Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-vulnerable-apps
Awesome Vulnerable Applications
https://github.com/vavkamil/awesome-vulnerable-apps
Last synced: 5 days ago
JSON representation
-
Uncategorized
-
Firmware
- VulnDoge - Web app for hunters
- LogSnare - A playground for testing, preventing, and logging IDOR vulnerabilities.
- GitHub Actions Goat - Deliberately Vulnerable GitHub Actions CI/CD Environment
- dvws - Damn Vulnerable Web Services - Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.
- Fuzzgoat - A vulnerable C program for testing fuzzers.
- wavsep - The Web Application Vulnerability Scanner Evaluation Project
- leaky-repo - Benchmarking repo for secrets scanning
- OWASP SKF labs - Repo for all the OWASP-SKF Docker lab examples
- Vulnserver - Vulnerable server used for learning software exploitation
- Damn-Vulnerable-GraphQL-Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
- Vulnerable-nginx - An intentionally vulnerable NGINX setup
- Raspwn OS - The intentionally vulnerable image for the Raspberry Pi.
- python_security - This repository collects lists of security-relavent Python APIs, along with examples of exploits using those APIs
- OWASP-VWAD - The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
- CI/CD Goat - Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, catch the flags.
- Damn Vulnerable Thick Client - Damn Vulnerable Thick Client App developed in C# .NET
- Damn Vulnerable RESTaurant - Intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
- VulnerableLightApp - .NET vulnerable REST API
-
-
Online
-
Paid
-
Vulnerable VMs
- Exploit Exercises
- Hackmyvm.eu
- Metasploitable3 - Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.
- Exploit Exercises
- Vulhub
-
Cloud Security
- Kubernetes Goat - Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
- CloudGoat - CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
- CdkGoat - Vulnerable AWS CDK Infra - CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository.
- Cfngoat - Vulnerable Cloudformation Template - Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository.
- TerraGoat - Vulnerable Terraform Infra - TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
- caponeme - Capital One Breach - Repository demonstrating the Capital One breach on your AWS account
- AWSGoat - A Damn Vulnerable AWS Infrastructure
- AzureGoat - A Damn Vulnerable Azure Infrastructure
- IAM Vulnerable - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
- Sadcloud - A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
- Unguard - An insecure cloud-native microservices demo application for Kubernetes
-
SSO - Single Sign On
- vulnerable-sso - vulnerable single sign on
-
Mobile Security
- Allsafe - Allsafe is an intentionally vulnerable application that contains various vulnerabilities.
- InsecureBankv2 - Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities.
- Vulnerable Kext - A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation.
- InjuredAndroid - A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.
- Damn Vulnerable Bank - Damn Vulnerable Bank is designed to be an intentionally vulnerable android application.
- InsecureShop - An Intentionally designed Vulnerable Android Application built in Kotlin.
- AndroGoat - AndroGoat is purposely developed open source vulnerable/insecure app using Kotlin.
- DIVA Android - Damn Insecure and vulnerable App for Android.
- OVAA - Oversecured Vulnerable Android App.
- Vuldroid - Android Application covering various static and dynamic vulnerabilities.
- Android Security Testing - hpAndro1337 Application made in Kotlin with multiple vulnerabilities and a CTF.
-
OWASP Top 10
-
- DSVW - Damn Small Vulnerable Web
- bWAPP - This is just an instance of the OWASP bWAPP project as a docker container.
- Xtreme Vulnerable Web Application - XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.
- lazyweb - This web application is a demonstration of common server-side application flaws. Each of the vulnerabilities has its own difficulty rating.
- OWASP Mutillidae II - OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
- Pentest_lab - Local penetration testing lab using docker-compose.
- VulnLab - A vulnerable web application lab using Docker
- WebGoat - WebGoat is a deliberately insecure application by OWASP for training purpose
- VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for security testing
- DVWA - Damn Vulnerable Web Application (DVWA)
- Owasp Juice shop - OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
-
SQL Injection
- Yet Another Vulnerability Database - Yet Another Vulnerability Database
-
XSS Injection
- clicker-service - simulate XSS - Docker container that intakes post and then "clicks" the link. Intentionally vulnerable. To be used with vulnerable by design web apps to realistically simulate XSS and XSRF (CSRF).
- XSSworm.dev - Self-replication contest
- xssed - A set of XSS vulnerable PHP scripts for testing
- xssable - A vulnerable blogging platform used to demonstrate XSS vulnerabilities.
-
Server Side Request Forgery
- SSRF_Vulnerable_Lab - This Lab contain the sample codes which are vulnerable to Server-Side Request Forgery attack
-
CORS Misconfiguration
- CORS-vulnerable-Lab - Sample vulnerable code and its exploit code
- CORS misconfiguration vulnerable Lab - This Repository contains CORS misconfiguration related vulnerable codes.
-
XXE Injection
- XXE Lab - A simple web app with a XXE vulnerability.
- docker-java-xxe - Docker image to test XXE attacks in java with tomcat.
-
Request Smuggling
- Varnish HTTP/2 Request Smuggling - This repository a docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling.
-
-
Technologies
-
WordPress
- DVWP - Damn Vulnerable WordPress
-
Node.js
- exploit-workshop - A step by step workshop to exploit various vulnerabilities in Node.js and Java applications
- DVNA - Damn Vulnerable NodeJS Application
- Extreme Vulnerable Node Application - Extreme Vulnerable Node Application
- dvws-node - Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.
-
Firmware
- DVRF - The Damn Vulnerable Router Firmware Project
- OWASP IoT Goat - IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.
- DVID - Damn Vulnerable IoT Device
-
Categories
Sub Categories
Keywords
security
9
devsecops
6
vulnerabilities
5
owasp
5
hacking
5
vulnerable-application
4
android-security
4
vulnerable
4
appsec
4
docker
3
owasp-top-10
3
pentesting
3
aws-security
3
vulnerable-web-app
3
vulnerability
3
penetration-testing
3
application-security
3
exploitation
3
vulnerable-android-apps
3
android
3
cloud-security
3
docker-compose
2
web-security
2
pentest
2
cloudsecurity
2
bugbounty
2
vulnerable-app
2
bug-bounty
2
mobile-security
2
api
2
infosec
2
cloudformation
2
ctf
2
kubernetes
2
vulnerable-web-application
2
testing
2
cloud-native
2
php
2
kubernetes-goat
1
kubernetes-security
1
k8s
1
infrastructure
1
redteam
1
aws-cdk
1
azure-security
1
gcp-security
1
goat
1
terraform
1
exploits
1
microservices
1