awesome-vulnerable
github.com/kaiiyer/awesome-vulnerable
A curated list of VULNERABLE APPS and SYSTEMS which can be used as PENETRATION TESTING PRACTICE LAB.
What's inside
Sites by Vendors of Security Testing Software
- Acunetix acuart
- Acunetix acublog
A test site for Acunetix. It is vulnerable to SQL Injections, Cross-site Scripting (XSS), and more.
- Acunetix acuforum
A forum deliberately vulnerable to SQL Injections, directory traversal, and other web-based attacks
- Acunetix SecurityTweets
Vulnerable HTML5 test website for Acunetix Web Vulnerability Scanner.
- Cenzic crackmebank
This is a test and demonstration site
- Fortify IWA.JAVA (Insecure Web Application) Pharmacy Direct
An example Java/Spring Web Application for use in DevSecOps scenarios and demonstrations. It includes some examples of bad and insecure code, which can be found using static and dynamic application security testing tools such as those provided by
Mobile Apps
- Allsafe
Allsafe is an intentionally vulnerable application that contains various vulnerabilities.
- Damn Vulnerable Android App (DVAA)
Damn Vulnerable Android App (DVAA) is an Android application which contains intentional vulnerabilities
- Damn Vulnerable FirefoxOS Application (DVFA)
Damn Vulnerable FirefoxOS Application - a purposefully vulnerable application for demonstration
- Damn Vulnerable iOS App (DVIA)
Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable
- ExploitMe Mobile Android Labs
The insecure Android app for your hacking pleasure
- ExploitMe Mobile iPhone Labs
A defective iPhone App for your hacking pleasure
Sites for Downloading Older Versions of Various Software
- All Version
PortableApps is the world's most popular portable software solution allowing you to take your favorite software with you
- Exploit-DB
The Exploit Database is maintained by Offensive Security, an information security training company that provides various Information Security Certifications as well as high end penetration testing services
- Old Apps
Provide our users with a wide assortment of current versions of familiar software, and their predecessors for free
- Old Version
Pick a software title... to downgrade to the version you love!
- VirtualHacking Repo
Virtual Hacking Lab
Vulnerable Web Applications
- BadStore
Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.
- BodgeIt Store
The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
- Bug Bounty Hunter
BugBountyHunter is a training platform created by bug bounty hunter zseano designed to help you learn all about web application vulnerabilities and how to get started.
- Butterfly Security Project
The ButterFly project is an educational environment intended to give an insight into common web application and PHP vulnerabilities. The environment also includes examples demonstrating how such vulnerabilities are mitigated.
- bWAPP
bee-box is a custom Linux VM pre-installed with bWAPP.
- CloudGoat
CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
Sites for Improving Your Hacking Skills
- Blue Team Labs Online - Cyber Range
Cyber Range
- CSC Play on Demand
The aim of this challenge is to identify the means by which an insider may accidentally or maliciously leak organisational secrets via seemingly innocent files
- CTF Learn
A new CTF based learning platform with user-contributed challenges
- Embedded Security CTF
Scattered throughout the world in locked warehouses are briefcases filled with Cy Yombinator bearer bonds that could be worth billions comma billions of dollars. You will help steal the briefcases
- EnigmaGroup
Enigma Group has been providing its members a legal and safe security resource where they can develop their pen-testing skills on various challenges provided by this site
- Escape
The code generates HTML in an unsafe way. Prove it by calling alert(1)
API
- capital
A built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. Use c{api}tal to learn, train and exploit API Security vulnerabilities within your own API Security CTF.
- dvws-node
Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities.
- OWASP crAPI
crAPI stands for “Completely Ridiculous API”. It simulates an API-driven, microservice-based web application that is a platform for vehicle owners. crAPI specializes in the common vulnerabilities that happen in modern API-based applications, including all those in the OWASP Top 10 for APIs.
- VAmPI
VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs.
- VulnerableLightApp
Vulnerable API for educational purposes
Labs
- CTFd
CTFs as you need them
- Game of Hacks
Alright, this one isn’t exactly a vulnerable web app – but it’s another engaging way of learning to spot application security vulnerabilities, so we thought we’d throw it in
- GNS3
Build, Design and Test your network in a risk-free virtual environment and access the largest networking community to help.
- Google Gruyere
This ‘cheesy’ vulnerable site is full of holes and aimed for those just starting to learn application security.
- gRPC Goat
gRPC Goat is a "Vulnerable by Design" lab created to provide an interactive, hands-on playground for learning and practicing gRPC security.
- Hacksplaining
Interactive lessons for several well-known web vulnerabilities.
Showing a sample of 159 resources; the full list is on GitHub.