List of offline and downloadable vulnerable web applications for Penetration and Security Testing with that can be installed on a standard operating system (Linux, Windows, Mac OS X, etc) using a standard web platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc).
  1. The BodgeIt Store (Java): http://code.google.com/p/bodgeit/ 
  2. The ButterFly Security Project (PHP): http://sourceforge.net/projects/thebutterflytmp/ 
  3. bWAPP - an extremely buggy web application! (PHP): http://www.mmeit.be/bwapp/ 
  4. Damn Vulnerable Web Application - DVWA (PHP): http://www.dvwa.co.uk 
  5. Damn Vulnerable Web Services - DVWS (PHP): http://dvws.secureideas.net 
  6. OWASP Hackademic Challenges Project (PHP): https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project 
  7. Google Gruyere (Python): http://google-gruyere.appspot.com 
  8. Hacme Bank (.NET): http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx 
  9. Hacme Books (Java): http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx 
  10. Hacme Casino (Ruby on Rails): http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx 
  11. Hacme Shipping (ColdFusion): http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx 
  12. Hacme Travel (C++): http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx 
  13. OWASP Insecure Web App Project (Java): https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project 
  14. Mutillidae (PHP): http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 
  15. OWASP .NET Goat (C#): https://owasp.codeplex.com 
  16. Peruggia (PHP): http://peruggia.sourceforge.net 
  17. Puzzlemall (Java): https://code.google.com/p/puzzlemall/ 
  18. Stanford Securibench (Java) & Micro: http://suif.stanford.edu/~livshits/securibench/ 
  19. SQLI-labs (PHP): https://github.com/Audi-1/sqli-labs 
  20. SQLol (PHP): https://github.com/SpiderLabs/SQLol 
  21. OWASP Vicnum Project (Perl & PHP): https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project 
  22. VulnApp (.NET): http://www.nth-dimension.org.uk/blog.php?id=88 
  23. WackoPicko (PHP): https://github.com/adamdoupe/WackoPicko 
  24. OWASP WebGoat (Java): https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project 
  25. OWASP ZAP WAVE - Web Application Vulnerability Examples (Java): http://code.google.com/p/zaproxy/downloads/list
  26. Wavsep - Web Application Vulnerability Scanner Evaluation Project (Java): https://code.google.com/p/wavsep/ 
  27. WIVET - Web Input Vector Extractor Teaser: https://code.google.com/p/wivet/ 

Like it ? Share it.

Post a Comment

  1. We've tried to list all known vulnerable web apps here: https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

    Let us know if we've missed any :)

  2. hi Simon! can I download and test them locally? please help

  3. Sure you can.
    Download bee-box, a VM pre-installed with bWAPP (compatible with VMware and VirtualBox)
    Have fun ;)

    URL: http://www.itsecgames.com


Comment Rules :
1. Do not post Adult/illegal Links.
2. Try to comment in only English Language.
3. Do not post other website's links which are useless.
4. Your Comment should be based on the Topic for other queries Kindly Visit our Contact Us Page.
5. Do not use Abusive Language.
6. Respect each other.
Thank You for following the rules. Please Comment....