{"id":13542407,"url":"https://github.com/vavkamil/awesome-vulnerable-apps","last_synced_at":"2025-04-02T10:30:45.394Z","repository":{"id":38417359,"uuid":"210446743","full_name":"vavkamil/awesome-vulnerable-apps","owner":"vavkamil","description":"Awesome Vulnerable Applications","archived":false,"fork":false,"pushed_at":"2024-05-17T13:14:12.000Z","size":99,"stargazers_count":854,"open_issues_count":3,"forks_count":145,"subscribers_count":18,"default_branch":"master","last_synced_at":"2024-05-23T07:08:16.664Z","etag":null,"topics":["awesome","awesome-list","bug","bugbounty","hacking","penetration-testing","security","vulnerable","vulnerable-applications"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vavkamil.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"contributing.md","funding":null,"license":"LICENSE","code_of_conduct":"code-of-conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-09-23T20:30:57.000Z","updated_at":"2024-06-01T13:17:53.505Z","dependencies_parsed_at":"2024-03-28T15:15:01.223Z","dependency_job_id":"00404410-d32b-4734-9ae6-577b0ebc66ac","html_url":"https://github.com/vavkamil/awesome-vulnerable-apps","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vavkamil%2Fawesome-vulnerable-apps","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vavkamil%2Fawesome-vulnerable-apps/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vavkamil%2Fawesome-vulnerable-apps/releases","manifests_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vavkamil%2Fawesome-vulnerable-apps/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vavkamil","download_url":"https://codeload.github.com/vavkamil/awesome-vulnerable-apps/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246796783,"owners_count":20835446,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome","awesome-list","bug","bugbounty","hacking","penetration-testing","security","vulnerable","vulnerable-applications"],"created_at":"2024-08-01T10:01:06.513Z","updated_at":"2025-04-02T10:30:45.098Z","avatar_url":"https://github.com/vavkamil.png","language":null,"funding_links":[],"categories":["Miscellaneous","Others","Other Lists"],"sub_categories":["Uncategorized","TeX Lists"],"readme":"# Awesome Vulnerable Applications [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n\n\u003e A curated list of various vulnerable by design applications\n\n\n## Contents\n\n- [Online](#Online)\n- [Paid](#Paid)\n- [Vulnerable VMs](#Vulnerable-VMs)\n- [Cloud Security](#Cloud-Security)\n- [SSO - Single Sign On](#SSO-Single-Sign-On)\n- [Mobile Security](#Mobile-Security)\n- [OWASP Top 10](#OWASP-Top-10)\n    - [SQL Injection](#SQL-Injection)\n    - [XSS Injection](#XSS-Injection)\n    - [Server Side Request Forgery](#Server-Side-Request-Forgery)\n    - [CORS Misconfiguration](#CORS-Misconfiguration)\n    - [XXE Injection](#XXE-Injection)\n    - [Request Smuggling](#Request-Smuggling)\n- [Technologies](#Technologies)\n    - 
[WordPress](#WordPress)\n    - [Node.js](#Node.js)\n    - [Firmware](#Firmware)\n- [Uncategorized](#Uncategorized)\n\n---\n\n## Online\n\nOnline vulnerable apps and CTFs\n\n- [Hacker101 CTF](https://ctf.hacker101.com/)\n- [Web Security Academy](https://portswigger.net/web-security)\n- [Hack The Box](https://www.hackthebox.eu/)\n- [Try Hack Me](https://tryhackme.com/)\n- [CTFtime](https://ctftime.org/)\n- [PWNABLE.KR](http://pwnable.kr/)\n- [XSS game](https://xss-game.appspot.com)\n- [Gin \u0026 Juice Shop](https://ginandjuice.shop/)\n\n## Paid\n\nPaid training courses\n\n- [PentesterLab](https://pentesterlab.com/)\n\n## Vulnerable VMs\n\n- [Vulhub](https://github.com/vulhub/vulhub)\n- [Exploit Exercises](https://exploit-exercises.lains.space/)\n- [Metasploitable3](https://github.com/rapid7/metasploitable3) - Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.\n- [Hackmyvm.eu](https://hackmyvm.eu/)\n\n## Cloud Security\n\n- [Kubernetes Goat](https://github.com/madhuakula/kubernetes-goat) - Kubernetes Goat is \"Vulnerable by Design\" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.\n- [CloudGoat](https://github.com/RhinoSecurityLabs/cloudgoat) - CloudGoat is Rhino Security Labs' \"Vulnerable by Design\" AWS deployment tool\n- [CdkGoat - Vulnerable AWS CDK Infra](https://github.com/bridgecrewio/cdkgoat) - CdkGoat is Bridgecrew's \"Vulnerable by Design\" AWS CDK repository. 
\n- [Cfngoat - Vulnerable Cloudformation Template](https://github.com/bridgecrewio/cfngoat) - Cfngoat is Bridgecrew's \"Vulnerable by Design\" Cloudformation repository.\n- [TerraGoat - Vulnerable Terraform Infra](https://github.com/bridgecrewio/terragoat) - TerraGoat is Bridgecrew's \"Vulnerable by Design\" Terraform repository.\n- [caponeme - Capital One Breach](https://github.com/avishayil/caponeme) - Repository demonstrating the Capital One breach on your AWS account\n- [WrongSecrets](https://github.com/commjoen/wrongsecrets) - WrongSecrets is \"Vulnerable by Design\" to show how to not handle secrets in Docker, Kubernetes and in the cloud (AWS/GCP/Azure).\n- [AWSGoat](https://github.com/ine-labs/AWSGoat) - A Damn Vulnerable AWS Infrastructure\n- [AzureGoat](https://github.com/ine-labs/AzureGoat) - A Damn Vulnerable Azure Infrastructure\n- [IAM Vulnerable](https://github.com/BishopFox/iam-vulnerable) - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.\n- [Sadcloud](https://github.com/nccgroup/sadcloud) - A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure \n- [CNAPPgoat](https://github.com/ermetic-research/cnappgoat) - CNAPPgoat is a multi-cloud, vulnerable-by-design environment deployment tool. 
\n- [Unguard](https://github.com/dynatrace-oss/unguard) - An insecure cloud-native microservices demo application for Kubernetes\n\n## SSO - Single Sign On\n\n- [vulnerable-sso](https://github.com/dogangcr/vulnerable-sso) - vulnerable single sign on\n\n## Mobile Security\n\n- [Allsafe](https://github.com/t0thkr1s/allsafe) - Allsafe is an intentionally vulnerable application that contains various vulnerabilities.\n- [InsecureBankv2](https://github.com/dineshshetty/Android-InsecureBankv2) - Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities.\n- [Vulnerable Kext](https://github.com/ant4g0nist/Vulnerable-Kext) - A WIP \"Vulnerable by Design\" kext for iOS/macOS to play \u0026 learn *OS kernel exploitation.\n- [InjuredAndroid](https://github.com/B3nac/InjuredAndroid) - A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style. \n- [Damn Vulnerable Bank](https://github.com/rewanthtammana/Damn-Vulnerable-Bank) -  Damn Vulnerable Bank is designed to be an intentionally vulnerable android application.\n- [InsecureShop](https://github.com/optiv/InsecureShop) - An Intentionally designed Vulnerable Android Application built in Kotlin. 
\n- [AndroGoat](https://github.com/satishpatnayak/AndroGoat) - AndroGoat is purposely developed open source vulnerable/insecure app using Kotlin.\n- [DIVA Android](https://github.com/payatu/diva-android) - Damn Insecure and vulnerable App for Android.\n- [OVAA](https://github.com/oversecured/ovaa) - Oversecured Vulnerable Android App.\n- [Vuldroid](https://github.com/jaiswalakshansh/Vuldroid) - Android Application covering various static and dynamic vulnerabilities.\n- [Android Security Testing](https://github.com/RavikumarRamesh/hpAndro1337) - hpAndro1337 Application made in Kotlin with multiple vulnerabilities and a CTF.\n\n## OWASP Top 10\n\n- [Owasp Juice shop](https://github.com/bkimminich/juice-shop) - OWASP Juice Shop: Probably the most modern and sophisticated insecure web application\n- [DVWA](https://github.com/ethicalhack3r/DVWA) - Damn Vulnerable Web Application (DVWA)\n- [DSVW](https://github.com/stamparm/DSVW) - Damn Small Vulnerable Web\n- [bWAPP](https://github.com/raesene/bWAPP) - This is just an instance of the OWASP bWAPP project as a docker container.\n- [Xtreme Vulnerable Web Application](https://github.com/s4n7h0/xvwa) - XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.\n- [lazyweb](https://github.com/RamadhanAmizudin/lazyweb) - This web application is a demonstration of common server-side application flaws. 
Each of the vulnerabilities has its own difficulty rating.\n- [OWASP Mutillidae II](https://github.com/webpwnized/mutillidae) - OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts.\n- [Pentest_lab](https://github.com/oliverwiegers/pentest_lab) - Local penetration testing lab using docker-compose.\n- [VulnLab](https://github.com/Yavuzlar/VulnLab) - A vulnerable web application lab using Docker\n- [WebGoat](https://github.com/WebGoat/WebGoat) - WebGoat is a deliberately insecure application by OWASP for training purposes\n- [VAmPI](https://github.com/erev0s/VAmPI) - Vulnerable REST API with OWASP top 10 vulnerabilities for security testing \n\n### SQL Injection\n\n- [Yet Another Vulnerability Database](https://github.com/rtfpessoa/yavdb) - Yet Another Vulnerability Database\n\n### XSS Injection\n\n- [clicker-service - simulate XSS](https://gitlab.com/r00k/clicker-service) - Docker container that intakes post and then \"clicks\" the link. Intentionally vulnerable. 
To be used with vulnerable by design web apps to realistically simulate XSS and XSRF (CSRF).\n- [XSSworm.dev](https://github.com/vavkamil/XSSworm.dev) - Self-replication contest\n- [xssed](https://github.com/aj00200/xssed) - A set of XSS vulnerable PHP scripts for testing\n- [xssable](https://github.com/kiwicom/xssable) - A vulnerable blogging platform used to demonstrate XSS vulnerabilities.\n\n### Server Side Request Forgery\n\n- [SSRF_Vulnerable_Lab](https://github.com/incredibleindishell/SSRF_Vulnerable_Lab) - This lab contains sample code that is vulnerable to Server-Side Request Forgery attacks\n\n### CORS Misconfiguration\n\n- [CORS-vulnerable-Lab](https://github.com/incredibleindishell/CORS-vulnerable-Lab) - Sample vulnerable code and its exploit code\n- [CORS misconfiguration vulnerable Lab](https://github.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database) - This repository contains vulnerable code related to CORS misconfiguration.\n\n### XXE Injection\n\n- [XXE Lab](https://github.com/jbarone/xxelab) - A simple web app with an XXE vulnerability.\n- [docker-java-xxe](https://github.com/pimps/docker-java-xxe) - Docker image to test XXE attacks in Java with Tomcat.\n\n\n### Request Smuggling\n\n- [Varnish HTTP/2 Request Smuggling](https://github.com/detectify/Varnish-H2-Request-Smuggling) - This repository contains a docker-compose file to set up a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling.\n\n## Technologies\n\n### WordPress\n\n- [DVWP](https://github.com/vavkamil/dvwp) - Damn Vulnerable WordPress\n\n### Node.js\n\n- [exploit-workshop](https://github.com/snyk/exploit-workshop) - A step by step workshop to exploit various vulnerabilities in Node.js and Java applications\n- [DVNA](https://github.com/appsecco/dvna) - Damn Vulnerable NodeJS Application\n- [Extreme Vulnerable Node Application](https://github.com/vegabird/xvna) - Extreme Vulnerable Node Application\n- 
[dvws-node](https://github.com/snoopysecurity/dvws-node) - Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.\n\n### Firmware\n\n- [DVRF](https://github.com/praetorian-code/DVRF) - The Damn Vulnerable Router Firmware Project\n- [OWASP IoT Goat](https://github.com/OWASP/IoTGoat) - IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.\n- [DVID](https://github.com/Vulcainreo/DVID) -  Damn Vulnerable IoT Device\n\n## Uncategorized\n\n- [LogSnare](https://github.com/sea-erkin/log-snare) - A playground for testing, preventing, and logging IDOR vulnerabilities.\n- [GitHub Actions Goat](https://github.com/step-security/github-actions-goat) - Deliberately Vulnerable GitHub Actions CI/CD Environment\n- [dvws - Damn Vulnerable Web Services](https://github.com/snoopysecurity/dvws) - Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.\n- [Fuzzgoat](https://github.com/fuzzstati0n/fuzzgoat) - A vulnerable C program for testing fuzzers.\n- [wavsep](https://github.com/sectooladdict/wavsep) - The Web Application Vulnerability Scanner Evaluation Project\n- [leaky-repo](https://github.com/Plazmaz/leaky-repo) - Benchmarking repo for secrets scanning\n- [OWASP SKF labs](https://github.com/blabla1337/skf-labs) - Repo for all the OWASP-SKF Docker lab examples\n- [Vulnserver](https://github.com/stephenbradshaw/vulnserver) - Vulnerable server used for learning software exploitation\n- [Damn-Vulnerable-GraphQL-Application](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application) - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.\n- 
[Vulnerable-nginx](https://github.com/detectify/vulnerable-nginx) - An intentionally vulnerable NGINX setup \n- [Raspwn OS](https://github.com/alphacharlie/raspwn/) - The intentionally vulnerable image for the Raspberry Pi.\n- [python_security](https://github.com/gbleaney/python_security) - This repository collects lists of security-relevant Python APIs, along with examples of exploits using those APIs \n- [OWASP-VWAD](https://github.com/OWASP/OWASP-VWAD) - The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available. \n- [Vulhub](https://github.com/vulhub/vulhub) - Vulhub is an open-source collection of pre-built vulnerable docker environments. \n- [VulnDoge](https://github.com/burpOverflow/VulnDoge) - Web app for hunters \n- [CI/CD Goat](https://github.com/cider-security-research/cicd-goat) - Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, catch the flags.\n- [Damn Vulnerable Thick Client](https://github.com/srini0x00/dvta) - Damn Vulnerable Thick Client App developed in C# .NET \n- [Damn Vulnerable RESTaurant](https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game) - Intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.\n- [VulnerableLightApp](https://github.com/Aif4thah/VulnerableLightApp) - .NET vulnerable REST API\n\n## Contribute\n\nContributions welcome! 
Read the [contribution guidelines](contributing.md) first.\n\n## License\n\n[![CC0](https://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg)](https://creativecommons.org/publicdomain/zero/1.0)\n\nTo the extent possible under law, vavkamil has waived all copyright and\nrelated or neighboring rights to this work.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvavkamil%2Fawesome-vulnerable-apps","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvavkamil%2Fawesome-vulnerable-apps","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvavkamil%2Fawesome-vulnerable-apps/lists"}