Security Operations for Vulnerable Applications

Penetration Testing Practice Lab - Vulnerable Apps/Systems

Collection of URLs for vulnerable web applications and systems for cybersecurity practice.

Damn Vulnerable Linux (DVL)

Linux-based operating system intentionally vulnerable for cybersecurity practice.

awesome-vulnerable-apps

A list of vulnerable applications for testing and learning

LAMPSecurity Training

A series of vulnerable virtual machine images with documentation to teach Linux, Apache, PHP, MySQL security.

SecGame #1: Sauron

A Linux-based environment for penetration testing and vulnerability exploitation

OWASP Bricks

Deliberately vulnerable web application for security professionals to practice attack techniques.

0l4bs Cross-site scripting labs

A collection of 20 cross-site scripting challenges covering various XSS attack vectors and filtering bypass techniques for educational purposes.

Damn Small Vulnerable Web

A deliberately vulnerable web application written in under 100 lines of Python code for educational purposes and web security testing.

Damn Vulnerable Web Services

An intentionally vulnerable web application containing multiple web service security flaws designed for educational purposes and security testing practice.

damnvulnerable.me

A deliberately vulnerable web application containing DOM-based XSS, CSRF, and other web vulnerabilities for security testing and educational purposes.

DVTA - Vulnerable Thick Client Application

DVTA is a Vulnerable Thick Client Application with various security vulnerabilities.

Xtreme Vulnerable Web Application (XVWA)

XVWA is an intentionally vulnerable PHP/MySQL web application designed for security education, containing multiple common web vulnerabilities for hands-on learning and practice.

Hackazon

Hackazon is a vulnerable web application storefront designed for security professionals to practice testing modern web technologies and identifying common vulnerabilities.

BodgeIt Store

Vulnerable web application for beginners in penetration testing.

DIVA Android

DIVA Android is an intentionally vulnerable Android application designed to teach security professionals and developers about mobile application security flaws through hands-on learning.

OVAA (Oversecured Vulnerable Android App)

OVAA is an intentionally vulnerable Android application that aggregates common platform security vulnerabilities for educational and security testing purposes.

OWASP Damn Vulnerable Web Sockets (DVWS)

A deliberately vulnerable web application that uses WebSocket communication to provide a training environment for learning about WebSocket-related security vulnerabilities.

AzureGoat

AzureGoat is a deliberately vulnerable Azure cloud infrastructure that incorporates OWASP Top 10 vulnerabilities and Azure service misconfigurations for security training and penetration testing practice.

HackSys Extreme Vulnerable Driver (HEVD)

A Windows kernel driver intentionally designed with various vulnerabilities to help security researchers practice kernel exploitation techniques.

Damn Vulnerable GraphQL Application

A deliberately vulnerable GraphQL application designed for security testing and educational purposes, containing multiple intentional flaws for learning GraphQL attack and defense techniques.

SentinelTestbed

A vulnerable web site for testing Sentinel features

InsecureBankv2

InsecureBankv2 is an intentionally vulnerable Android application with a Python back-end server designed for educational purposes in mobile security testing and Android vulnerability research.

Damn Vulnerable Web Application (DVWA)

A deliberately vulnerable PHP/MySQL web application designed for security training, testing, and educational purposes in controlled environments.

Damn Vulnerable eXtensive Training Environment (DVXTE)

DVXTE is a Docker-based training platform containing multiple vulnerable applications designed for cybersecurity education and skill development.