OWASP Vulnerable Web Applications Directory

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put in practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments… without going to jail :)

The vulnerable web applications have been classified in three categories: Online, Offline, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till October 2013 here.

A brief description of the OWASP VWAD project is available here.

The associated GitHub repository is available here.

Open Hub Stats

Presentation(s)

Interview with Simon Bennetts – The OWASP Web Applications Vulnerability Project

On-line Resources Used

Other Vulnerable Web-app Compilations

Penetration Testing Practice Labs - Vulnerable Apps/Systems

Offline

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
.NET Goat	OWASP		C#	Original main repo: http://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET.
AuthLab	digininja (Robin Wood)	Guide	GO
BadStore			Perl(CGI)
BodgeIt Store	Simon Bennetts (psiinon)	Download Docker	Java
Bricks	OWASP	Download	PHP
Butterfly Security Project		Download	PHP	Last updated in 2008
CloudGoat	Rhino Security Labs	Guide	Python
CryptOMG	SpiderLabs	Download	PHP
Cyclone Transfers			Ruby on Rails
Damn Small Vulnerable Web (DSVW)	Miroslav Stampar		Python
Damn Vulnerable File Upload - DVFU	Thin Ba Shane (@art0flunam00n)		PHP
Damn Vulnerable Functions as a Service (DVFaaS)	we45 (Abhay Bhargav)	Guide	Python AWS
Damn Vulnerable Node Application - DVNA	Claudio Lacayo		Node.js
Damn Vulnerable NodeJS Application - DVNA	@appsecco		Node.js	Different project from the old DVNA
Damn Vulnerable Serverless App (DVSA)	Protego Labs	Guide	Node AWS Azure
Damn Vulnerable Stateful WebApp	dnet	Download	PHP
Damn Vulnerable Web Application - DVWA	RandomStorm	Download	PHP
Damn Vulnerable Web Services	snoopysecurity		Web Services
Damn Vulnerable Web Services - DVWS	Secure Ideas	Download	PHP
Damn Vulnerable Web Sockets	@appsecco		Web Sockets
DIWA	Tim Steufmehl	Guide	PHP Docker	A Deliberately Insecure Web Application
DjangoGoat	Red and Black		Python Django
Extreme Vulnerable Node Application	vegabird	Download	NodeJS
Gruyere	Google	Download	Python
Hackademic Challenges Project	OWASP	Download	PHP
Hacme Bank	McAfee / Foundstone	Download	.NET
Hacme Bank - Android	McAfee / Foundstone
Hacme Books	McAfee / Foundstone	Download	Java
Hacme Casino	McAfee / Foundstone	Download	Ruby on Rails
Hacme Shipping	McAfee / Foundstone	Download	ColdFusion
Hacme Travel	McAfee / Foundstone	Download	C++
insecure-deserialisation-net-poc	Omer Levi Hevroni		.NET JSON yoserial.NET	A small webserver vulnerable to insecure deserialization
jwtdemo	Sjoerd Langkemper (Sjord)	Guide	PHP	Practice hacking JWT tokens.
LampSecurity			PHP
Magical Code Injection Rainbow - MCIR	SpiderLabs		PHP
Marathon	Christian Schneider		JAVA Docker	Vulnerable demo application
Mutillidae		Download	PHP
NoSQL Injection Lab	@digininja	Download	PHP MongoDB
NodeGoat	OWASP	Download	Node.js
NodeVulnerable	cr0hn		Node.js
OWASP Juice Shop	OWASP	Download Docker Guide	Javascript Angular Node.js
OWASP VulnerableApp	Karan Preet Singh Sasan	Download	Java
Peruggia		Download	PHP
Pixi	OWASP	Download	Node.js Swagger
Puzzlemall		Download	Java
Rails Goat	OWASP	Download Downloads	Ruby on Rails
SQL injection test environment			PHP	SQLmap Project
SQLI-labs		Download Guide	PHP
SQLol		Download	PHP
SecuriBench	Stanford		Java
SecuriBench Micro	Stanford	Download	Java
Security Shepherd	OWASP	Download	Java
TicketMagpie		Download	Java
Tiredful API	@payatu	Download	Python Django
VulnApp		Download Downloads	.NET
Vulnerable Java Web Application	Cyber Security and Privacy Foundation		Java
Vulnerable OTP App	mddanish		PHP Google OTP
Vulnerable SAML App	yogisec		Python
Vulnerable Web App	Exploit.co.il
WAVSEP - Web Application Vulnerability Scanner Evaluation Project	Shay Chen	Download Downloads Downloads	Java
WIVET- Web Input Vector Extractor Teaser		Download Downloads
WackoPicko		Download Guide	PHP
WebGoat	OWASP	Download Guide Docker	Java
WebGoatPHP	OWASP	Download Downloads	PHP
Xtreme Vulnerable Web Application (XVWA)	@s4n7h0, @samanL33T	Download	PHP MySQL
bWAPP		Download	PHP
hackxor				First 2 levels online, rest offline
play-webgoat			Java Scala Play Framework
twitterlike	Sakti Dwi Cahyono	Download	PHP
vulnerable-api	Matthew Valdes	Download	Python
websheep	Younes Jaaidi (yjaaidi)	Guide	Node	Websheep is an app based on a willingly vulnerable ReSTful APIs.
AltoroJ	HCL Technologies		J2EE	Source code of Altoro Mutual

Online

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
Acuart	Acunetix		PHP	Art shopping
Acublog	Acunetix		.NET	Blog
Acuforum	Acunetix		ASP	Forum
Altoro Mutual	IBM/Watchfire		J2EE	Log in with jsmith/demo1234 or admin/admin
AuthLab	digininja (Robin Wood)	Guide Live	GO
BGA Vulnerable BANK App	BGA Security		.NET
CloudGoat	Rhino Security Labs	Announcement Guide	Python AWS
Crack Me Bank	Trustwave
Damn Vulnerable Serverless App (DVSA)	Protego Labs	Guide Live	Node AWS Azure
Enigma Group	Enigma Group
Game of Hacks	Checkmarx		Node Express.js
Firing Range	Google	Download
Gruyere	Google		Python
Hack.me	eLearnSecurity			Beta
HackThis	Luke Ward (0x6C77)	Download	PHP
HackThisSite HackThisSite				Basic & Realistic (web) Missions
HackYourselfFirst	Troy Hunt	Guide
Hackademic Challenges Project	OWASP		PHP Joomla
Hackazon	Rapid7 (NTObjectives)	Download Guide Guide Guide	AJAX JSON XML GwT AMF
Hacker Challenge	PCTechtips
Hacking Lab	Hacking Lab
OWASP Juice Shop	OWASP	Demo Preview Guide	Javascript Angular Node.js	Do not use these instances for massive attacks/scans! Demo hosts latest released version. Preview hosts snapshot of upcoming release.
Netsparker Test App .NET	Netsparker		ASP.NET
Netsparker Test App PHP	Netsparker		PHP
OWASP Serverless Goat	OWASP	Guide Live	Node AWS
Pentester Academy
Race The Web	insp3ctre	Download
Security Tweets	Acunetix			HTML5
Solyd - Introdução ao Hacking e Pentest	Solyd		PHP Linux	In Portuguese (Português) - Free online trainning with free online lab
Vicnum Project			Perl PHP
Web Scanner Test Site	Rapid7 appspider (was NTOSpider)		AJAX JSON XML PHP Javacript React Angular REST SOAP Swagger	(testuser/testpass)
XSS Test Suite
Zero Bank	Micro Focus (was HP/SpiDynamics)			(admin/admin)
hackxor	albinowax			Web application hacking game via missions, based on real vulnerabilities.

VM-ISO

App. URL	Author	Reference(s)	Technology(ies)	Note(s)
(OWASP) Broken Web Applications Project (BWA)	OWASP - Chuck Willis	Download Download	VMware
BadStore		Download	ISO
Bee-Box			VMware
Drunk Admin Web Hacking Challenge		Download	VMware
Exploit.co.il Vuln Web App		Download	VMware
GameOver		Download	VMware
Hackxor		Download Guide	VMware
Hacme Bank Prebuilt VM		Download	VMware
Kioptrix4		Download	VMware Hyper-V
LAMPSecurity		Download	VMware
Metasploitable 2		Download	VMware
Metasploitable 3		Download	VMware
Moth		Download	VMware
PHDays I-Bank		Download	VMware
PentesterLab - The Exercises			ISO PDF
Pixi (OWASP)	thedeadrobots	Download Guide Youtube	Docker MEAN Stack
Samurai WTF		Download	ISO
Sauron		Download	Quemu
Virtual Hacking Lab		Download	ZIP
Vulnado	ScaleSec		Java Docker	Purposely vulnerable Java application to help lead secure coding workshops
Web Security Dojo		Download	VMware VirtualBox
WordPress CD]	ethicalhack3r	Download	VirtualBox
XXE		Download	VMware