Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rarecoil/awesome-dva

A curated list of "damn vulnerable apps" and exploitable VMs / wargames. See contributing.md for information.
https://github.com/rarecoil/awesome-dva

List: awesome-dva

awesome-list owasp owasp-vwad

Last synced: 3 months ago
JSON representation

A curated list of "damn vulnerable apps" and exploitable VMs / wargames. See contributing.md for information.

Awesome Lists containing this project

README 

        
# awesome-dva [![Awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re)



DVA (no, not [D.VA](https://playoverwatch.com/en-us/heroes/dva/)), or **d**amn **v**ulnerable **a**pps, are web applications and VMs that exist

to help infosec students and practitioners hone exploitation skills in an environment that is not

competitive like a CTF or online like a wargame. This is a list of various downloadable applications

and wargames.



This is a port of [OWASP VWAD](https://github.com/OWASP/OWASP-VWAD) to the [Awesome list framework](https://github.com/sindresorhus/awesome). See [/scripts/update-dva.js](https://github.com/rarecoil/awesome-dva) for the script that ports this from VWAD to Markdown. To contribute, contribute upstream to OWASP-VWAD and this will

be updated. OWASP uses CC-BY-SA 3.0, so this is CC-BY-SA 4.0.



## Table of Contents

* [Downloadable Applications](#downloadable-applications)

* [ISOs / Virtual Machines](#isos-and-virtual-machines)



## Downloadable Applications

* [BadStore](http://www.badstore.net/) — Perl(CGI)

* [BodgeIt Store](https://github.com/psiinon/bodgeit) — Java

* [Bricks](http://sechow.com/bricks/index.html) — PHP

* [Butterfly Security Project](http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/) — PHP — Last updated in 2008

* [bWAPP](http://www.itsecgames.com/) — PHP

* [CryptOMG](https://github.com/SpiderLabs/CryptOMG) — PHP

* [Cyclone Transfers](https://github.com/fridaygoldsmith/bwa_cyclone_transfers) — Ruby on Rails

* [Damn Vulnerable File Upload - DVFU](https://github.com/LunaM00n/File-Upload-Lab) — PHP

* [Damn Vulnerable Node Application - DVNA](https://github.com/isp1r0/DVNA) — Node.js

* [Damn Vulnerable NodeJS Application - DVNA](https://github.com/appsecco/dvna) — Node.js — Different project from the old DVNA

* [Damn Vulnerable Stateful WebApp](https://github.com/silentsignal/damn-vulnerable-stateful-web-app) — PHP

* [Damn Vulnerable Web Application - DVWA](http://www.dvwa.co.uk/) — PHP

* [Damn Vulnerable Web Services - DVWS](http://dvws.secureideas.net/) — PHP

* [Damn Vulnerable Web Services](https://github.com/snoopysecurity/dvws) — Web Services

* [Damn Vulnerable Web Sockets](https://github.com/interference-security/DVWS) — Web Sockets

* [Extreme Vulnerable Node Application](https://github.com/vegabird/xvna) — NodeJS

* [Gruyere](http://google-gruyere.appspot.com/) — Python

* [Hackademic Challenges Project](https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project) — PHP

* [Hacme Bank - Android](http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx)

* [Hacme Bank](http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx) — .NET

* [Hacme Books](http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx) — Java

* [Hacme Casino](http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx) — Ruby on Rails

* [Hacme Shipping](http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx) — ColdFusion

* [Hacme Travel](http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx) — C++

* [hackxor](http://hackxor.sourceforge.net/cgi-bin/index.pl) — First 2 levels online, rest offline

* [Juice Shop](https://www.owasp.org/index.php/OWASP_Juice_Shop_Project) — Javascript

* [LampSecurity](http://sourceforge.net/projects/lampsecurity/) — PHP

* [Magical Code Injection Rainbow - MCIR](https://github.com/SpiderLabs/MCIR)

* [Mutillidae](http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10) — PHP

* [.NET Goat](https://github.com/jerryhoff/WebGoat.NET) — C#

* [NodeGoat](https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project) — Node.js

* [NodeVulnerable](https://github.com/cr0hn/vulnerable-node) — Node.js

* [NoSQL Injection Lab](https://digi.ninja/projects/nosqli_lab.php) — PHP and MongoDB

* [Peruggia](http://peruggia.sourceforge.net/) — PHP

* [Puzzlemall](https://code.google.com/p/puzzlemall/) — Java

* [Rails Goat](https://www.owasp.org/index.php/OWASP_Rails_Goat_Project) — Ruby on Rails

* [SecuriBench](http://suif.stanford.edu/%7Elivshits/securibench/) — Java

* [SecuriBench Micro](http://suif.stanford.edu/%7Elivshits/work/securibench-micro/) — Java

* [Security Shepherd](https://www.owasp.org/index.php/OWASP_Security_Shepherd) — Java

* [SQL injection test environment](https://github.com/sqlmapproject/testenv) — PHP — SQLmap Project

* [SQLI-labs](https://github.com/Audi-1/sqli-labs) — PHP

* [SQLol](https://github.com/SpiderLabs/SQLol) — PHP

* [TicketMagpie](https://github.com/dhatanian/ticketmagpie) — Java

* [twitterlike](https://github.com/sakti/twitterlike) — PHP

* [vulnerable-api](https://github.com/mattvaldes/vulnerable-api) — Python

* [VulnApp](http://www.nth-dimension.org.uk/blog.php?id=88) — .NET

* [Vulnerable Java Web Application](https://github.com/CSPF-Founder/JavaVulnerableLab/) — Java

* [Vulnerable OTP App](https://github.com/mddanish/Vulnerable-OTP-Application) — PHP and Google OTP

* [Vulnerable Web App](http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/)

* [WackoPicko](https://github.com/adamdoupe/WackoPicko) — PHP

* [WAVSEP - Web Application Vulnerability Scanner Evaluation Project](https://github.com/sectooladdict/wavsep) — Java

* [WebGoat](https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project) — Java

* [WebGoatPHP](https://www.owasp.org/index.php/WebGoatPHP) — PHP

* [WIVET- Web Input Vector Extractor Teaser](https://code.google.com/p/wivet/)

* [Xtreme Vulnerable Web Application (XVWA)](https://github.com/s4n7h0/xvwa) — PHP and MySQL

* [Tiredful API](https://github.com/payatu/Tiredful-API) — Python and Django



## ISOs and Virtual Machines

* [BadStore](http://www.badstore.net/) — ISO

* [Bee-Box](http://sourceforge.net/projects/bwapp/files/bee-box/) — VMware

* [(OWASP) Broken Web Applications Project (BWA)](https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project) — VMware

* [Drunk Admin Web Hacking Challenge](https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/) — VMware

* [Exploit.co.il Vuln Web App](http://exploit.co.il/projects/vuln-web-app/) — VMware

* [GameOver](http://sourceforge.net/projects/null-gameover/) — VMware

* [Hackxor](http://hackxor.sourceforge.net/cgi-bin/index.pl) — VMware

* [Hacme Bank Prebuilt VM](http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/) — VMware

* [Kioptrix4](http://www.kioptrix.com/blog/?p=604) — VMware and Hyper-V

* [LAMPSecurity](http://sourceforge.net/projects/lampsecurity/) — VMware

* [Metasploitable 2](https://community.rapid7.com/docs/DOC-1875) — VMware

* [Metasploitable 3](https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities) — VMware

* [Moth](http://www.bonsai-sec.com/en/research/moth.php) — VMware

* [PentesterLab - The Exercises](https://www.pentesterlab.com/exercises/) — ISO and PDF

* [PHDays I-Bank](http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html) — VMware

* [Pixi (OWASP)](https://hub.docker.com/r/deadrobots/pixi/) — Docker and MEAN Stack

* [Samurai WTF](http://www.samurai-wtf.org/) — ISO

* [Sauron](http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html) — Quemu

* [Virtual Hacking Lab](http://sourceforge.net/projects/virtualhacking/) — ZIP

* [Web Security Dojo](http://www.mavensecurity.com/web_security_dojo/) — VMware and VirtualBox

* [WordPress CD](http://www.ethicalhack3r.co.uk/wordpress-cd/) — VirtualBox

* [XXE](http://xxe.sourceforge.net/) — VMware