Vulnerable Applications - Penetration Testing Tools, ML and Linux Tutorials

superior_hosting_service

The Awesome Vulnerable Applications is a github repository by Kamil Vavra

Online

Online vulnerable app and CTFs

Paid tranining courses

Vulhub
Exploit Exercises
Metasploitable3 – Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.

Kubernetes Goat – Kubernetes Goat is “Vulnerable by Design” Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
CloudGoat – CloudGoat is Rhino Security Labs’ “Vulnerable by Design” AWS deployment tool
CdkGoat – Vulnerable AWS CDK Infra – CdkGoat is Bridgecrew’s “Vulnerable by Design” AWS CDK repository.
Cfngoat – Vulnerable Cloudformation Template – Cfngoat is Bridgecrew’s “Vulnerable by Design” Cloudformation repository.
TerraGoat – Vulnerable Terraform Infra – TerraGoat is Bridgecrew’s “Vulnerable by Design” Terraform repository.
caponeme – Capital One Breach – Repository demonstrating the Capital One breach on your AWS account

Allsafe – Allsafe is an intentionally vulnerable application that contains various vulnerabilities.
InsecureBankv2 – Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities
Vulnerable Kext – A WIP “Vulnerable by Design” kext for iOS/macOS to play & learn *OS kernel exploitation
InjuredAndroid – A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.
Damn Vulnerable Bank – Damn Vulnerable Bank is designed to be an intentionally vulnerable android application.
InsecureShop – An Intentionally designed Vulnerable Android Application built in Kotlin.
AndroGoat – AndroGoat is purposely developed open source vulnerable/insecure app using Kotlin.
InsecureBankv2 – Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities
DIVA Android – Damn Insecure and vulnerable App for Android
OVAA – Oversecured Vulnerable Android App
Vuldroid – Android Application covering various static and dynamic vulnerabilities

Owasp Juice shop – OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
DVWA – Damn Vulnerable Web Application (DVWA)
DSVW – Damn Small Vulnerable Web
bWAPP – This is just an instance of the OWASP bWAPP project as a docker container.
Xtreme Vulnerable Web Application – XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.
lazyweb – This web application is a demonstration of common server-side application flaws. Each of the vulnerabilities has its own difficulty rating.
OWASP Mutillidae II – OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
Pentest_lab – Local penetration testing lab using docker-compose.
VulnLab – A vulnerable web application lab using Docker

clicker-service – simulate XSS – Docker container that intakes post and then “clicks” the link. Intentionally vulnerable. To be used with vulnerable by design web apps to realistically simulate XSS and XSRF (CSRF).
XSSworm.dev – Self-replication contest
xssed – A set of XSS vulnerable PHP scripts for testing
xssable – A vulnerable blogging platform used to demonstrate XSS vulnerabilities.

SSRF_Vulnerable_Lab – This Lab contain the sample codes which are vulnerable to Server-Side Request Forgery attack

CORS-vulnerable-Lab – Sample vulnerable code and its exploit code
CORS misconfiguration vulnerable Lab – This Repository contains CORS misconfiguration related vulnerable codes.

Varnish HTTP/2 Request Smuggling – This repository a docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling.

exploit-workshop – A step by step workshop to exploit various vulnerabilities in Node.js and Java applications
DVNA – Damn Vulnerable NodeJS Application
Extreme Vulnerable Node Application – Extreme Vulnerable Node Application
dvws-node – Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.

DVRF – The Damn Vulnerable Router Firmware Project
OWASP IoT Goat – IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.

dvws – Damn Vulnerable Web Services – Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.
Fuzzgoat – A vulnerable C program for testing fuzzers.
wavsep – The Web Application Vulnerability Scanner Evaluation Project
leaky-repo – Benchmarking repo for secrets scanning
OWASP SKF labs – Repo for all the OWASP-SKF Docker lab examples
Vulnserver – Vulnerable server used for learning software exploitation
Damn-Vulnerable-GraphQL-Application – Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook’s GraphQL technology, to learn and practice GraphQL Security.
Vulnerable-nginx – An intentionally vulnerable NGINX setup
Raspwn OS – The intentionally vulnerable image for the Raspberry Pi.
python_security – This repository collects lists of security-relavent Python APIs, along with examples of exploits using those APIs
OWASP-VWAD – The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
Vulhub – Vulhub is an open-source collection of pre-built vulnerable docker environments.
VulnDoge – Web app for hunters

Contributions welcome! Read the contribution guidelines first.

To the extent possible under law, vavkamil has waived all copyright and related or neighboring rights to this work.