OWASP VulnerableApp


As web applications become more popular, the need to secure them grows. There are several vulnerability scanning tools, but the developers of these tools need to test them and also need to know how well a given tool is performing. As of now, there are few or no vulnerable applications built for testing such tools. Deliberately vulnerable applications do exist, but they were not written with this intent and hence lack extensibility, e.g. adding new vulnerabilities is quite difficult. As a result, developers resort to writing their own vulnerable applications, which usually costs productivity and leads to painful rework.

VulnerableApp is built with these factors in mind. The project is scalable, extensible, easier to integrate and easier to learn. Because solving the above issue requires adding various vulnerabilities, it also becomes a very good platform for learning about security vulnerabilities.

New React-based User Interface

VulnerableApp-facade UI

Legacy User Interface

Owasp Vulnerable Graphic Representation

Future Goal

Going further, this application might become a database of vulnerabilities. Hence, in the future, it can be used for hosting CTFs and can also become a compliance/benchmark for vulnerability scanning tools.

Project Setup

Setup Guide

Technologies used

  • Java8
  • Spring Boot
  • Vanilla Javascript

Note: we are not limited to these technologies and, if required, are open to expanding to other technologies.

Currently handled Vulnerability types

  1. JWT Vulnerability
  2. Command Injection
  3. File Upload Vulnerability
  4. Path Traversal Vulnerability
  5. SQL Injection
    1. Error Based SQLi
    2. Union Based SQLi
    3. Blind SQLi
  6. XSS
    1. Persistent XSS
    2. Reflected XSS
  7. XXE
  8. Open Redirect
    1. HTTP 3xx status code based

Contributing to Project

Contributing to open source is always good from a learning perspective, as open source is a community in which to collaborate and grow together.

We really appreciate contributions to this project. As this project is in its initial phase, we have not set any guidelines. So feel free to send a mail to [email protected] or raise an issue, and we will try our best to onboard you to this project. If you are already onboarded, we actively welcome your Pull Requests. Visit Design Documentation for internal implementation details.

You can also raise an issue if you want to learn about a vulnerability which is not present in VulnerableApp. We will try to add that vulnerability ASAP!

Documentation in other languages

  1. Russian
  2. Chinese
  3. Hindi
  4. Punjabi


Please raise an issue or send an email to [email protected] for any queries. We will try to resolve the issues ASAP.

Other details

  1. Documentation
  2. Overview Video


  1. Overview of Owasp-VulnerableApp - Medium article
  2. Overview of Owasp-VulnerableApp - Blogspot post


Vision for the project:

The overall vision for the project is to implement a Platform capability that makes it easier to write vulnerable code and expose it through an API and UI.

Usage of the project:

This Project mainly targets 4 types of audience:

  • Developers of Vulnerability Scanning tools
  • New Vulnerability finders (for faster demonstration of the vulnerability)
  • Security enthusiasts, Students who want to learn more about Security
  • CTF organizers (A Platform to Host CTF by choosing vulnerabilities present in the project)

Initial high level plan:

The basic idea for this project is to build an extensible framework which is driven by configuration, so that developers who want to introduce new vulnerable code into the project need to write minimal boilerplate code and the learning curve for the configuration is minimal.

Looking at it, the first approach which comes to my mind is to provide a framework similar to Spring, i.e. something like an annotation-driven framework for including a vulnerability type, for adding a new vulnerability to an existing vulnerability type, and for adding a User Interface for the same.

  • Milestone 1: Alpha release - Building extensible backend Platform
  • Milestone 2: Beta release - Building extensible User Interface
  • Milestone 3: Gamma release - Addition of 50 vulnerabilities using the above mentioned Platform
  • Milestone 4: Release 1
  • Milestone 5: Dev lifecycle integration
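
A sketch of the annotation-driven idea described in the plan above, added here as an illustration; it is not VulnerableApp's code. The annotation names `@VulnerabilityType` and `@Level`, the class names and the `/OpenRedirect/LEVEL_n` route keys are hypothetical, and the input string is constructed.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class AnnotationDrivenSketch {
    // Hypothetical annotations, invented for this sketch (not the project's API).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface VulnerabilityType { String value(); }

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Level { int value(); boolean secure() default false; String note(); }

    // A contributor adds a vulnerability type by writing one annotated class.
    @VulnerabilityType("OpenRedirect")
    static class OpenRedirectLevels {
        @Level(value = 1, note = "returnTo becomes the Location header unchecked")
        public String level1(String returnTo) { return returnTo; }

        @Level(value = 2, secure = true, note = "only same-site absolute paths are accepted")
        public String level2(String returnTo) {
            // Reject scheme-relative ("//host") and backslash forms; fall back to "/".
            boolean local = returnTo.startsWith("/") && !returnTo.startsWith("//")
                    && returnTo.indexOf('\\') < 0;
            return local ? returnTo : "/";
        }
    }

    // Platform side: discover annotated levels by reflection and index them by route.
    static Map<String, Method> register(Class<?>... types) {
        Map<String, Method> routes = new TreeMap<>();
        for (Class<?> t : types) {
            VulnerabilityType vt = t.getAnnotation(VulnerabilityType.class);
            if (vt == null) continue; // not a vulnerability class, skip it
            for (Method m : t.getDeclaredMethods()) {
                Level l = m.getAnnotation(Level.class);
                if (l != null) routes.put("/" + vt.value() + "/LEVEL_" + l.value(), m);
            }
        }
        return routes;
    }

    public static void main(String[] args) throws Exception {
        Object levels = new OpenRedirectLevels();
        String input = "//other.example/landing"; // constructed sample input
        for (Map.Entry<String, Method> e : register(OpenRedirectLevels.class).entrySet()) {
            Level l = e.getValue().getAnnotation(Level.class);
            Object location = e.getValue().invoke(levels, input);
            System.out.printf("%s secure=%b -> Location: %s (%s)%n",
                    e.getKey(), l.secure(), location, l.note());
        }
    }
}
```

Because the `secure` flag and the note live in the annotation, a scanner benchmark can read the expected verdict for each level from the same metadata that registers the endpoint.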

Current State

To know about the current state, please go to the Git Repository and also visit the issues section for new enhancements, tech debts and bugs.


This is hard to estimate as this depends on the number of contributors, but as of now I have already built some of the pieces of the Backend platform and I have started building the frontend platform, but the addition of 50 vulnerabilities can take quite a lot of time. So the plan is to release this Project near July 31 2020.


Technologies used in this project are:


  1. Java-8
  2. SpringBoot
  3. Vanilla Javascript
  4. Vanilla CSS

But we are not limited to the above technologies and can extend to new horizons. In case you have an idea for a technology and how it can suit us, please reach out to us on our Slack channel.


There are many, please visit Issues for more information.