Update: 08/08/2010: Created a tabulated output of the listing. Platforms for most applications added. More applications added to the list thanks to comments.
Just a quick post. Someone on the 'NULL' mailing list asked for WebGoat alternatives for learning web application penetration testing. The response was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentesting. I have collected all the vulnerable web applications mentioned and listed them below for reference:
If you know of any other vulnerable web applications (which can be used as a platform for learning web-app pentesting), drop a line in the comments. Let me know if any of the links appear dead.
You forgot about http://enigmagroup.org; they have over 160 vulnerable web applications on their site for learning. They also have help forums, a mentor system, and IRC for live help with the missions.
Here is the site setup for Casaba Watcher — http://www.nottrusted.com/watcher/
Oh and Casaba x5s — http://www.nottrusted.com/x5s/
Web Application Exploits and Defenses – tutorial aimed at general developers
http://jarlsberg.appspot.com
Very awesome post! Honest..
Here is one that is done by Microsoft. The funny thing is that it wasn't meant to be used for security testing.
http://trade-spf.gdsdemo.com/
http://msdn.microsoft.com/en-us/netframework/bb499684.aspx
The Web Security Dojo project (http://dojo.mavensecurity.com) is preloaded with several web app targets (and tools) for an easy no-install environment to get you started with learning web app security testing. Targets installed on localhost include Damn Vulnerable Web App (DVWA), Gruyere, Hacme Casino, OWASP InsecureWebApp, OWASP WebGoat, and w3af’s Test Environment. Plus there are tools like an exclusive speed-enhanced Burp Suite Free (permission from the author), sqlmap, w3af, etc.
Great read hopefully they can fix these vulnerabilities soon.
Actually, these are deliberately vulnerable applications. They are used to teach security issues related to web applications. So the developers won’t be fixing the issues 🙂
The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. On the left menu you can see all attack scenarios that are currently available. You can start by picking one!
The URL for the Hackademic challenges is: http://www.hackademic.eu
This is a customized version of the OWASP Hackademic Challenges only for OWASP Appsec Europe 2011
The competition starts on 21st April and will run for 4 weeks until 15th May.
Each week a series of challenges are going to be released according to the schedule below:
Week 1 (21st April)
Week 2 (28th April)
Week 3 (5th May)
Week 4 (12th May)
http://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project
you forgot Sony on this list.
Haha,
Yes, it should be pretty high on the list here.
Good compilation, thanks!
Glad you like it.
Interesting list, thank you.
Top 10 vulnerable applications on your network
http://rocketviews.com/watch?416aO901fuUagic
if you are looking for a nice starting place OWASP Broken Web Apps VM has a bunch of these all in one distro — https://code.google.com/p/owaspbwa/wiki/ProjectSummary
Fantastic list of resources. The Acunetix links seem to be broken.
http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/
OWASP Security Shepherd
The “Damn Vulnerable Web App” is my favourite 🙂
OWASP Bricks is also a nice one –
http://sechow.com/bricks
https://www.owasp.org/index.php/OWASP_Bricks
If this list is still maintained feel free to add “Juice Shop”:
Homepage: http://bkimminich.github.io/juice-shop
Sources: https://github.com/bkimminich/juice-shop
It’s written entirely in JavaScript using Angular, Node and Express. As far as I know it is the first vulnerable Single Page Application with a RESTful backend using full-stack JavaScript.
Thanks! Will add the same.
Does anyone know of a vulnerable test app/VM that uses SQL Server, and is not obsolete, like those with .NET 1.0 dependencies?
Web Security Dojo (https://dojo.mavensecurity.com) is a single VM that has several vulnerable web apps that use MySQL (such as DVWA, OWASP InsecureWebApp, Hacme Casino, etc.). Everything is pre-configured and ready to go. It includes common web app pen testing tools, like sqlmap. Sorry, no MS SQL targets however.