Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

awesome-vulnerable-apps

Awesome Vulnerable Applications
https://github.com/vavkamil/awesome-vulnerable-apps

Last synced: 5 days ago

  • Uncategorized

    • Firmware

      • VulnDoge - Web app for hunters
      • LogSnare - A playground for testing, preventing, and logging IDOR vulnerabilities.
      • GitHub Actions Goat - Deliberately Vulnerable GitHub Actions CI/CD Environment
      • dvws - Damn Vulnerable Web Services - Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.
      • Fuzzgoat - A vulnerable C program for testing fuzzers.
      • wavsep - The Web Application Vulnerability Scanner Evaluation Project
      • leaky-repo - Benchmarking repo for secrets scanning
      • OWASP SKF labs - Repo for all the OWASP-SKF Docker lab examples
      • Vulnserver - Vulnerable server used for learning software exploitation
      • Damn-Vulnerable-GraphQL-Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
      • Vulnerable-nginx - An intentionally vulnerable NGINX setup
      • Raspwn OS - The intentionally vulnerable image for the Raspberry Pi.
      • python_security - This repository collects lists of security-relevant Python APIs, along with examples of exploits using those APIs
      • OWASP-VWAD - The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
      • CI/CD Goat - Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, catch the flags.
      • Damn Vulnerable Thick Client - Damn Vulnerable Thick Client App developed in C# .NET
      • Damn Vulnerable RESTaurant - Intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
      • VulnerableLightApp - .NET vulnerable REST API
  • Online

  • Paid

  • Vulnerable VMs

  • Cloud Security

    • Kubernetes Goat - Kubernetes Goat is a "Vulnerable by Design" Kubernetes cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
    • CloudGoat - CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
    • CdkGoat - Vulnerable AWS CDK Infra - CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository.
    • Cfngoat - Vulnerable Cloudformation Template - Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository.
    • TerraGoat - Vulnerable Terraform Infra - TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
    • caponeme - Capital One Breach - Repository demonstrating the Capital One breach on your AWS account
    • AWSGoat - A Damn Vulnerable AWS Infrastructure
    • AzureGoat - A Damn Vulnerable Azure Infrastructure
    • IAM Vulnerable - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
    • Sadcloud - A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
    • CNAPPgoat - CNAPPgoat is a multi-cloud, vulnerable-by-design environment deployment tool.
    • Unguard - An insecure cloud-native microservices demo application for Kubernetes
    • WrongSecrets - WrongSecrets is "Vulnerable by Design" to show how to not handle secrets in Docker, Kubernetes and in the cloud (AWS/GCP/Azure).
  • SSO - Single Sign On

  • Mobile Security

    • Allsafe - Allsafe is an intentionally vulnerable application that contains various vulnerabilities.
    • InsecureBankv2 - Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities.
    • Vulnerable Kext - A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation.
    • InjuredAndroid - A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.
    • Damn Vulnerable Bank - Damn Vulnerable Bank is designed to be an intentionally vulnerable android application.
    • InsecureShop - An Intentionally designed Vulnerable Android Application built in Kotlin.
    • AndroGoat - AndroGoat is a purposely developed open source vulnerable/insecure app using Kotlin.
    • DIVA Android - Damn Insecure and vulnerable App for Android.
    • OVAA - Oversecured Vulnerable Android App.
    • Vuldroid - Android Application covering various static and dynamic vulnerabilities.
    • Android Security Testing - hpAndro1337 Application made in Kotlin with multiple vulnerabilities and a CTF.
  • OWASP Top 10

      • DSVW - Damn Small Vulnerable Web
      • bWAPP - This is just an instance of the OWASP bWAPP project as a docker container.
      • Xtreme Vulnerable Web Application - XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.
      • lazyweb - This web application is a demonstration of common server-side application flaws. Each of the vulnerabilities has its own difficulty rating.
      • OWASP Mutillidae II - OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts.
      • Pentest_lab - Local penetration testing lab using docker-compose.
      • VulnLab - A vulnerable web application lab using Docker
      • WebGoat - WebGoat is a deliberately insecure application by OWASP for training purposes
      • VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for security testing
      • OWASP Juice Shop - OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
    • SQL Injection

    • XSS Injection

      • clicker-service - simulate XSS - Docker container that intakes post and then "clicks" the link. Intentionally vulnerable. To be used with vulnerable by design web apps to realistically simulate XSS and XSRF (CSRF).
      • XSSworm.dev - Self-replication contest
      • xssed - A set of XSS vulnerable PHP scripts for testing
      • xssable - A vulnerable blogging platform used to demonstrate XSS vulnerabilities.
    • Server Side Request Forgery

      • SSRF_Vulnerable_Lab - This lab contains sample code that is vulnerable to Server-Side Request Forgery attacks
    • CORS Misconfiguration

    • XXE Injection

      • XXE Lab - A simple web app with a XXE vulnerability.
      • docker-java-xxe - Docker image to test XXE attacks in java with tomcat.
    • Request Smuggling

      • Varnish HTTP/2 Request Smuggling - This repository contains a docker-compose file to set up a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling.
  • Technologies

    • WordPress

      • DVWP - Damn Vulnerable WordPress
    • Node.js

      • exploit-workshop - A step by step workshop to exploit various vulnerabilities in Node.js and Java applications
      • DVNA - Damn Vulnerable NodeJS Application
      • Extreme Vulnerable Node Application - Extreme Vulnerable Node Application
      • dvws-node - Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.
    • Firmware

      • DVRF - The Damn Vulnerable Router Firmware Project
      • OWASP IoT Goat - IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.
      • DVID - Damn Vulnerable IoT Device