OWASP Vulnerable Web Applications Directory

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well-maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put their knowledge and skills into practice during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments… without going to jail :)

The vulnerable web applications have been classified in three categories: Online, Offline, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till October 2013 here.

A brief description of the OWASP VWAD project is available here.

The associated GitHub repository is available here.

Offline

App. URL | Author | Reference(s) | Technology(ies) | Note(s)
.NET Goat OWASP
  • C#
Original main repo: http://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET.
AuthLab digininja (Robin Wood)
  • Go
BadStore
  • Perl(CGI)
BodgeIt Store Simon Bennetts (psiinon)
  • Java
Bricks OWASP
  • PHP
Butterfly Security Project
  • PHP
Last updated in 2008
CloudGoat Rhino Security Labs
  • Python
CryptOMG SpiderLabs
  • PHP
Cyclone Transfers
  • Ruby on Rails
Damn Small Vulnerable Web (DSVW) Miroslav Stampar
  • Python
Damn Vulnerable File Upload - DVFU Thin Ba Shane (@art0flunam00n)
  • PHP
Damn Vulnerable Functions as a Service (DVFaaS) we45 (Abhay Bhargav)
  • Python
  • AWS
Damn Vulnerable Node Application - DVNA Claudio Lacayo
  • Node.js
Damn Vulnerable NodeJS Application - DVNA @appsecco
  • Node.js
Different project from the old DVNA
Damn Vulnerable Serverless App (DVSA) Protego Labs
  • Node
  • AWS
  • Azure
Damn Vulnerable Stateful WebApp dnet
  • PHP
Damn Vulnerable Web Application - DVWA RandomStorm
  • PHP
Damn Vulnerable Web Services snoopysecurity
  • Web Services
Damn Vulnerable Web Services - DVWS Secure Ideas
  • PHP
Damn Vulnerable Web Sockets @appsecco
  • Web Sockets
DIWA Tim Steufmehl
  • PHP
  • Docker
A Deliberately Insecure Web Application
DjangoGoat Red and Black
  • Python
  • Django
Extreme Vulnerable Node Application vegabird
  • NodeJS
Gruyere Google
  • Python
Hackademic Challenges Project OWASP
  • PHP
Hacme Bank McAfee / Foundstone
  • .NET
Hacme Bank - Android McAfee / Foundstone
Hacme Books McAfee / Foundstone
  • Java
Hacme Casino McAfee / Foundstone
  • Ruby on Rails
Hacme Shipping McAfee / Foundstone
  • ColdFusion
Hacme Travel McAfee / Foundstone
  • C++
insecure-deserialisation-net-poc Omer Levi Hevroni
  • .NET
  • JSON
  • ysoserial.net
A small webserver vulnerable to insecure deserialization
LampSecurity
  • PHP
Magical Code Injection Rainbow - MCIR SpiderLabs
  • PHP
Marathon Christian Schneider
  • Java
  • Docker
Vulnerable demo application
Mutillidae
  • PHP
NoSQL Injection Lab @digininja
  • PHP
  • MongoDB
NodeGoat OWASP
  • Node.js
NodeVulnerable cr0hn
  • Node.js
OWASP Juice Shop OWASP
  • JavaScript
  • Angular
  • Node.js
Peruggia
  • PHP
Pixi OWASP
  • Node.js
  • Swagger
Puzzlemall
  • Java
Rails Goat OWASP
  • Ruby on Rails
SQL injection test environment
  • PHP
SQLmap Project
SQLI-labs
  • PHP
SQLol
  • PHP
SecuriBench Stanford
  • Java
SecuriBench Micro Stanford
  • Java
Security Shepherd OWASP
  • Java
TicketMagpie
  • Java
Tiredful API @payatu
  • Python
  • Django
VulnApp
  • .NET
Vulnerable Java Web Application Cyber Security and Privacy Foundation
  • Java
Vulnerable OTP App mddanish
  • PHP
  • Google OTP
Vulnerable SAML App yogisec
  • Python
Vulnerable Web App Exploit.co.il
WAVSEP - Web Application Vulnerability Scanner Evaluation Project Shay Chen
  • Java
WIVET - Web Input Vector Extractor Teaser
WackoPicko
  • PHP
WebGoat OWASP
  • Java
WebGoatPHP OWASP
  • PHP
Xtreme Vulnerable Web Application (XVWA) @s4n7h0, @samanL33T
  • PHP
  • MySQL
bWAPP
  • PHP
hackxor First 2 levels online, rest offline
play-webgoat
  • Java
  • Scala
  • Play Framework
twitterlike Sakti Dwi Cahyono
  • PHP
vulnerable-api Matthew Valdes
  • Python

Online

App. URL | Author | Reference(s) | Technology(ies) | Note(s)
Acuart Acunetix
  • PHP
Art shopping
Acublog Acunetix
  • .NET
Blog
Acuforum Acunetix
  • ASP
Forum
Altoro Mutual IBM/Watchfire (jsmith/Demo1234)
AuthLab digininja (Robin Wood)
  • Go
BGA Vulnerable BANK App BGA Security
  • .NET
CloudGoat Rhino Security Labs
  • Python
  • AWS
Crack Me Bank Trustwave
Damn Vulnerable Serverless App (DVSA) Protego Labs
  • Node
  • AWS
  • Azure
Enigma Group Enigma Group
Firing Range Google
Gruyere Google
  • Python
Hack.me eLearnSecurity Beta
HackThis Luke Ward (0x6C77)
  • PHP
HackThisSite HackThisSite Basic & Realistic (web) Missions
HackYourselfFirst Troy Hunt
Hackademic Challenges Project OWASP
  • PHP
  • Joomla
Hackazon Rapid7 (NTObjectives)
  • AJAX
  • JSON
  • XML
  • GWT
  • AMF
Hacker Challenge PCTechtips
Hacking Lab Hacking Lab
OWASP Juice Shop OWASP
  • JavaScript
  • Angular
  • Node.js
Demo instance. Do not use for massive attacks/scans!
Netsparker Test App .NET Netsparker
  • ASP.NET
Netsparker Test App PHP Netsparker
  • PHP
OWASP Serverless Goat OWASP
  • Node
  • AWS
Pentester Academy
Race The Web insp3ctre
Security Tweets Acunetix HTML5
Solyd - Introdução ao Hacking e Pentest Solyd
  • PHP
  • Linux
In Portuguese (Português) - Free online training with free online lab
Vicnum Project
  • Perl
  • PHP
Web Scanner Test Site Rapid7 appspider (was NTOSpider)
  • AJAX
  • JSON
  • XML
  • PHP
  • JavaScript
  • React
  • Angular
  • REST
  • SOAP
  • Swagger
(testuser/testpass)
XSS Test Suite
Zero Bank HP/SpiDynamics (admin/admin)
hackxor albinowax Web application hacking game via missions, based on real vulnerabilities.

VM-ISO

App. URL | Author | Reference(s) | Technology(ies) | Note(s)
(OWASP) Broken Web Applications Project (BWA) OWASP - Chuck Willis
  • VMware
BadStore
  • ISO
Bee-Box
  • VMware
Drunk Admin Web Hacking Challenge
  • VMware
Exploit.co.il Vuln Web App
  • VMware
GameOver
  • VMware
Hackxor
  • VMware
Hacme Bank Prebuilt VM
  • VMware
Kioptrix4
  • VMware
  • Hyper-V
LAMPSecurity
  • VMware
Metasploitable 2
  • VMware
Metasploitable 3
  • VMware
Moth
  • VMware
PHDays I-Bank
  • VMware
PentesterLab - The Exercises
  • ISO
  • PDF
Pixi (OWASP) thedeadrobots
  • Docker
  • MEAN Stack
Samurai WTF
  • ISO
Sauron
  • QEMU
Virtual Hacking Lab
  • ZIP
Vulnado ScaleSec
  • Java
  • Docker
Purposely vulnerable Java application to help lead secure coding workshops
Web Security Dojo
  • VMware
  • VirtualBox
WordPress CD ethicalhack3r
  • VirtualBox
XXE
  • VMware