awesome-vulnerable-apps
github.com/vavkamil/awesome-vulnerable-apps
Awesome Vulnerable Applications
What's inside
Mobile Security
- Allsafe
Allsafe is an intentionally vulnerable application that contains various vulnerabilities.
- AndroGoat
AndroGoat is a purposely developed open source vulnerable/insecure app written in Kotlin.
- Android Security Testing
hpAndro1337 Application made in Kotlin with multiple vulnerabilities and a CTF.
- Damn Vulnerable Bank
Damn Vulnerable Bank is designed to be an intentionally vulnerable Android application.
- DIVA Android
Damn Insecure and vulnerable App for Android.
- InjuredAndroid
A vulnerable Android application that shows simple examples of vulnerabilities in a CTF style.
Cloud Security
- AWSGoat
A Damn Vulnerable AWS Infrastructure
- AzureGoat
A Damn Vulnerable Azure Infrastructure
- caponeme - Capital One Breach
Repository demonstrating the Capital One breach on your AWS account
- CdkGoat - Vulnerable AWS CDK Infra
CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository.
- Cfngoat - Vulnerable Cloudformation Template
Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository.
- CloudGoat
CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
OWASP Top 10
- bWAPP
This is just an instance of the OWASP bWAPP project as a docker container.
- clicker-service - simulate XSS (XSS Injection)
Docker container that takes in a POST and then "clicks" the link. Intentionally vulnerable. To be used with vulnerable-by-design web apps to realistically simulate XSS and XSRF (CSRF).
- CORS misconfiguration vulnerable Lab (CORS Misconfiguration)
This repository contains vulnerable code related to CORS misconfiguration.
- CORS-vulnerable-Lab (CORS Misconfiguration)
Sample vulnerable code and its exploit code
- crApi
completely ridiculous API: crAPI will help you to understand the ten most critical API security risks. crAPI is vulnerable by design, but you'll be able to safely run it to educate/train yourself.
- docker-java-xxe (XXE Injection)
Docker image to test XXE attacks in Java with Tomcat.
Uncategorized
- CI/CD Goat
Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, catch the flags.
- Damn-Vulnerable-GraphQL-Application
Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
- Damn Vulnerable RESTaurant
Intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
- Damn Vulnerable Thick Client
Damn Vulnerable Thick Client App developed in C# .NET
- dvws - Damn Vulnerable Web Services
Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.
- Fuzzgoat
A vulnerable C program for testing fuzzers.
Online
- CTFtime
- Duck Store
- DVAIB
Damn Vulnerable AI Bank
- Gin & Juice Shop
- Hacker101 CTF
- Hack The Box
Technologies
- DVID (Firmware)
Damn Vulnerable IoT Device
- DVNA (Node.js)
Damn Vulnerable NodeJS Application
- DVRF (Firmware)
The Damn Vulnerable Router Firmware Project
- DVWP (WordPress)
Damn Vulnerable WordPress
- dvws-node (Node.js)
Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.
- exploit-workshop (Node.js)
A step by step workshop to exploit various vulnerabilities in Node.js and Java applications
Vulnerable VMs
- Exploit Exercises
- Hackmyvm.eu
- Metasploitable3
Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.
Paid
Showing a sample of 95 resources. View the full list on GitHub.