rarecoil/awesome-dva

A curated list of "damn vulnerable apps" and exploitable VMs / wargames. See contributing.md for information.

awesome-dva

DVA (no, not D.VA), or damn vulnerable apps, are web applications and VMs that exist to help infosec students and practitioners hone exploitation skills in an environment that is not competitive like a CTF or online like a wargame. This is a list of various downloadable applications and wargames.

This is a port of OWASP VWAD to the Awesome list framework. See /scripts/update-dva.js for the script that ports this from VWAD to Markdown. To contribute, contribute upstream to OWASP-VWAD and this will be updated. OWASP uses CC-BY-SA 3.0, so this is CC-BY-SA 4.0.

Table of Contents

• Downloadable Applications
• ISOs / Virtual Machines

Downloadable Applications

• BadStore — Perl(CGI)
• BodgeIt Store — Java
• Bricks — PHP
• Butterfly Security Project — PHP — Last updated in 2008
• bWAPP — PHP
• CryptOMG — PHP
• Cyclone Transfers — Ruby on Rails
• Damn Vulnerable File Upload - DVFU — PHP
• Damn Vulnerable Node Application - DVNA — Node.js
• Damn Vulnerable NodeJS Application - DVNA — Node.js — Different project from the old DVNA
• Damn Vulnerable Stateful WebApp — PHP
• Damn Vulnerable Web Application - DVWA — PHP
• Damn Vulnerable Web Services - DVWS — PHP
• Damn Vulnerable Web Services — Web Services
• Damn Vulnerable Web Sockets — Web Sockets
• Extreme Vulnerable Node Application — NodeJS
• Gruyere — Python
• Hackademic Challenges Project — PHP
• Hacme Bank - Android
• Hacme Bank — .NET
• Hacme Books — Java
• Hacme Casino — Ruby on Rails
• Hacme Shipping — ColdFusion
• Hacme Travel — C++
• hackxor — First 2 levels online, rest offline
• Juice Shop — Javascript
• LampSecurity — PHP
• Magical Code Injection Rainbow - MCIR
• Mutillidae — PHP
• .NET Goat — C#
• NodeGoat — Node.js
• NodeVulnerable — Node.js
• NoSQL Injection Lab — PHP and MongoDB
• Peruggia — PHP
• Puzzlemall — Java
• Rails Goat — Ruby on Rails
• SecuriBench — Java
• SecuriBench Micro — Java
• Security Shepherd — Java
• SQL injection test environment — PHP — SQLmap Project
• SQLI-labs — PHP
• SQLol — PHP
• TicketMagpie — Java
• twitterlike — PHP
• vulnerable-api — Python
• VulnApp — .NET
• Vulnerable Java Web Application — Java
• Vulnerable OTP App — PHP and Google OTP
• Vulnerable Web App
• WackoPicko — PHP
• WAVSEP - Web Application Vulnerability Scanner Evaluation Project — Java
• WebGoat — Java
• WebGoatPHP — PHP
• WIVET- Web Input Vector Extractor Teaser
• Xtreme Vulnerable Web Application (XVWA) — PHP and MySQL
• Tiredful API — Python and Django

ISOs and Virtual Machines

• BadStore — ISO
• Bee-Box — VMware
• (OWASP) Broken Web Applications Project (BWA) — VMware
• Drunk Admin Web Hacking Challenge — VMware
• Exploit.co.il Vuln Web App — VMware
• GameOver — VMware
• Hackxor — VMware
• Hacme Bank Prebuilt VM — VMware
• Kioptrix4 — VMware and Hyper-V
• LAMPSecurity — VMware
• Metasploitable 2 — VMware
• Metasploitable 3 — VMware
• Moth — VMware
• PentesterLab - The Exercises — ISO and PDF
• PHDays I-Bank — VMware
• Pixi (OWASP) — Docker and MEAN Stack
• Samurai WTF — ISO
• Sauron — Quemu
• Virtual Hacking Lab — ZIP
• Web Security Dojo — VMware and VirtualBox
• WordPress CD — VirtualBox
• XXE — VMware