Vulnerable Web Applications for learning

Update: 08/08/2010: Created a tabled output of the listing. Platforms for most applications added. More applications added to list thanks to comments.

Just a quick post. Someone on the ‘NULL’ mailing asked for WebGoat alternatives to learning Web Application penetration testing. The reponse was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected  all vulnerable web applications and listed them below for reference:

S.No. Vulnerable Application Platform
1 SPI Dynamics (live) ASP
2 Cenzic (live) PHP
3 Watchfire (live) ASPX
4 Acunetix 1 (live) PHP
5 Acunetix 2 (live) ASP
6 Acunetix 3 (live) ASP.Net
7 PCTechtips Challenge (live)
8 Damn Vulnerable Web Application PHP/MySQL
9 Mutillidae PHP
10 The Butterfly Security Project PHP
11 Hacme Casino Ruby on Rails
12 Hacme Bank 2.0 ASP.NET (2.0)
13 Updated HackmeBank ASP.NET (2.0)
14 Hacme Books J2EE
15 Hacme Travel C++ (application client-server)
16 Hacme Shipping ColdFusion MX 7, MySQL
18 OWASP Vicnum PHP, Perl
19 OWASP InsecureWebApp JAVA
20 OWASP SiteGenerator ASP.NET
21 Moth
22 Stanford SecuriBench JAVA
23 SecuriBench Micro JAVA
24 BadStore Perl(CGI)
25 WebMaven/Buggy Bank (very old)
26 EnigmaGroup (live)
27 XSS Encoding Skills – x5s (Casaba Watcher)
28 Google – Gruyere (live) (previously Jarlsberg)
29 Exploit- DB Multi-platform
30 The Bodgeit Store JSP
31 LampSecurity PHP
32 hackxor Perl(CGI)
33 OWASP – Hackademic PHP
34 PHP

If you know of any other vulnerable web applications (which can be used as a platform for learning web-app pentest), drop a line in the comments.Let me know if any of the links appear dead.

About these ads

34 responses to this post.

  1. Social comments and analytics for this post…

    This post was mentioned on Twitter by washalsec: new blogpost : Vuln Web Applications for learning


  2. You forgot about they have over 160 vulnerable web applications on their site for learning. They also have help forums, mentor system, and IRC for live help with the missions.


  3. Posted by Andre Gironda on April 11, 2010 at 9:29 am

    Here is the site setup for Casaba Watcher —


  4. Posted by Andre Gironda on April 11, 2010 at 9:31 am

    Oh and Casaba x5s —


  5. [...] osäkra webbsystem som man kan öva på, t.ex. OWASP WebGoat, Foundstones HackMe-serie etc. Här finns en ganska färsk lista på 24 stycken för den som har för mycket tid [...]


  6. Posted by Bruce Leban on May 11, 2010 at 11:15 am

    Web Application Exploits and Defenses – tutorial aimed at general developers


  7. Very awesome post! Honest..


  8. Here is one that is done by Microsoft. The funny thing is that it wasnt meant to be used for security testing


  9. The Web Security Dojo project ( is preloaded with several web app targets (and tools) for an easy no-install environment to get you started with learning web app security testing. Targets installed on localhost include Damn Vulnerable Web App (DVWA), Gruyere, Hacme Casino, OWASP InsecureWebApp, OWASP WebGoat, and w3af’s Test Environment. Plus there are tools like an exclusive speed-enhanced Burp Suite Free (permission from the author), sqlmap, w3af, etc.


  10. Great read hopefully they can fix these vulnerabilities soon.


    • Posted by Wasim Halani on March 22, 2011 at 11:19 am

      Actually, these are deliberately vulnerable applications. They are used to teach security issues related to web applications. So the developers won’t be fixing the issues :)


  11. The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controlable and safe environment. On the left menu you can see all attack scenarios that are currently available. You can start by picking one!

    The URL for the Hackademic challenges is:

    This is a customized version of the OWASP Hackademic Challenges only for OWASP Appsec Europe 2011

    The competition starts on 21st April and will run for 4 weeks until 15th May.

    Each week a series of challenges are going to be released according to the schedule below:

    Week 1 (21st April)
    Week 2 (28th April)
    Week 3 (5th May)
    Week 4 (12th May)


  12. Posted by a on May 1, 2011 at 11:29 pm

    you forgot Sony on this list.


  13. [...] Google的第一条搜索结果总会给我们带来惊喜,这次搜索也不例外,本文也就是对这篇文章作了一些简单的加工和整理。 [...]


  14. Good compilation, thanks!


  15. [...] One of the projects I will be working on this summer is developing a “Break In Lab” for students to test their hacking skills. As such finding well supported platforms to perform pen-tests on is a must. Here is a list compiled by [...]


  16. Great read hopefully they can fix these vulnerabilities soon


  17. [...] Como de este tipo (los webs) hay muchos, aquí hay una buena lista. [...]


  18. intersting list , thank you


  19. Posted by Invar on March 3, 2012 at 3:10 am

    Top 10 vulnerable applications on your network


  20. Posted by Quarp on March 26, 2012 at 10:54 pm

    if you are looking for a nice starting place OWASP Broken Web Apps VM has a bunch of these all in one distro —


  21. [...] how.  This page has a list of vulnerable web applications that can be used for learning purposes  Also, check out the Maven Security Dojo  The [...]


  22. Posted by Steve Steiner on May 1, 2012 at 11:27 pm

    Fantastic list of resources. The Accunetix links seem to be broken.


  23. [...] Original Post Share this:TwitterFacebookLike this:LikeBe the first to like this. This entry was posted in Archive. Bookmark the permalink. [...]


  24. Posted by Shepherd on October 10, 2012 at 5:09 am

    OWASP Security Shepherd


  25. The “Damn Vulnerable Web App” is my favourite :)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 299 other followers

%d bloggers like this: