Saturday, October 29, 2011

Hacking Vulnerable Web Applications Without Going To Jail

(LAST UPDATE: 2013-10-20)

Shameless plug: I will be teaching the 6-day SANS SEC575 training, "SEC575: Mobile Device Security and Ethical Hacking", in Abu Dhabi, UAE (Apr 26, 2014 - May 1, 2014) and Berlin, Germany (Jun 16-21, 2014).

LAST UPDATE: Since October 18, 2013, this list of vulnerable web applications has been moved to a new OWASP project: "OWASP Vulnerable Web Applications Directory (VWAD) Project".

While teaching web application security and penetration testing, one of the most prevalent questions from the audience at the end of every week is: "How and where can I (legally) put in practice all the knowledge and test all the different tools we have covered during the training (while preparing for the next real-world engagement)?" Along the years I have been providing multiple references to the attendees (including the option of testing real-world vulnerable open-source web applications) and mentioned several times that I had a pending blog post listing all them together... Today is the day! ;)... and I will be able to refer people here in future training sessions.

This blog post provides an extensive and updated list (as of October 20, 2011) of vulnerable web applications you can test your web hacking knowledge, pen-testing tools, skills, and kung-fu on, with an added bonus... without going to jail :) The vulnerable web applications have been classified in three categories: offline, VMs/ISOs, and online. Each list has been ordered alphabetically.

Offline: The following list references downloadable vulnerable web applications to play with that can be installed on a standard operating system (Linux, Windows, Mac OS X, etc) using a standard web platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc).
Virtual Machines (VMs) or ISO images: The following list references preinstalled and ready to use virtual machines (VMs) or ISO images that contain one or multiple vulnerable web applications to play with.
Online/Live: The following list references online and live vulnerable web applications available on the Internet to play with.
For completeness, there have been some other similar lists published in the past that I'm aware of, and also some "in-the-cloud" commercial training lab options are getting popular (let's call them "pay-per-hack" :-). Enjoy all these different web vulnerable environments and sharp your web app pen-testing skills and tools practicing with them!

Updates: (Thanks to everybody that sent me new vulnerable web-apps)
2011-10-31: Added VulnApp (.NET) & Sauron (Quemu).
2012-06-17: Added Metasploitable 2, Positive Hack Days (PHDays) I-Bank, and Hacme Bank Prebuilt VM.
2012-07-23: Added GameOver, Virtual Hacking Lab, and Hacking-Lab.
2012-12-19: Added SQLol, SQLI-labs, and WIVET.
2012-12-27: (beta).
2013-01-21: bWAPP.
2013-01-31: Drunk Admin Web Hacking Challenge, Hackxor online demo, Kioptrix4, and check The Hacker Games (VM) - some new additions via
2013-03-15: DVWS.
2013-09-09: Added PentesterLab and OWASP Bricks (thanks to m0wgli).
2013-10-08: Added Pentester Academy (thanks to m0wgli) and Bee-Box, and updated bWAPP homepage.
2013-10-20: List moved to OWASP VWAD project.

NOTE: WAVE and Wapsec main goal is to evaluate the features, quality, and accuracy of automatic web application vulnerability scanners. WIVET main goal is to statistically analyze web link extractors.

Image source:


  1. I miss the game "Sauron"

    In any case, good compilation!

  2. Theres also the project available online:

  3. Hi guys,

    Also this is very interesting:


  4. Hi everyone! I have not added to the list some suggestions I've received (like the one above) as they are wargames or challenges for multiple disciplines, and not only or related with web-apps.

    Though, I will keep the interesting ones here in the comments section.

  5. Thanks for your efforts. They're really helpful for vulnerability scanning.

  6. Another offline addition, OWASP bricks:

  7. Pentesterlab also has quite a few ISO images:

  8. Thanks a lot, Raul

    I am still learning