# Deliberately Vulnerable Web Applications

> Search results for `deliberately vulnerable apps to practice hacking` on awesome-repositories.com. 117 total matches; showing the first 50.

Explore on the web: https://awesome-repositories.com/q/deliberately-vulnerable-apps-to-practice-hacking

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [this search on awesome-repositories.com](https://awesome-repositories.com/q/deliberately-vulnerable-apps-to-practice-hacking).**

## Results

- [hack-with-github/awesome-hacking](https://awesome-repositories.com/repository/hack-with-github-awesome-hacking.md) (114,503 ⭐) — This project is a community-maintained, open-source knowledge base that serves as a structured index for cybersecurity resources. It provides a centralized directory of tools, frameworks, and documentation designed to assist security researchers, penetration testers, and developers in hardening digital infrastructure and navigating the security tooling ecosystem.

The repository distinguishes itself through a collaborative curation model that relies on distributed user contributions to maintain an accurate and up-to-date registry of technical assets. By organizing information into structured m
- [jaykali/maskphish](https://awesome-repositories.com/repository/jaykali-maskphish.md) (3,020 ⭐) — Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments.

The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific exe
- [ankit0183/wifi-hacking](https://awesome-repositories.com/repository/ankit0183-wifi-hacking.md) (2,561 ⭐) — This project is a wireless network security toolkit designed for monitoring wireless traffic and exploiting vulnerabilities in network authentication protocols. It provides a suite of tools for scanning networks, capturing authentication handshakes, and testing the security of wireless access points.

The toolkit includes a password wordlist generator to create custom lists for offline key recovery and a handshake cracker to recover encrypted keys using brute-force methods. It also features a vulnerability scanner specifically for testing the security of the Wireless Protected Setup pin system
- [carpedm20/awesome-hacking](https://awesome-repositories.com/repository/carpedm20-awesome-hacking.md) (15,722 ⭐) — This project is a comprehensive, community-curated directory of cybersecurity resources, tools, and educational materials. It functions as a centralized index for researchers and students to discover frameworks and utilities across the entire security lifecycle, ranging from initial vulnerability assessment to post-exploitation analysis.

The repository distinguishes itself through a hierarchical taxonomy that organizes diverse security disciplines into a searchable, version-controlled knowledge base. Rather than hosting software directly, it utilizes a decentralized aggregation model that lin
- [christophetd/log4shell-vulnerable-app](https://awesome-repositories.com/repository/christophetd-log4shell-vulnerable-app.md) (1,142 ⭐) — Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228).
- [silentsignal/damn-vulnerable-stateful-web-app](https://awesome-repositories.com/repository/silentsignal-damn-vulnerable-stateful-web-app.md) (14 ⭐) — Short and simple vulnerable PHP web application that naïve scanners found to be perfectly safe
- [digininja/dvwa](https://awesome-repositories.com/repository/digininja-dvwa.md) (13,229 ⭐) — DVWA is a vulnerable web application lab and penetration testing sandbox designed to simulate common security flaws. It serves as a training platform for the OWASP Top 10 security risks and functions as a PHP and MySQL security lab for practicing the identification and exploitation of web vulnerabilities.

The project provides a graduated learning experience through configurable security levels that adjust the difficulty of the vulnerabilities. It also supports switching between different database engines to research how various storage systems respond to injection attacks.

The application is
- [trimstray/the-book-of-secret-knowledge](https://awesome-repositories.com/repository/trimstray-the-book-of-secret-knowledge.md) (228,641 ⭐) — This project serves as a centralized, community-driven repository of technical knowledge and administrative resources. It provides a structured taxonomy that aggregates disparate information into a searchable framework, supporting continuous learning and rapid problem-solving for system administrators and cybersecurity practitioners. By mapping resources across offensive security, infrastructure management, and software development, it offers a unified path for skill acquisition and professional reference.

The project is defined by a command-line-first design philosophy, prioritizing terminal
- [googlechrome/lighthouse](https://awesome-repositories.com/repository/googlechrome-lighthouse.md) (30,355 ⭐) — Lighthouse is an automated diagnostic tool that evaluates web pages against industry standards for performance, accessibility, and search engine optimization. It functions as a programmatic analysis engine and a command-line utility, allowing developers to integrate comprehensive web quality checks directly into continuous integration pipelines and local development workflows.

The project distinguishes itself through a modular architecture that utilizes artifact-based data collection to ensure consistent analysis across different environments. It supports a headless execution mode for automat
- [cr0hn/vulnerable-node](https://awesome-repositories.com/repository/cr0hn-vulnerable-node.md) (487 ⭐) — A very vulnerable web site written in NodeJS with the purpose of having a project with identified vulnerabilities to test the quality of security analyzer tools
- [hadarmanor/public-vulnerabilities](https://awesome-repositories.com/repository/hadarmanor-public-vulnerabilities.md) (14 ⭐) — All my public vulnerabilities.
- [appwrite/appwrite](https://awesome-repositories.com/repository/appwrite-appwrite.md) (56,318 ⭐) — Appwrite is a backend-as-a-service platform that provides a unified development environment for building full-stack applications. It integrates essential infrastructure components—including authentication, databases, storage, and serverless functions—into a single, centralized interface to simplify application development and resource management.

The platform distinguishes itself through a container-based microservices architecture that ensures consistent execution across diverse infrastructure. It features a versatile connectivity layer that links frontend applications with third-party servi
- [ethicalhack3r/dvwa](https://awesome-repositories.com/repository/ethicalhack3r-dvwa.md) (13,236 ⭐) — DVWA is a vulnerable web application sandbox and PHP security training environment. It serves as a deployable penetration testing target and an OWASP Top 10 lab designed for practicing exploits and simulating common web security vulnerabilities.

The application allows users to adjust security difficulty levels to match their skill level and toggle between different SQL database engines to test how various systems handle injection attacks. It includes a mechanism to disable authentication, enabling automated security tools to interact directly with the environment.

The project provides capabi
- [chaitin/xray](https://awesome-repositories.com/repository/chaitin-xray.md) (11,612 ⭐) — Xray is a security assessment tool focused on web vulnerability scanning, attack surface mapping, and technology fingerprinting. It identifies common security flaws through automated scanning and semantic analysis, while verifying findings via a custom proof-of-concept execution engine.

The system distinguishes itself with a containerized vulnerability testbed used to deploy pre-configured vulnerable applications. This environment allows for the simulation of specific vulnerabilities and edge-case scenarios to validate scanner accuracy and eliminate false positives.

The platform covers a bro
- [bishopfox/iam-vulnerable](https://awesome-repositories.com/repository/bishopfox-iam-vulnerable.md) (574 ⭐) — Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
- [aquasecurity/trivy](https://awesome-repositories.com/repository/aquasecurity-trivy.md) (36,462 ⭐) — Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain.

The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations agai
- [curl/curl](https://awesome-repositories.com/repository/curl-curl.md) (42,214 ⭐) — Curl is a command-line tool and portable library for transferring data across a wide range of network protocols. It functions as a unified engine that abstracts diverse communication standards, allowing users and developers to move files and information between servers using a consistent interface. The project provides both a versatile command-line client for terminal-based automation and a stable programmatic interface for integrating complex network operations into applications.

The system is distinguished by its protocol-agnostic core and its ability to manage both synchronous and asynchro
- [vulnerscom/nmap-vulners](https://awesome-repositories.com/repository/vulnerscom-nmap-vulners.md) (3,381 ⭐) — NSE script based on Vulners.com API
- [qazbnm456/awesome-web-security](https://awesome-repositories.com/repository/qazbnm456-awesome-web-security.md) (13,097 ⭐) — This project serves as a comprehensive cybersecurity training platform and resource repository focused on web application security. It functions as a centralized hub for security practitioners, providing both a curated collection of technical documentation and research, and a system for deploying isolated, containerized environments to practice security analysis and exploitation techniques.

The platform distinguishes itself by integrating automated data aggregation with hands-on, container-based orchestration. It maintains a current knowledge base of industry research and digital threats whil
- [jekil/awesome-hacking](https://awesome-repositories.com/repository/jekil-awesome-hacking.md) (3,746 ⭐) — This project is a curated, version-controlled directory of software and resources designed for cybersecurity professionals and researchers. It functions as a centralized knowledge base that aggregates and organizes external security utilities into a structured taxonomy to facilitate discovery and access for specialized research and testing tasks.

The repository distinguishes itself through a community-driven model where external resource locations are verified and maintained by contributors. By leveraging a distributed version control system, the project ensures the historical integrity and c
- [wazehell/vulnerable-ad](https://awesome-repositories.com/repository/wazehell-vulnerable-ad.md) (2,307 ⭐) — Create a vulnerable Active Directory that allows you to test most of the Active Directory attacks in a local lab
- [webgoat/webgoat](https://awesome-repositories.com/repository/webgoat-webgoat.md) (9,160 ⭐) — WebGoat is a deliberately insecure web application designed as an interactive security lab for learning how to identify and exploit common web vulnerabilities. It serves as a containerized sandbox that allows for the simulation and experimentation of web-based attacks and penetration testing techniques without risking production systems.

The project functions as a learning lab that maps specific insecure coding patterns to structured lessons. It implements simulated server-side flaws to provide a hands-on environment for studying common security vulnerabilities and defensive coding practices.
- [bookstackapp/bookstack](https://awesome-repositories.com/repository/bookstackapp-bookstack.md) (18,305 ⭐) — BookStack is a self-hosted knowledge base platform designed for organizing, storing, and managing structured documentation. It utilizes a hierarchical content model that arranges information into nested trees of books, chapters, and pages, supported by a dedicated search index for rapid retrieval across the entire knowledge base.

The platform distinguishes itself through deep integration with enterprise identity providers, allowing organizations to centralize authentication and access control via LDAP, SAML, or OIDC. It provides extensive administrative control over the content lifecycle, inc
- [anil-yelken/vulnerable-flask-app](https://awesome-repositories.com/repository/anil-yelken-vulnerable-flask-app.md) (0 ⭐)
- [juice-shop/juice-shop](https://awesome-repositories.com/repository/juice-shop-juice-shop.md) (12,530 ⭐) — Juice Shop is a self-contained web application designed as a platform for cybersecurity education and security training. It functions as a controlled environment containing intentional security flaws, allowing users to practice offensive security techniques and defensive coding practices while tracking their progress through a live scoreboard.

The platform serves as an industry-standard benchmark for evaluating the effectiveness and detection accuracy of automated security scanning tools. By hosting a standardized set of known vulnerabilities and common attack patterns, it provides a reliable
- [hahwul/jwt-hack](https://awesome-repositories.com/repository/hahwul-jwt-hack.md) (998 ⭐) — JSON Web Token Hack Toolkit
- [orange-cyberdefense/goad](https://awesome-repositories.com/repository/orange-cyberdefense-goad.md) (7,464 ⭐) — GOAD is an Ansible-based automation tool and infrastructure orchestrator used to deploy pre-configured networks of vulnerable Windows virtual machines. It serves as a security training environment for practicing Active Directory penetration testing, privilege escalation, and lateral movement across various cloud platforms and local virtualization hypervisors.

The project distinguishes itself through a multi-provider infrastructure model and a system of infrastructure recipes that simulate intentional security misconfigurations. It supports the deployment of varied attack scenarios, including
- [infobyte/faraday](https://awesome-repositories.com/repository/infobyte-faraday.md) (6,523 ⭐) — Faraday is a vulnerability management platform and security tool aggregator designed to centralize security findings from multiple scanners into a single dashboard. It utilizes a relational security database to catalog hosts, services, and security flaws, enabling users to track remediation and analyze organizational risk.

The platform distinguishes itself through a plugin-based system that normalizes diverse security tool outputs into a unified data model. It supports deep integration with a wide array of scanners and CLI tools, intercepting shell command output or parsing report files to ag
- [expo/expo](https://awesome-repositories.com/repository/expo-expo.md) (50,111 ⭐) — Expo is a universal mobile framework designed to build native iOS and Android applications from a single codebase using web-standard technologies. It provides a comprehensive development environment that includes a unified runtime for testing, cloud-based infrastructure for compiling and signing native binaries, and automated tools for managing the entire mobile release lifecycle, including app store submission.

The framework distinguishes itself through a plugin-based native configuration engine that programmatically modifies project files, allowing developers to integrate native modules wit
- [vulnerscom/burp-vulners-scanner](https://awesome-repositories.com/repository/vulnerscom-burp-vulners-scanner.md) (897 ⭐) — Vulnerability scanner based on vulners.com search API
- [shellphish/how2heap](https://awesome-repositories.com/repository/shellphish-how2heap.md) (8,444 ⭐) — how2heap is an educational resource and technical testbed for learning heap-based vulnerabilities and memory allocator internals. It provides a collection of source code examples and binaries that serve as a laboratory for studying memory corruption techniques specifically targeting the glibc malloc implementation.

The project focuses on the development of exploit primitives, such as tcache poisoning and double frees, to redirect program execution. It includes a suite of implementations for bypassing memory protections and manipulating heap metadata to achieve arbitrary memory writes.

The fr
- [mytechnotalent/embedded-hacking](https://awesome-repositories.com/repository/mytechnotalent-embedded-hacking.md) (203 ⭐) — A FREE comprehensive step-by-step embedded hacking course covering Embedded Software Development to Reverse Engineering.
- [apsdehal/awesome-ctf](https://awesome-repositories.com/repository/apsdehal-awesome-ctf.md) (11,614 ⭐) — This project is a comprehensive directory of software utilities, frameworks, and educational resources designed for cybersecurity competitions and offensive security research. It serves as a centralized index for tools used in cryptography, forensics, reverse engineering, and web exploitation, while providing structured materials for training and skill development.

The repository distinguishes itself through a community-driven maintenance model that aggregates and organizes technical resources into a searchable, hierarchical structure. It facilitates knowledge transfer by cataloging expert pr
- [kamranahmedse/developer-roadmap](https://awesome-repositories.com/repository/kamranahmedse-developer-roadmap.md) (357,434 ⭐) — Developer Roadmap is a community-driven platform that provides structured, graph-based learning paths for software engineering. It serves as a comprehensive knowledge repository where technical domains are organized into visual sequences to guide professional skill acquisition and career growth.

The project distinguishes itself through a collaborative ecosystem that enables users to contribute roadmaps, curate industry best practices, and maintain professional profiles. It integrates diagnostic assessment frameworks to evaluate technical proficiency, helping developers identify knowledge gaps
- [geekshiv/smart-contract-hacking](https://awesome-repositories.com/repository/geekshiv-smart-contract-hacking.md) (241 ⭐) — List of resources to learn smart contract hacking.
- [vulhub/vulhub](https://awesome-repositories.com/repository/vulhub-vulhub.md) (20,279 ⭐) — Vulhub is a collection of pre-configured, containerized applications designed to serve as a standardized platform for security research, vulnerability testing, and educational exploitation exercises. It functions as an orchestration framework that enables users to deploy isolated software environments for the purpose of practicing penetration testing and analyzing common security flaws in a controlled setting.

The project utilizes an infrastructure-as-code pattern to define complex, multi-service software stacks, ensuring that testing targets remain consistent and reproducible. By leveraging
- [chalarangelo/30-seconds-of-code](https://awesome-repositories.com/repository/chalarangelo-30-seconds-of-code.md) (128,121 ⭐) — 30-seconds-of-code is a comprehensive knowledge base and programming snippet library designed to support software engineering education and professional development. It provides a curated collection of reusable code units and technical guides that help developers master core language mechanics, design patterns, and architectural philosophies.

The project distinguishes itself by offering a wide-ranging library of algorithmic solutions and web development patterns that are organized into modular, independently testable units. It emphasizes functional programming paradigms and declarative logic,
- [rafaelgss/is-my-node-vulnerable](https://awesome-repositories.com/repository/rafaelgss-is-my-node-vulnerable.md) (328 ⭐) — package that checks if your Node.js installation is vulnerable to known security vulnerabilities
- [farhanashrafdev/90daysofcybersecurity](https://awesome-repositories.com/repository/farhanashrafdev-90daysofcybersecurity.md) (13,409 ⭐) — 90DaysOfCyberSecurity is an open-source educational repository that provides a structured ninety-day learning roadmap for individuals pursuing a career in the security industry. The project organizes foundational security concepts, technical skills, and professional development tasks into a sequential, day-by-day curriculum designed for self-paced study.

The repository functions as a community-driven knowledge base, leveraging version control to allow contributors to expand the curriculum with new tutorials, case studies, and study materials. It distinguishes itself by integrating a professio
- [fincept-corporation/finceptterminal](https://awesome-repositories.com/repository/fincept-corporation-finceptterminal.md) (26,900 ⭐) — FinceptTerminal is a quantitative finance platform and financial engineering library designed for asset valuation, risk management, and fixed-income analytics. It provides a comprehensive suite for algorithmic trading and investment strategy automation, integrating specialized language model agents and node-based workflows to automate market research and alpha generation.

The project distinguishes itself with a dedicated game theory analysis engine for calculating Nash equilibria and simulating strategic interactions in competitive markets. It also features a specialized credit risk modeling
- [hmaverickadams/beginner-network-pentesting](https://awesome-repositories.com/repository/hmaverickadams-beginner-network-pentesting.md) (6,205 ⭐) — This is a hands-on lab environment for learning network penetration testing techniques, centered on setting up and attacking a vulnerable Active Directory network. The project provides a structured framework for practicing the full attack chain, from initial reconnaissance and scanning through exploitation, privilege escalation, lateral movement, and credential theft, all within isolated virtual machine labs.

The lab environment is designed to simulate real-world attack scenarios, including the ability to compile and execute exploit code directly against targets without relying on Metasploit.
- [coder/code-server](https://awesome-repositories.com/repository/coder-code-server.md) (78,024 ⭐) — This project provides a remote development platform that enables users to access a full-featured integrated development environment through a standard web browser. By decoupling the user interface from the server-side filesystem, it allows for persistent coding workspaces to be hosted on remote servers, virtual machines, or cloud-native infrastructure, ensuring a consistent development experience from any device.

The platform distinguishes itself through a secure gateway architecture that manages traffic, authentication, and encryption at the edge. It utilizes persistent WebSocket connections
- [gallopsled/pwntools](https://awesome-repositories.com/repository/gallopsled-pwntools.md) (13,271 ⭐) — Pwntools is a Python-based framework designed for rapid prototyping and automation in binary exploitation, reverse engineering, and security research. It serves as a comprehensive toolkit for interacting with local and remote processes, providing the primitives necessary to manage complex exploit workflows and streamline security analysis tasks.

The framework distinguishes itself through its specialized capabilities for binary manipulation and automated exploit construction. It includes dedicated utilities for parsing executable file formats, assembling and disassembling machine code, and gen
- [isislab/hack-night](https://awesome-repositories.com/repository/isislab-hack-night.md) (1,273 ⭐) — Hack Night is an open weekly training session run by the OSIRIS lab.
- [carvesystems/vulnerable-graphql-api](https://awesome-repositories.com/repository/carvesystems-vulnerable-graphql-api.md) (62 ⭐) — A very vulnerable implementation of a GraphQL API.
- [swisskyrepo/payloadsallthethings](https://awesome-repositories.com/repository/swisskyrepo-payloadsallthethings.md) (78,434 ⭐) — This project is a comprehensive, community-sourced knowledge base designed for security professionals and researchers. It functions as a centralized repository of offensive security techniques, providing a structured collection of exploit payloads, attack vectors, and methodologies for conducting vulnerability assessments and penetration testing.

The repository distinguishes itself through a cross-platform payload taxonomy that categorizes exploitation methods by vulnerability type and target environment, enabling rapid lookup during security assessments. It maintains high standards of data i
- [honojs/hono](https://awesome-repositories.com/repository/honojs-hono.md) (30,994 ⭐) — Hono is a lightweight web framework built on Web Standard APIs that executes across JavaScript runtimes including Cloudflare Workers, Deno, Bun, and Node.js.
- [joe-shenouda/awesome-cyber-skills](https://awesome-repositories.com/repository/joe-shenouda-awesome-cyber-skills.md) (4,218 ⭐)
- [danielmiessler/seclists](https://awesome-repositories.com/repository/danielmiessler-seclists.md) (71,596 ⭐) — SecLists is a centralized library of security assessment data designed to support vulnerability discovery and penetration testing. It functions as a comprehensive repository of wordlists, payloads, and testing methodologies used to audit software, firmware, and internet-connected hardware for technical vulnerabilities.

The project distinguishes itself through a standardized taxonomy and a language-agnostic data format, which allows security tools to predictably ingest and utilize its assets regardless of the underlying programming environment. By decoupling raw testing data from execution log
- [vitalysim/awesome-hacking-resources](https://awesome-repositories.com/repository/vitalysim-awesome-hacking-resources.md) (17,128 ⭐) — A collection of hacking / penetration testing resources to make you better!
