Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/rarecoil/awesome-dva

A curated list of "damn vulnerable apps" and exploitable VMs / wargames. See contributing.md for information.

List: awesome-dva

awesome-list owasp owasp-vwad


# awesome-dva [![Awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re)

DVA (no, not [D.VA](https://playoverwatch.com/en-us/heroes/dva/)), or **d**amn **v**ulnerable **a**pps, are web applications and VMs that exist
to help infosec students and practitioners hone exploitation skills in an environment that is not
competitive like a CTF or online like a wargame. This is a list of various downloadable applications
and wargames.

This is a port of [OWASP VWAD](https://github.com/OWASP/OWASP-VWAD) to the [Awesome list framework](https://github.com/sindresorhus/awesome). See [/scripts/update-dva.js](https://github.com/rarecoil/awesome-dva) for the script that ports this from VWAD to Markdown. To contribute, contribute upstream to OWASP-VWAD and this will
be updated. OWASP uses CC-BY-SA 3.0, so this is CC-BY-SA 4.0.

## Table of Contents
* [Downloadable Applications](#downloadable-applications)
* [ISOs and Virtual Machines](#isos-and-virtual-machines)

## Downloadable Applications
* [BadStore](http://www.badstore.net/) — Perl(CGI)
* [BodgeIt Store](https://github.com/psiinon/bodgeit) — Java
* [Bricks](http://sechow.com/bricks/index.html) — PHP
* [Butterfly Security Project](http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/) — PHP — Last updated in 2008
* [bWAPP](http://www.itsecgames.com/) — PHP
* [CryptOMG](https://github.com/SpiderLabs/CryptOMG) — PHP
* [Cyclone Transfers](https://github.com/fridaygoldsmith/bwa_cyclone_transfers) — Ruby on Rails
* [Damn Vulnerable File Upload - DVFU](https://github.com/LunaM00n/File-Upload-Lab) — PHP
* [Damn Vulnerable Node Application - DVNA](https://github.com/isp1r0/DVNA) — Node.js
* [Damn Vulnerable NodeJS Application - DVNA](https://github.com/appsecco/dvna) — Node.js — Different project from the old DVNA
* [Damn Vulnerable Stateful WebApp](https://github.com/silentsignal/damn-vulnerable-stateful-web-app) — PHP
* [Damn Vulnerable Web Application - DVWA](http://www.dvwa.co.uk/) — PHP
* [Damn Vulnerable Web Services - DVWS](http://dvws.secureideas.net/) — PHP
* [Damn Vulnerable Web Services](https://github.com/snoopysecurity/dvws) — Web Services
* [Damn Vulnerable Web Sockets](https://github.com/interference-security/DVWS) — Web Sockets
* [Extreme Vulnerable Node Application](https://github.com/vegabird/xvna) — Node.js
* [Gruyere](http://google-gruyere.appspot.com/) — Python
* [Hackademic Challenges Project](https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project) — PHP
* [Hacme Bank - Android](http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx)
* [Hacme Bank](http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx) — .NET
* [Hacme Books](http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx) — Java
* [Hacme Casino](http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx) — Ruby on Rails
* [Hacme Shipping](http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx) — ColdFusion
* [Hacme Travel](http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx) — C++
* [hackxor](http://hackxor.sourceforge.net/cgi-bin/index.pl) — First 2 levels online, rest offline
* [Juice Shop](https://www.owasp.org/index.php/OWASP_Juice_Shop_Project) — JavaScript
* [LampSecurity](http://sourceforge.net/projects/lampsecurity/) — PHP
* [Magical Code Injection Rainbow - MCIR](https://github.com/SpiderLabs/MCIR)
* [Mutillidae](http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10) — PHP
* [.NET Goat](https://github.com/jerryhoff/WebGoat.NET) — C#
* [NodeGoat](https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project) — Node.js
* [NodeVulnerable](https://github.com/cr0hn/vulnerable-node) — Node.js
* [NoSQL Injection Lab](https://digi.ninja/projects/nosqli_lab.php) — PHP and MongoDB
* [Peruggia](http://peruggia.sourceforge.net/) — PHP
* [Puzzlemall](https://code.google.com/p/puzzlemall/) — Java
* [Rails Goat](https://www.owasp.org/index.php/OWASP_Rails_Goat_Project) — Ruby on Rails
* [SecuriBench](http://suif.stanford.edu/%7Elivshits/securibench/) — Java
* [SecuriBench Micro](http://suif.stanford.edu/%7Elivshits/work/securibench-micro/) — Java
* [Security Shepherd](https://www.owasp.org/index.php/OWASP_Security_Shepherd) — Java
* [SQL injection test environment](https://github.com/sqlmapproject/testenv) — PHP — SQLmap Project
* [SQLI-labs](https://github.com/Audi-1/sqli-labs) — PHP
* [SQLol](https://github.com/SpiderLabs/SQLol) — PHP
* [TicketMagpie](https://github.com/dhatanian/ticketmagpie) — Java
* [twitterlike](https://github.com/sakti/twitterlike) — PHP
* [vulnerable-api](https://github.com/mattvaldes/vulnerable-api) — Python
* [VulnApp](http://www.nth-dimension.org.uk/blog.php?id=88) — .NET
* [Vulnerable Java Web Application](https://github.com/CSPF-Founder/JavaVulnerableLab/) — Java
* [Vulnerable OTP App](https://github.com/mddanish/Vulnerable-OTP-Application) — PHP and Google OTP
* [Vulnerable Web App](http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/)
* [WackoPicko](https://github.com/adamdoupe/WackoPicko) — PHP
* [WAVSEP - Web Application Vulnerability Scanner Evaluation Project](https://github.com/sectooladdict/wavsep) — Java
* [WebGoat](https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project) — Java
* [WebGoatPHP](https://www.owasp.org/index.php/WebGoatPHP) — PHP
* [WIVET - Web Input Vector Extractor Teaser](https://code.google.com/p/wivet/)
* [Xtreme Vulnerable Web Application (XVWA)](https://github.com/s4n7h0/xvwa) — PHP and MySQL
* [Tiredful API](https://github.com/payatu/Tiredful-API) — Python and Django

## ISOs and Virtual Machines
* [BadStore](http://www.badstore.net/) — ISO
* [Bee-Box](http://sourceforge.net/projects/bwapp/files/bee-box/) — VMware
* [(OWASP) Broken Web Applications Project (BWA)](https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project) — VMware
* [Drunk Admin Web Hacking Challenge](https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/) — VMware
* [Exploit.co.il Vuln Web App](http://exploit.co.il/projects/vuln-web-app/) — VMware
* [GameOver](http://sourceforge.net/projects/null-gameover/) — VMware
* [Hackxor](http://hackxor.sourceforge.net/cgi-bin/index.pl) — VMware
* [Hacme Bank Prebuilt VM](http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/) — VMware
* [Kioptrix4](http://www.kioptrix.com/blog/?p=604) — VMware and Hyper-V
* [LAMPSecurity](http://sourceforge.net/projects/lampsecurity/) — VMware
* [Metasploitable 2](https://community.rapid7.com/docs/DOC-1875) — VMware
* [Metasploitable 3](https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities) — VMware
* [Moth](http://www.bonsai-sec.com/en/research/moth.php) — VMware
* [PentesterLab - The Exercises](https://www.pentesterlab.com/exercises/) — ISO and PDF
* [PHDays I-Bank](http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html) — VMware
* [Pixi (OWASP)](https://hub.docker.com/r/deadrobots/pixi/) — Docker and MEAN Stack
* [Samurai WTF](http://www.samurai-wtf.org/) — ISO
* [Sauron](http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html) — QEMU
* [Virtual Hacking Lab](http://sourceforge.net/projects/virtualhacking/) — ZIP
* [Web Security Dojo](http://www.mavensecurity.com/web_security_dojo/) — VMware and VirtualBox
* [WordPress CD](http://www.ethicalhack3r.co.uk/wordpress-cd/) — VirtualBox
* [XXE](http://xxe.sourceforge.net/) — VMware