The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of known vulnerable web and mobile applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.
The main goal of VWAD is to provide a list of vulnerable applications available to security professionals for hacking, offensive and defensive activities, so that they can manipulate realistic web environments… without going to jail
The vulnerable web applications have been classified in four categories: Online, Offline, Mobile, and VMs/ISOs. Each list has been ordered alphabetically.
An initial list that inspired this project was maintained till October 2013 here.
A brief description of the OWASP VWAD project is available here.
The associated GitHub repository is available here.
The OWASP ® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our General Disclaimer. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2024, OWASP Foundation, Inc.