
Awesome Vulnerable Applications

A curated list of various vulnerable by design applications

Online

Online vulnerable app and CTFs

Paid

Paid training courses

Vulnerable VMs

Cloud Security

  • Kubernetes Goat - Kubernetes Goat is a "Vulnerable by Design" Kubernetes cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
  • CloudGoat - CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool.
  • CdkGoat - Vulnerable AWS CDK Infra - CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository.
  • Cfngoat - Vulnerable Cloudformation Template - Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository.
  • TerraGoat - Vulnerable Terraform Infra - TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
  • caponeme - Capital One Breach - Repository demonstrating the Capital One breach on your own AWS account.
  • WrongSecrets - WrongSecrets is "Vulnerable by Design" to show how to not handle secrets in Docker, Kubernetes and in the cloud (AWS/GCP/Azure).
  • AWSGoat - A Damn Vulnerable AWS Infrastructure
  • AzureGoat - A Damn Vulnerable Azure Infrastructure
  • IAM Vulnerable - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
  • Sadcloud - A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure

SSO - Single Sign On

Mobile Security

  • Allsafe - Allsafe is an intentionally vulnerable application that contains various vulnerabilities.
  • InsecureBankv2 - Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities.
  • Vulnerable Kext - A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation.
  • InjuredAndroid - A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.
  • Damn Vulnerable Bank - Damn Vulnerable Bank is designed to be an intentionally vulnerable Android application.
  • InsecureShop - An Intentionally designed Vulnerable Android Application built in Kotlin.
  • AndroGoat - AndroGoat is a purposely developed open source vulnerable/insecure app written in Kotlin.
  • DIVA Android - Damn Insecure and vulnerable App for Android.
  • OVAA - Oversecured Vulnerable Android App.
  • Vuldroid - Android Application covering various static and dynamic vulnerabilities.
  • Android Security Testing - hpAndro1337 Application made in Kotlin with multiple vulnerabilities and a CTF.

OWASP Top 10

  • Owasp Juice shop - OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
  • DVWA - Damn Vulnerable Web Application (DVWA)
  • DSVW - Damn Small Vulnerable Web
  • bWAPP - This is just an instance of the OWASP bWAPP project as a docker container.
  • Xtreme Vulnerable Web Application - XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.
  • lazyweb - This web application is a demonstration of common server-side application flaws. Each of the vulnerabilities has its own difficulty rating.
  • OWASP Mutillidae II - OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts.
  • Pentest_lab - Local penetration testing lab using docker-compose.
  • VulnLab - A vulnerable web application lab using Docker
  • WebGoat - WebGoat is a deliberately insecure application by OWASP for training purposes.
  • VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for security testing

SQL Injection

XSS Injection

  • clicker-service - simulate XSS - Docker container that intakes post and then "clicks" the link. Intentionally vulnerable. To be used with vulnerable by design web apps to realistically simulate XSS and XSRF (CSRF).
  • XSSworm.dev - Self-replication contest
  • xssed - A set of XSS vulnerable PHP scripts for testing
  • xssable - A vulnerable blogging platform used to demonstrate XSS vulnerabilities.

Server Side Request Forgery

  • SSRF_Vulnerable_Lab - This lab contains sample code that is vulnerable to Server-Side Request Forgery attacks.

CORS Misconfiguration

XXE Injection

  • XXE Lab - A simple web app with an XXE vulnerability.
  • docker-java-xxe - Docker image to test XXE attacks in Java with Tomcat.

Request Smuggling

  • Varnish HTTP/2 Request Smuggling - This repository contains a docker-compose file to set up a local environment that is vulnerable to CVE-2021-36740, Varnish HTTP/2 request smuggling.

Technologies

WordPress

  • DVWP - Damn Vulnerable WordPress

Node.js

  • exploit-workshop - A step by step workshop to exploit various vulnerabilities in Node.js and Java applications
  • DVNA - Damn Vulnerable NodeJS Application
  • Extreme Vulnerable Node Application - Extreme Vulnerable Node Application
  • dvws-node - Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.

Firmware

  • DVRF - The Damn Vulnerable Router Firmware Project
  • OWASP IoT Goat - IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals in testing commonly found vulnerabilities in IoT devices.
  • DVID - Damn Vulnerable IoT Device

Uncategorized

  • dvws - Damn Vulnerable Web Services - Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.
  • Fuzzgoat - A vulnerable C program for testing fuzzers.
  • wavsep - The Web Application Vulnerability Scanner Evaluation Project
  • leaky-repo - Benchmarking repo for secrets scanning
  • OWASP SKF labs - Repo for all the OWASP-SKF Docker lab examples
  • Vulnserver - Vulnerable server used for learning software exploitation
  • Damn-Vulnerable-GraphQL-Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
  • Vulnerable-nginx - An intentionally vulnerable NGINX setup
  • Raspwn OS - The intentionally vulnerable image for the Raspberry Pi.
  • python_security - This repository collects lists of security-relevant Python APIs, along with examples of exploits using those APIs.
  • OWASP-VWAD - The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
  • Vulhub - Vulhub is an open-source collection of pre-built vulnerable docker environments.
  • VulnDoge - Web app for hunters
  • CI/CD Goat - Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, catch the flags.
  • Damn Vulnerable Thick Client - Damn Vulnerable Thick Client App developed in C# .NET

Contribute

Contributions welcome! Read the contribution guidelines first.

License

CC0

To the extent possible under law, vavkamil has waived all copyright and related or neighboring rights to this work.
