OWASP Vulnerable Web Applications Directory

Random App of the Day

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
Enigma Group	Enigma Group

VWAD

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of known vulnerable web and mobile applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable applications available to security professionals for hacking, offensive and defensive activities, so that they can manipulate realistic web environments… without going to jail

The vulnerable web applications have been classified in four categories: Online, Offline, Mobile, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till October 2013 here.

A brief description of the OWASP VWAD project is available here.

The associated GitHub repository is available here.

Open Hub Stats

On-line Resources Used

Other Vulnerable Web-app Compilations

Penetration Testing Practice Labs - Vulnerable Apps/Systems

Mobile

App. URL	Author	Reference(s)	Technology(ies)
AndroGoat	satishpatnayak	Download	Kotlin Android
Damn Vulnerable Bank	Rewanth Tammana, Akshansh Jaiswal, Hrushikesh Kakade	Guide	android
Goatlin	Checkmarx	Guide	Kotlin Android API REST
MSTG CrackMes	OWASP
MSTG Hacking Playground	OWASP	Guide

Offline

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
.NET Goat	OWASP		C#	Original main repo: http://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET.
Altoro Mutual (AltoroJ)	IBM/Watchfire	Download	J2EE	Log in with jsmith/demo1234 or admin/admin
AuthLab	digininja (Robin Wood)	Guide Live	GO
BodgeIt Store	Simon Bennetts (psiinon)	Download Docker	Java
Bricks	OWASP	Download Guide	PHP
Broken Crystals	NeuraLegion	Live	react Node Swagger
Butterfly Security Project		Download	PHP	Last updated in 2008
CloudGoat	Rhino Security Labs	Guide Announcement	Python AWS
CryptOMG	SpiderLabs	Download	PHP
Cyclone Transfers			Ruby on Rails
DIWA - Deliberately Insecure Web Application	Tim Steufmehl	Guide	PHP Docker	A Deliberately Insecure Web Application
Damn Small Vulnerable Web (DSVW)	Miroslav Stampar		Python
Damn Vulnerable File Upload - DVFU	Thin Ba Shane (@art0flunam00n)		PHP
Damn Vulnerable Functions as a Service (DVFaaS)	we45 (Abhay Bhargav)	Guide	Python AWS
Damn Vulnerable GraphQL Application (DVGA)	Dolev Farhi <[email protected]>, Connor McKinnon		Python HTML Javascript GraphQL SQLAlchemy docker
Damn Vulnerable Node Application - DVNA	Claudio Lacayo		Node.js
Damn Vulnerable NodeJS Application - DVNA	@appsecco		Node.js	Different project from the old DVNA
Damn Vulnerable OAuth 2.0 Applications	Koen Buyens		MEAN Docker OAuth 2.0	A set of vulnerable applications which show Oauth2.0 vulnerabilities.
Damn Vulnerable Python Web Application - DVPWA	Oleksandr Kovalchuk		Python Docker
Damn Vulnerable Serverless App (DVSA)	Protego Labs	Guide	Node AWS Azure
Damn Vulnerable Stateful WebApp	dnet	Download	PHP
Damn Vulnerable Web Application - DVWA	RandomStorm	Download	PHP
Damn Vulnerable Web Services	snoopysecurity		Web Services
Damn Vulnerable Web Sockets	@appsecco		Web Sockets
DjangoGoat	Red and Black		Python Django
EasyBuggy	Kohei Tamura	Download Guide	Java
Extreme Vulnerable Node Application	vegabird	Download	NodeJS
Generic-University	Katie Paxton-Fear		PHP docker API GraphQL MySQL Laravel
Goof	Snyk	Guide Guide	NodeJS	online - via Heroku deploy
Gruyere	Google	Download Live	Python
Hackademic Challenges Project	OWASP	Download Live	PHP Joomla
Hacme Bank	McAfee / Foundstone	Download	.NET
Hacme Bank - Android	McAfee / Foundstone
Hacme Books	McAfee / Foundstone	Download	Java
Hacme Casino	McAfee / Foundstone	Download	Ruby on Rails
Hacme Shipping	McAfee / Foundstone	Download	ColdFusion
Hacme Travel	McAfee / Foundstone	Download	C++
Hammer	iknowjason	Download Live	Ruby on Rails	Includes manual build and docker options.
LAMPSecurity		Download	VMware PHP
Magical Code Injection Rainbow - MCIR	SpiderLabs		PHP
Marathon	Christian Schneider		JAVA Docker	Vulnerable demo application
Mutillidae		Download	PHP
NoSQL Injection Lab	@digininja	Download	PHP MongoDB
NodeGoat	OWASP	Download	Node.js
NodeVulnerable	cr0hn		Node.js
OWASP Damn Vulnerable Web Sockets (DVWS)	Abhineet Jayaraj (@xploresec)		PHP HTML Javascript WebSockets
OWASP Juice Shop	OWASP	Download Docker Guide Demo Preview	TypeScript JavaScript Angular Node.js
OWASP SKF Labs	[email protected] and [email protected]	Demo Guide	Python HTML Javascript GraphQL Ruby	You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs.
OWASP VulnerableApp	Karan Preet Singh Sasan	Docker Download	Java Javascript Spring-Boot
OWASP VulnerableApp-facade	Karan Preet Singh Sasan	Docker Download	Typescript Javascript Docker
Peruggia		Download	PHP
Pixi	OWASP	Download Download Guide Guide	Node.js Swagger docker
Puzzlemall		Download	Java
PyGoat	Ade Yoseman	Guide Docker Download Live	Python
Rails Goat	OWASP	Download Downloads	Ruby on Rails
SQL injection test environment			PHP	SQLmap Project
SQLI-labs		Download Guide	PHP
SQLol		Download	PHP
SSRF Vuln Lab	incredibleindishell, Mohammed Farhan	Docker	PHP
SecDevLabs	Globo	Guide	Go NodeJS Python PHP React Angular/Spring Dart/Flutter	Repository with many intentionally vulnerable web applications. Includes attack narratives and docker options for each app.
Security Shepherd	OWASP	Download	Java
TicketMagpie		Download	Java
Tiredful API	@payatu	Download	Python Django
UnSAFE Bank	lucideus		Docker	Web, Android and iOS application
Varnish HTTP/2 Request Smuggling	Detectify	Announcement	Varnish HTTP/2	A docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling, presented by Albinowax at Blackhat/Defcon 2021.
VulnLab	Yavuzlar (siberyavuzlar.com)		PHP Docker	A web vulnerability lab project developed by Yavuzlar.
Vulnerable Java Web Application	Cyber Security and Privacy Foundation		Java
Vulnerable Node Express	Zachary Conger		Node.js Express	SQLi and XSS
Vulnerable OTP App	mddanish		PHP Google OTP
Vulnerable SAML App	yogisec		Python
VulnerableXsltConsoleApplication	Context Information Security		.Net	This is a console app, however it relates to an issues that is relevant to web apps: use of XSLT transforms for XML files.
WAVSEP - Web Application Vulnerability Scanner Evaluation Project	Shay Chen	Download Downloads Downloads	Java
WIVET- Web Input Vector Extractor Teaser		Download Downloads
WackoPicko		Download	PHP
WebGoat	OWASP	Download Guide Docker	Java
WebGoatPHP	OWASP	Download Downloads	PHP
WrongSecrets	Jeroen Willemsen (@commjoen), Ben de Haan (@bendehaan), Nanne Baars (@nbaars)	Download	JavaScript Java Hashicorp Vault Kubernetes Docker AWS GCP	OWASP WrongSecrets is a vulnerable app used to show how to not use secrets.
XXE Lab	Joshua Barone		docker vagrant
Xtreme Vulnerable Web Application (XVWA)	@s4n7h0, @samanL33T	Download	PHP MySQL
bWAPP		Download Guide	PHP
dvws-node	@snoopysecurity	Guide	Web Services NodeJS
hackxor	albinowax	Live		First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.
insecure-deserialisation-net-poc	Omer Levi Hevroni		.NET JSON yoserial.NET	A small webserver vulnerable to insecure deserialization
jwtdemo	Sjoerd Langkemper (Sjord)	Guide	PHP	Practice hacking JWT tokens.
play-webgoat			Java Scala Play Framework
twitterlike	Sakti Dwi Cahyono	Download	PHP
vAPI	Tushar Kulkarni	Guide Docker	PHP	vAPI is a Vulnerable Interface that demonstrates the OWASP API Top 10 vulnerabilities in the means of exercises
vulnerable-api	Matthew Valdes	Download	Python
websheep	Younes Jaaidi (yjaaidi)	Guide	Angular JavaScript Node	Websheep is an app based on a willingly vulnerable ReSTful APIs.

Online

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
Acuart	Acunetix		PHP	Art shopping
Altoro Mutual (AltoroJ)	IBM/Watchfire	Download	J2EE	Log in with jsmith/demo1234 or admin/admin
AuthLab	digininja (Robin Wood)	Guide Live	GO
BGA Vulnerable BANK App	BGA Security		.NET
Broken Crystals	NeuraLegion	Live	react Node Swagger
CTFLearn	@ctflearn
CloudGoat	Rhino Security Labs	Guide Announcement	Python AWS
Cyber Scavenger Hunt	Arthur Kay	Download	Javacript React	A simple scavenger hunt to learn about pentesting a website or web application.
Damn Vulnerable Serverless App (DVSA)	Protego Labs	Guide	Node AWS Azure
Defend the Web	Luke [flabbyrabbit]			Formerly HackThis
Enigma Group	Enigma Group
Firing Range	Google	Download
Game of Hacks	Checkmarx		Node Express.js
Goof	Snyk	Guide Guide	NodeJS	online - via Heroku deploy
Gruyere	Google	Download Live	Python
Hack.me	eLearnSecurity			Beta
HackThis	Luke Ward (0x6C77)	Download	PHP
HackThisSite	HackThisSite Staff		PHP Perl JavaScript API Binaries	Always-on CTF challenges including Basic, Realistic, Application, Steganography, and many others.
HackXpert	theXSSrat	Guide	PHP
HackXpert - OWASP API Top 10 2019	theXSSrat		PHP API	Labs specific to the 2019 OWASP API Top 10.
HackYourselfFirst	Troy Hunt	Guide
Hackademic Challenges Project	OWASP	Download Live	PHP Joomla
Hackazon	Rapid7 (NTObjectives)	Download Guide Guide Guide	AJAX JSON XML GwT AMF
Hacking Lab	Hacking Lab
Netsparker Test App .NET	Netsparker		ASP.NET
Netsparker Test App PHP	Netsparker		PHP
OWASP Juice Shop	OWASP	Download Docker Guide Demo Preview	TypeScript JavaScript Angular Node.js
OWASP SKF Labs	[email protected] and [email protected]	Demo Guide	Python HTML Javascript GraphQL Ruby	You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs.
OWASP Serverless Goat	OWASP	Guide Live	Node AWS
Pentester Academy
PyGoat	Ade Yoseman	Guide Docker Download Live	Python
Race The Web	insp3ctre	Download
Security Tweets	Acunetix			HTML5
Solyd - Introdução ao Hacking e Pentest	Solyd		PHP Linux	In Portuguese (Português) - Free online trainning with free online lab
Web Scanner Test Site	Rapid7 appspider (was NTOSpider)		AJAX JSON XML PHP Javacript React Angular REST SOAP Swagger	(testuser/testpass)
XSS Test Suite
Zero Bank	Micro Focus Fortify (was HP/SpiDynamics)			(username/password)
hackxor	albinowax	Live		First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.

VM-ISO

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
Bee-Box			VMware
BodgeIt Store	Simon Bennetts (psiinon)	Download Docker	Java
Broken Web Applications Project (BWA) - OWASP	OWASP - Chuck Willis	Download Download	VMware
DIWA - Deliberately Insecure Web Application	Tim Steufmehl	Guide	PHP Docker	A Deliberately Insecure Web Application
Damn Vulnerable GraphQL Application (DVGA)	Dolev Farhi <[email protected]>, Connor McKinnon		Python HTML Javascript GraphQL SQLAlchemy docker
Exploit.co.il Vuln Web App		Download	VMware
GameOver		Download	VMware
Generic-University	Katie Paxton-Fear		PHP docker API GraphQL MySQL Laravel
Goof	Snyk	Guide Guide	NodeJS	online - via Heroku deploy
Hackxor		Download Guide	VMware
LAMPSecurity		Download	VMware PHP
Log4Shell sample vulnerable application	Christophe Tafani-Dereeper, Gerard Arall, rayhan0x01 Rayhan Ahmed		Spring Boot Log4j Java	CVE-2021-44228
Metasploitable 2		Download	VMware
Metasploitable 3		Download	VMware
Moth		Download	VMware
OWASP Juice Shop	OWASP	Download Docker Guide Demo Preview	TypeScript JavaScript Angular Node.js
PentesterLab - The Exercises			ISO PDF
Pixi	OWASP	Download Download Guide Guide	Node.js Swagger docker
PyGoat	Ade Yoseman	Guide Docker Download Live	Python
Samurai WTF		Download	ISO
Sauron		Download	Quemu
VAmPI	erev0s	Guide Announcement	python docker OpenAPI
Virtual Hacking Lab		Download	ZIP
Vulnado	ScaleSec		Java Docker	Purposely vulnerable Java application to help lead secure coding workshops
Web Security Dojo		Download	VMware VirtualBox
XXE		Download	VMware
XXE Lab	Joshua Barone		docker vagrant