OWASP Vulnerable Web Applications Directory
Random App of the Day
| App. URL | Author | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
Sauron |
|
|
|
VWAD
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of known vulnerable web and mobile applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.
The main goal of VWAD is to provide a list of vulnerable applications available to security professionals for hacking, offensive and defensive activities, so that they can manipulate realistic web environments… without going to jail 
The vulnerable web applications have been classified in four categories: Online, Offline, Mobile, and VMs/ISOs. Each list has been ordered alphabetically.
An initial list that inspired this project was maintained till October 2013 here.
A brief description of the OWASP VWAD project is available here.
The associated GitHub repository is available here.
On-line Resources Used
- Web Applications Without Going To Jail
- Vulnerable Web Applications for learning
- OWASP BWA User Guide
Other Vulnerable Web-app Compilations
Mobile
| App. URL | Author | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
AndroGoat
|
satishpatnayak
|
|
|
|
Damn Vulnerable Bank
|
Rewanth Tammana, Akshansh Jaiswal, Hrushikesh Kakade
|
|
|
|
Goatlin
|
Checkmarx
|
|
|
|
MSTG CrackMes
|
OWASP
|
|
|
|
MSTG Hacking Playground
|
OWASP
|
|
|
Offline
| App. URL | Author | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
.NET Goat
|
OWASP
|
|
|
Original main repo: http://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET.
|
Altoro Mutual (AltoroJ)
|
IBM/Watchfire
|
|
Log in with jsmith/demo1234 or admin/admin
|
|
AuthLab
|
digininja (Robin Wood)
|
|
|
|
BodgeIt Store
|
Simon Bennetts (psiinon)
|
|
|
|
|
Bricks |
OWASP |
|
|
|
Broken Crystals
|
NeuraLegion
|
|
|
|
|
Butterfly Security Project |
|
|
Last updated in 2008 |
|
CVWA - Conviso Vulnerable Web Application
|
Conviso AppSec
|
|
|
|
CloudGoat
|
Rhino Security Labs
|
|
|
|
CryptOMG
|
SpiderLabs
|
|
|
|
Cyclone Transfers
|
|
|
|
|
DIWA - Deliberately Insecure Web Application
|
Tim Steufmehl
|
|
A Deliberately Insecure Web Application
|
|
Damn Small Vulnerable Web (DSVW)
|
Miroslav Stampar
|
|
|
|
Damn Vulnerable File Upload - DVFU
|
Thin Ba Shane (@art0flunam00n)
|
|
|
|
Damn Vulnerable Functions as a Service (DVFaaS)
|
we45 (Abhay Bhargav)
|
|
|
|
Damn Vulnerable GraphQL Application (DVGA)
|
Dolev Farhi <[email protected]>, Connor McKinnon
|
|
|
|
Damn Vulnerable Node Application - DVNA
|
Claudio Lacayo
|
|
|
|
Damn Vulnerable NodeJS Application - DVNA
|
@appsecco
|
|
|
Different project from the old DVNA
|
Damn Vulnerable OAuth 2.0 Applications
|
Koen Buyens
|
|
|
A set of vulnerable applications which show Oauth2.0 vulnerabilities.
|
Damn Vulnerable Python Web Application - DVPWA
|
Oleksandr Kovalchuk
|
|
|
|
Damn Vulnerable Serverless App (DVSA)
|
Protego Labs
|
|
|
|
Damn Vulnerable Stateful WebApp
|
dnet
|
|
|
|
Damn Vulnerable Web Application - DVWA
|
RandomStorm
|
|
|
|
Damn Vulnerable Web Services
|
snoopysecurity
|
|
|
|
Damn Vulnerable Web Sockets
|
@appsecco
|
|
|
|
DjangoGoat
|
Red and Black
|
|
|
|
EasyBuggy
|
Kohei Tamura
|
|
|
|
Extreme Vulnerable Node Application
|
vegabird
|
|
|
|
Generic-University
|
Katie Paxton-Fear 
|
|
|
|
Goof
|
Snyk
|
|
online - via Heroku deploy
|
|
|
Gruyere |
Google |
|
|
|
Hackademic Challenges Project
|
OWASP
|
|
|
|
|
Hacme Bank |
McAfee / Foundstone |
|
|
|
|
Hacme Bank - Android |
McAfee / Foundstone |
|
|
|
|
Hacme Books |
McAfee / Foundstone |
|
|
|
|
Hacme Casino |
McAfee / Foundstone |
|
|
|
|
Hacme Shipping |
McAfee / Foundstone |
|
|
|
|
Hacme Travel |
McAfee / Foundstone |
|
|
|
Hammer
|
iknowjason
|
|
Includes manual build and docker options.
|
|
|
LAMPSecurity |
|
|
|
|
Magical Code Injection Rainbow - MCIR
|
SpiderLabs
|
|
|
|
Marathon
|
Christian Schneider
|
|
|
Vulnerable demo application
|
Mutillidae
|
|
|
|
|
NoSQL Injection Lab
|
@digininja
|
|
|
|
NoSQL Injection Vulnerable App (NIVA)
|
Anton Abashkin
|
|
|
|
NodeGoat
|
OWASP
|
|
|
|
NodeVulnerable
|
cr0hn
|
|
|
|
|
OWASP Damn Vulnerable Web Sockets (DVWS)
|
Abhineet Jayaraj (@xploresec)
|
|
|
|
OWASP Juice Shop
|
OWASP
|
|
|
|
OWASP SKF Labs
|
[email protected] and [email protected]
|
|
You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs.
|
|
OWASP VulnerableApp
|
Karan Preet Singh Sasan
|
|
|
|
OWASP VulnerableApp-facade
|
Karan Preet Singh Sasan
|
|
|
|
|
Peruggia |
|
|
|
|
Pixi
|
OWASP
|
|
|
|
|
Puzzlemall |
|
|
|
|
PyGoat
|
Ade Yoseman
|
|
|
|
Rails Goat
|
OWASP
|
|
|
|
SQL injection test environment
|
|
|
|
SQLmap Project
|
SQLI-labs
|
|
|
|
|
SQLol
|
|
|
|
|
SSRF Vuln Lab
|
incredibleindishell, Mohammed Farhan
|
|
|
|
SecDevLabs
|
Globo
|
|
Repository with many intentionally vulnerable web applications. Includes attack narratives and docker options for each app.
|
|
Security Shepherd
|
OWASP
|
|
|
|
TicketMagpie
|
|
|
|
|
Tiredful API
|
@payatu
|
|
|
|
UnSAFE Bank
|
lucideus
|
|
|
Web, Android and iOS application
|
Varnish HTTP/2 Request Smuggling
|
Detectify
|
|
A docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling, presented by Albinowax at Blackhat/Defcon 2021.
|
|
VulnLab
|
Yavuzlar (siberyavuzlar.com)
|
|
|
A web vulnerability lab project developed by Yavuzlar.
|
Vulnerable Java Web Application
|
Cyber Security and Privacy Foundation
|
|
|
|
Vulnerable Node Express
|
Zachary Conger
|
|
|
SQLi and XSS
|
Vulnerable OTP App
|
mddanish
|
|
|
|
Vulnerable SAML App
|
yogisec
|
|
|
|
VulnerableXsltConsoleApplication
|
Context Information Security
|
|
|
This is a console app, however it relates to an issues that is relevant to web apps: use of XSLT transforms for XML files.
|
WAVSEP - Web Application Vulnerability Scanner Evaluation Project
|
Shay Chen
|
|
|
|
|
WIVET- Web Input Vector Extractor Teaser |
|
|
|
|
WackoPicko
|
|
|
|
|
WebGoat
|
OWASP
|
|
|
|
WebGoatPHP
|
OWASP
|
|
|
|
WrongSecrets
|
Jeroen Willemsen (@commjoen), Ben de Haan (@bendehaan), Nanne Baars (@nbaars)
|
|
OWASP WrongSecrets is a vulnerable app used to show how to not use secrets.
|
|
XXE Lab
|
Joshua Barone
|
|
|
|
Xtreme Vulnerable Web Application (XVWA)
|
@s4n7h0, @samanL33T
|
|
|
|
|
bWAPP |
|
|
|
|
crAPI
|
Paulo Silva
|
|
|
|
dvws-node
|
@snoopysecurity
|
|
|
|
|
hackxor |
albinowax |
|
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities. |
|
insecure-deserialisation-net-poc
|
Omer Levi Hevroni
|
|
|
A small webserver vulnerable to insecure deserialization
|
jwtdemo
|
Sjoerd Langkemper (Sjord)
|
|
Practice hacking JWT tokens.
|
|
play-webgoat
|
|
|
|
|
twitterlike
|
Sakti Dwi Cahyono
|
|
|
|
vAPI
|
Tushar Kulkarni
|
|
vAPI is a Vulnerable Interface that demonstrates the OWASP API Top 10 vulnerabilities in the means of exercises
|
|
vulnerable-api
|
Matthew Valdes
|
|
|
|
websheep
|
Younes Jaaidi (yjaaidi)
|
|
Websheep is an app based on a willingly vulnerable ReSTful APIs.
|
Online
| App. URL | Author | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
Acuart |
Acunetix |
|
|
Art shopping |
|
Altoro Mutual (AltoroJ)
|
IBM/Watchfire
|
|
Log in with jsmith/demo1234 or admin/admin
|
|
|
AuthLab
|
digininja (Robin Wood)
|
|
|
|
|
BGA Vulnerable BANK App |
BGA Security |
|
|
|
|
Broken Crystals
|
NeuraLegion
|
|
|
|
|
CTFLearn |
@ctflearn |
|
|
|
|
CloudGoat
|
Rhino Security Labs
|
|
|
|
Cyber Scavenger Hunt
|
Arthur Kay
|
|
A simple scavenger hunt to learn about pentesting a website or web application.
|
|
|
Damn Vulnerable Serverless App (DVSA)
|
Protego Labs
|
|
|
|
|
Defend the Web |
Luke [flabbyrabbit] |
|
|
Formerly HackThis |
Firing Range
|
Google
|
|
|
|
|
Game of Hacks |
Checkmarx |
|
|
|
|
Gin & Juice Shop |
PortSwigger |
|
A hosted always-online demo app with realistic technologies. |
|
|
Goof
|
Snyk
|
|
online - via Heroku deploy
|
|
|
Gruyere |
Google |
|
|
|
|
Hack.me |
eLearnSecurity |
|
|
Beta |
HackThis
|
Luke Ward (0x6C77)
|
|
|
|
|
HackThisSite |
HackThisSite Staff |
|
|
Always-on CTF challenges including Basic, Realistic, Application, Steganography, and many others. |
|
HackXpert |
theXSSrat |
|
|
|
|
HackXpert - OWASP API Top 10 2019 |
theXSSrat |
|
|
Labs specific to the 2019 OWASP API Top 10. |
|
HackYourselfFirst |
Troy Hunt |
|
|
|
|
Hackademic Challenges Project
|
OWASP
|
|
|
|
Hackazon
|
Rapid7 (NTObjectives)
|
|
|
|
|
Hacking Lab |
Hacking Lab |
|
|
|
|
Netsparker Test App .NET |
Netsparker |
|
|
|
|
Netsparker Test App PHP |
Netsparker |
|
|
|
|
OWASP Juice Shop
|
OWASP
|
|
|
|
|
OWASP SKF Labs
|
[email protected] and [email protected]
|
|
You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs.
|
|
OWASP Serverless Goat
|
OWASP
|
|
|
|
|
Pentester Academy |
|
|
|
|
|
PyGoat
|
Ade Yoseman
|
|
|
|
Race The Web
|
insp3ctre
|
|
|
|
|
Security Tweets |
Acunetix |
|
|
HTML5 |
|
Solyd - Introdução ao Hacking e Pentest |
Solyd |
|
|
In Portuguese (Português) - Free online trainning with free online lab |
|
Web Scanner Test Site |
Rapid7 appspider (was NTOSpider) |
|
|
(testuser/testpass) |
|
XSS Test Suite |
|
|
|
|
|
Zero Bank |
Micro Focus Fortify (was HP/SpiDynamics) |
|
|
(username/password) |
|
hackxor |
albinowax |
|
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities. |
VM-ISO
| App. URL | Author | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
Bee-Box |
|
|
|
|
|
BodgeIt Store
|
Simon Bennetts (psiinon)
|
|
|
|
|
Broken Web Applications Project (BWA) - OWASP |
OWASP - Chuck Willis |
|
|
|
|
DIWA - Deliberately Insecure Web Application
|
Tim Steufmehl
|
|
A Deliberately Insecure Web Application
|
|
|
Damn Vulnerable GraphQL Application (DVGA)
|
Dolev Farhi <[email protected]>, Connor McKinnon
|
|
|
|
|
Exploit.co.il Vuln Web App |
|
|
|
|
|
GameOver |
|
|
|
|
|
Generic-University
|
Katie Paxton-Fear
|
|
|
|
|
Goof
|
Snyk
|
|
online - via Heroku deploy
|
|
|
Hackxor |
|
|
|
|
|
LAMPSecurity |
|
|
|
|
Log4Shell sample vulnerable application
|
Christophe Tafani-Dereeper, Gerard Arall, rayhan0x01 Rayhan Ahmed
|
|
|
CVE-2021-44228
|
|
Metasploitable 2 |
|
|
|
|
Metasploitable 3
|
|
|
|
|
|
Moth |
|
|
|
|
|
NoSQL Injection Vulnerable App (NIVA)
|
Anton Abashkin
|
|
|
|
|
OWASP Juice Shop
|
OWASP
|
|
|
|
|
PentesterLab - The Exercises |
|
|
|
|
|
Pixi
|
OWASP
|
|
|
|
|
PyGoat
|
Ade Yoseman
|
|
|
|
|
Samurai WTF |
|
|
|
|
|
Sauron |
|
|
|
|
Security Labs & POCs
|
DataDog
|
|
|
|
VAmPI
|
erev0s
|
|
|
|
|
Virtual Hacking Lab |
|
|
|
|
Vulnado
|
ScaleSec
|
|
|
Purposely vulnerable Java application to help lead secure coding workshops
|
|
Web Security Dojo |
|
|
|
|
|
XXE |
|
|
|
|
|
XXE Lab
|
Joshua Barone
|
|
|
|
|
crAPI
|
Paulo Silva
|
|
|
|
|
dvws-node
|
@snoopysecurity
|
|
|