OWASP Vulnerable Web Applications Directory
Author(s): psiinon, kingthorin, raulsiles
Contributor(s): bkimminich, S3DFX-CYBER, yrprey, arthurakay, HarshitVerma109, ritorhymes, commjoen, hblankenship, noraj, preetkaran20, ebell451, PauloASilva, Aif4thah, AlexandraC0, alexcolb, codeXanu, Commando-X, dhower7, drfoofoo, interference-security, LBartolini, mal-tee, markdenihan, mike386, mrtlgz, msudol, nbaars, njmulsqb, OSTEsayed, pentesttools-com, rcowsill, roottusk, sadicann, SamanthaGroves, snoopysecurity, subhashdasyam, yjaaidi
Contributor(s): bkimminich, S3DFX-CYBER, yrprey, arthurakay, HarshitVerma109, ritorhymes, commjoen, hblankenship, noraj, preetkaran20, ebell451, PauloASilva, Aif4thah, AlexandraC0, alexcolb, codeXanu, Commando-X, dhower7, drfoofoo, interference-security, LBartolini, mal-tee, markdenihan, mike386, mrtlgz, msudol, nbaars, njmulsqb, OSTEsayed, pentesttools-com, rcowsill, roottusk, sadicann, SamanthaGroves, snoopysecurity, subhashdasyam, yjaaidi
Random App of the Day
| App. URL | Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
AndroGoat
309 |
satishpatnayak |
|
Last commit: 2025-11-22
|
VWAD
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of known vulnerable web and mobile applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.
The main goal of VWAD is to provide a list of vulnerable applications available to security professionals for hacking, offensive and defensive activities, so that they can manipulate realistic web environments… without going to jail 
The vulnerable web applications have been classified in four categories: Online, Offline, Mobile, and Containerized (Docker images, VMs, ISOs). Each list has been ordered alphabetically.
A brief description of the OWASP VWAD project is available here.
On-line Resources Used
Other Vulnerable Web-app Compilations
Mobile
| App. URL |
Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
AndroGoat
309 |
satishpatnayak |
|
Last commit: 2025-11-22
|
|
|
DIVA Android
1069 |
Payatu |
|
DIVA (Damn Insecure and Vulnerable App) is an intentionally vulnerable Android application designed to help security professionals and developers learn about Android security vulnerabilities. Last commit: 2016-01-15 
|
|
|
Damn Vulnerable Bank
729 |
Rewanth Tammana, Akshansh Jaiswal, Hrushikesh Kakade |
|
Last commit: 2023-12-13
|
|
|
Goatlin
36 |
Checkmarx |
|
Last commit: 2022-01-06
|
|
|
InjuredAndroid
732 |
B3nac |
|
A vulnerable Android application with CTF-style challenges focused on Android security. Last commit: 2021-06-25 
|
|
|
InsecureBankv2
1393 |
Dinesh Shetty |
|
Vulnerable Android application for security enthusiasts and developers to learn about Android insecurities. Showcases various security vulnerabilities in Android banking applications. Last commit: 2019-11-21 
|
|
|
MSTG CrackMes
12664 |
OWASP |
Last commit: 2026-01-17
|
||
|
MSTG Hacking Playground
654 |
OWASP |
Last commit: 2022-10-31
|
||
|
Vuln-Bank
545 |
Al-Amir Badmus |
|
A deliberately vulnerable banking application designed for practicing Security Testing of Web App, APIs, AI integrated App and secure code reviews. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn security testing and secure coding practices in a safe environment. Last commit: 2025-11-23 
|
Offline
| App. URL |
Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
.NET Goat
245 |
OWASP |
|
Original main repo: https://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET. Last commit: 2014-02-22 
|
|
|
AI-Goat
314 |
fhammon, Guanwei Hu |
|
AI Goat uses the Vicuna LLM which derived from Meta's LLaMA and coupled with ChatGPT's response data. When installing AI Goat the LLM binary is downloaded from third party locally on your computer. Last commit: 2024-08-22 
|
|
|
Altoro Mutual (AltoroJ)
279 |
IBM/Watchfire |
|
Log in with jsmith/demo1234 or admin/admin Last commit: 2024-07-23 
|
|
|
AuthLab
98 |
digininja (Robin Wood) |
|
Last commit: 2023-01-30
|
|
|
BodgeIt Store
281 |
Simon Bennetts (psiinon) |
|
Last commit: 2024-08-13
|
|
| Bricks | OWASP |
|
||
|
Broken Crystals
180 |
NeuraLegion |
|
Last commit: 2026-01-14
|
|
|
BugGPT
0 |
attacker-codeninja |
|
BugGPT is an intentionally vulnerable application generator for educational security training purposes. Last commit: 2024-10-23 
|
|
| Butterfly Security Project |
|
Last updated in 2008 |
||
|
CVWA - Conviso Vulnerable Web Application
63 |
Conviso AppSec |
|
Last commit: 2025-07-16
|
|
|
CloudGoat
3445 |
Rhino Security Labs |
|
Last commit: 2025-09-18
|
|
|
CryptOMG
193 |
SpiderLabs |
|
Last commit: 2015-06-25
|
|
|
Cyclone Transfers
5 |
|
Last commit: 2013-10-17
|
||
|
DIWA - Deliberately Insecure Web Application
71 |
Tim Steufmehl |
|
A Deliberately Insecure Web Application Last commit: 2020-01-09 
|
|
|
Damn Small Vulnerable Web (DSVW)
854 |
Miroslav Stampar |
|
Last commit: 2025-12-21
|
|
|
Damn Vulnerable Application Scanner (DVAS)
6 |
Andrea Valenza, Enrico Russo, Gabriele Costa |
|
An intentionally vulnerable web application scanner Last commit: 2021-04-25 
|
|
|
Damn Vulnerable C# Application (API)
79 |
Appsecco |
|
Last commit: 2022-12-07
|
|
|
Damn Vulnerable Electron App (DVEA)
17 |
Najam Ul Saqib (cybersoldier) |
|
A deliberately insecure ElectronJS application Last commit: 2024-11-23 
|
|
|
Damn Vulnerable File Upload - DVFU
101 |
Thin Ba Shane (@art0flunam00n) |
|
Last commit: 2018-05-26
|
|
|
Damn Vulnerable Functions as a Service (DVFaaS)
136 |
we45 (Abhay Bhargav) |
|
Last commit: 2019-01-23
|
|
|
Damn Vulnerable GraphQL Application (DVGA)
1675 |
Dolev Farhi <[email protected]>, Connor McKinnon |
|
Last commit: 2025-05-24
|
|
|
Damn Vulnerable Infrastructure (DVI)
5 |
Lorenzo Bartolini, Gabriele Costa |
|
A fully simulated and self-hosted Damn Vulnerable Infrastructure with routers, subnetworks, Scada and many other vulnerable containers. It simulates an Energy Management System inside a University Campus. Last commit: 2025-11-11 
|
|
|
Damn Vulnerable LLM Agent
351 |
Reversec Labs |
|
Last commit: 2025-06-25
|
|
|
Damn Vulnerable Node Application - DVNA
20 |
Claudio Lacayo |
|
Last commit: 2015-12-22
|
|
|
Damn Vulnerable NodeJS Application - DVNA
757 |
@appsecco |
|
Different project from the old DVNA Last commit: 2023-11-08 
|
|
|
Damn Vulnerable OAuth 2.0 Applications
324 |
Koen Buyens |
|
A set of vulnerable applications which show Oauth2.0 vulnerabilities. Last commit: 2018-09-15 
|
|
|
Damn Vulnerable Python Web Application - DVPWA
183 |
Oleksandr Kovalchuk |
|
Last commit: 2022-11-04
|
|
|
Damn Vulnerable Restaurant
879 |
theowni |
|
Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers. Last commit: 2026-01-03 
|
|
|
Damn Vulnerable Serverless App (DVSA)
544 |
Protego Labs |
|
Last commit: 2023-09-12
|
|
|
Damn Vulnerable Stateful WebApp
14 |
dnet |
|
Last commit: 2015-12-04
|
|
|
Damn Vulnerable Web Application - DVWA
12470 |
RandomStorm |
|
Last commit: 2026-01-08
|
|
|
Damn Vulnerable Web Services
457 |
snoopysecurity |
|
Last commit: 2021-12-06
|
|
|
Damn Vulnerable Web Sockets
356 |
@appsecco |
|
Last commit: 2025-12-19
|
|
|
DjangoGoat
45 |
Red and Black |
|
Last commit: 2019-08-18
|
|
|
EKS Goat
35 |
OWASP |
|
AWS EKS Security Lab and activity. Last commit: 2025-12-11 
|
|
|
EasyBuggy
256 |
Kohei Tamura |
|
Last commit: 2026-01-11
|
|
|
Extreme Vulnerable Node Application
95 |
vegabird |
|
Last commit: 2018-02-08
|
|
|
FFUF.me
69 |
adamtlangley |
|
Target practice for ffuf Last commit: 2021-08-10 
|
|
|
Generic-University
416 |
Katie Paxton-Fear |
|
Last commit: 2022-11-14
|
|
|
Goof
534 |
Snyk |
|
online - via Heroku deploy Last commit: 2023-05-24 
|
|
| Gruyere |
|
|||
|
Hackademic Challenges Project
324 |
OWASP |
|
Last commit: 2017-02-24
|
|
|
Hackazon
1014 |
Rapid7 (NTObjectives) |
|
Last commit: 2021-03-11
|
|
| Hackxor | albinowax |
|
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities. |
|
|
Hammer
21 |
iknowjason |
|
Includes manual build and docker options. Last commit: 2022-04-26 
|
|
| LAMPSecurity |
|
|||
|
Magical Code Injection Rainbow - MCIR
445 |
SpiderLabs |
|
Last commit: 2020-08-07
|
|
|
Marathon
66 |
Christian Schneider |
|
Vulnerable demo application Last commit: 2025-06-15 
|
|
|
Mutillidae
1458 |
|
Last commit: 2025-08-03
|
||
|
NoSQL Injection Lab
134 |
@digininja |
|
Last commit: 2020-07-22
|
|
|
NoSQL Injection Vulnerable App (NIVA)
19 |
Anton Abashkin |
|
Last commit: 2022-11-21
|
|
|
NodeGoat
2002 |
OWASP |
|
Last commit: 2023-06-21
|
|
|
NodeVulnerable
482 |
cr0hn |
|
Last commit: 2024-04-29
|
|
|
OSTE-Vulnerable-Web-Application
16 |
(OSTE)Oudjani seyyid taqi eddine |
|
Vulnerable web application Last commit: 2023-12-15 
|
|
|
OWASP Damn Vulnerable Web Sockets (DVWS)
356 |
Abhineet Jayaraj (@xploresec) |
|
Last commit: 2025-12-19
|
|
|
OWASP Juice Shop
12323 |
OWASP |
|
Last commit: 2026-01-05
|
|
|
OWASP SKF Labs
462 |
[email protected] and [email protected] |
|
You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs. Last commit: 2024-08-02 
|
|
|
OWASP VulnerableApp
355 |
Karan Preet Singh Sasan |
|
Last commit: 2025-12-31
|
|
|
OWASP VulnerableApp-facade
49 |
Karan Preet Singh Sasan |
|
Last commit: 2023-12-04
|
|
| Peruggia |
|
|||
|
Pixi
132 |
OWASP |
|
Last commit: 2020-03-31
|
|
| Puzzlemall |
|
|||
|
PyGoat
296 |
Ade Yoseman |
|
Last commit: 2026-01-11
|
|
|
Race The Web
628 |
insp3ctre |
Last commit: 2019-10-16
|
||
|
Rails Goat
907 |
OWASP |
|
Last commit: 2026-01-13
|
|
|
SQL injection test environment
352 |
|
SQLmap Project Last commit: 2022-04-14 
|
||
|
SQLI-labs
5697 |
|
Last commit: 2014-10-31
|
||
|
SQLol
123 |
|
Last commit: 2013-07-19
|
||
|
SSRF Vuln Lab
746 |
incredibleindishell, Mohammed Farhan |
|
Last commit: 2023-08-21
|
|
|
Scriptease
1 |
|
A vulnerable JavaScript SPA (no back end) that demonstrates several client-side security flaws (XSS, open redirect, prototype pollution, ReDoS, request hijacking, etc.) It showcases a diverse set of sources and sinks for taint analysis, uses two alternative bundlers (Webpack, Vite), and includes lazy-loaded modules Last commit: 2026-01-02 
|
||
|
SecDevLabs
969 |
Globo |
|
Repository with many intentionally vulnerable web applications. Includes attack narratives and docker options for each app. Last commit: 2024-09-25 
|
|
|
Security Shepherd
1418 |
OWASP |
|
Last commit: 2025-10-15
|
|
|
TicketMagpie
20 |
|
Last commit: 2017-05-11
|
||
|
Tiredful API
577 |
@payatu |
|
Last commit: 2020-09-07
|
|
|
UnSAFE Bank
166 |
lucideus |
|
Web, Android and iOS application Last commit: 2025-09-29 
|
|
|
Varnish HTTP/2 Request Smuggling
56 |
Detectify |
|
A docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling, presented by Albinowax at Blackhat/Defcon 2021. Last commit: 2021-08-26 
|
|
|
VulnLab
475 |
Yavuzlar (siberyavuzlar.com) |
|
A web vulnerability lab project developed by Yavuzlar. Last commit: 2025-02-02 
|
|
|
Vulnerable Java Web Application
270 |
Cyber Security and Privacy Foundation |
|
Last commit: 2024-06-20
|
|
|
Vulnerable Node Express
21 |
Zachary Conger |
|
SQLi and XSS Last commit: 2023-11-16 
|
|
|
Vulnerable OTP App
85 |
mddanish |
|
Last commit: 2019-11-13
|
|
|
Vulnerable SAML App
54 |
yogisec |
|
Last commit: 2020-11-02
|
|
|
VulnerableLightApp
51 |
Michael Vacarella |
|
Vulnerable API for educational purposes Last commit: 2026-01-07 
|
|
|
VulnerableXsltConsoleApplication
10 |
Context Information Security |
|
This is a console app, however it relates to an issues that is relevant to web apps: use of XSLT transforms for XML files. Last commit: 2017-09-25 
|
|
|
WAVSEP - Web Application Vulnerability Scanner Evaluation Project
14 |
Shay Chen & The ZAP Dev Team |
|
Last commit: 2025-09-08
|
|
| WIVET- Web Input Vector Extractor Teaser | ||||
|
WackoPicko
343 |
|
Last commit: 2021-11-17
|
||
|
WebGoat
8860 |
OWASP |
|
Last commit: 2025-11-02
|
|
|
WebGoatPHP
146 |
OWASP |
|
Last commit: 2025-04-28
|
|
|
Weird Proxies - Labs
1853 |
Green Dog (GrrrDog) |
|
Last commit: 2023-11-04
|
|
|
WrongSecrets
1388 |
Jeroen Willemsen (@commjoen), Ben de Haan (@bendehaan), Nanne Baars (@nbaars) |
|
OWASP WrongSecrets is a vulnerable app used to show how to not use secrets. Last commit: 2026-01-15 
|
|
|
XXE Lab
229 |
Joshua Barone |
|
Last commit: 2021-11-10
|
|
|
Xtreme Vulnerable Web Application (XVWA)
1746 |
@s4n7h0, @samanL33T |
|
Last commit: 2020-09-12
|
|
| Yrprey | Fernando Mengali, Vagner Mengali |
|
Framework created in NextJs (TypeScript) and PHP/MySQL with OWASP TOP 10 API vulnerabilities of 2019 and 2023. Yrprey can was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (Appsec). |
|
| YrpreyBlog | Fernando Mengali |
|
A framework created in PHP/MySQL with OWASP TOP 10 Web Application vulnerabilities. |
|
| YrpreyC | Fernando Mengali |
|
YrpreyC is a framework written in the C language that contains vulnerabilities related to memory issues, categorized as overflows |
|
| YrpreyC++ | Fernando Mengali |
|
YrpreyC++ is a framework written in the C++ language that contains vulnerabilities related to memory issues, categorized as overflows |
|
| YrpreyPHP | Fernando Mengali |
|
A framework created in PHP/MySQL with OWASP TOP 10 Web Application vulnerabilities. YrpreyPHP was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (AppSec). |
|
| YrpreyPathTraversal | Fernando Mengali |
|
YrpreyPathTraversal is a framework written in PHP, with examples of exploiting Path Traversal and Local File Inclusion vulnerabilities in different ways. |
|
|
Zero Health
33 |
Aliyu G. Yisa |
|
Zero trust. Zero security. Total exposure. A deliberately vulnerable health tech platform with AI Chatbot for learning about application security and ethical hacking. It contains vulnerabilities from OWASP top 10 Web, API and AI/LLM Security Vulnerabilities. Highly vulnerable, never use in production. Last commit: 2025-06-15 
|
|
| bWAPP |
|
|||
|
crAPI
1408 |
OWASP |
|
OWASP crAPI (Completely Ridiculous API) is an intentionally vulnerable API designed to help security teams practice API security testing including BOLA, BFLA, mass assignment, and authentication flaws. Last commit: 2025-11-13 
|
|
|
dvws-node
499 |
@snoopysecurity |
|
Last commit: 2026-01-14
|
|
|
gRPC Goat
50 |
rootxjs |
|
Vulnerable by Design lab for learning and practicing gRPC security. Last commit: 2025-09-22 
|
|
|
insecure-deserialisation-net-poc
20 |
Omer Levi Hevroni |
|
A small webserver vulnerable to insecure deserialization Last commit: 2017-11-30 
|
|
|
jwtdemo
116 |
Sjoerd Langkemper (Sjord) |
|
Practice hacking JWT tokens. Last commit: 2022-09-08 
|
|
|
play-webgoat
18 |
|
Last commit: 2026-01-06
|
||
|
twitterlike
4 |
Sakti Dwi Cahyono |
|
Last commit: 2013-10-16
|
|
|
vAPI
1322 |
Tushar Kulkarni |
|
vAPI is a Vulnerable Interface that demonstrates the OWASP API Top 10 vulnerabilities in the means of exercises Last commit: 2025-01-10 
|
|
|
vuln-node.js-express.js-app
41 |
SirAppSec |
|
A Very Vulnerable Node.js Express.js Web Application and API. Used for testing Security tools, Application security and penetration testing. Using Swagger, Sqlite, Sequelize. Last commit: 2024-08-26 
|
|
|
vulnerable-api
70 |
Matthew Valdes |
|
Last commit: 2016-06-29
|
|
|
websheep
57 |
Younes Jaaidi (yjaaidi) |
|
Websheep is an app based on a willingly vulnerable ReSTful APIs. Last commit: 2022-12-21 
|
|
| ypreyAPINodeJS | Fernando Mengali |
|
yrpreyAPINodeJS is a vulnerable framework written in NodeJS and based on the OWASP TOP 10 API. |
|
| ypreyAPIPython | Fernando Mengali |
|
ypreyAPIPython is a vulnerable framework written in Python and based on the OWASP TOP 10 API. |
|
| ypreyPollsPHP | Fernando Mengali |
|
ypreyPollsPHP is a vulnerable framework written in PHP with a polls management scenario, based on the OWASP TOP 10 |
|
| yrpreyASPC | Fernando Mengali |
|
yrpreyASPC is a vulnerable framework written in ASP and C with vulnerabilities based on Buffer Overflow, Command Injection, and web application vulnerabilities. |
|
| yrpreyASPCPlus | Fernando Mengali |
|
yrpreyASPCPlus is a vulnerable framework written in ASP and C++ with vulnerabilities based on Buffer Overflow, Command Injection, and web application vulnerabilities. |
|
| yrpreyFinance | Fernando Mengali |
|
yrpreyFinance is a vulnerable framework written in PHP with a financial management scenario, based on the OWASP TOP 10 |
|
| yrpreyLibrary | Fernando Mengali |
|
yrpreyLibrary is a vulnerable framework written in PHP, based on the OWASP TOP 10 |
|
| yrpreyPollsNodeJS | Fernando Mengali |
|
yrpreyPollsNodeJS is a vulnerable framework written in NodeJS with a polls management scenario, based on the OWASP TOP 10 |
|
| yrpreyPollsPerl | Fernando Mengali |
|
yrpreyPollsPerl is a vulnerable framework written in Perl with a polls management scenario, based on the OWASP TOP 10 |
|
| yrpreyPollsPython | Fernando Mengali |
|
yrpreyPollsPython is a vulnerable framework written in Python with a polls management scenario, based on the OWASP TOP 10 |
|
| yrpreyTasks | Fernando Mengali |
|
yrpreyTasks is a vulnerable framework written in PHP with a task management scenario, based on the OWASP TOP 10 |
|
| yrpreyTasksNodeJS | Fernando Mengali |
|
yrpreyTasksNodeJS is a vulnerable framework written in NodeJS with a task management scenario, based on the OWASP TOP 10 |
|
| yrpreyTasksPython | Fernando Mengali |
|
yrpreyTasksPython is a vulnerable framework written in Python with a task management scenario, based on the OWASP TOP 10 |
Online
| App. URL |
Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
| AWS CTF Challenge | AWS Security Team |
|
Capture-the-flag challenges for AWS |
|
|
AWS Infrastructure Pentest Lab
3439 |
AWS Security Team |
|
Hands-on lab for AWS infrastructure pentesting Last commit: 2025-09-18
|
|
| AWS Security Workshop | AWS Security Team |
|
Interactive workshop covering AWS security best practices |
|
| Acuart | Acunetix |
|
Art shopping |
|
|
Altoro Mutual (AltoroJ)
279 |
IBM/Watchfire |
|
Log in with jsmith/demo1234 or admin/admin Last commit: 2024-07-23
|
|
|
AuthLab
98 |
digininja (Robin Wood) |
|
Last commit: 2023-01-30
|
|
| Azure AD CTF Challenge | Azure Security Team |
|
Capture-the-flag challenges for Azure AD |
|
|
Azure Infrastructure Workshop
615 |
Azure Security Team |
|
Interactive workshop covering Azure security best practices Last commit: 2023-06-01 
|
|
|
Broken Crystals
180 |
NeuraLegion |
|
Last commit: 2026-01-14
|
|
| CTFLearn | @ctflearn | |||
|
Cyber Scavenger Hunt
15 |
Arthur Kay |
|
A simple scavenger hunt to learn about pentesting a website or web application. Last commit: 2022-07-19 
|
|
| Damn Vulnerable AI Bank (DVAIB) | Subhash Dasyam |
|
Hands-on AI security training platform for prompt injection and jailbreaking, realistic attack scenarios, achievements, and leaderboard. |
|
|
Damn Vulnerable RESTaurant (DV-REST)
879 |
theowni |
|
An intentionally vulnerable API training game for developers, ethical hackers, and security engineers. Designed as a CTF-style playground to learn, detect, exploit, and remediate API security vulnerabilities using a FastAPI-based application. Supports local Docker deployment and online execution via GitHub Codespaces. Last commit: 2026-01-03 
|
|
| Defend the Web | Luke [flabbyrabbit] |
Formerly HackThis |
||
| Duck Store | DonAsako |
|
Duck Store is an intentionally vulnerable web app for training purposes on how to find classic and business logic vulns dedicated to developers, ethical hackers, and security engineers. |
|
|
EntraGoat
865 |
Azure Security Team |
|
A deliberately vulnerable Microsoft Entra ID environment. Learn identity security through hands-on, realistic attack challenges. Last commit: 2026-01-15 
|
|
|
FFUF.me
69 |
adamtlangley |
|
Target practice for ffuf Last commit: 2021-08-10
|
|
|
Firing Range
1404 |
Last commit: 2018-11-08
|
|||
| Gandalf | Lakera |
|
A game designed to challenge your ability to interact with large language models (LLMs) and test prompt injection skills. Your goal is to trick Gandalf into revealing the secret password. |
|
| Gin & Juice Shop | PortSwigger |
|
A hosted always-online demo app with realistic technologies. |
|
| Gruyere |
|
|||
| HackTheBox | HackTheBox |
|
Online platform featuring vulnerable machines and challenges for penetration testing practice. Includes retired machines, active challenges, and Pro Labs. |
|
|
HackThis
46 |
Luke Ward (0x6C77) |
|
Last commit: 2018-08-31
|
|
| HackThisSite | HackThisSite Staff |
|
Always-on CTF challenges including Basic, Realistic, Application, Steganography, and many others. |
|
| HackXpert | theXSSrat |
|
||
| HackYourselfFirst | Troy Hunt | |||
| Hacking Lab | Hacking Lab | |||
| Hackxor | albinowax |
|
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities. |
|
| Kubernetes CTF Challenge | Kubernetes Security Team |
|
Capture-the-flag challenges for Kubernetes |
|
|
Kubernetes Security Workshop
5365 |
Kubernetes Security Team |
|
Interactive workshop covering Kubernetes security best practices Last commit: 2025-11-18 
|
|
| Netsparker Test App .NET | Netsparker |
|
||
| Netsparker Test App PHP | Netsparker |
|
||
|
OWASP Juice Shop
12323 |
OWASP |
|
Last commit: 2026-01-05
|
|
|
OWASP SKF Labs
462 |
[email protected] and [email protected] |
|
You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs. Last commit: 2024-08-02
|
|
| Pentest-Ground | Pentest-Tools.com |
|
Suite of vulnerable web apps to practice |
|
|
PyGoat
296 |
Ade Yoseman |
|
Last commit: 2026-01-11
|
|
| Root Me | Root-Me |
Root-Me is a non-profit organization aimed at providing an outstanding learning platform for ethical hacking. It offers hundreds of challenges and virtual environments. |
||
| Security Tweets | Acunetix |
HTML5 |
||
| Solyd - Introdução ao Hacking e Pentest | Solyd |
|
In Portuguese (Português) - Free online training with free online lab |
|
| TryHackMe | TryHackMe |
|
Online platform for learning cyber security through hands-on exercises and labs. Features virtual rooms with vulnerable machines and guided learning paths. |
|
|
Vuln-Bank
545 |
Al-Amir Badmus |
|
A deliberately vulnerable banking application designed for practicing Security Testing of Web App, APIs, AI integrated App and secure code reviews. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn security testing and secure coding practices in a safe environment. Last commit: 2025-11-23
|
|
| Zero Bank | Micro Focus Fortify (was HP/SpiDynamics) |
(username/password) |
VM-ISO
| App. URL |
Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
| Bee-Box |
|
|||
|
BodgeIt Store
281 |
Simon Bennetts (psiinon) |
|
Last commit: 2024-08-13
|
|
|
CI/CD Goat
2177 |
Cider |
|
Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags. Last commit: 2024-07-11 
|
|
|
CloudGoat
3445 |
Rhino Security Labs |
|
Last commit: 2025-09-18
|
|
|
DIWA - Deliberately Insecure Web Application
71 |
Tim Steufmehl |
|
A Deliberately Insecure Web Application Last commit: 2020-01-09
|
|
|
Damn Vulnerable C# Application (API)
79 |
Appsecco |
|
Last commit: 2022-12-07
|
|
|
Damn Vulnerable GraphQL Application (DVGA)
1675 |
Dolev Farhi <[email protected]>, Connor McKinnon |
|
Last commit: 2025-05-24
|
|
|
Damn Vulnerable LLM Agent
351 |
Reversec Labs |
|
Last commit: 2025-06-25
|
|
|
Damn Vulnerable RESTaurant (DV-REST)
879 |
theowni |
|
An intentionally vulnerable API training game for developers, ethical hackers, and security engineers. Designed as a CTF-style playground to learn, detect, exploit, and remediate API security vulnerabilities using a FastAPI-based application. Supports local Docker deployment and online execution via GitHub Codespaces. Last commit: 2026-01-03
|
|
|
Damn Vulnerable Web Application - DVWA
12470 |
RandomStorm |
|
Last commit: 2026-01-08
|
|
|
EKS Goat
35 |
OWASP |
|
AWS EKS Security Lab and activity. Last commit: 2025-12-11
|
|
| Exploit.co.il Vuln Web App |
|
|||
|
FFUF.me
69 |
adamtlangley |
|
Target practice for ffuf Last commit: 2021-08-10
|
|
|
Game of Active Directory
7326 |
Orange-Cyberdefense |
|
Requires a considerably powerful system Last commit: 2025-07-16 
|
|
| GameOver |
|
|||
|
Generic-University
416 |
Katie Paxton-Fear |
|
Last commit: 2022-11-14
|
|
|
Goof
534 |
Snyk |
|
online - via Heroku deploy Last commit: 2023-05-24
|
|
|
Google Security Testbeds
58 |
|
This project aims to provide a central repository for testbeds contents usable to assert the quality and functionality of security scanners. This includes 0-day and 1-day scanning capabilities. Covering various CVEs, weak credentials across various services, exposed UI for various services. Last commit: 2026-01-16 
|
||
| Hackxor | albinowax |
|
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities. |
|
|
Kubernetes Infrastructure Pentest Lab
268 |
Kubernetes Security Team |
|
Hands-on lab for Kubernetes infrastructure pentesting Last commit: 2026-01-14 
|
|
| LAMPSecurity |
|
|||
|
Log4Shell sample vulnerable application
1135 |
Christophe Tafani-Dereeper, Gerard Arall, rayhan0x01 Rayhan Ahmed |
|
CVE-2021-44228 Last commit: 2022-12-14 
|
|
| Metasploitable 2 |
|
|||
|
Metasploitable 3
5398 |
|
Last commit: 2025-02-13
|
||
| Moth |
|
|||
|
NoSQL Injection Vulnerable App (NIVA)
19 |
Anton Abashkin |
|
Last commit: 2022-11-21
|
|
|
OWASP Juice Shop
12323 |
OWASP |
|
Last commit: 2026-01-05
|
|
| PentesterLab - The Exercises |
|
|||
|
Pixi
132 |
OWASP |
|
Last commit: 2020-03-31
|
|
|
PyGoat
296 |
Ade Yoseman |
|
Last commit: 2026-01-11
|
|
| Samurai WTF |
|
|||
| Sauron |
|
|||
|
Security Labs & POCs
448 |
DataDog |
|
Last commit: 2025-08-18
|
|
|
Template Injection Playground
57 |
Hackmanit and Maximilian Hildebrand |
|
Last commit: 2026-01-03
|
|
|
VAmPI
1160 |
erev0s |
|
Last commit: 2024-11-25
|
|
| Virtual Hacking Lab |
|
|||
|
Vuln-Bank
545 |
Al-Amir Badmus |
|
A deliberately vulnerable banking application designed for practicing Security Testing of Web App, APIs, AI integrated App and secure code reviews. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn security testing and secure coding practices in a safe environment. Last commit: 2025-11-23
|
|
|
Vulnado
191 |
ScaleSec |
|
Purposely vulnerable Java application to help lead secure coding workshops Last commit: 2020-06-02 
|
|
|
Wayfarer
1 |
SamuraiWTF |
|
Last commit: 2023-08-24
|
|
| Web Security Dojo |
|
|||
|
Weird Proxies - Labs
1853 |
Green Dog (GrrrDog) |
|
Last commit: 2023-11-04
|
|
| XXE |
|
|||
|
XXE Lab
229 |
Joshua Barone |
|
Last commit: 2021-11-10
|
|
|
Zero Health
33 |
Aliyu G. Yisa |
|
Zero trust. Zero security. Total exposure. A deliberately vulnerable health tech platform with AI Chatbot for learning about application security and ethical hacking. It contains vulnerabilities from OWASP top 10 Web, API and AI/LLM Security Vulnerabilities. Highly vulnerable, never use in production. Last commit: 2025-06-15
|
|
|
crAPI
1408 |
OWASP |
|
OWASP crAPI (Completely Ridiculous API) is an intentionally vulnerable API designed to help security teams practice API security testing including BOLA, BFLA, mass assignment, and authentication flaws. Last commit: 2025-11-13
|
|
|
c{api}tal
316 |
Checkmarx |
|
Last commit: 2024-04-05
|
|
|
dvws-node
499 |
@snoopysecurity |
|
Last commit: 2026-01-14
|
|
|
gRPC Goat
50 |
rootxjs |
|
Vulnerable by Design lab for learning and practicing gRPC security. Last commit: 2025-09-22
|
|
|
vuln-node.js-express.js-app
41 |
SirAppSec |
|
A Very Vulnerable Node.js Express.js Web Application and API. Used for testing Security tools, Application security and penetration testing. Using Swagger, Sqlite, Sequelize. Last commit: 2024-08-26
|
Platform
| App. URL |
Author(s) | Reference(s) | Technology(ies) | Note(s) |
|---|---|---|---|---|
|
Google Security Testbeds
58 |
|
This project aims to provide a central repository for testbeds contents usable to assert the quality and functionality of security scanners. This includes 0-day and 1-day scanning capabilities. Covering various CVEs, weak credentials across various services, exposed UI for various services. Last commit: 2026-01-16
|
||
| HackTheBox | HackTheBox |
|
Online platform featuring vulnerable machines and challenges for penetration testing practice. Includes retired machines, active challenges, and Pro Labs. |
|
| TryHackMe | TryHackMe |
|
Online platform for learning cyber security through hands-on exercises and labs. Features virtual rooms with vulnerable machines and guided learning paths. |