(LAST UPDATE: 2013-10-20)
LAST UPDATE: Since October 18, 2013, this list of vulnerable web applications has been moved to a new OWASP project: "OWASP Vulnerable Web Applications Directory (VWAD) Project".
While teaching web application security and penetration testing, one of the most prevalent questions from the audience at the end of every week is: "How and where can I (legally) put in practice all the knowledge and test all the different tools we have covered during the training (while preparing for the next real-world engagement)?" Along the years I have been providing multiple references to the attendees (including the option of testing real-world vulnerable open-source web applications) and mentioned several times that I had a pending blog post listing all them together... Today is the day! ;)... and I will be able to refer people here in future training sessions.
Shameless plug: I will be teaching the 6-day SANS SEC575
training, "SEC575: Mobile Device Security and Ethical Hacking", in Abu
Dhabi, UAE (Apr 26, 2014 - May 1, 2014) and Berlin,
Germany (Jun 16-21, 2014).
While teaching web application security and penetration testing, one of the most prevalent questions from the audience at the end of every week is: "How and where can I (legally) put in practice all the knowledge and test all the different tools we have covered during the training (while preparing for the next real-world engagement)?" Along the years I have been providing multiple references to the attendees (including the option of testing real-world vulnerable open-source web applications) and mentioned several times that I had a pending blog post listing all them together... Today is the day! ;)... and I will be able to refer people here in future training sessions.
This blog post provides an extensive and updated list (as of October 20, 2011) of vulnerable web applications you can test your web hacking knowledge, pen-testing tools, skills, and kung-fu on, with an added bonus... without going to jail :) The vulnerable web applications have been classified in three categories: offline, VMs/ISOs, and online. Each list has been ordered alphabetically.
Offline: The following list references downloadable vulnerable web applications to play with that can be installed on a standard operating system (Linux, Windows, Mac OS X, etc) using a standard web platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc).
- The BodgeIt Store (Java): http://code.google.com/p/bodgeit/ (download)
- OWASP Bricks (PHP): http://sechow.com/bricks/index.html (download & docs)
- The ButterFly Security Project (PHP): http://sourceforge.net/projects/thebutterflytmp/ (download)
- bWAPP - an extremely buggy web application! (PHP): http://www.itsecgames.com (download) (docs)
- Damn Vulnerable Web Application - DVWA (PHP): http://www.dvwa.co.uk (download)
- Damn Vulnerable Web Services - DVWS (PHP): http://dvws.secureideas.net (download)
- OWASP Hackademic Challenges Project (PHP): https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project (download)
- Google Gruyere (Python): http://google-gruyere.appspot.com (download)
- Hacme Bank (.NET): http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx (download)
- Hacme Books (Java): http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx (download)
- Hacme Casino (Ruby on Rails): http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx (download)
- Hacme Shipping (ColdFusion): http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx (download)
- Hacme Travel (C++): http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx (download)
- OWASP Insecure Web App Project (Java): https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project (download - orphaned)
- Mutillidae (PHP): http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 (download)
- OWASP .NET Goat (C#): https://owasp.codeplex.com (download)
- Peruggia (PHP): http://peruggia.sourceforge.net (download)
- Puzzlemall (Java): https://code.google.com/p/puzzlemall/ (download) (docs)
- Stanford Securibench (Java) & Micro: http://suif.stanford.edu/~livshits/securibench/ (download)
- SQLI-labs (PHP): https://github.com/Audi-1/sqli-labs (download) (blog)
- SQLol (PHP): https://github.com/SpiderLabs/SQLol (download)
- OWASP Vicnum Project (Perl & PHP): https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project (download)
- VulnApp (.NET): http://www.nth-dimension.org.uk/blog.php?id=88 (CVS download & vulns)
- WackoPicko (PHP): https://github.com/adamdoupe/WackoPicko (download) (whitepaper)
- OWASP WebGoat (Java): https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project (download) (guide)
- OWASP ZAP WAVE - Web Application Vulnerability Examples (Java): http://code.google.com/p/zaproxy/downloads/list
- Wavsep - Web Application Vulnerability Scanner Evaluation Project (Java): https://code.google.com/p/wavsep/ (download) (docs)
- WIVET - Web Input Vector Extractor Teaser: https://code.google.com/p/wivet/ (download) (tests)
- BadStore (ISO): http://www.badstore.net (download - registration required)
- Bee-Box (bWAPP VMware): http://sourceforge.net/projects/bwapp/files/bee-box/
- OWASP BWA - Broken Web Applications Project (VMware - list): https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project (download)
- Drunk Admin Web Hacking Challenge (VMware): https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/ (download)
- Exploit.co.il Vuln Web App (VMware): http://exploit.co.il/projects/vuln-web-app/ (download)
- GameOver (VMware): http://sourceforge.net/projects/null-gameover/ (download)
- Hackxor (VMware): http://hackxor.sourceforge.net/cgi-bin/index.pl (download) (hints&tips)
- Hacme Bank Prebuilt VM (VMware): http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/ (download)
- Kioptrix4 (VMware & Hyper-V): http://www.kioptrix.com/blog/?p=604 (download)
- LAMPSecurity (VMware): http://sourceforge.net/projects/lampsecurity/ (download) (doc)
- Metasploitable (VMware): http://blog.metasploit.com/2010/05/introducing-metasploitable.html (download - torrent) (doc)
- Metasploitable 2 (VMware): https://community.rapid7.com/docs/DOC-1875 (download)
- Moth (VMware): http://www.bonsai-sec.com/en/research/moth.php (download)
- PentesterLab - The Exercises (ISO & PDF): https://www.pentesterlab.com/exercises/
- PHDays I-Bank (VMware): http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html (download)
- Samurai WTF (ISO - list): http://www.samurai-wtf.org (download)
- Sauron (Quemu) [Spanish]: http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html (solutions)
- UltimateLAMP (VMware - list): http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/ (download)
- Virtual Hacking Lab (ZIP): http://sourceforge.net/projects/virtualhacking/ (download)
- Web Security Dojo (VMware, VirtualBox - list): http://www.mavensecurity.com/web_security_dojo/ (download)
- Acunetix:
- http://testasp.vulnweb.com (Forum - ASP)
- http://testaspnet.vulnweb.com (Blog - .NET)
- http://testphp.vulnweb.com (Art shopping - PHP)
- Cenzic CrackMeBank: http://crackme.cenzic.com
- Google Gruyere (Python): http://google-gruyere.appspot.com/start
- Hacking-Lab (eg. OWASP Top 10): https://www.hacking-lab.com/events/registerform.html?eventid=245
- Hack.me (beta): https://hack.me
- HackThisSite (HTS - Basic & Realistic (web) Missions): http://www.hackthissite.org
- Hackxor online demo: http://hackxor.sourceforge.net/cgi-bin/index.pl#demo (algo/smurf)
- HP/SpiDynamics Free Bank Online: http://zero.webappsecurity.com (admin/admin)
- IBM/Watchfire AltoroMutual: http://demo.testfire.net (jsmith/Demo1234)
- NTOSpider Web Scanner Test Site: http://www.webscantest.com (testuser/testpass)
- OWASP Hackademic Challenges Project - Live (PHP - Joomla): http://hackademic1.teilar.gr
- Pentester Academy: http://pentesteracademylab.appspot.com
Updates: (Thanks to everybody that sent me new vulnerable web-apps)
2011-10-31: Added VulnApp (.NET) & Sauron (Quemu).
2012-06-17: Added Metasploitable 2, Positive Hack Days (PHDays) I-Bank, and Hacme Bank Prebuilt VM.
2012-07-23: Added GameOver, Virtual Hacking Lab, and Hacking-Lab.
2012-12-19: Added SQLol, SQLI-labs, and WIVET.
2012-12-27: Hack.me (beta).
2013-01-21: bWAPP.
2013-01-31: Drunk Admin Web Hacking Challenge, Hackxor online demo, Kioptrix4, and check The Hacker Games (VM) - some new additions via vulnhub.com.
2013-03-15: DVWS.
2013-09-09: Added PentesterLab and OWASP Bricks (thanks to m0wgli).
2013-10-08: Added Pentester Academy (thanks to m0wgli) and Bee-Box, and updated bWAPP homepage.
2013-10-20: List moved to OWASP VWAD project.
NOTE: WAVE and Wapsec main goal is to evaluate the features, quality, and accuracy of automatic web application vulnerability scanners. WIVET main goal is to statistically analyze web link extractors.
Image source: http://www.headhacker.net/wp-content/uploads/2010/04/get-out-of-jail.jpg