OWASP Vulnerable Web Applications Directory

Random App of the Day

App. URL Author Reference(s) Technology(ies) Note(s)
insecure-deserialisation-net-poc
GitHub stars
Omer Levi Hevroni
GitHub contributors
  • .NET
  • JSON
  • yoserial.NET
A small webserver vulnerable to insecure deserialization
GitHub last commit

VWAD

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of known vulnerable web and mobile applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable applications available to security professionals for hacking, offensive and defensive activities, so that they can manipulate realistic web environments… without going to jail :grinning:

The vulnerable web applications have been classified in four categories: Online, Offline, Mobile, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till October 2013 here.

A brief description of the OWASP VWAD project is available here.

The associated GitHub repository is available here.

Open Hub Stats


On-line Resources Used

Other Vulnerable Web-app Compilations


Mobile

App. URL Author Reference(s) Technology(ies) Note(s)
AndroGoat
GitHub stars
satishpatnayak
GitHub contributors
  • Kotlin
  • Android

GitHub last commit
Damn Vulnerable Bank
GitHub stars
Rewanth Tammana, Akshansh Jaiswal, Hrushikesh Kakade
GitHub contributors
  • android

GitHub last commit
Goatlin
GitHub stars
Checkmarx
GitHub contributors
  • Kotlin
  • Android
  • API
  • REST

GitHub last commit
MSTG CrackMes
GitHub stars
OWASP
GitHub contributors

GitHub last commit
MSTG Hacking Playground
GitHub stars
OWASP
GitHub contributors

GitHub last commit

Offline

App. URL Author Reference(s) Technology(ies) Note(s)
.NET Goat
GitHub stars
OWASP
GitHub contributors
  • C#
Original main repo: https://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET.
GitHub last commit
Altoro Mutual (AltoroJ)
GitHub stars
IBM/Watchfire
GitHub contributors
  • J2EE
Log in with jsmith/demo1234 or admin/admin
GitHub last commit
AuthLab
GitHub stars
digininja (Robin Wood)
GitHub contributors
  • GO

GitHub last commit
BodgeIt Store
GitHub stars
Simon Bennetts (psiinon)
GitHub contributors
  • Java

GitHub last commit
Bricks
OWASP
  • PHP

Broken Crystals
GitHub stars
NeuraLegion
GitHub contributors
  • react
  • Node
  • Swagger

GitHub last commit
Butterfly Security Project

  • PHP
Last updated in 2008
CVWA - Conviso Vulnerable Web Application
GitHub stars
Conviso AppSec
GitHub contributors
  • PHP

GitHub last commit
CloudGoat
GitHub stars
Rhino Security Labs
GitHub contributors
  • Python
  • AWS

GitHub last commit
CryptOMG
GitHub stars
SpiderLabs
GitHub contributors
  • PHP

GitHub last commit
Cyclone Transfers
GitHub stars

GitHub contributors
  • Ruby on Rails

GitHub last commit
DIWA - Deliberately Insecure Web Application
GitHub stars
Tim Steufmehl
GitHub contributors
  • PHP
  • Docker
A Deliberately Insecure Web Application
GitHub last commit
Damn Small Vulnerable Web (DSVW)
GitHub stars
Miroslav Stampar
GitHub contributors
  • Python

GitHub last commit
Damn Vulnerable Application Scanner (DVAS)
GitHub stars
Andrea Valenza, Enrico Russo, Gabriele Costa
GitHub contributors
  • PHP
An intentionally vulnerable web application scanner
GitHub last commit
Damn Vulnerable Electron App (DVEA)
GitHub stars
Najam Ul Saqib (cybersoldier)
GitHub contributors
  • ElectronJS
A deliberately insecure ElectronJS application
GitHub last commit
Damn Vulnerable File Upload - DVFU
GitHub stars
Thin Ba Shane (@art0flunam00n)
GitHub contributors
  • PHP

GitHub last commit
Damn Vulnerable Functions as a Service (DVFaaS)
GitHub stars
we45 (Abhay Bhargav)
GitHub contributors
  • Python
  • AWS

GitHub last commit
Damn Vulnerable GraphQL Application (DVGA)
GitHub stars
Dolev Farhi <[email protected]>, Connor McKinnon
GitHub contributors
  • Python
  • HTML
  • Javascript
  • GraphQL
  • SQLAlchemy
  • docker

GitHub last commit
Damn Vulnerable Node Application - DVNA
GitHub stars
Claudio Lacayo
GitHub contributors
  • Node.js

GitHub last commit
Damn Vulnerable NodeJS Application - DVNA
GitHub stars
@appsecco
GitHub contributors
  • Node.js
Different project from the old DVNA
GitHub last commit
Damn Vulnerable OAuth 2.0 Applications
GitHub stars
Koen Buyens
GitHub contributors
  • MEAN
  • Docker
  • OAuth 2.0
A set of vulnerable applications which show Oauth2.0 vulnerabilities.
GitHub last commit
Damn Vulnerable Python Web Application - DVPWA
GitHub stars
Oleksandr Kovalchuk
GitHub contributors
  • Python
  • Docker

GitHub last commit
Damn Vulnerable Restaurant
GitHub stars
theowni
GitHub contributors
  • Python
  • Docker
Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
GitHub last commit
Damn Vulnerable Serverless App (DVSA)
GitHub stars
Protego Labs
GitHub contributors
  • Node
  • AWS
  • Azure

GitHub last commit
Damn Vulnerable Stateful WebApp
GitHub stars
dnet
GitHub contributors
  • PHP

GitHub last commit
Damn Vulnerable Web Application - DVWA
GitHub stars
RandomStorm
GitHub contributors
  • PHP

GitHub last commit
Damn Vulnerable Web Services
GitHub stars
snoopysecurity
GitHub contributors
  • Web Services

GitHub last commit
Damn Vulnerable Web Sockets
GitHub stars
@appsecco
GitHub contributors
  • Web Sockets

GitHub last commit
DjangoGoat
GitHub stars
Red and Black
GitHub contributors
  • Python
  • Django

GitHub last commit
EasyBuggy
GitHub stars
Kohei Tamura
GitHub contributors
  • Java

GitHub last commit
Extreme Vulnerable Node Application
GitHub stars
vegabird
GitHub contributors
  • NodeJS

GitHub last commit
FFUF.me
GitHub stars
adamtlangley
GitHub contributors
  • PHP
  • Docker
Target practice for ffuf
GitHub last commit
Generic-University
GitHub stars
Katie Paxton-Fear
GitHub contributors
  • PHP
  • docker
  • API
  • GraphQL
  • MySQL
  • Laravel

GitHub last commit
Goof
GitHub stars
Snyk
GitHub contributors
  • NodeJS
online - via Heroku deploy
GitHub last commit
Gruyere
Google
  • Python

Hackademic Challenges Project
GitHub stars
OWASP
GitHub contributors
  • PHP
  • Joomla

GitHub last commit
Hackazon
GitHub stars
Rapid7 (NTObjectives)
GitHub contributors
  • AJAX
  • JSON
  • XML
  • GwT
  • AMF

GitHub last commit
Hackxor
albinowax
  • VMware
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.
Hacme Bank
McAfee / Foundstone
  • .NET

Hacme Bank - Android
McAfee / Foundstone

Hacme Books
McAfee / Foundstone
  • Java

Hacme Casino
McAfee / Foundstone
  • Ruby on Rails

Hacme Shipping
McAfee / Foundstone
  • ColdFusion

Hacme Travel
McAfee / Foundstone
  • C++

Hammer
GitHub stars
iknowjason
GitHub contributors
  • Ruby on Rails
Includes manual build and docker options.
GitHub last commit
LAMPSecurity

  • VMware
  • PHP

Magical Code Injection Rainbow - MCIR
GitHub stars
SpiderLabs
GitHub contributors
  • PHP

GitHub last commit
Marathon
GitHub stars
Christian Schneider
GitHub contributors
  • JAVA
  • Docker
Vulnerable demo application
GitHub last commit
Mutillidae
GitHub stars

GitHub contributors
  • PHP

GitHub last commit
NoSQL Injection Lab
GitHub stars
@digininja
GitHub contributors
  • PHP
  • MongoDB

GitHub last commit
NoSQL Injection Vulnerable App (NIVA)
GitHub stars
Anton Abashkin
GitHub contributors
  • Java
  • MongoDB

GitHub last commit
NodeGoat
GitHub stars
OWASP
GitHub contributors
  • Node.js

GitHub last commit
NodeVulnerable
GitHub stars
cr0hn
GitHub contributors
  • Node.js

GitHub last commit
OSTE-Vulnerable-Web-Application
GitHub stars
(OSTE)Oudjani seyyid taqi eddine
GitHub contributors
  • PHP
Vulnerable web application
GitHub last commit
OWASP Damn Vulnerable Web Sockets (DVWS)
GitHub stars
Abhineet Jayaraj (@xploresec)
GitHub contributors
  • PHP
  • HTML
  • Javascript
  • WebSockets

GitHub last commit
OWASP Juice Shop
GitHub stars
OWASP
GitHub contributors
  • TypeScript
  • JavaScript
  • Angular
  • Node.js

GitHub last commit
OWASP SKF Labs
GitHub stars
[email protected] and [email protected]
GitHub contributors
  • Python
  • HTML
  • Javascript
  • GraphQL
  • Ruby
You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs.
GitHub last commit
OWASP VulnerableApp
GitHub stars
Karan Preet Singh Sasan
GitHub contributors
  • Java
  • Javascript
  • Spring-Boot

GitHub last commit
OWASP VulnerableApp-facade
GitHub stars
Karan Preet Singh Sasan
GitHub contributors
  • Typescript
  • Javascript
  • Docker

GitHub last commit
Peruggia

  • PHP

Pixi
GitHub stars
OWASP
GitHub contributors
  • Node.js
  • Swagger
  • docker

GitHub last commit
Puzzlemall

  • Java

PyGoat
GitHub stars
Ade Yoseman
GitHub contributors
  • Python

GitHub last commit
Race The Web
GitHub stars
insp3ctre
GitHub contributors

GitHub last commit
Rails Goat
GitHub stars
OWASP
GitHub contributors
  • Ruby on Rails

GitHub last commit
SQL injection test environment
GitHub stars

GitHub contributors
  • PHP
SQLmap Project
GitHub last commit
SQLI-labs
GitHub stars

GitHub contributors
  • PHP

GitHub last commit
SQLol
GitHub stars

GitHub contributors
  • PHP

GitHub last commit
SSRF Vuln Lab
GitHub stars
incredibleindishell, Mohammed Farhan
GitHub contributors
  • PHP

GitHub last commit
SecDevLabs
GitHub stars
Globo
GitHub contributors
  • Go
  • NodeJS
  • Python
  • PHP
  • React
  • Angular/Spring
  • Dart/Flutter
Repository with many intentionally vulnerable web applications. Includes attack narratives and docker options for each app.
GitHub last commit
Security Shepherd
GitHub stars
OWASP
GitHub contributors
  • Java

GitHub last commit
TicketMagpie
GitHub stars

GitHub contributors
  • Java

GitHub last commit
Tiredful API
GitHub stars
@payatu
GitHub contributors
  • Python
  • Django

GitHub last commit
UnSAFE Bank
GitHub stars
lucideus
GitHub contributors
  • Docker
Web, Android and iOS application
GitHub last commit
Varnish HTTP/2 Request Smuggling
GitHub stars
Detectify
GitHub contributors
  • Varnish
  • HTTP/2
A docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling, presented by Albinowax at Blackhat/Defcon 2021.
GitHub last commit
VulnLab
GitHub stars
Yavuzlar (siberyavuzlar.com)
GitHub contributors
  • PHP
  • Docker
A web vulnerability lab project developed by Yavuzlar.
GitHub last commit
Vulnerable Java Web Application
GitHub stars
Cyber Security and Privacy Foundation
GitHub contributors
  • Java

GitHub last commit
Vulnerable Node Express
GitHub stars
Zachary Conger
GitHub contributors
  • Node.js
  • Express
SQLi and XSS
GitHub last commit
Vulnerable OTP App
GitHub stars
mddanish
GitHub contributors
  • PHP
  • Google OTP

GitHub last commit
Vulnerable SAML App
GitHub stars
yogisec
GitHub contributors
  • Python

GitHub last commit
VulnerableLightApp
GitHub stars
Michael Vacarella
GitHub contributors
  • .NET
  • C#
  • AspNetCore
Vulnerable API for educational purposes
GitHub last commit
VulnerableXsltConsoleApplication
GitHub stars
Context Information Security
GitHub contributors
  • .Net
This is a console app, however it relates to an issues that is relevant to web apps: use of XSLT transforms for XML files.
GitHub last commit
WAVSEP - Web Application Vulnerability Scanner Evaluation Project
GitHub stars
Shay Chen
GitHub contributors
  • Java

GitHub last commit
WIVET- Web Input Vector Extractor Teaser


WackoPicko
GitHub stars

GitHub contributors
  • PHP

GitHub last commit
WebGoat
GitHub stars
OWASP
GitHub contributors
  • Java

GitHub last commit
WebGoatPHP
GitHub stars
OWASP
GitHub contributors
  • PHP

GitHub last commit
WrongSecrets
GitHub stars
Jeroen Willemsen (@commjoen), Ben de Haan (@bendehaan), Nanne Baars (@nbaars)
GitHub contributors
  • JavaScript
  • Java
  • Hashicorp Vault
  • Kubernetes
  • Docker
  • AWS
  • GCP
OWASP WrongSecrets is a vulnerable app used to show how to not use secrets.
GitHub last commit
XXE Lab
GitHub stars
Joshua Barone
GitHub contributors
  • docker
  • vagrant

GitHub last commit
Xtreme Vulnerable Web Application (XVWA)
GitHub stars
@s4n7h0, @samanL33T
GitHub contributors
  • PHP
  • MySQL

GitHub last commit
Yrprey
Fernando Mengali, Vagner Mengali
  • PHP
  • TypeScript
  • NextJs
Framework created in NextJs (TypeScript) and PHP/MySQL with OWASP TOP 10 API vulnerabilities of 2019 and 2023. Yrprey can was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (Appsec).
YrpreyPHP
Fernando Mengali
  • PHP
  • CSS
  • Bootstrap
  • MySQL
A framework created in PHP/MySQL with OWASP TOP 10 Web Application vulnerabilities. YrpreyPHP was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (AppSec).
bWAPP

  • PHP

crAPI
GitHub stars
OWASP
GitHub contributors
  • Go
  • nginx

GitHub last commit
dvws-node
GitHub stars
@snoopysecurity
GitHub contributors
  • Web Services
  • NodeJS

GitHub last commit
insecure-deserialisation-net-poc
GitHub stars
Omer Levi Hevroni
GitHub contributors
  • .NET
  • JSON
  • yoserial.NET
A small webserver vulnerable to insecure deserialization
GitHub last commit
jwtdemo
GitHub stars
Sjoerd Langkemper (Sjord)
GitHub contributors
  • PHP
Practice hacking JWT tokens.
GitHub last commit
play-webgoat
GitHub stars

GitHub contributors
  • Java
  • Scala
  • Play Framework

GitHub last commit
twitterlike
GitHub stars
Sakti Dwi Cahyono
GitHub contributors
  • PHP

GitHub last commit
vAPI
GitHub stars
Tushar Kulkarni
GitHub contributors
  • PHP
vAPI is a Vulnerable Interface that demonstrates the OWASP API Top 10 vulnerabilities in the means of exercises
GitHub last commit
vulnerable-api
GitHub stars
Matthew Valdes
GitHub contributors
  • Python

GitHub last commit
websheep
GitHub stars
Younes Jaaidi (yjaaidi)
GitHub contributors
  • Angular
  • JavaScript
  • Node
Websheep is an app based on a willingly vulnerable ReSTful APIs.
GitHub last commit

Online

App. URL Author Reference(s) Technology(ies) Note(s)
Acuart
Acunetix
  • PHP
Art shopping
Altoro Mutual (AltoroJ)
GitHub stars
IBM/Watchfire
GitHub contributors
  • J2EE
Log in with jsmith/demo1234 or admin/admin
GitHub last commit
AuthLab
GitHub stars
digininja (Robin Wood)
GitHub contributors
  • GO

GitHub last commit
BGA Vulnerable BANK App
BGA Security
  • .NET

Broken Crystals
GitHub stars
NeuraLegion
GitHub contributors
  • react
  • Node
  • Swagger

GitHub last commit
CTFLearn
@ctflearn

Cyber Scavenger Hunt
GitHub stars
Arthur Kay
GitHub contributors
  • Javacript
  • React
A simple scavenger hunt to learn about pentesting a website or web application.
GitHub last commit
Defend the Web
Luke [flabbyrabbit]
Formerly HackThis
FFUF.me
GitHub stars
adamtlangley
GitHub contributors
  • PHP
  • Docker
Target practice for ffuf
GitHub last commit
Firing Range
GitHub stars
Google
GitHub contributors

GitHub last commit
Game of Hacks
Checkmarx
  • Node
  • Express.js

Gin & Juice Shop
PortSwigger
  • JavaScript
  • AngularJS
  • React
  • CSRF
A hosted always-online demo app with realistic technologies.
Gruyere
Google
  • Python

Hack.me
eLearnSecurity
Beta
HackThis
GitHub stars
Luke Ward (0x6C77)
GitHub contributors
  • PHP

GitHub last commit
HackThisSite
HackThisSite Staff
  • PHP
  • Perl
  • JavaScript
  • API
  • Binaries
Always-on CTF challenges including Basic, Realistic, Application, Steganography, and many others.
HackXpert
theXSSrat
  • PHP

HackYourselfFirst
Troy Hunt

Hacking Lab
Hacking Lab

Hackxor
albinowax
  • VMware
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.
Netsparker Test App .NET
Netsparker
  • ASP.NET

Netsparker Test App PHP
Netsparker
  • PHP

OWASP Juice Shop
GitHub stars
OWASP
GitHub contributors
  • TypeScript
  • JavaScript
  • Angular
  • Node.js

GitHub last commit
OWASP SKF Labs
GitHub stars
[email protected] and [email protected]
GitHub contributors
  • Python
  • HTML
  • Javascript
  • GraphQL
  • Ruby
You can go to the demo website and login(admin / test-skf) or skip login, go to Labs menu and start a Lab you want to do. Please limit the usage of scanning tools on the Labs.
GitHub last commit
Pentest-Ground
Pentest-Tools.com
  • PHP
  • Docker
Suite of vulnerable web apps to practice
Pentester Academy


PyGoat
GitHub stars
Ade Yoseman
GitHub contributors
  • Python

GitHub last commit
Security Tweets
Acunetix
HTML5
Solyd - Introdução ao Hacking e Pentest
Solyd
  • PHP
  • Linux
In Portuguese (Português) - Free online trainning with free online lab
Zero Bank
Micro Focus Fortify (was HP/SpiDynamics)
(username/password)

VM-ISO

App. URL Author Reference(s) Technology(ies) Note(s)
Bee-Box

  • VMware

BodgeIt Store
GitHub stars
Simon Bennetts (psiinon)
GitHub contributors
  • Java

GitHub last commit
Broken Web Applications Project (BWA) - OWASP
OWASP - Chuck Willis
  • VMware

CI/CD Goat
GitHub stars
Cider
GitHub contributors
  • Gitea
  • Jenkins
  • GitLab
  • Docker
Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.
GitHub last commit
CloudGoat
GitHub stars
Rhino Security Labs
GitHub contributors
  • Python
  • AWS

GitHub last commit
DIWA - Deliberately Insecure Web Application
GitHub stars
Tim Steufmehl
GitHub contributors
  • PHP
  • Docker
A Deliberately Insecure Web Application
GitHub last commit
Damn Vulnerable GraphQL Application (DVGA)
GitHub stars
Dolev Farhi <[email protected]>, Connor McKinnon
GitHub contributors
  • Python
  • HTML
  • Javascript
  • GraphQL
  • SQLAlchemy
  • docker

GitHub last commit
Damn Vulnerable Web Application - DVWA
GitHub stars
RandomStorm
GitHub contributors
  • PHP

GitHub last commit
Exploit.co.il Vuln Web App

  • VMware

FFUF.me
GitHub stars
adamtlangley
GitHub contributors
  • PHP
  • Docker
Target practice for ffuf
GitHub last commit
Game of Active Directory
GitHub stars
Orange-Cyberdefense
GitHub contributors
  • Windows
  • Active Directory
Requires a considerably powerful system
GitHub last commit
GameOver

  • VMware

Generic-University
GitHub stars
Katie Paxton-Fear
GitHub contributors
  • PHP
  • docker
  • API
  • GraphQL
  • MySQL
  • Laravel

GitHub last commit
Goof
GitHub stars
Snyk
GitHub contributors
  • NodeJS
online - via Heroku deploy
GitHub last commit
Hackxor
albinowax
  • VMware
First 2 levels online, rest offline. Web application hacking game via missions, based on real vulnerabilities.
LAMPSecurity

  • VMware
  • PHP

Log4Shell sample vulnerable application
GitHub stars
Christophe Tafani-Dereeper, Gerard Arall, rayhan0x01 Rayhan Ahmed
GitHub contributors
  • Spring Boot
  • Log4j
  • Java
CVE-2021-44228
GitHub last commit
Metasploitable 2

  • VMware

Metasploitable 3
GitHub stars

GitHub contributors
  • VMware

GitHub last commit
Moth

  • VMware

NoSQL Injection Vulnerable App (NIVA)
GitHub stars
Anton Abashkin
GitHub contributors
  • Java
  • MongoDB

GitHub last commit
OWASP Juice Shop
GitHub stars
OWASP
GitHub contributors
  • TypeScript
  • JavaScript
  • Angular
  • Node.js

GitHub last commit
PentesterLab - The Exercises

  • ISO
  • PDF

Pixi
GitHub stars
OWASP
GitHub contributors
  • Node.js
  • Swagger
  • docker

GitHub last commit
PyGoat
GitHub stars
Ade Yoseman
GitHub contributors
  • Python

GitHub last commit
Samurai WTF

  • ISO

Sauron

  • Quemu

Security Labs & POCs
GitHub stars
DataDog
GitHub contributors
  • docker
  • Kubernetes
  • PiPy
  • OpenSSL
  • JWT

GitHub last commit
VAmPI
GitHub stars
erev0s
GitHub contributors
  • python
  • docker
  • OpenAPI

GitHub last commit
Virtual Hacking Lab

  • ZIP

Vulnado
GitHub stars
ScaleSec
GitHub contributors
  • Java
  • Docker
Purposely vulnerable Java application to help lead secure coding workshops
GitHub last commit
Web Security Dojo

  • VMware
  • VirtualBox

XXE

  • VMware

XXE Lab
GitHub stars
Joshua Barone
GitHub contributors
  • docker
  • vagrant

GitHub last commit
crAPI
GitHub stars
OWASP
GitHub contributors
  • Go
  • nginx

GitHub last commit
dvws-node
GitHub stars
@snoopysecurity
GitHub contributors
  • Web Services
  • NodeJS

GitHub last commit