OWASP Vulnerable Web Applications Directory

Random App of the Day

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
Netsparker Test App PHP	Netsparker	Live	PHP

VWAD

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of known vulnerable web and mobile applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable applications available to security professionals for hacking, offensive and defensive activities, so that they can manipulate realistic web environments… without going to jail

The vulnerable web applications have been classified in four categories: Online, Offline, Mobile, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till October 2013 here.

A brief description of the OWASP VWAD project is available here.

The associated GitHub repository is available here.

Open Hub Stats

On-line Resources Used

Other Vulnerable Web-app Compilations

Penetration Testing Practice Labs - Vulnerable Apps/Systems

Mobile

App. URL	Author	Reference(s)	Technology(ies)
AndroGoat	satishpatnayak	Download	Kotlin Android
Damn Vulnerable Bank	Rewanth Tammana, Akshansh Jaiswal, Hrushikesh Kakade	Guide	android
Goatlin	Checkmarx	Guide	Kotlin Android API REST
MSTG CrackMes	OWASP
MSTG Hacking Playground	OWASP	Guide

Offline

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
.NET Goat	OWASP		C#	Original main repo: https://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET.
Altoro Mutual (AltoroJ)	IBM/Watchfire	Download Live	J2EE	Log in with jsmith/demo1234 or admin/admin
AuthLab	digininja (Robin Wood)	Guide Live	GO
BodgeIt Store	Simon Bennetts (psiinon)	Download Docker	Java
Bricks	OWASP	Download Guide	PHP
Broken Crystals	NeuraLegion	Live	react Node Swagger
Butterfly Security Project		Download	PHP	Last updated in 2008
CVWA - Conviso Vulnerable Web Application	Conviso AppSec	Download	PHP
CloudGoat	Rhino Security Labs	Guide Announcement Docker	Python AWS
CryptOMG	SpiderLabs	Download	PHP
Cyclone Transfers			Ruby on Rails
DIWA - Deliberately Insecure Web Application	Tim Steufmehl	Guide	PHP Docker	A Deliberately Insecure Web Application
Damn Small Vulnerable Web (DSVW)	Miroslav Stampar		Python
Damn Vulnerable Application Scanner (DVAS)	Andrea Valenza, Enrico Russo, Gabriele Costa	Guide Announcement	PHP	An intentionally vulnerable web application scanner
Damn Vulnerable Electron App (DVEA)	Najam Ul Saqib (cybersoldier)	Announcement Download	ElectronJS	A deliberately insecure ElectronJS application
Damn Vulnerable File Upload - DVFU	Thin Ba Shane (@art0flunam00n)		PHP
Damn Vulnerable Functions as a Service (DVFaaS)	we45 (Abhay Bhargav)	Guide	Python AWS
Damn Vulnerable GraphQL Application (DVGA)	Dolev Farhi <[email protected]>, Connor McKinnon		Python HTML Javascript GraphQL SQLAlchemy docker
Damn Vulnerable Node Application - DVNA	Claudio Lacayo		Node.js
Damn Vulnerable NodeJS Application - DVNA	@appsecco		Node.js	Different project from the old DVNA
Damn Vulnerable OAuth 2.0 Applications	Koen Buyens		MEAN Docker OAuth 2.0	A set of vulnerable applications which show Oauth2.0 vulnerabilities.
Damn Vulnerable Python Web Application - DVPWA	Oleksandr Kovalchuk		Python Docker
Damn Vulnerable Restaurant	theowni	Guide	Python Docker	Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
Damn Vulnerable Serverless App (DVSA)	Protego Labs	Guide	Node AWS Azure
Damn Vulnerable Stateful WebApp	dnet	Download	PHP
Damn Vulnerable Web Application - DVWA	RandomStorm	Download Docker	PHP
Damn Vulnerable Web Services	snoopysecurity		Web Services
Damn Vulnerable Web Sockets	@appsecco		Web Sockets
DjangoGoat	Red and Black		Python Django
EasyBuggy	Kohei Tamura	Download Guide	Java
Extreme Vulnerable Node Application	vegabird	Download	NodeJS
FFUF.me	adamtlangley	Download Live	PHP Docker	Target practice for ffuf
Generic-University	Katie Paxton-Fear		PHP docker API GraphQL MySQL Laravel
Goof	Snyk	Guide Guide	NodeJS	online - via Heroku deploy
Gruyere	Google	Download Live	Python
Hackademic Challenges Project	OWASP	Download	PHP Joomla
Hackazon	Rapid7 (NTObjectives)	Download Guide Guide Guide	AJAX JSON XML GwT AMF
Hackxor	albinowax	Download Guide Live	VMware	First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.
Hacme Bank	McAfee / Foundstone	Download	.NET
Hacme Bank - Android	McAfee / Foundstone
Hacme Books	McAfee / Foundstone	Download	Java
Hacme Casino	McAfee / Foundstone	Download	Ruby on Rails
Hacme Shipping	McAfee / Foundstone	Download	ColdFusion
Hacme Travel	McAfee / Foundstone	Download	C++
Hammer	iknowjason	Download Live	Ruby on Rails	Includes manual build and docker options.
LAMPSecurity		Download	VMware PHP
Magical Code Injection Rainbow - MCIR	SpiderLabs		PHP
Marathon	Christian Schneider		JAVA Docker	Vulnerable demo application
Mutillidae		Download	PHP
NoSQL Injection Lab	@digininja	Download	PHP MongoDB
NoSQL Injection Vulnerable App (NIVA)	Anton Abashkin	Docker Guide	Java MongoDB
NodeGoat	OWASP	Download	Node.js
NodeVulnerable	cr0hn		Node.js
OSTE-Vulnerable-Web-Application	(OSTE)Oudjani seyyid taqi eddine		PHP	Vulnerable web application
OWASP Damn Vulnerable Web Sockets (DVWS)	Abhineet Jayaraj (@xploresec)	Download	PHP HTML Javascript WebSockets
OWASP Juice Shop	OWASP	Download Docker Guide Demo Preview Live	TypeScript JavaScript Angular Node.js
OWASP SKF Labs	[email protected] and [email protected]	Demo Guide Live	Python HTML Javascript GraphQL Ruby	You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs.
OWASP VulnerableApp	Karan Preet Singh Sasan	Docker Download	Java Javascript Spring-Boot
OWASP VulnerableApp-facade	Karan Preet Singh Sasan	Docker Download	Typescript Javascript Docker
Peruggia		Download	PHP
Pixi	OWASP	Download Download Guide Guide	Node.js Swagger docker
Puzzlemall		Download	Java
PyGoat	Ade Yoseman	Guide Docker Download Live	Python
Race The Web	insp3ctre	Download
Rails Goat	OWASP	Download Downloads	Ruby on Rails
SQL injection test environment			PHP	SQLmap Project
SQLI-labs		Download Guide	PHP
SQLol		Download	PHP
SSRF Vuln Lab	incredibleindishell, Mohammed Farhan	Docker	PHP
SecDevLabs	Globo	Guide	Go NodeJS Python PHP React Angular/Spring Dart/Flutter	Repository with many intentionally vulnerable web applications. Includes attack narratives and docker options for each app.
Security Shepherd	OWASP	Download	Java
TicketMagpie		Download	Java
Tiredful API	@payatu	Download	Python Django
UnSAFE Bank	lucideus		Docker	Web, Android and iOS application
Varnish HTTP/2 Request Smuggling	Detectify	Announcement	Varnish HTTP/2	A docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling, presented by Albinowax at Blackhat/Defcon 2021.
VulnLab	Yavuzlar (siberyavuzlar.com)		PHP Docker	A web vulnerability lab project developed by Yavuzlar.
Vulnerable Java Web Application	Cyber Security and Privacy Foundation		Java
Vulnerable Node Express	Zachary Conger		Node.js Express	SQLi and XSS
Vulnerable OTP App	mddanish		PHP Google OTP
Vulnerable SAML App	yogisec		Python
VulnerableXsltConsoleApplication	Context Information Security		.Net	This is a console app, however it relates to an issues that is relevant to web apps: use of XSLT transforms for XML files.
WAVSEP - Web Application Vulnerability Scanner Evaluation Project	Shay Chen	Download Downloads Downloads	Java
WIVET- Web Input Vector Extractor Teaser		Download Downloads
WackoPicko		Download	PHP
WebGoat	OWASP	Download Guide Docker	Java
WebGoatPHP	OWASP	Download Downloads	PHP
WrongSecrets	Jeroen Willemsen (@commjoen), Ben de Haan (@bendehaan), Nanne Baars (@nbaars)	Download	JavaScript Java Hashicorp Vault Kubernetes Docker AWS GCP	OWASP WrongSecrets is a vulnerable app used to show how to not use secrets.
XXE Lab	Joshua Barone		docker vagrant
Xtreme Vulnerable Web Application (XVWA)	@s4n7h0, @samanL33T	Download	PHP MySQL
Yrprey	Fernando Mengali, Vagner Mengali	Download Download Docker	PHP TypeScript NextJs	Framework created in NextJs (TypeScript) and PHP/MySQL with OWASP TOP 10 API vulnerabilities of 2019 and 2023. Yrprey can was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (Appsec).
bWAPP		Download Guide	PHP
crAPI	OWASP	Downloads	Go nginx
dvws-node	@snoopysecurity	Guide	Web Services NodeJS
insecure-deserialisation-net-poc	Omer Levi Hevroni		.NET JSON yoserial.NET	A small webserver vulnerable to insecure deserialization
jwtdemo	Sjoerd Langkemper (Sjord)	Guide	PHP	Practice hacking JWT tokens.
play-webgoat			Java Scala Play Framework
twitterlike	Sakti Dwi Cahyono	Download	PHP
vAPI	Tushar Kulkarni	Guide Docker	PHP	vAPI is a Vulnerable Interface that demonstrates the OWASP API Top 10 vulnerabilities in the means of exercises
vulnerable-api	Matthew Valdes	Download	Python
websheep	Younes Jaaidi (yjaaidi)	Guide	Angular JavaScript Node	Websheep is an app based on a willingly vulnerable ReSTful APIs.

Online

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
Acuart	Acunetix	Live	PHP	Art shopping
Altoro Mutual (AltoroJ)	IBM/Watchfire	Download Live	J2EE	Log in with jsmith/demo1234 or admin/admin
AuthLab	digininja (Robin Wood)	Guide Live	GO
BGA Vulnerable BANK App	BGA Security	Live	.NET
Broken Crystals	NeuraLegion	Live	react Node Swagger
CTFLearn	@ctflearn	Live
Cyber Scavenger Hunt	Arthur Kay	Download Live	Javacript React	A simple scavenger hunt to learn about pentesting a website or web application.
Defend the Web	Luke [flabbyrabbit]	Live		Formerly HackThis
FFUF.me	adamtlangley	Download Live	PHP Docker	Target practice for ffuf
Firing Range	Google	Download Live
Game of Hacks	Checkmarx	Live	Node Express.js
Gin & Juice Shop	PortSwigger	Announcement Live	JavaScript AngularJS React CSRF	A hosted always-online demo app with realistic technologies.
Gruyere	Google	Download Live	Python
Hack.me	eLearnSecurity			Beta
HackThis	Luke Ward (0x6C77)	Download Live	PHP
HackThisSite	HackThisSite Staff	Live	PHP Perl JavaScript API Binaries	Always-on CTF challenges including Basic, Realistic, Application, Steganography, and many others.
HackXpert	theXSSrat	Guide Live	PHP
HackYourselfFirst	Troy Hunt	Guide Live
Hacking Lab	Hacking Lab	Live
Hackxor	albinowax	Download Guide Live	VMware	First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.
Netsparker Test App .NET	Netsparker	Live	ASP.NET
Netsparker Test App PHP	Netsparker	Live	PHP
OWASP Juice Shop	OWASP	Download Docker Guide Demo Preview Live	TypeScript JavaScript Angular Node.js
OWASP SKF Labs	[email protected] and [email protected]	Demo Guide Live	Python HTML Javascript GraphQL Ruby	You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs.
Pentest-Ground	Pentest-Tools.com		PHP Docker	Suite of vulnerable web apps to practice
Pentester Academy		Live
PyGoat	Ade Yoseman	Guide Docker Download Live	Python
Security Tweets	Acunetix	Live		HTML5
Solyd - Introdução ao Hacking e Pentest	Solyd		PHP Linux	In Portuguese (Português) - Free online trainning with free online lab
Zero Bank	Micro Focus Fortify (was HP/SpiDynamics)	Live		(username/password)

VM-ISO

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
Bee-Box			VMware
BodgeIt Store	Simon Bennetts (psiinon)	Download Docker	Java
Broken Web Applications Project (BWA) - OWASP	OWASP - Chuck Willis	Download Download	VMware
CI/CD Goat	Cider		Gitea Jenkins GitLab Docker	Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.
CloudGoat	Rhino Security Labs	Guide Announcement Docker	Python AWS
DIWA - Deliberately Insecure Web Application	Tim Steufmehl	Guide	PHP Docker	A Deliberately Insecure Web Application
Damn Vulnerable GraphQL Application (DVGA)	Dolev Farhi <[email protected]>, Connor McKinnon		Python HTML Javascript GraphQL SQLAlchemy docker
Damn Vulnerable Web Application - DVWA	RandomStorm	Download Docker	PHP
Exploit.co.il Vuln Web App		Download	VMware
FFUF.me	adamtlangley	Download Live	PHP Docker	Target practice for ffuf
Game of Active Directory	Orange-Cyberdefense	Guide	Windows Active Directory	Requires a considerably powerful system
GameOver		Download	VMware
Generic-University	Katie Paxton-Fear		PHP docker API GraphQL MySQL Laravel
Goof	Snyk	Guide Guide	NodeJS	online - via Heroku deploy
Hackxor	albinowax	Download Guide Live	VMware	First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.
LAMPSecurity		Download	VMware PHP
Log4Shell sample vulnerable application	Christophe Tafani-Dereeper, Gerard Arall, rayhan0x01 Rayhan Ahmed		Spring Boot Log4j Java	CVE-2021-44228
Metasploitable 2		Download	VMware
Metasploitable 3		Download	VMware
Moth		Download	VMware
NoSQL Injection Vulnerable App (NIVA)	Anton Abashkin	Docker Guide	Java MongoDB
OWASP Juice Shop	OWASP	Download Docker Guide Demo Preview Live	TypeScript JavaScript Angular Node.js
PentesterLab - The Exercises			ISO PDF
Pixi	OWASP	Download Download Guide Guide	Node.js Swagger docker
PyGoat	Ade Yoseman	Guide Docker Download Live	Python
Samurai WTF		Download	ISO
Sauron		Download	Quemu
Security Labs & POCs	DataDog		docker Kubernetes PiPy OpenSSL JWT
VAmPI	erev0s	Guide Announcement	python docker OpenAPI
Virtual Hacking Lab		Download	ZIP
Vulnado	ScaleSec		Java Docker	Purposely vulnerable Java application to help lead secure coding workshops
Web Security Dojo		Download	VMware VirtualBox
XXE		Download	VMware
XXE Lab	Joshua Barone		docker vagrant
crAPI	OWASP	Downloads	Go nginx
dvws-node	@snoopysecurity	Guide	Web Services NodeJS