
Vulnerable Web Apps for PenTesting

This is the list of intentionally vulnerable applications that need to be installed locally:

  • Badstore: Badstore is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. The demo software is distributed as an ISO image.
  • BodgeIT: The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
  • Butterfly: The ButterFly project is an educational environment intended to give an insight into common web application and PHP vulnerabilities. The environment also includes examples demonstrating how such vulnerabilities are mitigated.
  • DVWA: The Damn Vulnerable Web App is a PHP/MySQL deliberately vulnerable application. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid teachers/students to teach/learn web application security in a classroom environment.
  • A vulnerable web app designed as a learning platform to test various SQL injection techniques. This is a fully functional web site with a content management system.
  • Exploit-Db: Exploit-DB is not really a deliberately vulnerable application, but keeps an archive of vulnerable public domain web applications.
  • ExploitMe Mobile Android Labs: This is an open source project by SecurityCompass demonstrating Android mobile hacking. The labs will teach you about:
    • Parameter manipulation of mobile traffic
    • Encryption of traffic
    • Password lock screens
    • File system access permissions
    • Insecure storage of files
    • Insecure logging
  • ExploitMe Mobile iPhone Labs: This is an open source project by SecurityCompass demonstrating iPhone mobile hacking. The labs will teach you about:
    • Parameter manipulation of mobile traffic
    • Encryption of traffic
    • Password lock screens
    • File system access permissions
    • Insecure storage of files
    • Insecure logging
  • Hacme Bank: Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software.
  • Hacme Books: Foundstone Hacme Books is a learning platform for secure software development.
  • Hacme Casino: Foundstone Hacme Casino™ is a learning platform for secure software development.
  • Hacme Shipping: Hacme Shipping is a web-based shipping application developed to demonstrate common web application hacking techniques.
  • Hacme Travel: Hacme Travel is designed to teach how to create secure software.
  • Hackxor: Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism and difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, …
  • LampSecurity: LAMPSecurity is a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySql security.
  • Mutillidae: Mutillidae is a Deliberately Vulnerable Set Of PHP Scripts that implement the OWASP Top 10.
  • OWASP iGoat: The iGoat tool is a learning tool, primarily meant for iOS developers. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting them first. Then, once each weakness has been explored, the iGoat user must implement a remediation to protect against each weakness and validate that the remediation was successful. Hints and other background information are provided, right down to commented solutions in the source code, so that developers can use iGoat as a self-study learning tool to explore and understand iOS weaknesses and how to avoid them.
  • OWASP GoatDroid: This is the Android equivalent to the iGoat Project. This project will help educate Android developers on security issues they’ll encounter when writing applications.
  • OWASP InsecureWebApp: InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling. InsecureWebApp is primarily a teaching aid to challenge and improve secure design and coding skills.
  • OWASP Vicnum: Vicnum is a flexible web app showing vulnerabilities such as cross site scripting, SQL injections, and session management issues. Helpful to IT auditors honing web security skills and setting up 'capture the flag'.
  • OWASP WebGoat: Webgoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, students must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
  • Pandemobium: Pandemobium is a collection of open source intentionally-flawed mobile applications that are intended to be used by developers and security analysts to explore mobile application security topics.
  • Peruggia: Peruggia is designed as a safe, legal environment to learn about and try common attacks on web applications. Peruggia looks similar to an image gallery, but contains several controlled vulnerabilities to practice on.
  • PuzzleMall: Puzzlemall is a vulnerable web application designed for training purposes. It is prone to a variety of session puzzle exposures.
  • SQLoL: SQLol is a deliberately vulnerable PHP application. It allows you to exploit SQL injection flaws, but furthermore allows a large amount of control over the manifestation of the flaw.
  • WackoPicko: WackoPicko is a vulnerable web application written in PHP, used to test web application vulnerability scanners.
  • Webmaven: WebMaven (better known as Buggy Bank) was an interactive learning environment for web application security. It emulated various security flaws for the user to find. This enabled users to safely & legally practice web application vulnerability assessment techniques. In addition, users could benchmark their security audit tools to ensure they perform as advertised.


This is a list of collections of vulnerable applications:
  • Dojo: The Web Security Dojo project comes preloaded with several web app targets and tools for an easy no-install environment to get you started with learning web app security testing.
  • Moth: Moth is a VMware image with a set of vulnerable web applications and scripts that you may use for testing web application security scanners, testing static code analysis (SCA) tools, or giving an introductory course to web application security.
  • OWASP BWA: The OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a virtual machine.
  • Stanford Securibench: Stanford Securibench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. All the benchmarks are Java J2EE applications that can be run on a Web server.


This is a list of online applications that can be used for testing and learning. I did not include tool vendor websites, since it is not clear if these can be used by anyone (usually there is a statement that they can only be used for demonstrating the capabilities of the tool sold by that vendor):
  • Enigma Group: Enigma Group provides a series of challenges for people to test their pen-testing skills.
  • Google Gruyere: Google Gruyere shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:
    • How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
    • How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.
  • HACKME Game: This is a software security (web applications) learning game, intended to help raise awareness of and interest in the subject of software security, as well as to train developers.
  • OWASP HackAcademic: The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. This is both an online and downloadable project. A customized version for Appsec Europe is online at
  • p0wnlabs: Online versions of vulnerable applications and distributions.
  • Watcher Test Pages: Test pages for the Watcher tool, a Fiddler add-on which aims to assist penetration testers in passively finding Web-application vulnerabilities.
  • X5S Test Page: A small working example of how to use the x5s tool to detect encoding and transformation issues that can lead to XSS vulnerabilities.


Copyright Info.

Only for my personal reference. I do not own any of these materials here. Use it at your own risk!
