Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

awesome-vulnerable-apps

Awesome Vulnerable Applications
https://github.com/vavkamil/awesome-vulnerable-apps

LogSnare - A playground for testing, preventing, and logging IDOR vulnerabilities.
GitHub Actions Goat - Deliberately Vulnerable GitHub Actions CI/CD Environment
dvws - Damn Vulnerable Web Services - Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.
Fuzzgoat - A vulnerable C program for testing fuzzers.
wavsep - The Web Application Vulnerability Scanner Evaluation Project
leaky-repo - Benchmarking repo for secrets scanning
OWASP SKF labs - Repo for all the OWASP-SKF Docker lab examples
Vulnserver - Vulnerable server used for learning software exploitation
Damn-Vulnerable-GraphQL-Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
Vulnerable-nginx - An intentionally vulnerable NGINX setup
Raspwn OS - The intentionally vulnerable image for the Raspberry Pi.
python_security - This repository collects lists of security-relavent Python APIs, along with examples of exploits using those APIs
OWASP-VWAD - The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
Vulhub
VulnDoge - Web app for hunters
CI/CD Goat - Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, catch the flags.
Damn Vulnerable Thick Client - Damn Vulnerable Thick Client App developed in C# .NET
Damn Vulnerable RESTaurant - Intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
VulnerableLightApp - .NET vulnerable REST API
Hacker101 CTF
Web Security Academy
Hack The Box
Try Hack Me
CTFtime
PWNABLE.KR
XSS game
Gin & Juice Shop
PentesterLab
Vulhub
Exploit Exercises
Metasploitable3 - Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.
Hackmyvm.eu
Kubernetes Goat - Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
CloudGoat - CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
CdkGoat - Vulnerable AWS CDK Infra - CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository.
Cfngoat - Vulnerable Cloudformation Template - Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository.
TerraGoat - Vulnerable Terraform Infra - TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
caponeme - Capital One Breach - Repository demonstrating the Capital One breach on your AWS account
WrongSecrets - WrongSecrets is "Vulnerable by Design" to show how to not handle secrets in Docker, Kubernetes and in the cloud (AWS/GCP/Azure).
AWSGoat - A Damn Vulnerable AWS Infrastructure
AzureGoat - A Damn Vulnerable Azure Infrastructure
IAM Vulnerable - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
Sadcloud - A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
CNAPPgoat - CNAPPgoat is a multi-cloud, vulnerable-by-design environment deployment tool.
vulnerable-sso - vulnerable single sign on
Allsafe - Allsafe is an intentionally vulnerable application that contains various vulnerabilities.
InsecureBankv2 - Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities.
Vulnerable Kext - A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation.
InjuredAndroid - A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.
Damn Vulnerable Bank - Damn Vulnerable Bank is designed to be an intentionally vulnerable android application.
InsecureShop - An Intentionally designed Vulnerable Android Application built in Kotlin.
AndroGoat - AndroGoat is purposely developed open source vulnerable/insecure app using Kotlin.
DIVA Android - Damn Insecure and vulnerable App for Android.
OVAA - Oversecured Vulnerable Android App.
Vuldroid - Android Application covering various static and dynamic vulnerabilities.
Android Security Testing - hpAndro1337 Application made in Kotlin with multiple vulnerabilities and a CTF.
Owasp Juice shop - OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
DVWA - Damn Vulnerable Web Application (DVWA)
DSVW - Damn Small Vulnerable Web
bWAPP - This is just an instance of the OWASP bWAPP project as a docker container.
Xtreme Vulnerable Web Application - XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.
lazyweb - This web application is a demonstration of common server-side application flaws. Each of the vulnerabilities has its own difficulty rating.
OWASP Mutillidae II - OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
Pentest_lab - Local penetration testing lab using docker-compose.
VulnLab - A vulnerable web application lab using Docker
WebGoat - WebGoat is a deliberately insecure application by OWASP for training purpose
VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for security testing
Yet Another Vulnerability Database - Yet Another Vulnerability Database
clicker-service - simulate XSS - Docker container that intakes post and then "clicks" the link. Intentionally vulnerable. To be used with vulnerable by design web apps to realistically simulate XSS and XSRF (CSRF).
XSSworm.dev - Self-replication contest
xssed - A set of XSS vulnerable PHP scripts for testing
xssable - A vulnerable blogging platform used to demonstrate XSS vulnerabilities.
SSRF_Vulnerable_Lab - This Lab contain the sample codes which are vulnerable to Server-Side Request Forgery attack
CORS-vulnerable-Lab - Sample vulnerable code and its exploit code
CORS misconfiguration vulnerable Lab - This Repository contains CORS misconfiguration related vulnerable codes.
XXE Lab - A simple web app with a XXE vulnerability.
docker-java-xxe - Docker image to test XXE attacks in java with tomcat.
Varnish HTTP/2 Request Smuggling - This repository a docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling.
DVWP - Damn Vulnerable WordPress
exploit-workshop - A step by step workshop to exploit various vulnerabilities in Node.js and Java applications
DVNA - Damn Vulnerable NodeJS Application
Extreme Vulnerable Node Application - Extreme Vulnerable Node Application
dvws-node - Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.
DVRF - The Damn Vulnerable Router Firmware Project
OWASP IoT Goat - IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.
DVID - Damn Vulnerable IoT Device
![CC0

Programming Languages

PHP 13 Python 11 Java 8 C 5 HTML 4 JavaScript 4 CSS 3 HCL 3 VCL 2 Dockerfile 2

Keywords

security 10 hacking 6 devsecops 6 owasp 6 appsec 5 vulnerabilities 5 vulnerable 5 pentesting 4 owasp-top-10 4 vulnerable-application 4 android-security 4 application-security 4 ctf 3 android 3 vulnerable-web-app 3 vulnerability 3 penetration-testing 3 aws-security 3 vulnerable-android-apps 3 cloud-security 3 exploitation 3 docker 3 pentest 2 api 2 docker-compose 2 vulnerable-web-application 2 infosec 2 php 2 cloudsecurity 2 javascript 2 cloudformation 2 bug-bounty 2 mobile-security 2 web-security 2 bugbounty 2 testing 2 vulnerable-app 2 hackerone-reports 1 infrastructure 1 frida-scripts 1 frida 1 k8s 1 forthebadge 1 kubernetes 1 dynamic-analysis 1 certificate 1 bypass 1 kubernetes-goat 1 terraform 1 goat 1