# Awesome Vulnerable [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome) ![CI](https://github.com/kaiiyer/awesome-vulnerable/workflows/CI/badge.svg)

*A curated list of VULNERABLE APPS and SYSTEMS which can be used as a PENETRATION TESTING PRACTICE LAB. This list aims to help beginners as well as pros test and sharpen their penetration testing skills.*

# Contents

- [Vulnerable Web Applications](#vulnerable-web-applications)
- [Sites for Downloading Older Versions of Various Software](#sites-for-downloading-older-versions-of-various-software)
- [Sites by Vendors of Security Testing Software](#sites-by-vendors-of-security-testing-software)
- [Sites for Improving Your Hacking Skills](#sites-for-improving-your-hacking-skills)
- [Labs](#labs)
- [Mobile Apps](#mobile-apps)
- [Contributing](#contributing)

## Vulnerable Web Applications

- [BadStore](https://www.vulnhub.com/entry/badstore-123,41/) - A deliberately vulnerable online store that demonstrates how attackers exploit common web application vulnerabilities and how to reduce your exposure to them.
- [BodgeIt Store](http://code.google.com/p/bodgeit/) - A vulnerable web application aimed at people who are new to pen testing.
- [Butterfly Security Project](http://thebutterflytmp.sourceforge.net/) - An educational environment that gives an insight into common web application and PHP vulnerabilities. It also includes examples demonstrating how such vulnerabilities are mitigated.
- [bWAPP](http://sourceforge.net/projects/bwapp/files/bee-box/) - bWAPP (buggy web application) is a deliberately insecure PHP web application; bee-box is a custom Linux VM with bWAPP pre-installed.
- [CloudGoat](https://github.com/RhinoSecurityLabs/cloudgoat.git) - Rhino Security Labs' "vulnerable by design" AWS deployment tool.
- [Commix testbed](https://github.com/stasinopoulos/commix-testbed) - A collection of web pages vulnerable to command injection flaws.
- [CryptOMG](https://github.com/SpiderLabs/CryptOMG) - A configurable, CTF-style test bed that highlights common flaws in cryptographic implementations.
- [Damn Vulnerable Cloud Application (DVCA)](https://github.com/m6a-UdS/dvca.git) - A deliberately vulnerable cloud application.
- [Damn Vulnerable Node Application (DVNA)](https://github.com/appsecco/dvna) - A deliberately vulnerable Node.js application.
- [Damn Vulnerable Web App (DVWA)](http://www.dvwa.co.uk/) - A deliberately vulnerable PHP/MySQL web application.
- [Damn Vulnerable Web Services (DVWS)](https://github.com/snoopysecurity/dvws) - An insecure web application with multiple vulnerable web service components that can be used to learn real-world web service vulnerabilities.
- [Foundstone Hacme Bank](https://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx) - Foundstone's deliberately vulnerable ASP.NET online banking application, distributed as a free McAfee tool.
- [Foundstone Hacme Books](https://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx) - Foundstone's deliberately vulnerable J2EE online bookstore, distributed as a free McAfee tool.
- [Foundstone Hacme Casino](https://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx) - Foundstone's deliberately vulnerable Ruby on Rails casino application, distributed as a free McAfee tool.
- [Foundstone Hacme Shipping](https://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx) - Foundstone's deliberately vulnerable ColdFusion shipping application, distributed as a free McAfee tool.
- [Foundstone Hacme Travel](https://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx) - Foundstone's deliberately vulnerable C++ client/server travel reservation application, distributed as a free McAfee tool.
- [GameOver](https://sourceforge.net/projects/null-gameover/) - Project GameOver was started to train newcomers in the basics of web security, introduce the common web attacks and help them understand how those attacks work.
- [hackxor](https://hackxor.sourceforge.net/cgi-bin/index.pl) - A realistic web application hacking game designed to help players of all abilities develop their skills. All the missions are based on real vulnerabilities its author found while doing pentests, bug bounty hunting, and research.
- [Hackazon](https://github.com/rapid7/hackazon) - A modern vulnerable web app.
- [LAMPSecurity](http://sourceforge.net/projects/lampsecurity/) - A series of vulnerable virtual machine images, with complementary documentation, designed to teach Linux, Apache, PHP and MySQL security.
- [OWASP Mantra](https://sourceforge.net/projects/getmantra/) - A free and open source browser-based security framework: a collection of free and open source tools integrated into a web browser, handy for penetration testers, web application developers and security professionals.
- [NOWASP / Mutillidae 2](https://github.com/webpwnized/mutillidae) - OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web security enthusiasts.
- [OWASP BWA](http://code.google.com/p/owaspbwa/) - A collection of vulnerable web applications distributed as a virtual machine in VMware format, compatible with the no-cost VMware Player and VMware vSphere Hypervisor (ESXi) products (as well as their older and commercial products).
- [OWASP Hackademic](https://github.com/Hackademic/hackademic/) - Helps you test your knowledge of web application security. You can use it to attack web applications in a realistic but controllable and safe environment.
- [OWASP SiteGenerator](https://www.owasp.org/index.php/Owasp_SiteGenerator) - Allows creating dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) covering .NET languages and web development architectures (for example navigation: HTML, JavaScript, Flash, Java, etc.).
- [OWASP Bricks](https://sourceforge.net/projects/owaspbricks/) - A web application security learning platform built on PHP and MySQL.
- [OWASP Security Shepherd](https://www.owasp.org/index.php/OWASP_Security_Shepherd) - A web and mobile application security training platform, designed to foster and improve security awareness across a varied range of skill levels.
- [PentesterLab](https://pentesterlab.com/) - Exercises and ISOs for learning web hacking.
- [SecuriBench](https://suif.stanford.edu/~livshits/securibench/) - Stanford SecuriBench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. Release .91a focuses on web-based applications written in Java.
- [SentinelTestbed](https://github.com/dobin/SentinelTestbed) - A vulnerable web site used to test Sentinel features.
- [SocketToMe](http://digi.ninja/projects/sockettome.php) - Combines chat, a simple number guessing game and a few other hidden features.
- [sqli-labs](https://github.com/Audi-1/sqli-labs) - SQL injection labs covering error-based, boolean-based blind and time-based injection.
- [MCIR (Magical Code Injection Rainbow)](https://github.com/SpiderLabs/MCIR) - A framework for building configurable vulnerability testbeds, shipped together with a collection of such testbeds.
- [sqlilabs](https://github.com/himadriganguly/sqlilabs) - A lab set-up for learning SQL injection techniques.
- [VulnApp](https://www.nth-dimension.org.uk/blog.php?id=88) - An ASP.NET application implementing some of the most common application types encountered on penetration testing engagements.
- [PuzzleMall](https://code.google.com/p/puzzlemall/) - A vulnerable web application for practicing session puzzling.
- [WackoPicko](https://github.com/adamdoupe/WackoPicko) - A vulnerable web application used to test web application vulnerability scanners.
- [WebGoat.NET](https://github.com/jerryhoff/WebGoat.NET/) - A learning platform that teaches common web security flaws. It contains generic security flaws that apply to most web applications.
- [WebSecurity Dojo](https://www.mavensecurity.com/web_security_dojo/) - A free, open source, self-contained training environment for web application security penetration testing. Tools + Targets = Dojo.
- [XVWA](https://github.com/s4n7h0/xvwa) - A badly coded web application written in PHP/MySQL that helps security enthusiasts learn application security.
- [Zap WAVE](https://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip) - An easy to use, integrated penetration testing tool for finding vulnerabilities in web applications.

### Sites for Downloading Older Versions of Various Software

- [Exploit-DB](http://www.exploit-db.com/) - The Exploit Database is maintained by Offensive Security, an information security training company that provides various information security certifications as well as high-end penetration testing services.
- [Old Apps](http://www.oldapps.com/) - Provides a wide assortment of current versions of familiar software, and their predecessors, for free.
- [Old Version](http://www.oldversion.com/) - Pick a software title to downgrade to the version you love.
- [VirtualHacking Repo](https://sourceforge.net/projects/virtualhacking/files/apps%40realworld/) - Virtual Hacking Lab.
- [All Version](http://www.PortableApps.com/) - PortableApps is the world's most popular portable software solution, allowing you to take your favorite software with you.

## Sites by Vendors of Security Testing Software

- [Acunetix acuforum](https://testasp.vulnweb.com/) - A forum deliberately vulnerable to SQL injection, directory traversal, and other web-based attacks.
- [Acunetix acublog](https://testaspnet.vulnweb.com/) - A test site for Acunetix. It is vulnerable to SQL injection, Cross-site Scripting (XSS), and more.
- [Acunetix acuart](https://testphp.vulnweb.com/) - An example PHP application that is intentionally vulnerable to web attacks. It is intended to help you test Acunetix.
- [Cenzic crackmebank](http://crackme.cenzic.com) - A test and demonstration site.
- [HP freebank](http://zero.webappsecurity.com) - The Free Online Bank web site is published by Micro Focus Fortify for the sole purpose of demonstrating the functionality and effectiveness of Micro Focus Fortify's WebInspect products in detecting and reporting web application vulnerabilities.
- [IBM altoromutual](http://demo.testfire.net/) - The AltoroJ website is published by IBM Corporation for the sole purpose of demonstrating the effectiveness of IBM products in detecting web application vulnerabilities and website defects.
- [Mavituna testsparker (ASP.NET)](http://aspnet.testsparker.com) - A test and demonstration site for Netsparker.
- [Mavituna testsparker (PHP)](http://php.testsparker.com) - A test and demonstration site for Netsparker, a web application security scanner. Start Netsparker to scan this web site and let it find the vulnerabilities.
- [NTOSpider Test Site](http://www.webscantest.com/) - A site set up to test automated web application scanners like AppSpider.

## Sites for Improving Your Hacking Skills

- [Embedded Security CTF](https://microcorruption.com)
- [EnigmaGroup](http://www.enigmagroup.org/)
- [Escape](http://escape.alf.nu/)
- [Google Gruyere](http://google-gruyere.appspot.com/)
- [Gh0st Lab](http://www.gh0st.net/)
- [Hack The Box](https://www.hackthebox.eu) - An online platform that lets you test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.
- [TryHackMe](https://tryhackme.com/) - Cyber security training made easy: prebuilt courses that include virtual machines hosted in the cloud, ready to be deployed.
- [Hack This Site](http://www.hackthissite.org/)
- [HackThis](http://www.hackthis.co.uk/)
- [HackQuest](http://www.hackquest.com/)
- [Hack.me](https://hack.me)
- [Hacking-Lab](https://www.hacking-lab.com)
- [Hacker Challenge](http://www.dareyourmind.net/)
- [Hacker Test](http://www.hackertest.net/)
- [hACME Game](http://www.hacmegame.org/)
- [Halls Of Valhalla](http://halls-of-valhalla.org/beta/challenges)
- [Hax.Tor](http://hax.tor.hu/)
- [Metasploit Unleashed](https://www.offensive-security.com/metasploit-unleashed/)
- [OverTheWire](http://www.overthewire.org/wargames/)
- [PentestIT](https://lab.pentestit.ru/) - The "Test lab" penetration testing laboratories emulate the IT infrastructure of real companies and are created for legal pen testing and improving penetration testing skills.
- [CSC Play on Demand](https://pod.cybersecuritychallenge.org.uk/)
- [pwn0](https://pwn0.com/home.php)
- [RootContest](http://rootcontest.com/)
- [Root Me](http://www.root-me.org/?lang=en)
- [Security Treasure Hunt](http://www.securitytreasurehunt.com/)
- [Smash The Stack](http://www.smashthestack.org/)
- [SQLZoo](http://sqlzoo.net/hack/)
- [TheBlackSheep and Erik](http://www.bright-shadows.net/) - Hundreds of challenges in the fields of programming, JavaScript, PHP, Java, steganography, cryptography and others.
- [ThisIsLegal](http://thisislegal.com/) - A hacker wargames site with much more, such as forums and tutorials.
- [Try2Hack](http://www.try2hack.nl/) - Several security-oriented challenges for your entertainment. It is one of the oldest challenge sites still around.
- [XSS: Can You XSS This?](http://canyouxssthis.com/HTMLSanitizer/) - Try to bypass HTMLSanitizer, a library for protecting web apps against XSS.
- [XSS Game](https://xss-game.appspot.com/) - Learn to find and exploit XSS bugs.
- [XSS: ProgPHP](http://xss.progphp.com/) - XSS challenge site; the listed domain showed only a "coming soon" placeholder when this entry was written.

### Labs

- [CTFd](https://github.com/isislab/CTFd) - CTFs as you need them.
- [Mellivora](https://github.com/Nakiami/mellivora) - A CTF engine written in PHP.
- [Metasploitable2](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/) - An intentionally vulnerable Linux virtual machine.
- [NightShade](https://github.com/UnrealAkama/NightShade) - A simple capture the flag framework.
- [MCIR](https://github.com/SpiderLabs/MCIR) - The Magical Code Injection Rainbow: a framework for building configurable vulnerability testbeds, shipped together with a collection of such testbeds.
- [Vagrant](https://www.vagrantup.com/) - Development environments made easy.
- [NETinVM](https://informatica.uv.es/~carlos/docencia/netinvm/) - A tool for teaching and learning about systems, networks and security.
- [SmartOS](https://smartos.org/) - Converged container and virtual machine hypervisor.
- [SmartDataCenter](https://github.com/joyent/sdc) - Joyent Triton DataCenter: a cloud management platform with first-class support for containers.
- [vSphere Hypervisor](https://www.vmware.com/products/vsphere-hypervisor/) - A bare-metal hypervisor that virtualizes servers, allowing you to consolidate your applications while saving time and money managing your IT infrastructure.
- [GNS3](http://sourceforge.net/projects/gns-3/) - Build, design and test your network in a risk-free virtual environment, with access to a large networking community for help.
- [OCCP](https://opencyberchallenge.net/) - A free, configurable, open source virtualization platform for cyber security educators and challenge event coordinators.
- [XAMPP](https://www.apachefriends.org/index.html) - A completely free, easy to install Apache distribution containing MariaDB, PHP, and Perl. The XAMPP open source package has been set up to be incredibly easy to install and to use.
## Mobile Apps

- [Damn Vulnerable Android App (DVAA)](https://code.google.com/p/dvaa/) - An Android application which contains intentional vulnerabilities.
- [Damn Vulnerable FirefoxOS Application (DVFA)](https://github.com/arroway/dvfa) - A purposefully vulnerable Firefox OS application for demonstration.
- [Damn Vulnerable iOS App (DVIA)](http://damnvulnerableiosapp.com/) - An iOS application that is damn vulnerable.
- [ExploitMe Mobile Android Labs](https://securitycompass.github.io/AndroidLabs/) - The insecure Android app for your hacking pleasure.
- [ExploitMe Mobile iPhone Labs](https://securitycompass.github.io/iPhoneLabs/) - A defective iPhone app for your hacking pleasure.
- [Hacme Bank Android](https://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx) - Foundstone's deliberately vulnerable Android banking application, distributed as a free McAfee tool.
- [InsecureBank](https://www.paladion.net/downloadapp.html) - Cyber Tales by Paladion.
- [NcN Wargame](https://github.com/NocONName/Wargame_NcN2012) - No cON Name 2012 challenges.
- [OWASP iGoat](https://code.google.com/p/owasp-igoat/) - A security learning tool for iOS developers to learn about security weaknesses in iOS, by breaking things as well as fixing them.
- [OWASP GoatDroid](https://github.com/jackMannino/OWASP-GoatDroid-Project) - A fully functional and self-contained training environment for educating developers and testers on Android security.

## Contributing

Here are some of the ways to contribute to this project:

- Add your name to the CONTRIBUTORS.md file.
- Add any new useful links to resources related to pentesting and vulnerable testing environments.
- Make a pull request and wait for it to be merged!
### Getting started

1. Fork this repository (click the Fork button in the top right of this page).
2. Clone your fork down to your local machine: `git clone https://github.com/your-username/awesome-vulnerable.git`
3. Create a branch: `git checkout -b branch-name`
4. Make your changes (choose from any task above).
5. Commit and push: `git add .`, `git commit -m 'Commit message'`, `git push origin branch-name`
6. Create a new pull request from your forked repository (click the New Pull Request button located at the top of your repo).
7. Wait for your PR review and merge approval!

Star this repository if you had fun! Contributions are always appreciated.