OWASP Vulnerable Web Applications Directory

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put in practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments… without going to jail :)

The vulnerable web applications have been classified in three categories: Online, Offline, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till October 2013 here.

A brief description of the OWASP VWAD project is available here.

The associated GitHub repository is available here.

Open Hub Stats

On-line Resources Used

Other Vulnerable Web-app Compilations

Penetration Testing Practice Labs - Vulnerable Apps/Systems

Mobile

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
AndroGoat	satishpatnayak	Download	Kotlin Android

Offline

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
.NET Goat	OWASP		C#	Original main repo: http://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET.
AltoroJ	HCL Technologies		J2EE	Source code of Altoro Mutual
AuthLab	digininja (Robin Wood)	Guide	GO
BodgeIt Store	Simon Bennetts (psiinon)	Download Docker	Java
Bricks	OWASP	Download Guide	PHP
Broken Crystals	NeuraLegion	Live	react Node Swagger
Butterfly Security Project		Download	PHP	Last updated in 2008
CloudGoat	Rhino Security Labs	Guide	Python
CryptOMG	SpiderLabs	Download	PHP
Cyclone Transfers			Ruby on Rails
DIWA	Tim Steufmehl	Guide	PHP Docker	A Deliberately Insecure Web Application
Damn Small Vulnerable Web (DSVW)	Miroslav Stampar		Python
Damn Vulnerable File Upload - DVFU	Thin Ba Shane (@art0flunam00n)		PHP
Damn Vulnerable Functions as a Service (DVFaaS)	we45 (Abhay Bhargav)	Guide	Python AWS
Damn Vulnerable GraphQL Application (DVGA)	Dolev Farhi <[email protected]>, Connor McKinnon		Python HTML Javascript GraphQL SQLAlchemy
Damn Vulnerable Node Application - DVNA	Claudio Lacayo		Node.js
Damn Vulnerable NodeJS Application - DVNA	@appsecco		Node.js	Different project from the old DVNA
Damn Vulnerable Python Web Application - DVPWA	Oleksandr Kovalchuk		Python Docker
Damn Vulnerable Serverless App (DVSA)	Protego Labs	Guide	Node AWS Azure
Damn Vulnerable Stateful WebApp	dnet	Download	PHP
Damn Vulnerable Web Application - DVWA	RandomStorm	Download	PHP
Damn Vulnerable Web Services	snoopysecurity		Web Services
Damn Vulnerable Web Sockets	@appsecco		Web Sockets
DjangoGoat	Red and Black		Python Django
EasyBuggy	Kohei Tamura	Download Guide	Java
Extreme Vulnerable Node Application	vegabird	Download	NodeJS
Gruyere	Google	Download	Python
Hackademic Challenges Project	OWASP	Download	PHP
Hacme Bank	McAfee / Foundstone	Download	.NET
Hacme Bank - Android	McAfee / Foundstone
Hacme Books	McAfee / Foundstone	Download	Java
Hacme Casino	McAfee / Foundstone	Download	Ruby on Rails
Hacme Shipping	McAfee / Foundstone	Download	ColdFusion
Hacme Travel	McAfee / Foundstone	Download	C++
Hammer	iknowjason	Download Live	Ruby on Rails	Includes manual build and docker options.
LampSecurity			PHP
Magical Code Injection Rainbow - MCIR	SpiderLabs		PHP
Marathon	Christian Schneider		JAVA Docker	Vulnerable demo application
Mutillidae		Download	PHP
NoSQL Injection Lab	@digininja	Download	PHP MongoDB
NodeGoat	OWASP	Download	Node.js
NodeVulnerable	cr0hn		Node.js
OWASP Juice Shop	OWASP	Download Docker Guide	Javascript Angular Node.js
OWASP VulnerableApp	Karan Preet Singh Sasan	Docker Download	Java Javascript Spring-Boot
Peruggia		Download	PHP
Pixi	OWASP	Download	Node.js Swagger docker
Puzzlemall		Download	Java
Rails Goat	OWASP	Download Downloads	Ruby on Rails
SQL injection test environment			PHP	SQLmap Project
SQLI-labs		Download Guide	PHP
SQLol		Download	PHP
SecDevLabs	Globo	Guide	Go NodeJS Python PHP React Angular/Spring Dart/Flutter	Repository with many intentionally vulnerable web applications. Includes attack narratives and docker options for each app.
Security Shepherd	OWASP	Download	Java
TicketMagpie		Download	Java
Tiredful API	@payatu	Download	Python Django
UnSAFE Bank	lucideus		Docker	Web, Android and iOS application
Vulnerable Java Web Application	Cyber Security and Privacy Foundation		Java
Vulnerable OTP App	mddanish		PHP Google OTP
Vulnerable SAML App	yogisec		Python
VulnerableXsltConsoleApplication	Context Information Security		.Net	This is a console app, however it relates to an issues that is relevant to web apps: use of XSLT transforms for XML files.
WAVSEP - Web Application Vulnerability Scanner Evaluation Project	Shay Chen	Download Downloads Downloads	Java
WIVET- Web Input Vector Extractor Teaser		Download Downloads
WackoPicko		Download	PHP
WebGoat	OWASP	Download Guide Docker	Java
WebGoatPHP	OWASP	Download Downloads	PHP
Xtreme Vulnerable Web Application (XVWA)	@s4n7h0, @samanL33T	Download	PHP MySQL
bWAPP		Download Guide	PHP
dvws-node	@snoopysecurity	Guide	Web Services NodeJS
hackxor				First 2 levels online, rest offline
insecure-deserialisation-net-poc	Omer Levi Hevroni		.NET JSON yoserial.NET	A small webserver vulnerable to insecure deserialization
jwtdemo	Sjoerd Langkemper (Sjord)	Guide	PHP	Practice hacking JWT tokens.
play-webgoat			Java Scala Play Framework
skf-labs	[email protected] and [email protected]	Guide	Python HTML Javascript GraphQL Ruby	Check the guide URL here you find how to pull the Docker images and run them locally.
twitterlike	Sakti Dwi Cahyono	Download	PHP
vulnerable-api	Matthew Valdes	Download	Python
websheep	Younes Jaaidi (yjaaidi)	Guide	Angular JavaScript Node	Websheep is an app based on a willingly vulnerable ReSTful APIs.
wrongsecrets	Jeroen Willemsen (commjoen), Ben de Haan (@bendehaan), Nanne Baars (@nbaars)	Download	JavaScript Java Hashicorp Vault Kubernetes Docker	wrongsecrets is an exercise used to show how you can or should not consume/create secrets.

Online

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
Acuart	Acunetix		PHP	Art shopping
Altoro Mutual	IBM/Watchfire		J2EE	Log in with jsmith/demo1234 or admin/admin
AuthLab	digininja (Robin Wood)	Guide Live	GO
BGA Vulnerable BANK App	BGA Security		.NET
Broken Crystals	NeuraLegion	Live	react Node Swagger
CloudGoat	Rhino Security Labs	Announcement Guide	Python AWS
Cyber Scavenger Hunt	Arthur Kay	Download	Javacript React	A simple scavenger hunt to learn about pentesting a website or web application.
Damn Vulnerable Serverless App (DVSA)	Protego Labs	Guide	Node AWS Azure
Defend the Web	Luke [flabbyrabbit]			Formerly HackThis
Enigma Group	Enigma Group
Firing Range	Google	Download
Game of Hacks	Checkmarx		Node Express.js
Gruyere	Google		Python
Hack.me	eLearnSecurity			Beta
HackThis	Luke Ward (0x6C77)	Download	PHP
HackThisSite HackThisSite				Basic & Realistic (web) Missions
HackYourselfFirst	Troy Hunt	Guide
Hackademic Challenges Project	OWASP		PHP Joomla
Hackazon	Rapid7 (NTObjectives)	Download Guide Guide Guide	AJAX JSON XML GwT AMF
Hacking Lab	Hacking Lab
Netsparker Test App .NET	Netsparker		ASP.NET
Netsparker Test App PHP	Netsparker		PHP
OWASP Juice Shop	OWASP	Demo Preview Guide	Javascript Angular Node.js	Do not use these instances for massive attacks/scans! Demo hosts latest released version. Preview hosts snapshot of upcoming release.
OWASP SKF Labs	[email protected] and [email protected]	Demo Guide	Python HTML Javascript GraphQL Ruby	You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs.
OWASP Serverless Goat	OWASP	Guide Live	Node AWS
Pentester Academy
Race The Web	insp3ctre	Download
Security Tweets	Acunetix			HTML5
Solyd - Introdução ao Hacking e Pentest	Solyd		PHP Linux	In Portuguese (Português) - Free online trainning with free online lab
Web Scanner Test Site	Rapid7 appspider (was NTOSpider)		AJAX JSON XML PHP Javacript React Angular REST SOAP Swagger	(testuser/testpass)
XSS Test Suite
Zero Bank	Micro Focus (was HP/SpiDynamics)			(admin/admin)
hackxor	albinowax			Web application hacking game via missions, based on real vulnerabilities.

VM-ISO

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
(OWASP) Broken Web Applications Project (BWA)	OWASP - Chuck Willis	Download Download	VMware
Bee-Box			VMware
Exploit.co.il Vuln Web App		Download	VMware
GameOver		Download	VMware
Hackxor		Download Guide	VMware
LAMPSecurity		Download	VMware
Metasploitable 2		Download	VMware
Metasploitable 3		Download	VMware
Moth		Download	VMware
PentesterLab - The Exercises			ISO PDF
Pixi (OWASP)	thedeadrobots	Download Guide Guide	Docker MEAN Stack
Samurai WTF		Download	ISO
Sauron		Download	Quemu
Virtual Hacking Lab		Download	ZIP
Vulnado	ScaleSec		Java Docker	Purposely vulnerable Java application to help lead secure coding workshops
Web Security Dojo		Download	VMware VirtualBox
XXE		Download	VMware