A curated list of vulnerable web applications.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Awesome Vulnerable Web Applications

Name URL Technology Creds (role:user:password)
Acunetix Acuforum http://testasp.vulnweb.com/ IIS, ASP, Microsoft SQL Server unknown
Acunetix Acublog http://testaspnet.vulnweb.com/ IIS, ASP.NET, Microsoft SQL Server unknown
Acunetix SecurityTweets http://testhtml5.vulnweb.com/ nginx, Python, Flask, CouchDB admin:admin:1234
Acunetix Acuart http://testphp.vulnweb.com/ Apache, PHP, MySQL unknown
Cenzic crackmebank http://crackme.cenzic.com/ CentOS, Apache, PHP unknown
HP freebank http://zero.webappsecurity.com/ Apache Tomcat unknown
IBM altoromutual http://demo.testfire.net/ ISS, ASP.NET unknown
Testsparker ASP.NET http://aspnet.testsparker.com/ ISS, ASP.NET unknown
Testsparker PHP http://php.testsparker.com/ Apache, PHP unknown
NTOSpider Test Site http://www.webscantest.com/ Apache, PHP unknown
HackYourselfFirst http://hackyourselffirst.troyhunt.com/ IIS, ASP.NET unknown
NotASafaWeb http://notasafaweb.apphb.com/ IIS, ASP.NET unknown
Hackazon http://hackazon.webscantest.com/ Apache, PHP, Ajax, JSONm XML, Gwt, AMF unknown
Firing Range https://public-firing-range.appspot.com/ Google App Engine unknown
OWASP Vicnum http://vicnum.ciphertechs.com/ Apache, PHP, Perl unknown
Google Gruyere http://google-gruyere.appspot.com/start Python, Google App Engine unknown
Web Application Vulnerable Lab http://wav-lab.com/ IIS, ASP.NET unknown
OWASP NodeGoat http://nodegoat.herokuapp.com/ Node.js unknown
OWASP Juice Shop https://juice-shop.herokuapp.com/ Node.js unknown
Cyclone Transfers http://cyclone.ciphertechs.com/ Ruby on Rails unknown
Web Scanner Test Site http://webscantest.com/ Apache, PHP unknown