OWASP Vulnerable Web Applications Directory
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put in practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.
The main goal of VWAD is to provide a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments… without going to jail :)
The vulnerable web applications have been classified in three categories: Online, Offline, and VMs/ISOs. Each list has been ordered alphabetically.
An initial list that inspired this project was maintained till October 2013 here.
A brief description of the OWASP VWAD project is available here.
The associated GitHub repository is available here.
Presentation(s)
On-line Resources Used
- Web Applications Without Going To Jail
- Vulnerable Web Applications for learning
- OWASP BWA User Guide
Other Vulnerable Web-app Compilations
Offline
| App. URL | Author | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
.NET Goat
|
OWASP
|
|
|
Original main repo: http://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET.
|
AltoroJ
|
HCL Technologies
|
|
|
Source code of Altoro Mutual
|
AuthLab
|
digininja (Robin Wood)
|
|
|
|
|
BadStore |
|
|
|
|
BodgeIt Store
|
Simon Bennetts (psiinon)
|
|
|
|
|
Bricks |
OWASP |
|
|
|
|
Butterfly Security Project |
|
|
Last updated in 2008 |
|
CloudGoat
|
Rhino Security Labs
|
|
|
|
CryptOMG
|
SpiderLabs
|
|
|
|
Cyclone Transfers
|
|
|
|
|
DIWA
|
Tim Steufmehl
|
|
A Deliberately Insecure Web Application
|
|
Damn Small Vulnerable Web (DSVW)
|
Miroslav Stampar
|
|
|
|
Damn Vulnerable File Upload - DVFU
|
Thin Ba Shane (@art0flunam00n)
|
|
|
|
Damn Vulnerable Functions as a Service (DVFaaS)
|
we45 (Abhay Bhargav)
|
|
|
|
Damn Vulnerable Node Application - DVNA
|
Claudio Lacayo
|
|
|
|
Damn Vulnerable NodeJS Application - DVNA
|
@appsecco
|
|
|
Different project from the old DVNA
|
Damn Vulnerable Python Web Application - DVPWA
|
Oleksandr Kovalchuk
|
|
|
|
Damn Vulnerable Serverless App (DVSA)
|
Protego Labs
|
|
|
|
Damn Vulnerable Stateful WebApp
|
dnet
|
|
|
|
Damn Vulnerable Web Application - DVWA
|
RandomStorm
|
|
|
|
Damn Vulnerable Web Services
|
snoopysecurity
|
|
|
|
|
Damn Vulnerable Web Services - DVWS |
Secure Ideas |
|
|
|
Damn Vulnerable Web Sockets
|
@appsecco
|
|
|
|
DjangoGoat
|
Red and Black
|
|
|
|
Extreme Vulnerable Node Application
|
vegabird
|
|
|
|
|
Gruyere |
Google |
|
|
|
Hackademic Challenges Project
|
OWASP
|
|
|
|
|
Hacme Bank |
McAfee / Foundstone |
|
|
|
|
Hacme Bank - Android |
McAfee / Foundstone |
|
|
|
|
Hacme Books |
McAfee / Foundstone |
|
|
|
|
Hacme Casino |
McAfee / Foundstone |
|
|
|
|
Hacme Shipping |
McAfee / Foundstone |
|
|
|
|
Hacme Travel |
McAfee / Foundstone |
|
|
|
|
LampSecurity |
|
|
|
|
Magical Code Injection Rainbow - MCIR
|
SpiderLabs
|
|
|
|
Marathon
|
Christian Schneider
|
|
|
Vulnerable demo application
|
Mutillidae
|
|
|
|
|
NoSQL Injection Lab
|
@digininja
|
|
|
|
NodeGoat
|
OWASP
|
|
|
|
NodeVulnerable
|
cr0hn
|
|
|
|
OWASP Juice Shop
|
OWASP
|
|
|
|
OWASP VulnerableApp
|
Karan Preet Singh Sasan
|
|
|
|
|
Peruggia |
|
|
|
|
Pixi
|
OWASP
|
|
|
|
|
Puzzlemall |
|
|
|
|
Rails Goat
|
OWASP
|
|
|
|
SQL injection test environment
|
|
|
|
SQLmap Project
|
SQLI-labs
|
|
|
|
|
SQLol
|
|
|
|
|
|
SecuriBench |
Stanford |
|
|
|
|
SecuriBench Micro |
Stanford |
|
|
|
Security Shepherd
|
OWASP
|
|
|
|
TicketMagpie
|
|
|
|
|
Tiredful API
|
@payatu
|
|
|
|
UnSAFE Bank
|
lucideus
|
|
|
Web, Android and iOS application
|
|
VulnApp |
|
|
|
|
Vulnerable Java Web Application
|
Cyber Security and Privacy Foundation
|
|
|
|
Vulnerable OTP App
|
mddanish
|
|
|
|
Vulnerable SAML App
|
yogisec
|
|
|
|
|
Vulnerable Web App |
Exploit.co.il |
|
|
|
VulnerableXsltConsoleApplication
|
Context Information Security
|
|
|
This is a console app, however it relates to an issues that is relevant to web apps: use of XSLT transforms for XML files.
|
WAVSEP - Web Application Vulnerability Scanner Evaluation Project
|
Shay Chen
|
|
|
|
|
WIVET- Web Input Vector Extractor Teaser |
|
|
|
|
WackoPicko
|
|
|
|
|
|
WebGoat |
OWASP |
|
|
|
WebGoatPHP
|
OWASP
|
|
|
|
Xtreme Vulnerable Web Application (XVWA)
|
@s4n7h0, @samanL33T
|
|
|
|
|
bWAPP |
|
|
|
|
dvws-node
|
@snoopysecurity
|
|
|
|
|
hackxor |
|
|
|
First 2 levels online, rest offline |
insecure-deserialisation-net-poc
|
Omer Levi Hevroni
|
|
|
A small webserver vulnerable to insecure deserialization
|
jwtdemo
|
Sjoerd Langkemper (Sjord)
|
|
Practice hacking JWT tokens.
|
|
play-webgoat
|
|
|
|
|
twitterlike
|
Sakti Dwi Cahyono
|
|
|
|
vulnerable-api
|
Matthew Valdes
|
|
|
|
websheep
|
Younes Jaaidi (yjaaidi)
|
|
Websheep is an app based on a willingly vulnerable ReSTful APIs.
|
Online
| App. URL | Author | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
Acuart |
Acunetix |
|
|
Art shopping |
|
Acublog |
Acunetix |
|
|
Blog |
|
Acuforum |
Acunetix |
|
|
Forum |
|
Altoro Mutual
|
IBM/Watchfire
|
|
|
Log in with jsmith/demo1234 or admin/admin
|
|
AuthLab
|
digininja (Robin Wood)
|
|
|
|
|
BGA Vulnerable BANK App |
BGA Security |
|
|
|
|
CloudGoat
|
Rhino Security Labs
|
|
|
|
|
Crack Me Bank |
Trustwave |
|
|
|
Cyber Scavenger Hunt
|
Arthur Kay
|
|
A simple scavenger hunt to learn about pentesting a website or web application.
|
|
|
Damn Vulnerable Serverless App (DVSA)
|
Protego Labs
|
|
|
|
|
Defend the Web |
Luke [flabbyrabbit] |
|
|
Formerly HackThis |
|
Enigma Group |
Enigma Group |
|
|
|
Firing Range
|
Google
|
|
|
|
|
Game of Hacks |
Checkmarx |
|
|
|
|
Gruyere |
Google |
|
|
|
|
Hack.me |
eLearnSecurity |
|
|
Beta |
HackThis
|
Luke Ward (0x6C77)
|
|
|
|
|
HackThisSite HackThisSite |
|
|
|
Basic & Realistic (web) Missions |
|
HackYourselfFirst |
Troy Hunt |
|
|
|
|
Hackademic Challenges Project |
OWASP |
|
|
|
Hackazon
|
Rapid7 (NTObjectives)
|
|
|
|
|
Hacker Challenge |
PCTechtips |
|
|
|
|
Hacking Lab |
Hacking Lab |
|
|
|
|
Netsparker Test App .NET |
Netsparker |
|
|
|
|
Netsparker Test App PHP |
Netsparker |
|
|
|
|
OWASP Juice Shop
|
OWASP
|
|
Do not use these instances for massive attacks/scans! Demo hosts latest released version. Preview hosts snapshot of upcoming release.
|
|
OWASP Serverless Goat
|
OWASP
|
|
|
|
|
Pentester Academy |
|
|
|
|
Race The Web
|
insp3ctre
|
|
|
|
|
Security Tweets |
Acunetix |
|
|
HTML5 |
|
Solyd - Introdução ao Hacking e Pentest |
Solyd |
|
|
In Portuguese (Português) - Free online trainning with free online lab |
|
Vicnum Project |
|
|
|
|
|
Web Scanner Test Site |
Rapid7 appspider (was NTOSpider) |
|
|
(testuser/testpass) |
|
XSS Test Suite |
|
|
|
|
|
Zero Bank |
Micro Focus (was HP/SpiDynamics) |
|
|
(admin/admin) |
|
hackxor |
albinowax |
|
|
Web application hacking game via missions, based on real vulnerabilities. |
VM-ISO
| App. URL | Author | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
(OWASP) Broken Web Applications Project (BWA) |
OWASP - Chuck Willis |
|
|
|
|
BadStore |
|
|
|
|
|
Bee-Box |
|
|
|
|
|
Drunk Admin Web Hacking Challenge |
|
|
|
|
|
Exploit.co.il Vuln Web App |
|
|
|
|
|
GameOver |
|
|
|
|
|
Hackxor |
|
|
|
|
|
Hacme Bank Prebuilt VM |
|
|
|
|
|
Kioptrix4 |
|
|
|
|
|
LAMPSecurity |
|
|
|
|
|
Metasploitable 2 |
|
|
|
|
Metasploitable 3
|
|
|
|
|
|
Moth |
|
|
|
|
|
PHDays I-Bank |
|
|
|
|
|
PentesterLab - The Exercises |
|
|
|
|
Pixi (OWASP)
|
thedeadrobots
|
|
|
|
|
Samurai WTF |
|
|
|
|
|
Sauron |
|
|
|
|
|
Virtual Hacking Lab |
|
|
|
|
Vulnado
|
ScaleSec
|
|
|
Purposely vulnerable Java application to help lead secure coding workshops
|
|
Web Security Dojo |
|
|
|
|
|
WordPress CD] |
ethicalhack3r |
|
|
|
|
XXE |
|
|
|