Vulnerable Web Applications for learning

Update: 08/08/2010: Created a tabled output of the listing. Platforms for most applications added. More applications added to list thanks to comments.

Just a quick post. Someone on the ‘NULL’ mailing asked for WebGoat alternatives to learning Web Application penetration testing. The reponse was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected  all vulnerable web applications and listed them below for reference:

S.No. Vulnerable Application Platform
1 SPI Dynamics (live) ASP
2 Cenzic (live) PHP
3 Watchfire (live) ASPX
4 Acunetix 1 (live) PHP
5 Acunetix 2 (live) ASP
6 Acunetix 3 (live) ASP.Net
7 PCTechtips Challenge (live)
8 Damn Vulnerable Web Application PHP/MySQL
9 Mutillidae PHP
10 The Butterfly Security Project PHP
11 Hacme Casino Ruby on Rails
12 Hacme Bank 2.0 ASP.NET (2.0)
13 Updated HackmeBank ASP.NET (2.0)
14 Hacme Books J2EE
15 Hacme Travel C++ (application client-server)
16 Hacme Shipping ColdFusion MX 7, MySQL
18 OWASP Vicnum PHP, Perl
19 OWASP InsecureWebApp JAVA
20 OWASP SiteGenerator ASP.NET
21 Moth
22 Stanford SecuriBench JAVA
23 SecuriBench Micro JAVA
24 BadStore Perl(CGI)
25 WebMaven/Buggy Bank (very old)
26 EnigmaGroup (live)
27 XSS Encoding Skills – x5s (Casaba Watcher)
28 Google – Gruyere (live) (previously Jarlsberg)
29 Exploit- DB Multi-platform
30 The Bodgeit Store JSP
31 LampSecurity PHP
32 hackxor Perl(CGI)
33 OWASP – Hackademic PHP
34 PHP

If you know of any other vulnerable web applications (which can be used as a platform for learning web-app pentest), drop a line in the comments.Let me know if any of the links appear dead.


43 thoughts on “Vulnerable Web Applications for learning

  1. Pingback: uberVU - social comments
  2. Pingback: Googles nya “Twitter” är jättebuggigt… « Tom Aafloen bloggar om IT
  3. Pingback: Aplicaciones Web vulnerables, para aprender | Laboratorio de Seguridad
  4. The Web Security Dojo project ( is preloaded with several web app targets (and tools) for an easy no-install environment to get you started with learning web app security testing. Targets installed on localhost include Damn Vulnerable Web App (DVWA), Gruyere, Hacme Casino, OWASP InsecureWebApp, OWASP WebGoat, and w3af’s Test Environment. Plus there are tools like an exclusive speed-enhanced Burp Suite Free (permission from the author), sqlmap, w3af, etc.

    • Actually, these are deliberately vulnerable applications. They are used to teach security issues related to web applications. So the developers won’t be fixing the issues 🙂

  5. The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controlable and safe environment. On the left menu you can see all attack scenarios that are currently available. You can start by picking one!

    The URL for the Hackademic challenges is:

    This is a customized version of the OWASP Hackademic Challenges only for OWASP Appsec Europe 2011

    The competition starts on 21st April and will run for 4 weeks until 15th May.

    Each week a series of challenges are going to be released according to the schedule below:

    Week 1 (21st April)
    Week 2 (28th April)
    Week 3 (5th May)
    Week 4 (12th May)

  6. Pingback: 自己动手搭建缺陷Web App « 猪在笑
  7. Pingback: PenTesting Web Apps » Kirwin Computing
  8. Pingback: NightLion | Prep for the CEH v7 exam: Tune your Web Hacking Skills with these Live Hackable Simulation Environments
  9. Pingback: Net Secure » Frameworks para estudiar Pentesting
  10. Pingback: Re: [WEB SECURITY] vulnerable web application needed for testing | Net Cleaner
  11. Pingback: Nessus: Web Application Scanning | securitytoolkit
  12. Pingback: Vulnerable Web Applications for learning | msg1len Official Website
  13. Pingback: Examples « Selective Hardening
  14. Pingback: SQL-Injection Test Targets / Websites ~ Mattias Geniar
  15. Pingback: Hacking Lab - Trung Tâm Đào Tạo - Vietnam.1
  16. Pingback: List of fake web sites for testing – Security Blog
  17. Pingback: Reference pentesting – SK.SEO(서신강)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s