A curated list of Awesome Damn Vulnerable Applications (ADVA). To contribute, just edit this file.
- Juice Shop
- URL: https://github.com/juice-shop/juice-shop
- Stacks: Node.js
- Pros: most sophisticated, modern, includes OWASP Top 10
- Damn Vulnerable NodeJS Application (DVNA)
- URL: https://github.com/appsecco/dvna
- Stacks: Node.js, express, passport, sequelize
- Pros: there are branches with fixed versions of all vulns
- Damn-Vulnerable-RESTaurant-API-Game
- URL: https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game
- Stacks: API, Python, Docker
- Pros: mitigation steps in blog series, focus on API
- VAmPI
- URL: https://github.com/erev0s/VAmPI
- Stacks: Flask API
- Pros: focus on REST API with OWASP Top 10 vulns, OpenAPI3 specs and Postman Collection included
- secDevLabs
- URL: https://github.com/globocom/secDevLabs
- Stacks: Web & Android: Golang, Python, PHP, Node.js, Angular/Spring, React/Go, React, Dart/Flutter
- Pros: multiple different apps for different vulns, simple and efficient, includes all OWASP Top 10, old and new.
- nodejs-goof
- URL: https://github.com/snyk-labs/nodejs-goof
- Stacks: Node.js
- Pros: integrated with Snyk to fix all vulns
- NodeGoat
- URL: https://github.com/OWASP/NodeGoat
- Stacks: Node.js
- Pros: tutorial style and mitigation, includes OWASP Top 10 vulns
- WebGoat
- URL: https://github.com/WebGoat/WebGoat
- Stacks: Java
- Pros: OWASP Top 10, tutorial style guide
- WebGoatPHP
- URL: https://github.com/OWASP/OWASPWebGoatPHP
- Stacks: PHP
- Pros: OWASP Top 10, tutorial style guide
- Damn Vulnerable OAuth 2.0 Applications
- URL: https://github.com/koenbuyens/Vulnerable-OAuth-2.0-Applications
- Stacks: MEAN stack, Docker, OAuth 2.0
- Pros: there is a secure-by-design version of the OAuth 2.0 implementation for web, mobile, and SPA
- Damn Vulnerable Python Web Application (DVPWA)
- URL: https://github.com/anxolerd/dvpwa
- Stacks: Python, Docker
- Pros: mitigation is narrative only, but the instructions are clear
- NoSQL Injection Vulnerable App (NIVA)
- URL: https://github.com/aabashkin/nosql-injection-vulnapp
- Stacks: MongoDB + Java Driver edition
- Pros: focus on NoSQL vulns
- Vulnerable Java based Web Application (JSP)
- URL: https://github.com/CSPF-Founder/JavaVulnerableLab/
- Stacks: JSP, Docker, Java, Spring
- Pros: focus on JSP/Java, many vulns and video style tutorial
- [LATEST] Vulnerable Node.js Express.js Web Application and API
- URL: https://github.com/SirAppSec/vuln-node.js-express.js-app
- Stacks: Express.js + Node.js API and Frontend
- Pros: latest, many vulns, both low-hanging and complex ones
- Damn Vulnerable Web Services (Nodejs)
- URL: https://github.com/snoopysecurity/dvws-node
- Stacks: Node.js, Docker
- Pros: focus on many web services/API vulns, with all the solutions.
- PyGOAT
- URL: https://github.com/adeyosemanputra/pygoat
- Stacks: Django, Python
- Pros: includes all OWASP Top 10 and the latest 2021
- Broken Crystals
- URL: https://github.com/NeuraLegion/brokencrystals
- Stacks: React, Node.js, Swagger UI, GraphQL
- Pros: many common + advanced vulns
- Damn Small Vulnerable Web (DSVW)
- URL: https://github.com/stamparm/DSVW
- Stacks: Python
- Pros: just one file with 100 LoC (Lines of Code) for many vulns
- Damn Vulnerable File Upload (DVFU)
- URL: https://github.com/LunaM00n/File-Upload-Lab
- Stacks: PHP
- Pros: unique in focusing only on file upload vulns
- Damn Vulnerable GraphQL Application (DVGA)
- URL: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- Stacks: Python, HTML, JavaScript, GraphQL, SQLAlchemy, Docker
- Pros: unique & complete, focuses only on GraphQL
- Generic-University Vulnerable API
- URL: https://github.com/InsiderPhD/Generic-University
- Stacks: Laravel
- Pros: Laravel specific
- Vulnerable Node
- URL: https://github.com/cr0hn/vulnerable-node
- Stacks: Node.js
- Pros: includes OWASP Top 10
- Vulnerable Banking Suite (UnSAFE Bank)
- URL: https://github.com/lucideus-repo/UnSAFE_Bank
- Stacks: TypeScript, Node, iOS
- Pros: includes all OWASP & Mobile Top 10, focus on banking functionality
- Varnish HTTP/2 Request Smuggling
- URL: https://github.com/detectify/Varnish-H2-Request-Smuggling/
- Stacks: Varnish, Docker
- Pros: focus on HTTP/2 request smuggling
- VulnLab
- URL: https://github.com/Yavuzlar/VulnLab
- Stacks: PHP, Docker
- Pros: many vulns including modern stacks
- thegarden
- URL: https://github.com/gwen001/thegarden
- Stacks: Laravel
- Pros: unique in using Laravel, recently updated
- https://github.com/OWASP/wrongsecrets
- Java/Go API vulns: https://github.com/OWASP/crAPI
- Laravel/PHP API vulns: https://github.com/roottusk/vapi
- Complete API vulns: https://github.com/yrprey/yrprey-application
- Complete OWASP Top 10: https://github.com/yrprey/yrpreyTasksPython
- https://github.com/yrprey/yrpreyBlog
- https://github.com/yrprey/ypreyAPINodeJS
- https://github.com/yrprey/ypreyAPIPython
- https://github.com/yrprey/ypreyPollsPHP
- https://github.com/yrprey/yrpreyPollsNodeJS
- https://github.com/yrprey/yrpreyPollsPython
- https://github.com/yrprey/yrpreyTasks
- https://github.com/yrprey/yrpreyTasksNodeJS
- https://github.com/appsecco/dvja