commit: 2025-06-15 |
|
|
crAPI
1410 |
OWASP |
|
OWASP crAPI (Completely Ridiculous API) is an intentionally vulnerable API designed to help security teams practice API security testing including BOLA, BFLA, mass assignment, and authentication flaws. Last commit: 2026-01-20 |
|
|
c{api}tal
319 |
Checkmarx |
|
Last commit: 2024-04-05
|
|
|
dvws-node
502 |
@snoopysecurity |
|
Last commit: 2026-01-23
|
|
|
gRPC Goat
50 |
rootxjs |
|
Vulnerable by Design lab for learning and practicing gRPC security. Last commit: 2025-09-22 |
|
|
vuln-node.js-express.js-app
41 |
SirAppSec |
|
A Very Vulnerable Node.js Express.js Web Application and API. Used for testing Security tools, Application security and penetration testing. Using Swagger, Sqlite, Sequelize. Last commit: 2024-08-26 |
Platform
| App. URL |
Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
| Caido labs | Caido |
Caido Labs provides interactive security testing challenges and vulnerable web applications for learning and practicing web security skills. |
||
|
Google Security Testbeds
58 |
|
This project aims to provide a central repository for testbeds contents usable to assert the quality and functionality of security scanners. This includes 0-day and 1-day scanning capabilities. Covering various CVEs, weak credentials across various services, exposed UI for various services. Last commit: 2026-01-16 |
||
| HackTheBox | HackTheBox |
|
Online platform featuring vulnerable machines and challenges for penetration testing practice. Includes retired machines, active challenges, and Pro Labs. |
|
| HackingHub Labs | HackingHub |
Carefully crafted environments based on real vulnerabilities, released pentests and bug bounty findings. |
||
| TryHackMe | TryHackMe |
|
Online platform for learning cyber security through hands-on exercises and labs. Features virtual rooms with vulnerable machines and guided learning paths. |