OWASP Vulnerable Web Applications Directory

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well-maintained registry of all known vulnerable web applications currently available. Web developers, security auditors and penetration testers can use these applications to put their knowledge and skills into practice during training sessions (and especially afterwards), and to test the many hacking tools and offensive techniques available at any time, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments… without going to jail :)

The vulnerable web applications have been classified into three categories: Online, Offline, and VMs/ISOs. Each list is ordered alphabetically.

An initial list that inspired this project was maintained till October 2013 here.

A brief description of the OWASP VWAD project is available here.

The associated GitHub repository is available here.


Offline

| App. | Author | Technology(ies) | Note(s) |
|---|---|---|---|
| .NET Goat | OWASP | C# | Original main repo: http://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net, https://github.com/jowasp/WebGoat.NET. |
| AuthLab | digininja (Robin Wood) | Go | |
| BadStore | | Perl (CGI) | |
| BodgeIt Store | Simon Bennetts (psiinon) | Java | |
| Bricks | OWASP | PHP | |
| Butterfly Security Project | | PHP | Last updated in 2008 |
| CloudGoat | Rhino Security Labs | Python | |
| CryptOMG | SpiderLabs | PHP | |
| Cyclone Transfers | | Ruby on Rails | |
| Damn Small Vulnerable Web (DSVW) | Miroslav Stampar | Python | |
| Damn Vulnerable File Upload - DVFU | Thin Ba Shane (@art0flunam00n) | PHP | |
| Damn Vulnerable Functions as a Service (DVFaaS) | we45 (Abhay Bhargav) | Python, AWS | |
| Damn Vulnerable Node Application - DVNA | Claudio Lacayo | Node.js | |
| Damn Vulnerable NodeJS Application - DVNA | @appsecco | Node.js | Different project from the old DVNA |
| Damn Vulnerable Serverless App (DVSA) | Protego Labs | Node, AWS, Azure | |
| Damn Vulnerable Stateful WebApp | dnet | PHP | |
| Damn Vulnerable Web Application - DVWA | RandomStorm | PHP | |
| Damn Vulnerable Web Services | snoopysecurity | Web Services | |
| Damn Vulnerable Web Services - DVWS | Secure Ideas | PHP | |
| Damn Vulnerable Web Sockets | @appsecco | Web Sockets | |
| DIWA | Tim Steufmehl | PHP, Docker | A Deliberately Insecure Web Application |
| DjangoGoat | Red and Black | Python, Django | |
| Extreme Vulnerable Node Application | vegabird | NodeJS | |
| Gruyere | Google | Python | |
| Hackademic Challenges Project | OWASP | PHP | |
| Hacme Bank | McAfee / Foundstone | .NET | |
| Hacme Bank - Android | McAfee / Foundstone | | |
| Hacme Books | McAfee / Foundstone | Java | |
| Hacme Casino | McAfee / Foundstone | Ruby on Rails | |
| Hacme Shipping | McAfee / Foundstone | ColdFusion | |
| Hacme Travel | McAfee / Foundstone | C++ | |
| insecure-deserialisation-net-poc | Omer Levi Hevroni | .NET, JSON, ysoserial.net | A small webserver vulnerable to insecure deserialization |
| LampSecurity | | PHP | |
| Magical Code Injection Rainbow - MCIR | SpiderLabs | PHP | |
| Marathon | Christian Schneider | Java, Docker | Vulnerable demo application |
| Mutillidae | | PHP | |
| NoSQL Injection Lab | @digininja | PHP, MongoDB | |
| NodeGoat | OWASP | Node.js | |
| NodeVulnerable | cr0hn | Node.js | |
| OWASP Juice Shop | OWASP | JavaScript, Angular, Node.js | |
| Peruggia | | PHP | |
| Pixi | OWASP | Node.js, Swagger | |
| Puzzlemall | | Java | |
| Rails Goat | OWASP | Ruby on Rails | |
| SQL injection test environment | | PHP | SQLmap Project |
| SQLI-labs | | PHP | |
| SQLol | | PHP | |
| SecuriBench | Stanford | Java | |
| SecuriBench Micro | Stanford | Java | |
| Security Shepherd | OWASP | Java | |
| TicketMagpie | | Java | |
| Tiredful API | @payatu | Python, Django | |
| VulnApp | | .NET | |
| Vulnerable Java Web Application | Cyber Security and Privacy Foundation | Java | |
| Vulnerable OTP App | mddanish | PHP, Google OTP | |
| Vulnerable SAML App | yogisec | Python | |
| Vulnerable Web App | Exploit.co.il | | |
| WAVSEP - Web Application Vulnerability Scanner Evaluation Project | Shay Chen | Java | |
| WIVET - Web Input Vector Extractor Teaser | | | |
| WackoPicko | | PHP | |
| WebGoat | OWASP | Java | |
| WebGoatPHP | OWASP | PHP | |
| Xtreme Vulnerable Web Application (XVWA) | @s4n7h0, @samanL33T | PHP, MySQL | |
| bWAPP | | PHP | |
| hackxor | | | First 2 levels online, rest offline |
| play-webgoat | | Java, Scala, Play Framework | |
| twitterlike | Sakti Dwi Cahyono | PHP | |
| vulnerable-api | Matthew Valdes | Python | |

Online

| App. | Author | Technology(ies) | Note(s) |
|---|---|---|---|
| Acuart | Acunetix | PHP | Art shopping |
| Acublog | Acunetix | .NET | Blog |
| Acuforum | Acunetix | ASP | Forum |
| Altoro Mutual | IBM/Watchfire | | (jsmith/Demo1234) |
| AuthLab | digininja (Robin Wood) | Go | |
| BGA Vulnerable BANK App | BGA Security | .NET | |
| CloudGoat | Rhino Security Labs | Python, AWS | |
| Crack Me Bank | Trustwave | | |
| Damn Vulnerable Serverless App (DVSA) | Protego Labs | Node, AWS, Azure | |
| Enigma Group | Enigma Group | | |
| Firing Range | Google | | |
| Gruyere | Google | Python | |
| Hack.me | eLearnSecurity | | Beta |
| HackThis | Luke Ward (0x6C77) | PHP | |
| HackThisSite | HackThisSite | | Basic & Realistic (web) Missions |
| HackYourselfFirst | Troy Hunt | | |
| Hackademic Challenges Project | OWASP | PHP, Joomla | |
| Hackazon | Rapid7 (NTObjectives) | AJAX, JSON, XML, GWT, AMF | |
| Hacker Challenge | PCTechtips | | |
| Hacking Lab | Hacking Lab | | |
| OWASP Juice Shop | OWASP | JavaScript, Angular, Node.js | Demo instance. Do not use for massive attacks/scans! |
| Netsparker Test App .NET | Netsparker | ASP.NET | |
| Netsparker Test App PHP | Netsparker | PHP | |
| OWASP Serverless Goat | OWASP | Node, AWS | |
| Pentester Academy | | | |
| Race The Web | insp3ctre | | |
| Security Tweets | Acunetix | HTML5 | |
| Solyd - Introdução ao Hacking e Pentest | Solyd | PHP, Linux | In Portuguese (Português) - Free online training with free online lab |
| Vicnum Project | | Perl, PHP | |
| Web Scanner Test Site | Rapid7 appspider (was NTOSpider) | AJAX, JSON, XML, PHP, JavaScript, React, Angular, REST, SOAP, Swagger | (testuser/testpass) |
| XSS Test Suite | | | |
| Zero Bank | HP/SpiDynamics | | (admin/admin) |
| hackxor | albinowax | | Web application hacking game via missions, based on real vulnerabilities. |

VM-ISO

| App. | Author | Technology(ies) | Note(s) |
|---|---|---|---|
| (OWASP) Broken Web Applications Project (BWA) | OWASP - Chuck Willis | VMware | |
| BadStore | | ISO | |
| Bee-Box | | VMware | |
| Drunk Admin Web Hacking Challenge | | VMware | |
| Exploit.co.il Vuln Web App | | VMware | |
| GameOver | | VMware | |
| Hackxor | | VMware | |
| Hacme Bank Prebuilt VM | | VMware | |
| Kioptrix4 | | VMware, Hyper-V | |
| LAMPSecurity | | VMware | |
| Metasploitable 2 | | VMware | |
| Metasploitable 3 | | VMware | |
| Moth | | VMware | |
| PHDays I-Bank | | VMware | |
| PentesterLab - The Exercises | | ISO, PDF | |
| Pixi (OWASP) | thedeadrobots | Docker, MEAN Stack | |
| Samurai WTF | | ISO | |
| Sauron | | QEMU | |
| Virtual Hacking Lab | | ZIP | |
| Vulnado | ScaleSec | Java, Docker | Purposely vulnerable Java application to help lead secure coding workshops |
| Web Security Dojo | | VMware, VirtualBox | |
| WordPress CD | ethicalhack3r | VirtualBox | |
| XXE | | VMware | |