├── .gitattributes ├── .github ├── FUNDING.yml ├── dependabot.yml └── workflows │ └── validate.yml ├── .gitignore ├── LICENSE ├── README.md ├── schema.json └── src └── data └── collection.json /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto eol=lf 2 | 3 | *.css text 4 | *.htm text 5 | *.html text 6 | *.js text 7 | *.md text 8 | *.svg text 9 | *.txt text 10 | *.xml text 11 | *.xsl text 12 | *.yml text 13 | *.yaml text 14 | *.json text 15 | *.sh text 16 | *.nav text 17 | 18 | *.pdf binary 19 | *.png binary 20 | *.gif binary 21 | *.jpg binary 22 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | custom: https://owasp.org/donate/?reponame=www-project-vulnerable-web-applications-directory&title=OWASP+Vulnerable+Web+Applications+Directory 2 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # Please see the documentation for all configuration options: 2 | # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file 3 | 4 | version: 2 5 | updates: 6 | - package-ecosystem: "github-actions" # See documentation for possible values 7 | directory: "/" # Location of package manifests 8 | schedule: 9 | interval: "weekly" 10 | groups: 11 | dependencies: 12 | applies-to: version-updates 13 | patterns: 14 | - "*" 15 | -------------------------------------------------------------------------------- /.github/workflows/validate.yml: -------------------------------------------------------------------------------- 1 | name: Validate JSONs 2 | 3 | on: 4 | pull_request_target: 5 | paths: 6 | - '**.json' 7 | workflow_dispatch: 8 | 9 | permissions: 10 | contents: read 11 | 
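pull-requests: write  # belongs to the permissions: mapping opened just above; the job uses it to comment on the PR

jobs:
  schema-check:
    runs-on: ubuntu-latest
    steps:
      # This workflow is triggered by pull_request_target, so the job runs with the
      # base repository's token while this step fetches the contributor's branch.
      # Everything under the workspace is therefore untrusted input: the later steps
      # only read the JSON files as data, and no step should ever execute files from
      # this checkout (scripts, package.json hooks, local actions).
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Pin to the commit that triggered the run rather than the branch name,
          # so a push made after the event cannot change what gets validated.
          ref: ${{github.event.pull_request.head.sha}}
          repository: ${{github.event.pull_request.head.repo.full_name}}
          # Do not leave the job token in the .git/config of an untrusted checkout.
          persist-credentials: false
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: '20.x'
      # NOTE(review): both packages are installed unpinned, so whatever version the
      # registry serves at run time executes inside this job; pin exact versions.
      - name: Install dependencies
        run: |
          npm install -g ajv-formats
          npm install -g ajv-cli
      # schema.json and collection.json both come from the PR checkout, and the
      # trigger's '**.json' path filter also matches schema.json: a PR that edits
      # the schema is validated against its own schema, not the base branch's.
      - name: Run schema check
        run: |
          ajv validate -s schema.json -d src/data/collection.json --all-errors --errors=text --verbose=true -c=ajv-formats 1>> log.txt 2>&1
      - name: Show Validation Issues
        if: failure()
        run: cat log.txt
      - name: Attach Log
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: JSONValidationLog
          path: log.txt
      # Only pull-request runs have a PR to comment on; a manual workflow_dispatch
      # run has no PR number, so the step is skipped there.
      - name: Comment Validation Issues
        if: failure() && github.event_name == 'pull_request_target'
        uses: actions/github-script@v7
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            const fs = require("fs");
            const logPath = `${process.env.GITHUB_WORKSPACE}/log.txt`;
            // log.txt is validator output over contributor-supplied JSON: treat it as
            // untrusted text when it is placed inside the Markdown comment body.
            const logString = fs.readFileSync(logPath).toString().trimEnd();
            // github-script v5 and later expose the REST methods under github.rest;
            // awaiting the call makes a failed request fail the step.
            await github.rest.issues.createComment({
              // Read the PR number from the event context instead of splicing a
              // workflow expression into the script source.
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `**The following issues were identified:**\n\n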
Summary\n\n\`\`\`\n${logString}\n\`\`\`\n\n
` 56 | }) 57 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by .ignore support plugin (hsz.mobi) 2 | .idea/ 3 | *.iml 4 | 5 | #Eclipse files 6 | .settings 7 | .project 8 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, and 10 | distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by the copyright 13 | owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all other entities 16 | that control, are controlled by, or are under common control with that entity. 17 | For the purposes of this definition, "control" means (i) the power, direct or 18 | indirect, to cause the direction or management of such entity, whether by 19 | contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the 20 | outstanding shares, or (iii) beneficial ownership of such entity. 21 | 22 | "You" (or "Your") shall mean an individual or Legal Entity exercising 23 | permissions granted by this License. 24 | 25 | "Source" form shall mean the preferred form for making modifications, including 26 | but not limited to software source code, documentation source, and configuration 27 | files. 28 | 29 | "Object" form shall mean any form resulting from mechanical transformation or 30 | translation of a Source form, including but not limited to compiled object code, 31 | generated documentation, and conversions to other media types. 
32 | 33 | "Work" shall mean the work of authorship, whether in Source or Object form, made 34 | available under the License, as indicated by a copyright notice that is included 35 | in or attached to the work (an example is provided in the Appendix below). 36 | 37 | "Derivative Works" shall mean any work, whether in Source or Object form, that 38 | is based on (or derived from) the Work and for which the editorial revisions, 39 | annotations, elaborations, or other modifications represent, as a whole, an 40 | original work of authorship. For the purposes of this License, Derivative Works 41 | shall not include works that remain separable from, or merely link (or bind by 42 | name) to the interfaces of, the Work and Derivative Works thereof. 43 | 44 | "Contribution" shall mean any work of authorship, including the original version 45 | of the Work and any modifications or additions to that Work or Derivative Works 46 | thereof, that is intentionally submitted to Licensor for inclusion in the Work 47 | by the copyright owner or by an individual or Legal Entity authorized to submit 48 | on behalf of the copyright owner. For the purposes of this definition, 49 | "submitted" means any form of electronic, verbal, or written communication sent 50 | to the Licensor or its representatives, including but not limited to 51 | communication on electronic mailing lists, source code control systems, and 52 | issue tracking systems that are managed by, or on behalf of, the Licensor for 53 | the purpose of discussing and improving the Work, but excluding communication 54 | that is conspicuously marked or otherwise designated in writing by the copyright 55 | owner as "Not a Contribution." 56 | 57 | "Contributor" shall mean Licensor and any individual or Legal Entity on behalf 58 | of whom a Contribution has been received by Licensor and subsequently 59 | incorporated within the Work. 60 | 61 | 2. Grant of Copyright License. 
62 | 63 | Subject to the terms and conditions of this License, each Contributor hereby 64 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, 65 | irrevocable copyright license to reproduce, prepare Derivative Works of, 66 | publicly display, publicly perform, sublicense, and distribute the Work and such 67 | Derivative Works in Source or Object form. 68 | 69 | 3. Grant of Patent License. 70 | 71 | Subject to the terms and conditions of this License, each Contributor hereby 72 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, 73 | irrevocable (except as stated in this section) patent license to make, have 74 | made, use, offer to sell, sell, import, and otherwise transfer the Work, where 75 | such license applies only to those patent claims licensable by such Contributor 76 | that are necessarily infringed by their Contribution(s) alone or by combination 77 | of their Contribution(s) with the Work to which such Contribution(s) was 78 | submitted. If You institute patent litigation against any entity (including a 79 | cross-claim or counterclaim in a lawsuit) alleging that the Work or a 80 | Contribution incorporated within the Work constitutes direct or contributory 81 | patent infringement, then any patent licenses granted to You under this License 82 | for that Work shall terminate as of the date such litigation is filed. 83 | 84 | 4. Redistribution. 
85 | 86 | You may reproduce and distribute copies of the Work or Derivative Works thereof 87 | in any medium, with or without modifications, and in Source or Object form, 88 | provided that You meet the following conditions: 89 | 90 | You must give any other recipients of the Work or Derivative Works a copy of 91 | this License; and 92 | You must cause any modified files to carry prominent notices stating that You 93 | changed the files; and 94 | You must retain, in the Source form of any Derivative Works that You distribute, 95 | all copyright, patent, trademark, and attribution notices from the Source form 96 | of the Work, excluding those notices that do not pertain to any part of the 97 | Derivative Works; and 98 | If the Work includes a "NOTICE" text file as part of its distribution, then any 99 | Derivative Works that You distribute must include a readable copy of the 100 | attribution notices contained within such NOTICE file, excluding those notices 101 | that do not pertain to any part of the Derivative Works, in at least one of the 102 | following places: within a NOTICE text file distributed as part of the 103 | Derivative Works; within the Source form or documentation, if provided along 104 | with the Derivative Works; or, within a display generated by the Derivative 105 | Works, if and wherever such third-party notices normally appear. The contents of 106 | the NOTICE file are for informational purposes only and do not modify the 107 | License. You may add Your own attribution notices within Derivative Works that 108 | You distribute, alongside or as an addendum to the NOTICE text from the Work, 109 | provided that such additional attribution notices cannot be construed as 110 | modifying the License. 
111 | You may add Your own copyright statement to Your modifications and may provide 112 | additional or different license terms and conditions for use, reproduction, or 113 | distribution of Your modifications, or for any such Derivative Works as a whole, 114 | provided Your use, reproduction, and distribution of the Work otherwise complies 115 | with the conditions stated in this License. 116 | 117 | 5. Submission of Contributions. 118 | 119 | Unless You explicitly state otherwise, any Contribution intentionally submitted 120 | for inclusion in the Work by You to the Licensor shall be under the terms and 121 | conditions of this License, without any additional terms or conditions. 122 | Notwithstanding the above, nothing herein shall supersede or modify the terms of 123 | any separate license agreement you may have executed with Licensor regarding 124 | such Contributions. 125 | 126 | 6. Trademarks. 127 | 128 | This License does not grant permission to use the trade names, trademarks, 129 | service marks, or product names of the Licensor, except as required for 130 | reasonable and customary use in describing the origin of the Work and 131 | reproducing the content of the NOTICE file. 132 | 133 | 7. Disclaimer of Warranty. 134 | 135 | Unless required by applicable law or agreed to in writing, Licensor provides the 136 | Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, 137 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, 138 | including, without limitation, any warranties or conditions of TITLE, 139 | NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are 140 | solely responsible for determining the appropriateness of using or 141 | redistributing the Work and assume any risks associated with Your exercise of 142 | permissions under this License. 143 | 144 | 8. Limitation of Liability. 
145 | 146 | In no event and under no legal theory, whether in tort (including negligence), 147 | contract, or otherwise, unless required by applicable law (such as deliberate 148 | and grossly negligent acts) or agreed to in writing, shall any Contributor be 149 | liable to You for damages, including any direct, indirect, special, incidental, 150 | or consequential damages of any character arising as a result of this License or 151 | out of the use or inability to use the Work (including but not limited to 152 | damages for loss of goodwill, work stoppage, computer failure or malfunction, or 153 | any and all other commercial damages or losses), even if such Contributor has 154 | been advised of the possibility of such damages. 155 | 156 | 9. Accepting Warranty or Additional Liability. 157 | 158 | While redistributing the Work or Derivative Works thereof, You may choose to 159 | offer, and charge a fee for, acceptance of support, warranty, indemnity, or 160 | other liability obligations and/or rights consistent with this License. However, 161 | in accepting such obligations, You may act only on Your own behalf and on Your 162 | sole responsibility, not on behalf of any other Contributor, and only if You 163 | agree to indemnify, defend, and hold each Contributor harmless for any liability 164 | incurred by, or claims asserted against, such Contributor by reason of your 165 | accepting any such warranty or additional liability. 166 | 167 | END OF TERMS AND CONDITIONS 168 | 169 | APPENDIX: How to apply the Apache License to your work 170 | 171 | To apply the Apache License to your work, attach the following boilerplate 172 | notice, with the fields enclosed by brackets "[]" replaced with your own 173 | identifying information. (Don't include the brackets!) The text should be 174 | enclosed in the appropriate comment syntax for the file format. 
We also 175 | recommend that a file or class name and description of purpose be included on 176 | the same "printed page" as the copyright notice for easier identification within 177 | third-party archives. 178 | 179 | Copyright [yyyy] [name of copyright owner] 180 | 181 | Licensed under the Apache License, Version 2.0 (the "License"); 182 | you may not use this file except in compliance with the License. 183 | You may obtain a copy of the License at 184 | 185 | http://www.apache.org/licenses/LICENSE-2.0 186 | 187 | Unless required by applicable law or agreed to in writing, software 188 | distributed under the License is distributed on an "AS IS" BASIS, 189 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 190 | See the License for the specific language governing permissions and 191 | limitations under the License. 192 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OWASP-VWAD ![OWASP Lab](https://img.shields.io/badge/owasp-lab-yellow.svg) 2 | 3 | ## 2024-10-26 4 | 5 | ⚠️ This repo is being wound down. Future work should be via [`www-project-vulnerable-web-applications-directory`](https://github.com/OWASP/www-project-vulnerable-web-applications-directory) 6 | 7 | --- 8 | 9 | The OWASP Vulnerable Web Applications Directory Project (VWAD, https://owasp.org/www-project-vulnerable-web-applications-directory/) is a comprehensive and well maintained registry of all known vulnerable web applications currently available. 
10 | 11 | The individual collections are available via separate tabs on: [https://owasp.org/www-project-vulnerable-web-applications-directory/](https://owasp.org/www-project-vulnerable-web-applications-directory/) 12 | -------------------------------------------------------------------------------- /schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "array", 3 | "items": { 4 | "$ref": "#/definitions/VWADEntry" 5 | }, 6 | "title": "OWASP VWAD Schema", 7 | "definitions": { 8 | "VWADEntry": { 9 | "type": "object", 10 | "additionalProperties": false, 11 | "properties": { 12 | "url": { 13 | "type": "string", 14 | "format": "uri" 15 | }, 16 | "name": { 17 | "type": "string" 18 | }, 19 | "collection": { 20 | "type": "array", 21 | "items": { 22 | "type": "string", 23 | "enum": [ 24 | "container", 25 | "mobile", 26 | "online", 27 | "offline" 28 | ] 29 | } 30 | }, 31 | "technology": { 32 | "type": "array", 33 | "items": { 34 | "type": "string" 35 | } 36 | }, 37 | "references": { 38 | "type": "array", 39 | "items": { 40 | "$ref": "#/definitions/Reference" 41 | } 42 | }, 43 | "author": { 44 | "oneOf": [ 45 | { 46 | "type": "null" 47 | }, 48 | { 49 | "type": "string" 50 | } 51 | ] 52 | }, 53 | "notes": { 54 | "oneOf": [ 55 | { 56 | "type": "null" 57 | }, 58 | { 59 | "type": "string" 60 | } 61 | ] 62 | }, 63 | "badge": { 64 | "oneOf": [ 65 | { 66 | "type": "null" 67 | }, 68 | { 69 | "type": "string" 70 | } 71 | ] 72 | } 73 | }, 74 | "required": [ 75 | "author", 76 | "badge", 77 | "collection", 78 | "name", 79 | "notes", 80 | "references", 81 | "technology", 82 | "url" 83 | ], 84 | "title": "VWADEntry" 85 | }, 86 | "Reference": { 87 | "type": "object", 88 | "additionalProperties": false, 89 | "properties": { 90 | "name": { 91 | "$ref": "#/definitions/Name" 92 | }, 93 | "url": { 94 | "type": "string", 95 | "format": "uri" 96 | } 97 | }, 98 | "required": [ 99 | "name", 100 | "url" 101 | ], 102 | "title": "Reference" 103 | 
}, 104 | "Name": { 105 | "type": "string", 106 | "enum": [ 107 | "guide", 108 | "download", 109 | "docker", 110 | "downloads", 111 | "announcement", 112 | "live", 113 | "demo", 114 | "preview" 115 | ], 116 | "title": "Name" 117 | } 118 | } 119 | } 120 | -------------------------------------------------------------------------------- /src/data/collection.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "url": "https://github.com/jerryhoff/WebGoat.NET", 4 | "name": ".NET Goat", 5 | "collection": [ 6 | "offline" 7 | ], 8 | "technology": [ 9 | "C#" 10 | ], 11 | "references": [], 12 | "author": "OWASP", 13 | "notes": "Original main repo: https://github.com/jerryhoff/WebGoat.NET. Others: https://github.com/rapPayne/WebGoat.Net , https://github.com/jowasp/WebGoat.NET.", 14 | "badge": "jerryhoff/WebGoat.NET" 15 | }, 16 | { 17 | "url": "http://testphp.vulnweb.com", 18 | "name": "Acuart", 19 | "collection": [ 20 | "online" 21 | ], 22 | "technology": [ 23 | "PHP" 24 | ], 25 | "references": [ 26 | { 27 | "name": "live", 28 | "url": "http://testphp.vulnweb.com" 29 | } 30 | ], 31 | "author": "Acunetix", 32 | "notes": "Art shopping", 33 | "badge": null 34 | }, 35 | { 36 | "url": "https://github.com/dhammon/ai-goat", 37 | "name": "AI-Goat", 38 | "collection": [ 39 | "offline" 40 | ], 41 | "technology": [ 42 | "Python", 43 | "Vicuna LLM", 44 | "LLaMa" 45 | ], 46 | "references": [ 47 | { 48 | "name": "download", 49 | "url": "https://github.com/dhammon/ai-goat" 50 | } 51 | ], 52 | "author": "fhammon, Guanwei Hu", 53 | "notes": "AI Goat uses the Vicuna LLM which derived from Meta's LLaMA and coupled with ChatGPT's response data. 
When installing AI Goat the LLM binary is downloaded from third party locally on your computer.", 54 | "badge": null 55 | }, 56 | { 57 | "url": "http://demo.testfire.net/", 58 | "name": "Altoro Mutual (AltoroJ)", 59 | "collection": [ 60 | "online", 61 | "offline" 62 | ], 63 | "technology": [ 64 | "J2EE" 65 | ], 66 | "references": [ 67 | { 68 | "name": "download", 69 | "url": "https://github.com/HCL-TECH-SOFTWARE/AltoroJ" 70 | }, 71 | { 72 | "name": "live", 73 | "url": "http://demo.testfire.net/" 74 | } 75 | ], 76 | "author": "IBM/Watchfire", 77 | "notes": "Log in with jsmith/demo1234 or admin/admin", 78 | "badge": "hclproducts/AltoroJ" 79 | }, 80 | { 81 | "url": "https://github.com/satishpatnayak/AndroGoat", 82 | "name": "AndroGoat", 83 | "collection": [ 84 | "mobile" 85 | ], 86 | "technology": [ 87 | "Kotlin", 88 | "Android" 89 | ], 90 | "references": [ 91 | { 92 | "name": "download", 93 | "url": "https://github.com/satishpatnayak/MyTest/blob/master/AndroGoat.apk" 94 | } 95 | ], 96 | "author": "satishpatnayak", 97 | "notes": null, 98 | "badge": "satishpatnayak/AndroGoat" 99 | }, 100 | { 101 | "url": "https://github.com/digininja/authlab", 102 | "name": "AuthLab", 103 | "collection": [ 104 | "offline", 105 | "online" 106 | ], 107 | "technology": [ 108 | "GO" 109 | ], 110 | "references": [ 111 | { 112 | "name": "guide", 113 | "url": "https://digi.ninja/projects/authlab.php" 114 | }, 115 | { 116 | "name": "live", 117 | "url": "https://authlab.digi.ninja/" 118 | } 119 | ], 120 | "author": "digininja (Robin Wood)", 121 | "notes": null, 122 | "badge": "digininja/authlab" 123 | }, 124 | { 125 | "url": "http://www.bgabank.com/", 126 | "name": "BGA Vulnerable BANK App", 127 | "collection": [ 128 | "online" 129 | ], 130 | "technology": [ 131 | ".NET" 132 | ], 133 | "references": [ 134 | { 135 | "name": "live", 136 | "url": "http://www.bgabank.com/" 137 | } 138 | ], 139 | "author": "BGA Security", 140 | "notes": null, 141 | "badge": null 142 | }, 143 | { 144 | "url": 
"https://sourceforge.net/projects/bwapp/files/bee-box/", 145 | "name": "Bee-Box", 146 | "collection": [ 147 | "container" 148 | ], 149 | "technology": [ 150 | "VMware" 151 | ], 152 | "references": [], 153 | "author": null, 154 | "notes": null, 155 | "badge": null 156 | }, 157 | { 158 | "url": "https://github.com/psiinon/bodgeit", 159 | "name": "BodgeIt Store", 160 | "collection": [ 161 | "offline", 162 | "container" 163 | ], 164 | "technology": [ 165 | "Java" 166 | ], 167 | "references": [ 168 | { 169 | "name": "download", 170 | "url": "https://github.com/psiinon/bodgeit/releases/latest" 171 | }, 172 | { 173 | "name": "docker", 174 | "url": "https://hub.docker.com/r/psiinon/bodgeit" 175 | } 176 | ], 177 | "author": "Simon Bennetts (psiinon)", 178 | "notes": null, 179 | "badge": "psiinon/bodgeit" 180 | }, 181 | { 182 | "url": "http://sechow.com/bricks/index.html", 183 | "name": "Bricks", 184 | "collection": [ 185 | "offline" 186 | ], 187 | "technology": [ 188 | "PHP" 189 | ], 190 | "references": [ 191 | { 192 | "name": "download", 193 | "url": "http://sechow.com/bricks/download.html" 194 | }, 195 | { 196 | "name": "guide", 197 | "url": "http://sechow.com/bricks/docs/" 198 | } 199 | ], 200 | "author": "OWASP", 201 | "notes": null, 202 | "badge": null 203 | }, 204 | { 205 | "url": "https://github.com/NeuraLegion/brokencrystals#vulnerabilities-overview", 206 | "name": "Broken Crystals", 207 | "collection": [ 208 | "offline", 209 | "online" 210 | ], 211 | "technology": [ 212 | "react", 213 | "Node", 214 | "Swagger" 215 | ], 216 | "references": [ 217 | { 218 | "name": "live", 219 | "url": "https://brokencrystals.com/" 220 | } 221 | ], 222 | "author": "NeuraLegion", 223 | "notes": null, 224 | "badge": "NeuraLegion/brokencrystals" 225 | }, 226 | { 227 | "url": "https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project", 228 | "name": "Broken Web Applications Project (BWA) - OWASP", 229 | "collection": [ 230 | "container" 231 | ], 232 | "technology": [ 233 | 
"VMware" 234 | ], 235 | "references": [ 236 | { 237 | "name": "download", 238 | "url": "https://github.com/chuckfw/owaspbwa/" 239 | }, 240 | { 241 | "name": "download", 242 | "url": "https://sourceforge.net/projects/owaspbwa/files/" 243 | } 244 | ], 245 | "author": "OWASP - Chuck Willis", 246 | "notes": null, 247 | "badge": null 248 | }, 249 | { 250 | "url": "https://bugbait.io", 251 | "name": "BugBait - Vulnerable Web Application", 252 | "collection": [ 253 | "online" 254 | ], 255 | "technology": [ 256 | "Node.js" 257 | ], 258 | "references": [ 259 | { 260 | "name": "live", 261 | "url": "https://bugbait.io" 262 | } 263 | ], 264 | "author": "Blacklock Security", 265 | "notes": "bugbait.io is a vulnerable web application for students, developers, cyber enthusiasts and pen testers to identify and exploit the vulnerabilities.", 266 | "badge": null 267 | }, 268 | { 269 | "url": "https://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/", 270 | "name": "Butterfly Security Project", 271 | "collection": [ 272 | "offline" 273 | ], 274 | "technology": [ 275 | "PHP" 276 | ], 277 | "references": [ 278 | { 279 | "name": "download", 280 | "url": "https://sourceforge.net/projects/thebutterflytmp/files/" 281 | } 282 | ], 283 | "author": null, 284 | "notes": "Last updated in 2008", 285 | "badge": null 286 | }, 287 | { 288 | "url": "https://ctflearn.com/", 289 | "name": "CTFLearn", 290 | "collection": [ 291 | "online" 292 | ], 293 | "technology": [], 294 | "references": [ 295 | { 296 | "name": "live", 297 | "url": "https://ctflearn.com/" 298 | } 299 | ], 300 | "author": "@ctflearn", 301 | "notes": null, 302 | "badge": null 303 | }, 304 | { 305 | "url": "https://github.com/convisolabs/CVWA", 306 | "name": "CVWA - Conviso Vulnerable Web Application", 307 | "collection": [ 308 | "offline" 309 | ], 310 | "technology": [ 311 | "PHP" 312 | ], 313 | "references": [ 314 | { 315 | "name": "download", 316 | "url": "https://github.com/convisolabs/CVWA" 317 | } 318 | ], 319 | 
"author": "Conviso AppSec", 320 | "notes": null, 321 | "badge": "convisolabs/CVWA" 322 | }, 323 | { 324 | "url": "https://github.com/RhinoSecurityLabs/cloudgoat", 325 | "name": "CloudGoat", 326 | "collection": [ 327 | "offline", 328 | "container" 329 | ], 330 | "technology": [ 331 | "Python", 332 | "AWS" 333 | ], 334 | "references": [ 335 | { 336 | "name": "guide", 337 | "url": "https://medium.com/@rzepsky/playing-with-cloudgoat-part-1-hacking-aws-ec2-service-for-privilege-escalation-4c42cc83f9da" 338 | }, 339 | { 340 | "name": "announcement", 341 | "url": "https://rhinosecuritylabs.com/aws/cloudgoat-vulnerable-design-aws-environment/" 342 | }, 343 | { 344 | "name": "docker", 345 | "url": "https://hub.docker.com/r/rhinosecuritylabs/cloudgoat" 346 | } 347 | ], 348 | "author": "Rhino Security Labs", 349 | "notes": null, 350 | "badge": "RhinoSecurityLabs/cloudgoat" 351 | }, 352 | { 353 | "url": "https://github.com/SpiderLabs/CryptOMG", 354 | "name": "CryptOMG", 355 | "collection": [ 356 | "offline" 357 | ], 358 | "technology": [ 359 | "PHP" 360 | ], 361 | "references": [ 362 | { 363 | "name": "download", 364 | "url": "http://isc.sans.edu/forums/diary/Modern+Web+Application+Penetration+Testing+Hash+Length+Extension+Attacks/22792/" 365 | } 366 | ], 367 | "author": "SpiderLabs", 368 | "notes": null, 369 | "badge": "SpiderLabs/CryptOMG" 370 | }, 371 | { 372 | "url": "https://cyberscavengerhunt.com", 373 | "name": "Cyber Scavenger Hunt", 374 | "collection": [ 375 | "online" 376 | ], 377 | "technology": [ 378 | "Javacript", 379 | "React" 380 | ], 381 | "references": [ 382 | { 383 | "name": "download", 384 | "url": "https://github.com/arthurakay/cyberscavengerhunt" 385 | }, 386 | { 387 | "name": "live", 388 | "url": "https://cyberscavengerhunt.com" 389 | } 390 | ], 391 | "author": "Arthur Kay", 392 | "notes": "A simple scavenger hunt to learn about pentesting a website or web application.", 393 | "badge": "arthurakay/cyberscavengerhunt" 394 | }, 395 | { 396 | "url": 
"https://github.com/fridaygoldsmith/bwa_cyclone_transfers", 397 | "name": "Cyclone Transfers", 398 | "collection": [ 399 | "offline" 400 | ], 401 | "technology": [ 402 | "Ruby on Rails" 403 | ], 404 | "references": [], 405 | "author": null, 406 | "notes": null, 407 | "badge": "fridaygoldsmith/bwa_cyclone_transfers" 408 | }, 409 | { 410 | "url": "https://github.com/snsttr/diwa", 411 | "name": "DIWA - Deliberately Insecure Web Application", 412 | "collection": [ 413 | "offline", 414 | "container" 415 | ], 416 | "technology": [ 417 | "PHP", 418 | "Docker" 419 | ], 420 | "references": [ 421 | { 422 | "name": "guide", 423 | "url": "https://github.com/snsttr/diwa/tree/master/docs" 424 | } 425 | ], 426 | "author": "Tim Steufmehl", 427 | "notes": "A Deliberately Insecure Web Application", 428 | "badge": "snsttr/diwa" 429 | }, 430 | { 431 | "url": "https://github.com/stamparm/DSVW", 432 | "name": "Damn Small Vulnerable Web (DSVW)", 433 | "collection": [ 434 | "offline" 435 | ], 436 | "technology": [ 437 | "Python" 438 | ], 439 | "references": [], 440 | "author": "Miroslav Stampar", 441 | "notes": null, 442 | "badge": "stamparm/DSVW" 443 | }, 444 | { 445 | "url": "https://github.com/AvalZ/DVAS", 446 | "name": "Damn Vulnerable Application Scanner (DVAS)", 447 | "collection": [ 448 | "offline" 449 | ], 450 | "technology": [ 451 | "PHP" 452 | ], 453 | "references": [ 454 | { 455 | "name": "guide", 456 | "url": "https://ceur-ws.org/Vol-2940/paper36.pdf" 457 | }, 458 | { 459 | "name": "announcement", 460 | "url": "https://avalz.it/research/metasploit-pro-xss-to-rce/" 461 | } 462 | ], 463 | "author": "Andrea Valenza, Enrico Russo, Gabriele Costa", 464 | "notes": "An intentionally vulnerable web application scanner", 465 | "badge": "AvalZ/DVAS" 466 | }, 467 | { 468 | "url": "https://github.com/rewanthtammana/Damn-Vulnerable-Bank", 469 | "name": "Damn Vulnerable Bank", 470 | "collection": [ 471 | "mobile" 472 | ], 473 | "technology": [ 474 | "android" 475 | ], 476 | "references": [ 
477 | { 478 | "name": "guide", 479 | "url": "https://rewanthtammana.com/damn-vulnerable-bank/" 480 | } 481 | ], 482 | "author": "Rewanth Tammana, Akshansh Jaiswal, Hrushikesh Kakade", 483 | "notes": null, 484 | "badge": "rewanthtammana/Damn-Vulnerable-Bank" 485 | }, 486 | { 487 | "url": "https://github.com/njmulsqb/DVEA/", 488 | "name": "Damn Vulnerable Electron App (DVEA)", 489 | "collection": [ 490 | "offline" 491 | ], 492 | "technology": [ 493 | "ElectronJS" 494 | ], 495 | "references": [ 496 | { 497 | "name": "announcement", 498 | "url": "https://njmulsqb.github.io/2023/01/03/releasing-DVEA.html" 499 | }, 500 | { 501 | "name": "download", 502 | "url": "https://github.com/njmulsqb/DVEA/" 503 | } 504 | ], 505 | "author": "Najam Ul Saqib (cybersoldier)", 506 | "notes": "A deliberately insecure ElectronJS application", 507 | "badge": "njmulsqb/DVEA" 508 | }, 509 | { 510 | "url": "https://github.com/LunaM00n/File-Upload-Lab", 511 | "name": "Damn Vulnerable File Upload - DVFU", 512 | "collection": [ 513 | "offline" 514 | ], 515 | "technology": [ 516 | "PHP" 517 | ], 518 | "references": [], 519 | "author": "Thin Ba Shane (@art0flunam00n)", 520 | "notes": null, 521 | "badge": "LunaM00n/File-Upload-Lab" 522 | }, 523 | { 524 | "url": "https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service", 525 | "name": "Damn Vulnerable Functions as a Service (DVFaaS)", 526 | "collection": [ 527 | "offline" 528 | ], 529 | "technology": [ 530 | "Python", 531 | "AWS" 532 | ], 533 | "references": [ 534 | { 535 | "name": "guide", 536 | "url": "https://www.slideshare.net/abhaybhargav/an-attackers-view-of-serverless-and-graphql-apps-abhay-bhargav-appsec-california-2019" 537 | } 538 | ], 539 | "author": "we45 (Abhay Bhargav)", 540 | "notes": null, 541 | "badge": "we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service" 542 | }, 543 | { 544 | "url": "https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application", 545 | "name": "Damn Vulnerable GraphQL Application (DVGA)", 546 | 
"collection": [ 547 | "container", 548 | "offline" 549 | ], 550 | "technology": [ 551 | "Python", 552 | "HTML", 553 | "Javascript", 554 | "GraphQL", 555 | "SQLAlchemy", 556 | "docker" 557 | ], 558 | "references": [], 559 | "author": "Dolev Farhi , Connor McKinnon", 560 | "notes": null, 561 | "badge": "dolevf/Damn-Vulnerable-GraphQL-Application" 562 | }, 563 | { 564 | "url": "https://github.com/isp1r0/DVNA", 565 | "name": "Damn Vulnerable Node Application - DVNA", 566 | "collection": [ 567 | "offline" 568 | ], 569 | "technology": [ 570 | "Node.js" 571 | ], 572 | "references": [], 573 | "author": "Claudio Lacayo", 574 | "notes": null, 575 | "badge": "isp1r0/DVNA" 576 | }, 577 | { 578 | "url": "https://github.com/appsecco/dvna", 579 | "name": "Damn Vulnerable NodeJS Application - DVNA", 580 | "collection": [ 581 | "offline" 582 | ], 583 | "technology": [ 584 | "Node.js" 585 | ], 586 | "references": [], 587 | "author": "@appsecco", 588 | "notes": "Different project from the old DVNA", 589 | "badge": "appsecco/dvna" 590 | }, 591 | { 592 | "url": "https://github.com/koenbuyens/Vulnerable-OAuth-2.0-Applications", 593 | "name": "Damn Vulnerable OAuth 2.0 Applications", 594 | "collection": [ 595 | "offline" 596 | ], 597 | "technology": [ 598 | "MEAN", 599 | "Docker", 600 | "OAuth 2.0" 601 | ], 602 | "references": [], 603 | "author": "Koen Buyens", 604 | "notes": "A set of vulnerable applications which show Oauth2.0 vulnerabilities.", 605 | "badge": "koenbuyens/Vulnerable-OAuth-2.0-Applications" 606 | }, 607 | { 608 | "url": "https://github.com/anxolerd/dvpwa", 609 | "name": "Damn Vulnerable Python Web Application - DVPWA", 610 | "collection": [ 611 | "offline" 612 | ], 613 | "technology": [ 614 | "Python", 615 | "Docker" 616 | ], 617 | "references": [], 618 | "author": "Oleksandr Kovalchuk", 619 | "notes": null, 620 | "badge": "anxolerd/dvpwa" 621 | }, 622 | { 623 | "url": "https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game", 624 | "name": "Damn Vulnerable 
Restaurant", 625 | "collection": [ 626 | "offline" 627 | ], 628 | "references": [ 629 | { 630 | "name": "guide", 631 | "url": "https://devsec-blog.com/2024/04/security-code-challenge-for-developers-ethical-hackers-the-damn-vulnerable-restaurant/" 632 | } 633 | ], 634 | "technology": [ 635 | "Python", 636 | "Docker" 637 | ], 638 | "author": "theowni", 639 | "notes": "Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.", 640 | "badge": "theowni/Damn-Vulnerable-Restaurant-API-Game" 641 | }, 642 | { 643 | "url": "https://github.com/OWASP/DVSA", 644 | "name": "Damn Vulnerable Serverless App (DVSA)", 645 | "collection": [ 646 | "offline" 647 | ], 648 | "technology": [ 649 | "Node", 650 | "AWS", 651 | "Azure" 652 | ], 653 | "references": [ 654 | { 655 | "name": "guide", 656 | "url": "https://github.com/OWASP/DVSA/tree/master/AWS/LESSONS" 657 | } 658 | ], 659 | "author": "Protego Labs", 660 | "notes": null, 661 | "badge": "OWASP/DVSA" 662 | }, 663 | { 664 | "url": "https://github.com/silentsignal/damn-vulnerable-stateful-web-app", 665 | "name": "Damn Vulnerable Stateful WebApp", 666 | "collection": [ 667 | "offline" 668 | ], 669 | "technology": [ 670 | "PHP" 671 | ], 672 | "references": [ 673 | { 674 | "name": "download", 675 | "url": "http://www.sans.org/reading-room/whitepapers/testing/testing-stateful-web-application-workflows-36637" 676 | } 677 | ], 678 | "author": "dnet", 679 | "notes": null, 680 | "badge": "silentsignal/damn-vulnerable-stateful-web-app" 681 | }, 682 | { 683 | "url": "https://github.com/digininja/DVWA", 684 | "name": "Damn Vulnerable Web Application - DVWA", 685 | "collection": [ 686 | "offline", 687 | "container" 688 | ], 689 | "technology": [ 690 | "PHP" 691 | ], 692 | "references": [ 693 | { 694 | "name": "download", 695 | "url": "https://github.com/digininja/DVWA" 696 | }, 697 | { 698 | "name": "docker", 699 | "url": 
"https://github.com/digininja/DVWA#docker" 700 | } 701 | ], 702 | "author": "RandomStorm", 703 | "notes": null, 704 | "badge": "ethicalhack3r/DVWA" 705 | }, 706 | { 707 | "url": "https://github.com/snoopysecurity/dvws", 708 | "name": "Damn Vulnerable Web Services", 709 | "collection": [ 710 | "offline" 711 | ], 712 | "technology": [ 713 | "Web Services" 714 | ], 715 | "references": [], 716 | "author": "snoopysecurity", 717 | "notes": null, 718 | "badge": "snoopysecurity/dvws" 719 | }, 720 | { 721 | "url": "https://github.com/interference-security/DVWS", 722 | "name": "Damn Vulnerable Web Sockets", 723 | "collection": [ 724 | "offline" 725 | ], 726 | "technology": [ 727 | "Web Sockets" 728 | ], 729 | "references": [], 730 | "author": "@appsecco", 731 | "notes": null, 732 | "badge": "interference-security/DVWS" 733 | }, 734 | { 735 | "url": "https://defendtheweb.net/", 736 | "name": "Defend the Web", 737 | "collection": [ 738 | "online" 739 | ], 740 | "technology": [], 741 | "references": [ 742 | { 743 | "name": "live", 744 | "url": "https://defendtheweb.net/" 745 | } 746 | ], 747 | "author": "Luke [flabbyrabbit]", 748 | "notes": "Formerly HackThis", 749 | "badge": null 750 | }, 751 | { 752 | "url": "https://github.com/red-and-black/DjangoGoat", 753 | "name": "DjangoGoat", 754 | "collection": [ 755 | "offline" 756 | ], 757 | "technology": [ 758 | "Python", 759 | "Django" 760 | ], 761 | "references": [], 762 | "author": "Red and Black", 763 | "notes": null, 764 | "badge": "red-and-black/DjangoGoat" 765 | }, 766 | { 767 | "url": "https://github.com/k-tamura/easybuggy", 768 | "name": "EasyBuggy", 769 | "collection": [ 770 | "offline" 771 | ], 772 | "technology": [ 773 | "Java" 774 | ], 775 | "references": [ 776 | { 777 | "name": "download", 778 | "url": "https://github.com/k-tamura/easybuggy/releases" 779 | }, 780 | { 781 | "name": "guide", 782 | "url": "https://github.com/k-tamura/easybuggy/wiki" 783 | } 784 | ], 785 | "author": "Kohei Tamura", 786 | "notes": null, 787 
| "badge": "k-tamura/easybuggy" 788 | }, 789 | { 790 | "url": "https://sourceforge.net/projects/exploitcoilvuln/files/", 791 | "name": "Exploit.co.il Vuln Web App", 792 | "collection": [ 793 | "container" 794 | ], 795 | "technology": [ 796 | "VMware" 797 | ], 798 | "references": [ 799 | { 800 | "name": "download", 801 | "url": "https://sourceforge.net/projects/exploitcoilvuln/files/" 802 | } 803 | ], 804 | "author": null, 805 | "notes": null, 806 | "badge": null 807 | }, 808 | { 809 | "url": "https://github.com/vegabird/xvna", 810 | "name": "Extreme Vulnerable Node Application", 811 | "collection": [ 812 | "offline" 813 | ], 814 | "technology": [ 815 | "NodeJS" 816 | ], 817 | "references": [ 818 | { 819 | "name": "download", 820 | "url": "https://github.com/vegabird/xvna" 821 | } 822 | ], 823 | "author": "vegabird", 824 | "notes": null, 825 | "badge": "vegabird/xvna" 826 | }, 827 | { 828 | "url": "https://public-firing-range.appspot.com/", 829 | "name": "Firing Range", 830 | "collection": [ 831 | "online" 832 | ], 833 | "technology": [], 834 | "references": [ 835 | { 836 | "name": "download", 837 | "url": "https://github.com/google/firing-range" 838 | }, 839 | { 840 | "name": "live", 841 | "url": "https://public-firing-range.appspot.com/" 842 | } 843 | ], 844 | "author": "Google", 845 | "notes": null, 846 | "badge": "google/firing-range" 847 | }, 848 | { 849 | "url": "https://github.com/Orange-Cyberdefense/GOAD", 850 | "name": "Game of Active Directory", 851 | "collection": [ 852 | "container" 853 | ], 854 | "technology": [ 855 | "Windows", 856 | "Active Directory" 857 | ], 858 | "references": [ 859 | { 860 | "name": "guide", 861 | "url": "https://mayfly277.github.io/categories/ad/" 862 | } 863 | ], 864 | "author": "Orange-Cyberdefense", 865 | "notes": "Requires a considerably powerful system", 866 | "badge": "Orange-Cyberdefense/GOAD" 867 | }, 868 | { 869 | "url": "http://www.gameofhacks.com/", 870 | "name": "Game of Hacks", 871 | "collection": [ 872 | "online" 
873 | ], 874 | "technology": [ 875 | "Node", 876 | "Express.js" 877 | ], 878 | "references": [ 879 | { 880 | "name": "live", 881 | "url": "http://www.gameofhacks.com/" 882 | } 883 | ], 884 | "author": "Checkmarx", 885 | "notes": null, 886 | "badge": null 887 | }, 888 | { 889 | "url": "https://sourceforge.net/projects/null-gameover/", 890 | "name": "GameOver", 891 | "collection": [ 892 | "container" 893 | ], 894 | "technology": [ 895 | "VMware" 896 | ], 897 | "references": [ 898 | { 899 | "name": "download", 900 | "url": "https://sourceforge.net/projects/null-gameover/files/" 901 | } 902 | ], 903 | "author": null, 904 | "notes": null, 905 | "badge": null 906 | }, 907 | { 908 | "url": "https://github.com/InsiderPhD/Generic-University", 909 | "name": "Generic-University", 910 | "collection": [ 911 | "container", 912 | "offline" 913 | ], 914 | "technology": [ 915 | "PHP", 916 | "docker", 917 | "API", 918 | "GraphQL", 919 | "MySQL", 920 | "Laravel" 921 | ], 922 | "references": [], 923 | "author": " Katie Paxton-Fear ", 924 | "notes": null, 925 | "badge": "InsiderPhD/Generic-University" 926 | }, 927 | { 928 | "url": "https://ginandjuice.shop/", 929 | "name": "Gin & Juice Shop", 930 | "collection": [ 931 | "online" 932 | ], 933 | "technology": [ 934 | "JavaScript", 935 | "AngularJS", 936 | "React", 937 | "CSRF" 938 | ], 939 | "references": [ 940 | { 941 | "name": "announcement", 942 | "url": "https://portswigger.net/blog/gin-and-juice-shop-put-your-scanner-to-the-test" 943 | }, 944 | { 945 | "name": "live", 946 | "url": "https://ginandjuice.shop/" 947 | } 948 | ], 949 | "author": "PortSwigger", 950 | "notes": "A hosted always-online demo app with realistic technologies.", 951 | "badge": null 952 | }, 953 | { 954 | "url": "https://github.com/Checkmarx/Goatlin/", 955 | "name": "Goatlin", 956 | "collection": [ 957 | "mobile" 958 | ], 959 | "technology": [ 960 | "Kotlin", 961 | "Android", 962 | "API", 963 | "REST" 964 | ], 965 | "references": [ 966 | { 967 | "name": "guide", 
968 | "url": "https://checkmarx.github.io/Kotlin-SCP/" 969 | } 970 | ], 971 | "author": "Checkmarx", 972 | "notes": null, 973 | "badge": "Checkmarx/Goatlin" 974 | }, 975 | { 976 | "url": "https://github.com/snyk-labs/nodejs-goof", 977 | "name": "Goof", 978 | "collection": [ 979 | "offline", 980 | "container" 981 | ], 982 | "technology": [ 983 | "NodeJS" 984 | ], 985 | "references": [ 986 | { 987 | "name": "guide", 988 | "url": "https://snyk.io/test/github/snyk/goof" 989 | }, 990 | { 991 | "name": "guide", 992 | "url": "http://dreamerslab.com/blog/en/write-a-todo-list-with-express-and-mongodb/" 993 | } 994 | ], 995 | "author": "Snyk", 996 | "notes": "online - via Heroku deploy", 997 | "badge": "snyk-labs/nodejs-goof" 998 | }, 999 | { 1000 | "url": "http://google-gruyere.appspot.com/", 1001 | "name": "Gruyere", 1002 | "collection": [ 1003 | "offline", 1004 | "online" 1005 | ], 1006 | "technology": [ 1007 | "Python" 1008 | ], 1009 | "references": [ 1010 | { 1011 | "name": "download", 1012 | "url": "http://google-gruyere.appspot.com/gruyere-code.zip" 1013 | }, 1014 | { 1015 | "name": "live", 1016 | "url": "http://google-gruyere.appspot.com/" 1017 | } 1018 | ], 1019 | "author": "Google", 1020 | "notes": null, 1021 | "badge": null 1022 | }, 1023 | { 1024 | "url": "https://hack.me", 1025 | "name": "Hack.me", 1026 | "collection": [ 1027 | "online" 1028 | ], 1029 | "technology": [], 1030 | "references": [], 1031 | "author": "eLearnSecurity", 1032 | "notes": "Beta", 1033 | "badge": null 1034 | }, 1035 | { 1036 | "url": "https://www.hackthis.co.uk/", 1037 | "name": "HackThis", 1038 | "collection": [ 1039 | "online" 1040 | ], 1041 | "technology": [ 1042 | "PHP" 1043 | ], 1044 | "references": [ 1045 | { 1046 | "name": "download", 1047 | "url": "https://github.com/HackThis/hackthis.co.uk" 1048 | }, 1049 | { 1050 | "name": "live", 1051 | "url": "https://www.hackthis.co.uk/" 1052 | } 1053 | ], 1054 | "author": "Luke Ward (0x6C77)", 1055 | "notes": null, 1056 | "badge": 
"HackThis/hackthis.co.uk" 1057 | }, 1058 | { 1059 | "url": "https://www.hackthissite.org", 1060 | "name": "HackThisSite", 1061 | "collection": [ 1062 | "online" 1063 | ], 1064 | "technology": [ 1065 | "PHP", 1066 | "Perl", 1067 | "JavaScript", 1068 | "API", 1069 | "Binaries" 1070 | ], 1071 | "references": [ 1072 | { 1073 | "name": "live", 1074 | "url": "https://www.hackthissite.org" 1075 | } 1076 | ], 1077 | "author": "HackThisSite Staff", 1078 | "notes": "Always-on CTF challenges including Basic, Realistic, Application, Steganography, and many others.", 1079 | "badge": null 1080 | }, 1081 | { 1082 | "url": "https://labs.hackxpert.com/", 1083 | "name": "HackXpert", 1084 | "collection": [ 1085 | "online" 1086 | ], 1087 | "technology": [ 1088 | "PHP" 1089 | ], 1090 | "references": [ 1091 | { 1092 | "name": "guide", 1093 | "url": "https://www.youtube.com/c/TheXSSrat" 1094 | }, 1095 | { 1096 | "name": "live", 1097 | "url": "https://labs.hackxpert.com/" 1098 | } 1099 | ], 1100 | "author": "theXSSrat", 1101 | "notes": null, 1102 | "badge": null 1103 | }, 1104 | { 1105 | "url": "https://hack-yourself-first.com/", 1106 | "name": "HackYourselfFirst", 1107 | "collection": [ 1108 | "online" 1109 | ], 1110 | "technology": [], 1111 | "references": [ 1112 | { 1113 | "name": "guide", 1114 | "url": "https://www.troyhunt.com/hack-yourself-first-how-to-go-on/" 1115 | }, 1116 | { 1117 | "name": "live", 1118 | "url": "https://hack-yourself-first.com/" 1119 | } 1120 | ], 1121 | "author": "Troy Hunt", 1122 | "notes": null, 1123 | "badge": null 1124 | }, 1125 | { 1126 | "url": "https://github.com/Hackademic/hackademic", 1127 | "name": "Hackademic Challenges Project", 1128 | "collection": [ 1129 | "offline" 1130 | ], 1131 | "technology": [ 1132 | "PHP", 1133 | "Joomla" 1134 | ], 1135 | "references": [ 1136 | { 1137 | "name": "download", 1138 | "url": "https://github.com/Hackademic/hackademic" 1139 | } 1140 | ], 1141 | "author": "OWASP", 1142 | "notes": null, 1143 | "badge": 
"Hackademic/hackademic" 1144 | }, 1145 | { 1146 | "url": "https://github.com/rapid7/hackazon", 1147 | "name": "Hackazon", 1148 | "collection": [ 1149 | "offline" 1150 | ], 1151 | "technology": [ 1152 | "AJAX", 1153 | "JSON", 1154 | "XML", 1155 | "GwT", 1156 | "AMF" 1157 | ], 1158 | "references": [ 1159 | { 1160 | "name": "download", 1161 | "url": "https://github.com/rapid7/hackazon" 1162 | }, 1163 | { 1164 | "name": "guide", 1165 | "url": "https://medium.com/faun/automating-authenticated-api-vulnerability-scanning-with-owasp-zap-eaddba0c2e94" 1166 | }, 1167 | { 1168 | "name": "guide", 1169 | "url": "https://github.com/tahmed11/OWASP_ZAP_API_scripts" 1170 | }, 1171 | { 1172 | "name": "guide", 1173 | "url": "https://github.com/rapid7/hackazon/blob/master/REST.md" 1174 | } 1175 | ], 1176 | "author": "Rapid7 (NTObjectives)", 1177 | "notes": null, 1178 | "badge": "rapid7/hackazon" 1179 | }, 1180 | { 1181 | "url": "https://www.hacking-lab.com/events/", 1182 | "name": "Hacking Lab", 1183 | "collection": [ 1184 | "online" 1185 | ], 1186 | "technology": [], 1187 | "references": [ 1188 | { 1189 | "name": "live", 1190 | "url": "https://www.hacking-lab.com/events/" 1191 | } 1192 | ], 1193 | "author": "Hacking Lab", 1194 | "notes": null, 1195 | "badge": null 1196 | }, 1197 | { 1198 | "url": "http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx", 1199 | "name": "Hacme Bank", 1200 | "collection": [ 1201 | "offline" 1202 | ], 1203 | "technology": [ 1204 | ".NET" 1205 | ], 1206 | "references": [ 1207 | { 1208 | "name": "download", 1209 | "url": "http://downloadcenter.mcafee.com/products/tools/foundstone/hacmebank2_install.zip" 1210 | } 1211 | ], 1212 | "author": "McAfee / Foundstone", 1213 | "notes": null, 1214 | "badge": null 1215 | }, 1216 | { 1217 | "url": "http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx", 1218 | "name": "Hacme Bank - Android", 1219 | "collection": [ 1220 | "offline" 1221 | ], 1222 | "technology": [], 1223 | "references": [], 1224 
| "author": "McAfee / Foundstone", 1225 | "notes": null, 1226 | "badge": null 1227 | }, 1228 | { 1229 | "url": "http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx", 1230 | "name": "Hacme Books", 1231 | "collection": [ 1232 | "offline" 1233 | ], 1234 | "technology": [ 1235 | "Java" 1236 | ], 1237 | "references": [ 1238 | { 1239 | "name": "download", 1240 | "url": "http://b2b-download.mcafee.com/products/tools/foundstone/hacmebooks2_installer.zip" 1241 | } 1242 | ], 1243 | "author": "McAfee / Foundstone", 1244 | "notes": null, 1245 | "badge": null 1246 | }, 1247 | { 1248 | "url": "http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx", 1249 | "name": "Hacme Casino", 1250 | "collection": [ 1251 | "offline" 1252 | ], 1253 | "technology": [ 1254 | "Ruby on Rails" 1255 | ], 1256 | "references": [ 1257 | { 1258 | "name": "download", 1259 | "url": "http://downloadcenter.mcafee.com/products/tools/foundstone/hacmecasino_installer.zip" 1260 | } 1261 | ], 1262 | "author": "McAfee / Foundstone", 1263 | "notes": null, 1264 | "badge": null 1265 | }, 1266 | { 1267 | "url": "http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx", 1268 | "name": "Hacme Shipping", 1269 | "collection": [ 1270 | "offline" 1271 | ], 1272 | "technology": [ 1273 | "ColdFusion" 1274 | ], 1275 | "references": [ 1276 | { 1277 | "name": "download", 1278 | "url": "http://downloadcenter.mcafee.com/products/tools/foundstone/hacmeshipping.zip" 1279 | } 1280 | ], 1281 | "author": "McAfee / Foundstone", 1282 | "notes": null, 1283 | "badge": null 1284 | }, 1285 | { 1286 | "url": "http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx", 1287 | "name": "Hacme Travel", 1288 | "collection": [ 1289 | "offline" 1290 | ], 1291 | "technology": [ 1292 | "C++" 1293 | ], 1294 | "references": [ 1295 | { 1296 | "name": "download", 1297 | "url": "http://downloadcenter.mcafee.com/products/tools/foundstone/hacmetravel_install.zip" 1298 | } 1299 | ], 1300 | "author": "McAfee / Foundstone", 
1301 | "notes": null, 1302 | "badge": null 1303 | }, 1304 | { 1305 | "url": "https://github.com/iknowjason/hammer", 1306 | "name": "Hammer", 1307 | "collection": [ 1308 | "offline" 1309 | ], 1310 | "technology": [ 1311 | "Ruby on Rails" 1312 | ], 1313 | "references": [ 1314 | { 1315 | "name": "download", 1316 | "url": "https://github.com/iknowjason/hammer" 1317 | }, 1318 | { 1319 | "name": "live", 1320 | "url": "https://preprod.rtcfingroup.com/" 1321 | } 1322 | ], 1323 | "author": "iknowjason", 1324 | "notes": "Includes manual build and docker options.", 1325 | "badge": "iknowjason/hammer" 1326 | }, 1327 | { 1328 | "url": "https://sourceforge.net/projects/lampsecurity/", 1329 | "name": "LAMPSecurity", 1330 | "collection": [ 1331 | "container", 1332 | "offline" 1333 | ], 1334 | "technology": [ 1335 | "VMware", 1336 | "PHP" 1337 | ], 1338 | "references": [ 1339 | { 1340 | "name": "download", 1341 | "url": "https://sourceforge.net/projects/lampsecurity/files/" 1342 | } 1343 | ], 1344 | "author": null, 1345 | "notes": null, 1346 | "badge": null 1347 | }, 1348 | { 1349 | "url": "https://github.com/christophetd/log4shell-vulnerable-app", 1350 | "name": "Log4Shell sample vulnerable application", 1351 | "collection": [ 1352 | "container" 1353 | ], 1354 | "technology": [ 1355 | "Spring Boot", 1356 | "Log4j", 1357 | "Java" 1358 | ], 1359 | "references": [], 1360 | "author": "Christophe Tafani-Dereeper, Gerard Arall, rayhan0x01 Rayhan Ahmed", 1361 | "notes": "CVE-2021-44228", 1362 | "badge": "christophetd/log4shell-vulnerable-app" 1363 | }, 1364 | { 1365 | "url": "https://github.com/OWASP/owasp-mstg/tree/master/Crackmes", 1366 | "name": "MSTG CrackMes", 1367 | "collection": [ 1368 | "mobile" 1369 | ], 1370 | "technology": [], 1371 | "references": [], 1372 | "author": "OWASP", 1373 | "notes": null, 1374 | "badge": "OWASP/owasp-mstg" 1375 | }, 1376 | { 1377 | "url": "https://github.com/OWASP/MSTG-Hacking-Playground", 1378 | "name": "MSTG Hacking Playground", 1379 | 
"collection": [ 1380 | "mobile" 1381 | ], 1382 | "technology": [], 1383 | "references": [ 1384 | { 1385 | "name": "guide", 1386 | "url": "https://github.com/OWASP/MSTG-Hacking-Playground/wiki" 1387 | } 1388 | ], 1389 | "author": "OWASP", 1390 | "notes": null, 1391 | "badge": "OWASP/MSTG-Hacking-Playground" 1392 | }, 1393 | { 1394 | "url": "https://github.com/SpiderLabs/MCIR", 1395 | "name": "Magical Code Injection Rainbow - MCIR", 1396 | "collection": [ 1397 | "offline" 1398 | ], 1399 | "technology": [ 1400 | "PHP" 1401 | ], 1402 | "references": [], 1403 | "author": "SpiderLabs", 1404 | "notes": null, 1405 | "badge": "SpiderLabs/MCIR" 1406 | }, 1407 | { 1408 | "url": "https://github.com/cschneider4711/Marathon", 1409 | "name": "Marathon", 1410 | "collection": [ 1411 | "offline" 1412 | ], 1413 | "technology": [ 1414 | "JAVA", 1415 | "Docker" 1416 | ], 1417 | "references": [], 1418 | "author": "Christian Schneider", 1419 | "notes": "Vulnerable demo application", 1420 | "badge": "cschneider4711/Marathon" 1421 | }, 1422 | { 1423 | "url": "https://community.rapid7.com/docs/DOC-1875", 1424 | "name": "Metasploitable 2", 1425 | "collection": [ 1426 | "container" 1427 | ], 1428 | "technology": [ 1429 | "VMware" 1430 | ], 1431 | "references": [ 1432 | { 1433 | "name": "download", 1434 | "url": "https://sourceforge.net/projects/metasploitable/files/Metasploitable2/" 1435 | } 1436 | ], 1437 | "author": null, 1438 | "notes": null, 1439 | "badge": null 1440 | }, 1441 | { 1442 | "url": "https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities", 1443 | "name": "Metasploitable 3", 1444 | "collection": [ 1445 | "container" 1446 | ], 1447 | "technology": [ 1448 | "VMware" 1449 | ], 1450 | "references": [ 1451 | { 1452 | "name": "download", 1453 | "url": "https://github.com/rapid7/metasploitable3" 1454 | } 1455 | ], 1456 | "author": null, 1457 | "notes": null, 1458 | "badge": "rapid7/metasploitable3" 1459 | }, 1460 | { 1461 | "url": 
"https://sourceforge.net/projects/w3af/files/moth/moth/", 1462 | "name": "Moth", 1463 | "collection": [ 1464 | "container" 1465 | ], 1466 | "technology": [ 1467 | "VMware" 1468 | ], 1469 | "references": [ 1470 | { 1471 | "name": "download", 1472 | "url": "https://sourceforge.net/projects/w3af/files/moth/moth/" 1473 | } 1474 | ], 1475 | "author": null, 1476 | "notes": null, 1477 | "badge": null 1478 | }, 1479 | { 1480 | "url": "http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10", 1481 | "name": "Mutillidae", 1482 | "collection": [ 1483 | "offline" 1484 | ], 1485 | "technology": [ 1486 | "PHP" 1487 | ], 1488 | "references": [ 1489 | { 1490 | "name": "download", 1491 | "url": "https://github.com/webpwnized/mutillidae" 1492 | } 1493 | ], 1494 | "author": null, 1495 | "notes": null, 1496 | "badge": "webpwnized/mutillidae" 1497 | }, 1498 | { 1499 | "url": "http://aspnet.testsparker.com/", 1500 | "name": "Netsparker Test App .NET", 1501 | "collection": [ 1502 | "online" 1503 | ], 1504 | "technology": [ 1505 | "ASP.NET" 1506 | ], 1507 | "references": [ 1508 | { 1509 | "name": "live", 1510 | "url": "http://aspnet.testsparker.com/" 1511 | } 1512 | ], 1513 | "author": "Netsparker", 1514 | "notes": null, 1515 | "badge": null 1516 | }, 1517 | { 1518 | "url": "http://php.testsparker.com/", 1519 | "name": "Netsparker Test App PHP", 1520 | "collection": [ 1521 | "online" 1522 | ], 1523 | "technology": [ 1524 | "PHP" 1525 | ], 1526 | "references": [ 1527 | { 1528 | "name": "live", 1529 | "url": "http://php.testsparker.com/" 1530 | } 1531 | ], 1532 | "author": "Netsparker", 1533 | "notes": null, 1534 | "badge": null 1535 | }, 1536 | { 1537 | "url": "https://digi.ninja/projects/nosqli_lab.php", 1538 | "name": "NoSQL Injection Lab", 1539 | "collection": [ 1540 | "offline" 1541 | ], 1542 | "technology": [ 1543 | "PHP", 1544 | "MongoDB" 1545 | ], 1546 | "references": [ 1547 | { 1548 | "name": "download", 1549 | "url": 
"https://github.com/digininja/nosqlilab" 1550 | } 1551 | ], 1552 | "author": "@digininja", 1553 | "notes": null, 1554 | "badge": "digininja/nosqlilab" 1555 | }, 1556 | { 1557 | "url": "https://github.com/aabashkin/nosql-injection-vulnapp", 1558 | "name": "NoSQL Injection Vulnerable App (NIVA)", 1559 | "collection": [ 1560 | "offline", 1561 | "container" 1562 | ], 1563 | "technology": [ 1564 | "Java", 1565 | "MongoDB" 1566 | ], 1567 | "references": [ 1568 | { 1569 | "name": "docker", 1570 | "url": "https://hub.docker.com/repository/docker/aabashkin/niva" 1571 | }, 1572 | { 1573 | "name": "guide", 1574 | "url": "https://github.com/aabashkin/nosql-injection-vulnapp/blob/main/README.md" 1575 | } 1576 | ], 1577 | "author": "Anton Abashkin", 1578 | "notes": null, 1579 | "badge": "aabashkin/nosql-injection-vulnapp" 1580 | }, 1581 | { 1582 | "url": "https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project", 1583 | "name": "NodeGoat", 1584 | "collection": [ 1585 | "offline" 1586 | ], 1587 | "technology": [ 1588 | "Node.js" 1589 | ], 1590 | "references": [ 1591 | { 1592 | "name": "download", 1593 | "url": "https://github.com/OWASP/NodeGoat" 1594 | } 1595 | ], 1596 | "author": "OWASP", 1597 | "notes": null, 1598 | "badge": "OWASP/NodeGoat" 1599 | }, 1600 | { 1601 | "url": "https://github.com/cr0hn/vulnerable-node", 1602 | "name": "NodeVulnerable", 1603 | "collection": [ 1604 | "offline" 1605 | ], 1606 | "technology": [ 1607 | "Node.js" 1608 | ], 1609 | "references": [], 1610 | "author": "cr0hn", 1611 | "notes": null, 1612 | "badge": "cr0hn/vulnerable-node" 1613 | }, 1614 | { 1615 | "url": "https://github.com/OSTEsayed/OSTE-Vulnerable-Web-Application", 1616 | "name": "OSTE-Vulnerable-Web-Application", 1617 | "collection": [ 1618 | "offline" 1619 | ], 1620 | "technology": [ 1621 | "PHP" 1622 | ], 1623 | "references": [], 1624 | "author": "(OSTE)Oudjani seyyid taqi eddine", 1625 | "notes": "Vulnerable web application", 1626 | "badge": 
"OSTEsayed/OSTE-Vulnerable-Web-Application" 1627 | }, 1628 | { 1629 | "url": "https://owasp.org/www-project-damn-vulnerable-web-sockets/", 1630 | "name": "OWASP Damn Vulnerable Web Sockets (DVWS)", 1631 | "collection": [ 1632 | "offline" 1633 | ], 1634 | "technology": [ 1635 | "PHP", 1636 | "HTML", 1637 | "Javascript", 1638 | "WebSockets" 1639 | ], 1640 | "references": [ 1641 | { 1642 | "name": "download", 1643 | "url": "https://github.com/interference-security/DVWS" 1644 | } 1645 | ], 1646 | "author": "Abhineet Jayaraj (@xploresec)", 1647 | "notes": null, 1648 | "badge": "interference-security/DVWS" 1649 | }, 1650 | { 1651 | "url": "https://owasp-juice.shop", 1652 | "name": "OWASP Juice Shop", 1653 | "collection": [ 1654 | "offline", 1655 | "online", 1656 | "container" 1657 | ], 1658 | "technology": [ 1659 | "TypeScript", 1660 | "JavaScript", 1661 | "Angular", 1662 | "Node.js" 1663 | ], 1664 | "references": [ 1665 | { 1666 | "name": "download", 1667 | "url": "https://github.com/juice-shop/juice-shop" 1668 | }, 1669 | { 1670 | "name": "docker", 1671 | "url": "https://hub.docker.com/r/bkimminich/juice-shop/" 1672 | }, 1673 | { 1674 | "name": "guide", 1675 | "url": "https://pwning.owasp-juice.shop/" 1676 | }, 1677 | { 1678 | "name": "demo", 1679 | "url": "https://demo.owasp-juice.shop" 1680 | }, 1681 | { 1682 | "name": "preview", 1683 | "url": "https://preview.owasp-juice.shop" 1684 | }, 1685 | { 1686 | "name": "live", 1687 | "url": "https://juice-shop.herokuapp.com" 1688 | } 1689 | ], 1690 | "author": "OWASP", 1691 | "notes": null, 1692 | "badge": "juice-shop/juice-shop" 1693 | }, 1694 | { 1695 | "url": "https://secureby.design/", 1696 | "name": "OWASP SKF Labs", 1697 | "collection": [ 1698 | "online", 1699 | "offline" 1700 | ], 1701 | "technology": [ 1702 | "Python", 1703 | "HTML", 1704 | "Javascript", 1705 | "GraphQL", 1706 | "Ruby" 1707 | ], 1708 | "references": [ 1709 | { 1710 | "name": "demo", 1711 | "url": "https://demo.securityknowledgeframework.org" 1712 | 
}, 1713 | { 1714 | "name": "guide", 1715 | "url": "https://owasp-skf.gitbook.io/asvs-write-ups/" 1716 | }, 1717 | { 1718 | "name": "live", 1719 | "url": "https://secureby.design/" 1720 | } 1721 | ], 1722 | "author": "glenn.ten.cate@owasp.org and riccardo.ten.cate@owasp.org", 1723 | "notes": "On the demo website, either log in (admin / test-skf) or skip the login, then open the Labs menu and start the Lab you want to do. Please limit the use of scanning tools on the Labs.", 1724 | "badge": "blabla1337/skf-labs" 1725 | }, 1726 | { 1727 | "url": "https://github.com/SasanLabs/VulnerableApp", 1728 | "name": "OWASP VulnerableApp", 1729 | "collection": [ 1730 | "offline" 1731 | ], 1732 | "technology": [ 1733 | "Java", 1734 | "Javascript", 1735 | "Spring-Boot" 1736 | ], 1737 | "references": [ 1738 | { 1739 | "name": "docker", 1740 | "url": "https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp" 1741 | }, 1742 | { 1743 | "name": "download", 1744 | "url": "https://github.com/SasanLabs/VulnerableApp" 1745 | } 1746 | ], 1747 | "author": "Karan Preet Singh Sasan", 1748 | "notes": null, 1749 | "badge": "SasanLabs/VulnerableApp" 1750 | }, 1751 | { 1752 | "url": "https://github.com/SasanLabs/VulnerableApp-facade", 1753 | "name": "OWASP VulnerableApp-facade", 1754 | "collection": [ 1755 | "offline" 1756 | ], 1757 | "technology": [ 1758 | "Typescript", 1759 | "Javascript", 1760 | "Docker" 1761 | ], 1762 | "references": [ 1763 | { 1764 | "name": "docker", 1765 | "url": "https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp-facade" 1766 | }, 1767 | { 1768 | "name": "download", 1769 | "url": "https://github.com/SasanLabs/VulnerableApp-facade" 1770 | } 1771 | ], 1772 | "author": "Karan Preet Singh Sasan", 1773 | "notes": null, 1774 | "badge": "SasanLabs/VulnerableApp-facade" 1775 | }, 1776 | { 1777 | "url": "http://pentesteracademylab.appspot.com", 1778 | "name": "Pentester Academy", 1779 | "collection": [ 1780 | "online" 1781 | ], 1782 | "technology": [], 1783 | "references": [ 1784 | { 
1785 | "name": "live", 1786 | "url": "http://pentesteracademylab.appspot.com" 1787 | } 1788 | ], 1789 | "author": null, 1790 | "notes": null, 1791 | "badge": null 1792 | }, 1793 | { 1794 | "url": "https://www.pentesterlab.com/exercises/", 1795 | "name": "PentesterLab - The Exercises", 1796 | "collection": [ 1797 | "container" 1798 | ], 1799 | "technology": [ 1800 | "ISO", 1801 | "PDF" 1802 | ], 1803 | "references": [], 1804 | "author": null, 1805 | "notes": null, 1806 | "badge": null 1807 | }, 1808 | { 1809 | "url": "http://peruggia.sourceforge.net/", 1810 | "name": "Peruggia", 1811 | "collection": [ 1812 | "offline" 1813 | ], 1814 | "technology": [ 1815 | "PHP" 1816 | ], 1817 | "references": [ 1818 | { 1819 | "name": "download", 1820 | "url": "https://sourceforge.net/projects/peruggia/files/" 1821 | } 1822 | ], 1823 | "author": null, 1824 | "notes": null, 1825 | "badge": null 1826 | }, 1827 | { 1828 | "url": "https://github.com/DevSlop/Pixi", 1829 | "name": "Pixi", 1830 | "collection": [ 1831 | "offline", 1832 | "container" 1833 | ], 1834 | "technology": [ 1835 | "Node.js", 1836 | "Swagger", 1837 | "docker" 1838 | ], 1839 | "references": [ 1840 | { 1841 | "name": "download", 1842 | "url": "https://github.com/DevSlop/Pixi" 1843 | }, 1844 | { 1845 | "name": "download", 1846 | "url": "https://github.com/thedeadrobots/pixi" 1847 | }, 1848 | { 1849 | "name": "guide", 1850 | "url": "https://www.slideshare.net/TanyaJanca/api-and-web-service-hacking-with-pixi-part-of-owasp-devslop" 1851 | }, 1852 | { 1853 | "name": "guide", 1854 | "url": "https://www.youtube.com/watch?v=td-2rN4PgRw" 1855 | } 1856 | ], 1857 | "author": "OWASP", 1858 | "notes": null, 1859 | "badge": "DevSlop/Pixi" 1860 | }, 1861 | { 1862 | "url": "https://code.google.com/p/puzzlemall/", 1863 | "name": "Puzzlemall", 1864 | "collection": [ 1865 | "offline" 1866 | ], 1867 | "technology": [ 1868 | "Java" 1869 | ], 1870 | "references": [ 1871 | { 1872 | "name": "download", 1873 | "url": 
"http://code.google.com/p/puzzlemall/downloads/list" 1874 | } 1875 | ], 1876 | "author": null, 1877 | "notes": null, 1878 | "badge": null 1879 | }, 1880 | { 1881 | "url": "https://github.com/adeyosemanputra/pygoat", 1882 | "name": "PyGoat", 1883 | "collection": [ 1884 | "offline", 1885 | "online", 1886 | "container" 1887 | ], 1888 | "technology": [ 1889 | "Python" 1890 | ], 1891 | "references": [ 1892 | { 1893 | "name": "guide", 1894 | "url": "https://github.com/adeyosemanputra/pygoat/blob/master/pygoat/Solutions/solution.md" 1895 | }, 1896 | { 1897 | "name": "docker", 1898 | "url": "https://hub.docker.com/r/pygoat/pygoat" 1899 | }, 1900 | { 1901 | "name": "download", 1902 | "url": "https://github.com/adeyosemanputra/pygoat" 1903 | }, 1904 | { 1905 | "name": "live", 1906 | "url": "http://pygoat.herokuapp.com/" 1907 | } 1908 | ], 1909 | "author": "Ade Yoseman", 1910 | "notes": null, 1911 | "badge": "adeyosemanputra/pygoat" 1912 | }, 1913 | { 1914 | "url": "https://github.com/insp3ctre/race-the-web", 1915 | "name": "Race The Web", 1916 | "collection": [ 1917 | "offline" 1918 | ], 1919 | "technology": [], 1920 | "references": [ 1921 | { 1922 | "name": "download", 1923 | "url": "https://github.com/insp3ctre/race-the-web" 1924 | } 1925 | ], 1926 | "author": "insp3ctre", 1927 | "notes": null, 1928 | "badge": "insp3ctre/race-the-web" 1929 | }, 1930 | { 1931 | "url": "https://www.owasp.org/index.php/OWASP_Rails_Goat_Project", 1932 | "name": "Rails Goat", 1933 | "collection": [ 1934 | "offline" 1935 | ], 1936 | "technology": [ 1937 | "Ruby on Rails" 1938 | ], 1939 | "references": [ 1940 | { 1941 | "name": "download", 1942 | "url": "https://github.com/OWASP/railsgoat/archive/master.zip" 1943 | }, 1944 | { 1945 | "name": "downloads", 1946 | "url": "http://railsgoat.cktricky.com/getting_started.html" 1947 | } 1948 | ], 1949 | "author": "OWASP", 1950 | "notes": null, 1951 | "badge": "OWASP/railsgoat" 1952 | }, 1953 | { 1954 | "url": "https://github.com/sqlmapproject/testenv", 
1955 | "name": "SQL injection test environment", 1956 | "collection": [ 1957 | "offline" 1958 | ], 1959 | "technology": [ 1960 | "PHP" 1961 | ], 1962 | "references": [], 1963 | "author": null, 1964 | "notes": "SQLmap Project", 1965 | "badge": "sqlmapproject/testenv" 1966 | }, 1967 | { 1968 | "url": "https://github.com/Audi-1/sqli-labs", 1969 | "name": "SQLI-labs", 1970 | "collection": [ 1971 | "offline" 1972 | ], 1973 | "technology": [ 1974 | "PHP" 1975 | ], 1976 | "references": [ 1977 | { 1978 | "name": "download", 1979 | "url": "https://github.com/Audi-1/sqli-labs/archive/master.zip" 1980 | }, 1981 | { 1982 | "name": "guide", 1983 | "url": "http://dummy2dummies.blogspot.com/2012/06/sqli-lab-series-part-1.html" 1984 | } 1985 | ], 1986 | "author": null, 1987 | "notes": null, 1988 | "badge": "Audi-1/sqli-labs" 1989 | }, 1990 | { 1991 | "url": "https://github.com/SpiderLabs/SQLol", 1992 | "name": "SQLol", 1993 | "collection": [ 1994 | "offline" 1995 | ], 1996 | "technology": [ 1997 | "PHP" 1998 | ], 1999 | "references": [ 2000 | { 2001 | "name": "download", 2002 | "url": "https://github.com/SpiderLabs/SQLol/archive/master.zip" 2003 | } 2004 | ], 2005 | "author": null, 2006 | "notes": null, 2007 | "badge": "SpiderLabs/SQLol" 2008 | }, 2009 | { 2010 | "url": "https://github.com/incredibleindishell/SSRF_Vulnerable_Lab", 2011 | "name": "SSRF Vuln Lab", 2012 | "collection": [ 2013 | "offline" 2014 | ], 2015 | "technology": [ 2016 | "PHP" 2017 | ], 2018 | "references": [ 2019 | { 2020 | "name": "docker", 2021 | "url": "https://github.com/incredibleindishell/SSRF_Vulnerable_Lab#docker" 2022 | } 2023 | ], 2024 | "author": "incredibleindishell, Mohammed Farhan", 2025 | "notes": null, 2026 | "badge": "incredibleindishell/SSRF_Vulnerable_Lab" 2027 | }, 2028 | { 2029 | "url": "http://www.samurai-wtf.org/", 2030 | "name": "Samurai WTF", 2031 | "collection": [ 2032 | "container" 2033 | ], 2034 | "technology": [ 2035 | "ISO" 2036 | ], 2037 | "references": [ 2038 | { 2039 | "name": 
"download", 2040 | "url": "https://sourceforge.net/projects/samurai/files/" 2041 | } 2042 | ], 2043 | "author": null, 2044 | "notes": null, 2045 | "badge": null 2046 | }, 2047 | { 2048 | "url": "http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html", 2049 | "name": "Sauron", 2050 | "collection": [ 2051 | "container" 2052 | ], 2053 | "technology": [ 2054 | "Quemu" 2055 | ], 2056 | "references": [ 2057 | { 2058 | "name": "download", 2059 | "url": "http://sg6-labs.blogspot.com/search/label/SecGame" 2060 | } 2061 | ], 2062 | "author": null, 2063 | "notes": null, 2064 | "badge": null 2065 | }, 2066 | { 2067 | "url": "https://github.com/globocom/secDevLabs", 2068 | "name": "SecDevLabs", 2069 | "collection": [ 2070 | "offline" 2071 | ], 2072 | "technology": [ 2073 | "Go", 2074 | "NodeJS", 2075 | "Python", 2076 | "PHP", 2077 | "React", 2078 | "Angular/Spring", 2079 | "Dart/Flutter" 2080 | ], 2081 | "references": [ 2082 | { 2083 | "name": "guide", 2084 | "url": "https://github.com/globocom/secDevLabs" 2085 | } 2086 | ], 2087 | "author": "Globo", 2088 | "notes": "Repository with many intentionally vulnerable web applications. 
Includes attack narratives and docker options for each app.", 2089 | "badge": "globocom/secDevLabs" 2090 | }, 2091 | { 2092 | "url": "https://github.com/DataDog/security-labs-pocs", 2093 | "name": "Security Labs & POCs", 2094 | "collection": [ 2095 | "container" 2096 | ], 2097 | "technology": [ 2098 | "docker", 2099 | "Kubernetes", 2100 | "PiPy", 2101 | "OpenSSL", 2102 | "JWT" 2103 | ], 2104 | "references": [], 2105 | "author": "DataDog", 2106 | "notes": null, 2107 | "badge": "DataDog/security-labs-pocs" 2108 | }, 2109 | { 2110 | "url": "https://owasp.org/www-project-security-shepherd/", 2111 | "name": "Security Shepherd", 2112 | "collection": [ 2113 | "offline" 2114 | ], 2115 | "technology": [ 2116 | "Java" 2117 | ], 2118 | "references": [ 2119 | { 2120 | "name": "download", 2121 | "url": "https://github.com/OWASP/SecurityShepherd" 2122 | } 2123 | ], 2124 | "author": "OWASP", 2125 | "notes": null, 2126 | "badge": "OWASP/SecurityShepherd" 2127 | }, 2128 | { 2129 | "url": "http://testhtml5.vulnweb.com/", 2130 | "name": "Security Tweets", 2131 | "collection": [ 2132 | "online" 2133 | ], 2134 | "technology": [], 2135 | "references": [ 2136 | { 2137 | "name": "live", 2138 | "url": "http://testhtml5.vulnweb.com" 2139 | } 2140 | ], 2141 | "author": "Acunetix", 2142 | "notes": "HTML5", 2143 | "badge": null 2144 | }, 2145 | { 2146 | "url": "http://solyd.com.br/treinamentos/introducao-ao-hacking-e-pentest", 2147 | "name": "Solyd - Introdução ao Hacking e Pentest", 2148 | "collection": [ 2149 | "online" 2150 | ], 2151 | "technology": [ 2152 | "PHP", 2153 | "Linux" 2154 | ], 2155 | "references": [], 2156 | "author": "Solyd", 2157 | "notes": "In Portuguese (Português) - Free online training with free online lab", 2158 | "badge": null 2159 | }, 2160 | { 2161 | "url": "https://github.com/dhatanian/ticketmagpie", 2162 | "name": "TicketMagpie", 2163 | "collection": [ 2164 | "offline" 2165 | ], 2166 | "technology": [ 2167 | "Java" 2168 | ], 2169 | "references": [ 2170 | { 2171 | 
"name": "download", 2172 | "url": "https://github.com/dhatanian/ticketmagpie" 2173 | } 2174 | ], 2175 | "author": null, 2176 | "notes": null, 2177 | "badge": "dhatanian/ticketmagpie" 2178 | }, 2179 | { 2180 | "url": "https://github.com/payatu/Tiredful-API", 2181 | "name": "Tiredful API", 2182 | "collection": [ 2183 | "offline" 2184 | ], 2185 | "technology": [ 2186 | "Python", 2187 | "Django" 2188 | ], 2189 | "references": [ 2190 | { 2191 | "name": "download", 2192 | "url": "https://github.com/payatu/Tiredful-API" 2193 | } 2194 | ], 2195 | "author": "@payatu", 2196 | "notes": null, 2197 | "badge": "payatu/Tiredful-API" 2198 | }, 2199 | { 2200 | "url": "https://github.com/lucideus-repo/UnSAFE_Bank", 2201 | "name": "UnSAFE Bank", 2202 | "collection": [ 2203 | "offline" 2204 | ], 2205 | "technology": [ 2206 | "Docker" 2207 | ], 2208 | "references": [], 2209 | "author": "lucideus", 2210 | "notes": "Web, Android and iOS application", 2211 | "badge": "lucideus-repo/UnSAFE_Bank" 2212 | }, 2213 | { 2214 | "url": "https://github.com/erev0s/VAmPI", 2215 | "name": "VAmPI", 2216 | "collection": [ 2217 | "container" 2218 | ], 2219 | "technology": [ 2220 | "python", 2221 | "docker", 2222 | "OpenAPI" 2223 | ], 2224 | "references": [ 2225 | { 2226 | "name": "guide", 2227 | "url": "https://thetesttherapist.com/2022/02/13/api-security-testing-with-postman-and-owasp-zap/" 2228 | }, 2229 | { 2230 | "name": "announcement", 2231 | "url": "https://erev0s.com/blog/vampi-vulnerable-api-security-testing/" 2232 | } 2233 | ], 2234 | "author": "erev0s", 2235 | "notes": null, 2236 | "badge": "erev0s/VAmPI" 2237 | }, 2238 | { 2239 | "url": "https://github.com/detectify/Varnish-H2-Request-Smuggling", 2240 | "name": "Varnish HTTP/2 Request Smuggling", 2241 | "collection": [ 2242 | "offline" 2243 | ], 2244 | "technology": [ 2245 | "Varnish", 2246 | "HTTP/2" 2247 | ], 2248 | "references": [ 2249 | { 2250 | "name": "announcement", 2251 | "url": "https://twitter.com/berg0x00/status/1431027889064058885" 
2252 | } 2253 | ], 2254 | "author": "Detectify", 2255 | "notes": "A docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling, presented by Albinowax at Blackhat/Defcon 2021.", 2256 | "badge": "detectify/Varnish-H2-Request-Smuggling" 2257 | }, 2258 | { 2259 | "url": "https://sourceforge.net/projects/virtualhacking/", 2260 | "name": "Virtual Hacking Lab", 2261 | "collection": [ 2262 | "container" 2263 | ], 2264 | "technology": [ 2265 | "ZIP" 2266 | ], 2267 | "references": [ 2268 | { 2269 | "name": "download", 2270 | "url": "https://sourceforge.net/projects/virtualhacking/files/" 2271 | } 2272 | ], 2273 | "author": null, 2274 | "notes": null, 2275 | "badge": null 2276 | }, 2277 | { 2278 | "url": "https://github.com/Yavuzlar/VulnLab", 2279 | "name": "VulnLab", 2280 | "collection": [ 2281 | "offline" 2282 | ], 2283 | "technology": [ 2284 | "PHP", 2285 | "Docker" 2286 | ], 2287 | "references": [], 2288 | "author": "Yavuzlar (siberyavuzlar.com)", 2289 | "notes": "A web vulnerability lab project developed by Yavuzlar.", 2290 | "badge": "Yavuzlar/VulnLab" 2291 | }, 2292 | { 2293 | "url": "https://github.com/ScaleSec/vulnado", 2294 | "name": "Vulnado", 2295 | "collection": [ 2296 | "container" 2297 | ], 2298 | "technology": [ 2299 | "Java", 2300 | "Docker" 2301 | ], 2302 | "references": [], 2303 | "author": "ScaleSec", 2304 | "notes": "Purposely vulnerable Java application to help lead secure coding workshops", 2305 | "badge": "ScaleSec/vulnado" 2306 | }, 2307 | { 2308 | "url": "https://github.com/CSPF-Founder/JavaVulnerableLab/", 2309 | "name": "Vulnerable Java Web Application", 2310 | "collection": [ 2311 | "offline" 2312 | ], 2313 | "technology": [ 2314 | "Java" 2315 | ], 2316 | "references": [], 2317 | "author": "Cyber Security and Privacy Foundation", 2318 | "notes": null, 2319 | "badge": "CSPF-Founder/JavaVulnerableLab" 2320 | }, 2321 | { 2322 | "url": "https://github.com/kaakaww/vuln_node_express", 2323 | 
"name": "Vulnerable Node Express", 2324 | "collection": [ 2325 | "offline" 2326 | ], 2327 | "technology": [ 2328 | "Node.js", 2329 | "Express" 2330 | ], 2331 | "references": [], 2332 | "author": "Zachary Conger", 2333 | "notes": "SQLi and XSS", 2334 | "badge": "kaakaww/vuln_node_express" 2335 | }, 2336 | { 2337 | "url": "https://github.com/mddanish/Vulnerable-OTP-Application", 2338 | "name": "Vulnerable OTP App", 2339 | "collection": [ 2340 | "offline" 2341 | ], 2342 | "technology": [ 2343 | "PHP", 2344 | "Google OTP" 2345 | ], 2346 | "references": [], 2347 | "author": "mddanish", 2348 | "notes": null, 2349 | "badge": "mddanish/Vulnerable-OTP-Application" 2350 | }, 2351 | { 2352 | "url": "https://github.com/yogisec/VulnerableSAMLApp", 2353 | "name": "Vulnerable SAML App", 2354 | "collection": [ 2355 | "offline" 2356 | ], 2357 | "technology": [ 2358 | "Python" 2359 | ], 2360 | "references": [], 2361 | "author": "yogisec", 2362 | "notes": null, 2363 | "badge": "yogisec/VulnerableSAMLApp" 2364 | }, 2365 | { 2366 | "url": "https://github.com/ctxis/VulnerableXsltConsoleApplication", 2367 | "name": "VulnerableXsltConsoleApplication", 2368 | "collection": [ 2369 | "offline" 2370 | ], 2371 | "technology": [ 2372 | ".Net" 2373 | ], 2374 | "references": [], 2375 | "author": " Context Information Security", 2376 | "notes": "This is a console app, however it relates to an issues that is relevant to web apps: use of XSLT transforms for XML files.", 2377 | "badge": "ctxis/VulnerableXsltConsoleApplication" 2378 | }, 2379 | { 2380 | "url": "https://github.com/sectooladdict/wavsep", 2381 | "name": "WAVSEP - Web Application Vulnerability Scanner Evaluation Project", 2382 | "collection": [ 2383 | "offline" 2384 | ], 2385 | "technology": [ 2386 | "Java" 2387 | ], 2388 | "references": [ 2389 | { 2390 | "name": "download", 2391 | "url": "https://sourceforge.net/projects/wavsep/" 2392 | }, 2393 | { 2394 | "name": "downloads", 2395 | "url": 
"https://code.google.com/p/wavsep/downloads/list" 2396 | }, 2397 | { 2398 | "name": "downloads", 2399 | "url": "https://github.com/sectooladdict/wavsep/wiki" 2400 | } 2401 | ], 2402 | "author": "Shay Chen", 2403 | "notes": null, 2404 | "badge": "sectooladdict/wavsep" 2405 | }, 2406 | { 2407 | "url": "https://code.google.com/p/wivet/", 2408 | "name": "WIVET- Web Input Vector Extractor Teaser", 2409 | "collection": [ 2410 | "offline" 2411 | ], 2412 | "technology": [], 2413 | "references": [ 2414 | { 2415 | "name": "download", 2416 | "url": "http://www.webguvenligi.org/projeler/wivet" 2417 | }, 2418 | { 2419 | "name": "downloads", 2420 | "url": "https://code.google.com/p/wivet/downloads/list?can=1&q=" 2421 | } 2422 | ], 2423 | "author": null, 2424 | "notes": null, 2425 | "badge": null 2426 | }, 2427 | { 2428 | "url": "https://github.com/adamdoupe/WackoPicko", 2429 | "name": "WackoPicko", 2430 | "collection": [ 2431 | "offline" 2432 | ], 2433 | "technology": [ 2434 | "PHP" 2435 | ], 2436 | "references": [ 2437 | { 2438 | "name": "download", 2439 | "url": "https://github.com/adamdoupe/WackoPicko/zipball/master" 2440 | } 2441 | ], 2442 | "author": null, 2443 | "notes": null, 2444 | "badge": "adamdoupe/WackoPicko" 2445 | }, 2446 | { 2447 | "url": "http://www.mavensecurity.com/web_security_dojo/", 2448 | "name": "Web Security Dojo", 2449 | "collection": [ 2450 | "container" 2451 | ], 2452 | "technology": [ 2453 | "VMware", 2454 | "VirtualBox" 2455 | ], 2456 | "references": [ 2457 | { 2458 | "name": "download", 2459 | "url": "https://sourceforge.net/projects/websecuritydojo/files/" 2460 | } 2461 | ], 2462 | "author": null, 2463 | "notes": null, 2464 | "badge": null 2465 | }, 2466 | { 2467 | "url": "https://webgoat.github.io/WebGoat/", 2468 | "name": "WebGoat", 2469 | "collection": [ 2470 | "offline" 2471 | ], 2472 | "technology": [ 2473 | "Java" 2474 | ], 2475 | "references": [ 2476 | { 2477 | "name": "download", 2478 | "url": "https://github.com/WebGoat/WebGoat/releases" 
2479 | }, 2480 | { 2481 | "name": "guide", 2482 | "url": "https://owasp.org/www-project-webgoat/" 2483 | }, 2484 | { 2485 | "name": "docker", 2486 | "url": "https://hub.docker.com/r/webgoat/goatandwolf" 2487 | } 2488 | ], 2489 | "author": "OWASP", 2490 | "notes": null, 2491 | "badge": "WebGoat/WebGoat" 2492 | }, 2493 | { 2494 | "url": "https://www.owasp.org/index.php/WebGoatPHP", 2495 | "name": "WebGoatPHP", 2496 | "collection": [ 2497 | "offline" 2498 | ], 2499 | "technology": [ 2500 | "PHP" 2501 | ], 2502 | "references": [ 2503 | { 2504 | "name": "download", 2505 | "url": "https://github.com/OWASP/OWASPWebGoatPHP" 2506 | }, 2507 | { 2508 | "name": "downloads", 2509 | "url": "https://github.com/OWASP/OWASPWebGoatPHP/blob/master/README.md" 2510 | } 2511 | ], 2512 | "author": "OWASP", 2513 | "notes": null, 2514 | "badge": "OWASP/OWASPWebGoatPHP" 2515 | }, 2516 | { 2517 | "url": "https://github.com/commjoen/wrongsecrets", 2518 | "name": "WrongSecrets", 2519 | "collection": [ 2520 | "offline" 2521 | ], 2522 | "technology": [ 2523 | "JavaScript", 2524 | "Java", 2525 | "Hashicorp Vault", 2526 | "Kubernetes", 2527 | "Docker", 2528 | "AWS", 2529 | "GCP" 2530 | ], 2531 | "references": [ 2532 | { 2533 | "name": "download", 2534 | "url": "https://github.com/commjoen/wrongsecrets" 2535 | } 2536 | ], 2537 | "author": "Jeroen Willemsen (@commjoen), Ben de Haan (@bendehaan), Nanne Baars (@nbaars)", 2538 | "notes": "OWASP WrongSecrets is a vulnerable app used to show how to not use secrets.", 2539 | "badge": "commjoen/wrongsecrets" 2540 | }, 2541 | { 2542 | "url": "http://xxe.sourceforge.net/", 2543 | "name": "XXE", 2544 | "collection": [ 2545 | "container" 2546 | ], 2547 | "technology": [ 2548 | "VMware" 2549 | ], 2550 | "references": [ 2551 | { 2552 | "name": "download", 2553 | "url": "https://sourceforge.net/projects/xxe/files/" 2554 | } 2555 | ], 2556 | "author": null, 2557 | "notes": null, 2558 | "badge": null 2559 | }, 2560 | { 2561 | "url": 
"https://github.com/jbarone/xxelab", 2562 | "name": "XXE Lab", 2563 | "collection": [ 2564 | "container", 2565 | "offline" 2566 | ], 2567 | "technology": [ 2568 | "docker", 2569 | "vagrant" 2570 | ], 2571 | "references": [], 2572 | "author": "Joshua Barone", 2573 | "notes": null, 2574 | "badge": "jbarone/xxelab" 2575 | }, 2576 | { 2577 | "url": "https://github.com/s4n7h0/xvwa", 2578 | "name": "Xtreme Vulnerable Web Application (XVWA)", 2579 | "collection": [ 2580 | "offline" 2581 | ], 2582 | "technology": [ 2583 | "PHP", 2584 | "MySQL" 2585 | ], 2586 | "references": [ 2587 | { 2588 | "name": "download", 2589 | "url": "https://github.com/s4n7h0/xvwa" 2590 | } 2591 | ], 2592 | "author": "@s4n7h0, @samanL33T", 2593 | "notes": null, 2594 | "badge": "s4n7h0/xvwa" 2595 | }, 2596 | { 2597 | "url": "http://zero.webappsecurity.com/", 2598 | "name": "Zero Bank", 2599 | "collection": [ 2600 | "online" 2601 | ], 2602 | "technology": [], 2603 | "references": [ 2604 | { 2605 | "name": "live", 2606 | "url": "http://zero.webappsecurity.com" 2607 | } 2608 | ], 2609 | "author": "Micro Focus Fortify (was HP/SpiDynamics)", 2610 | "notes": "(username/password)", 2611 | "badge": null 2612 | }, 2613 | { 2614 | "url": "http://www.itsecgames.com/", 2615 | "name": "bWAPP", 2616 | "collection": [ 2617 | "offline" 2618 | ], 2619 | "technology": [ 2620 | "PHP" 2621 | ], 2622 | "references": [ 2623 | { 2624 | "name": "download", 2625 | "url": "https://sourceforge.net/projects/bwapp/files/" 2626 | }, 2627 | { 2628 | "name": "guide", 2629 | "url": "http://itsecgames.blogspot.be/2013/01/bwapp-installation.html" 2630 | } 2631 | ], 2632 | "author": null, 2633 | "notes": null, 2634 | "badge": null 2635 | }, 2636 | { 2637 | "url": "https://owasp.org/www-project-crapi/", 2638 | "name": "crAPI", 2639 | "collection": [ 2640 | "offline", 2641 | "container" 2642 | ], 2643 | "technology": [ 2644 | "Go", 2645 | "nginx" 2646 | ], 2647 | "references": [ 2648 | { 2649 | "name": "downloads", 2650 | "url": 
"https://github.com/OWASP/crAPI" 2651 | } 2652 | ], 2653 | "author": "OWASP", 2654 | "notes": null, 2655 | "badge": "OWASP/crAPI" 2656 | }, 2657 | { 2658 | "url": "https://github.com/snoopysecurity/dvws-node", 2659 | "name": "dvws-node", 2660 | "collection": [ 2661 | "offline", 2662 | "container" 2663 | ], 2664 | "technology": [ 2665 | "Web Services", 2666 | "NodeJS" 2667 | ], 2668 | "references": [ 2669 | { 2670 | "name": "guide", 2671 | "url": "https://github.com/snoopysecurity/dvws-node/wiki" 2672 | } 2673 | ], 2674 | "author": "@snoopysecurity", 2675 | "notes": null, 2676 | "badge": "snoopysecurity/dvws-node" 2677 | }, 2678 | { 2679 | "url": "http://hackxor.sourceforge.net/cgi-bin/index.pl", 2680 | "name": "Hackxor", 2681 | "collection": [ 2682 | "offline", 2683 | "online", 2684 | "container" 2685 | ], 2686 | "technology": [ 2687 | "VMware" 2688 | ], 2689 | "references": [ 2690 | { 2691 | "name": "download", 2692 | "url": "https://sourceforge.net/projects/hackxor/files/" 2693 | }, 2694 | { 2695 | "name": "guide", 2696 | "url": "http://hackxor.sourceforge.net/cgi-bin/hints.pl" 2697 | }, 2698 | { 2699 | "name": "live", 2700 | "url": "https://hackxor.net" 2701 | } 2702 | ], 2703 | "author": "albinowax", 2704 | "notes": "First 2 levels online, rest offline. 
Web application hacking game via missions, based on real vulnerabilities.", 2705 | "badge": null 2706 | }, 2707 | { 2708 | "url": "https://github.com/omerlh/insecure-deserialisation-net-poc", 2709 | "name": "insecure-deserialisation-net-poc", 2710 | "collection": [ 2711 | "offline" 2712 | ], 2713 | "technology": [ 2714 | ".NET", 2715 | "JSON", 2716 | "yoserial.NET" 2717 | ], 2718 | "references": [], 2719 | "author": "Omer Levi Hevroni", 2720 | "notes": "A small webserver vulnerable to insecure deserialization", 2721 | "badge": "omerlh/insecure-deserialisation-net-poc" 2722 | }, 2723 | { 2724 | "url": "https://github.com/Sjord/jwtdemo/", 2725 | "name": "jwtdemo", 2726 | "collection": [ 2727 | "offline" 2728 | ], 2729 | "technology": [ 2730 | "PHP" 2731 | ], 2732 | "references": [ 2733 | { 2734 | "name": "guide", 2735 | "url": "https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/" 2736 | } 2737 | ], 2738 | "author": "Sjoerd Langkemper (Sjord)", 2739 | "notes": "Practice hacking JWT tokens.", 2740 | "badge": "Sjord/jwtdemo" 2741 | }, 2742 | { 2743 | "url": "https://github.com/playframework/play-webgoat", 2744 | "name": "play-webgoat", 2745 | "collection": [ 2746 | "offline" 2747 | ], 2748 | "technology": [ 2749 | "Java", 2750 | "Scala", 2751 | "Play Framework" 2752 | ], 2753 | "references": [], 2754 | "author": null, 2755 | "notes": null, 2756 | "badge": "playframework/play-webgoat" 2757 | }, 2758 | { 2759 | "url": "https://github.com/sakti/twitterlike", 2760 | "name": "twitterlike", 2761 | "collection": [ 2762 | "offline" 2763 | ], 2764 | "technology": [ 2765 | "PHP" 2766 | ], 2767 | "references": [ 2768 | { 2769 | "name": "download", 2770 | "url": "https://github.com/sakti/twitterlike" 2771 | } 2772 | ], 2773 | "author": "Sakti Dwi Cahyono", 2774 | "notes": null, 2775 | "badge": "sakti/twitterlike" 2776 | }, 2777 | { 2778 | "url": "https://github.com/roottusk/vapi", 2779 | "name": "vAPI", 2780 | "collection": [ 2781 | "offline" 2782 | ], 2783 | 
"technology": [ 2784 | "PHP" 2785 | ], 2786 | "references": [ 2787 | { 2788 | "name": "guide", 2789 | "url": "https://github.com/roottusk/vapi/blob/master/README.md" 2790 | }, 2791 | { 2792 | "name": "docker", 2793 | "url": "https://hub.docker.com/r/roottusk/vapi" 2794 | } 2795 | ], 2796 | "author": "Tushar Kulkarni", 2797 | "notes": "vAPI is a Vulnerable Interface that demonstrates the OWASP API Top 10 vulnerabilities in the means of exercises", 2798 | "badge": "roottusk/vapi" 2799 | }, 2800 | { 2801 | "url": "https://github.com/Aif4thah/VulnerableLightApp", 2802 | "name": "VulnerableLightApp", 2803 | "collection": [ 2804 | "offline" 2805 | ], 2806 | "technology": [ 2807 | ".NET", 2808 | "C#", 2809 | "AspNetCore" 2810 | ], 2811 | "references": [ 2812 | { 2813 | "name": "guide", 2814 | "url": "https://github.com/Aif4thah/VulnerableLightApp" 2815 | } 2816 | ], 2817 | "author": "Michael Vacarella", 2818 | "notes": "Vulnerable API for educational purposes", 2819 | "badge": "Aif4thah/VulnerableLightApp" 2820 | }, 2821 | { 2822 | "url": "https://github.com/mattvaldes/vulnerable-api", 2823 | "name": "vulnerable-api", 2824 | "collection": [ 2825 | "offline" 2826 | ], 2827 | "technology": [ 2828 | "Python" 2829 | ], 2830 | "references": [ 2831 | { 2832 | "name": "download", 2833 | "url": "https://github.com/mattvaldes/vulnerable-api" 2834 | } 2835 | ], 2836 | "author": "Matthew Valdes", 2837 | "notes": null, 2838 | "badge": "mattvaldes/vulnerable-api" 2839 | }, 2840 | { 2841 | "url": "https://github.com/marmicode/websheep", 2842 | "name": "websheep", 2843 | "collection": [ 2844 | "offline" 2845 | ], 2846 | "technology": [ 2847 | "Angular", 2848 | "JavaScript", 2849 | "Node" 2850 | ], 2851 | "references": [ 2852 | { 2853 | "name": "guide", 2854 | "url": "https://github.com/marmicode/websheep" 2855 | } 2856 | ], 2857 | "author": "Younes Jaaidi (yjaaidi)", 2858 | "notes": " Websheep is an app based on a willingly vulnerable ReSTful APIs.", 2859 | "badge": "marmicode/websheep" 
2860 | }, 2861 | { 2862 | "url": "https://github.com/cider-security-research/cicd-goat", 2863 | "name": "CI/CD Goat", 2864 | "collection": [ 2865 | "container" 2866 | ], 2867 | "technology": [ 2868 | "Gitea", 2869 | "Jenkins", 2870 | "GitLab", 2871 | "Docker" 2872 | ], 2873 | "references": [], 2874 | "author": "Cider", 2875 | "notes": "Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.", 2876 | "badge": "cider-security-research/cicd-goat" 2877 | }, 2878 | { 2879 | "url": "http://ffuf.me/", 2880 | "name": "FFUF.me", 2881 | "collection": [ 2882 | "online", 2883 | "offline", 2884 | "container" 2885 | ], 2886 | "technology": [ 2887 | "PHP", 2888 | "Docker" 2889 | ], 2890 | "references": [ 2891 | { 2892 | "name": "download", 2893 | "url": "https://github.com/adamtlangley/ffufme" 2894 | }, 2895 | { 2896 | "name": "live", 2897 | "url": "http://ffuf.me/" 2898 | } 2899 | ], 2900 | "author": "adamtlangley", 2901 | "notes": "Target practice for ffuf", 2902 | "badge": "adamtlangley/ffufme" 2903 | }, 2904 | { 2905 | "url": "https://pentest-ground.com/", 2906 | "name": "Pentest-Ground", 2907 | "collection": [ 2908 | "online" 2909 | ], 2910 | "technology": [ 2911 | "PHP", 2912 | "Docker" 2913 | ], 2914 | "references": [], 2915 | "author": "Pentest-Tools.com", 2916 | "notes": "Suite of vulnerable web apps to practice", 2917 | "badge": null 2918 | }, 2919 | { 2920 | "author":"Fernando Mengali, Vagner Mengali", 2921 | "badge":null, 2922 | "collection":[ 2923 | "offline" 2924 | ], 2925 | "name":"Yrprey", 2926 | "notes":"Framework created in NextJs (TypeScript) and PHP/MySQL with OWASP TOP 10 API vulnerabilities of 2019 and 2023. 
Yrprey was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (Appsec).", 2927 | "references":[ 2928 | { 2929 | "name":"download", 2930 | "url":"https://github.com/yrprey/yrprey-backend" 2931 | }, 2932 | { 2933 | "name":"download", 2934 | "url":"https://github.com/yrprey/yrprey-frontend" 2935 | }, 2936 | { 2937 | "name":"docker", 2938 | "url":"https://github.com/yrprey/yrprey-application" 2939 | } 2940 | ], 2941 | "technology":[ 2942 | "PHP", 2943 | "TypeScript", 2944 | "NextJs" 2945 | ], 2946 | "url":"https://yrprey.com" 2947 | }, 2948 | { 2949 | "author":"Fernando Mengali", 2950 | "badge":null, 2951 | "collection":[ 2952 | "offline" 2953 | ], 2954 | "name":"YrpreyPHP", 2955 | "notes":"A framework created in PHP/MySQL with OWASP TOP 10 Web Application vulnerabilities. YrpreyPHP was created for educational purposes, contributing to the teaching and learning of those interested in Pentest (intrusion testing) and Application Security (AppSec).", 2956 | "references":[ 2957 | { 2958 | "name":"download", 2959 | "url":"https://github.com/yrprey/yrpreyPHP/" 2960 | } 2961 | ], 2962 | "technology":[ 2963 | "PHP", 2964 | "CSS", 2965 | "Bootstrap", 2966 | "MySQL" 2967 | ], 2968 | "url":"https://yrprey.com" 2969 | }, 2970 | { 2971 | "author":"Fernando Mengali", 2972 | "badge":null, 2973 | "collection":[ 2974 | "offline" 2975 | ], 2976 | "name":"YrpreyBlog", 2977 | "notes":"A framework created in PHP/MySQL with OWASP TOP 10 Web Application vulnerabilities.", 2978 | "references":[ 2979 | { 2980 | "name":"download", 2981 | "url":"https://github.com/yrprey/yrpreyBlog" 2982 | } 2983 | ], 2984 | "technology":[ 2985 | "PHP", 2986 | "CSS", 2987 | "Bootstrap", 2988 | "MySQL" 2989 | ], 2990 | "url":"https://yrprey.com" 2991 | }, 2992 | { 2993 | "author":"Fernando Mengali", 2994 | "badge":null, 2995 | "collection":[ 2996 | "offline" 2997 | ], 2998 | "name":"YrpreyC", 2999 | 
"notes":"YrpreyC is a framework written in the C language that contains vulnerabilities related to memory issues, categorized as overflows", 3000 | "references":[ 3001 | { 3002 | "name":"download", 3003 | "url":"https://github.com/yrprey/yrpreyC" 3004 | } 3005 | ], 3006 | "technology":[ 3007 | "C" 3008 | ], 3009 | "url":"https://yrprey.com" 3010 | }, 3011 | { 3012 | "author":"Fernando Mengali", 3013 | "badge":null, 3014 | "collection":[ 3015 | "offline" 3016 | ], 3017 | "name":"YrpreyC++", 3018 | "notes":"YrpreyC++ is a framework written in the C++ language that contains vulnerabilities related to memory issues, categorized as overflows", 3019 | "references":[ 3020 | { 3021 | "name":"download", 3022 | "url":"https://github.com/yrprey/yrpreyCPlus" 3023 | } 3024 | ], 3025 | "technology":[ 3026 | "C++" 3027 | ], 3028 | "url":"https://yrprey.com" 3029 | }, 3030 | { 3031 | "author":"Fernando Mengali", 3032 | "badge":null, 3033 | "collection":[ 3034 | "offline" 3035 | ], 3036 | "name":"yrpreyTasksPython", 3037 | "notes":"yrpreyTasksPython is a vulnerable framework written in Python with a task management scenario, based on the OWASP TOP 10", 3038 | "references":[ 3039 | { 3040 | "name":"download", 3041 | "url":"https://github.com/yrprey/yrpreyTasksPython" 3042 | } 3043 | ], 3044 | "technology":[ 3045 | "Python", 3046 | "PHP", 3047 | "MySQL", 3048 | "Bootstrap" 3049 | ], 3050 | "url":"https://yrprey.com" 3051 | }, 3052 | { 3053 | "author":"Fernando Mengali", 3054 | "badge":null, 3055 | "collection":[ 3056 | "offline" 3057 | ], 3058 | "name":"yrpreyTasksNodeJS", 3059 | "notes":"yrpreyTasksNodeJS is a vulnerable framework written in NodeJS with a task management scenario, based on the OWASP TOP 10", 3060 | "references":[ 3061 | { 3062 | "name":"download", 3063 | "url":"https://github.com/yrprey/yrpreyTasksNodeJS" 3064 | } 3065 | ], 3066 | "technology":[ 3067 | "NodeJS", 3068 | "PHP", 3069 | "MySQL", 3070 | "Bootstrap" 3071 | ], 3072 | "url":"https://yrprey.com" 3073 | }, 
3074 | { 3075 | "author":"Fernando Mengali", 3076 | "badge":null, 3077 | "collection":[ 3078 | "offline" 3079 | ], 3080 | "name":"yrpreyTasks", 3081 | "notes":"yrpreyTasks is a vulnerable framework written in PHP with a task management scenario, based on the OWASP TOP 10", 3082 | "references":[ 3083 | { 3084 | "name":"download", 3085 | "url":"https://github.com/yrprey/yrpreyTasks" 3086 | } 3087 | ], 3088 | "technology":[ 3089 | "PHP", 3090 | "MySQL", 3091 | "Bootstrap" 3092 | ], 3093 | "url":"https://yrprey.com" 3094 | }, 3095 | { 3096 | "author":"Fernando Mengali", 3097 | "badge":null, 3098 | "collection":[ 3099 | "offline" 3100 | ], 3101 | "name":"ypreyPollsPHP", 3102 | "notes":"ypreyPollsPHP is a vulnerable framework written in PHP with a polls management scenario, based on the OWASP TOP 10", 3103 | "references":[ 3104 | { 3105 | "name":"download", 3106 | "url":"https://github.com/yrprey/ypreyPollsPHP" 3107 | } 3108 | ], 3109 | "technology":[ 3110 | "PHP", 3111 | "MySQL", 3112 | "Materialize", 3113 | "Bootstrap" 3114 | ], 3115 | "url":"https://yrprey.com" 3116 | }, 3117 | { 3118 | "author":"Fernando Mengali", 3119 | "badge":null, 3120 | "collection":[ 3121 | "offline" 3122 | ], 3123 | "name":"yrpreyPollsPython", 3124 | "notes":"yrpreyPollsPython is a vulnerable framework written in Python with a polls management scenario, based on the OWASP TOP 10", 3125 | "references":[ 3126 | { 3127 | "name":"download", 3128 | "url":"https://github.com/yrprey/yrpreyPollsPython" 3129 | } 3130 | ], 3131 | "technology":[ 3132 | "Python", 3133 | "PHP", 3134 | "MySQL", 3135 | "Materialize", 3136 | "Bootstrap" 3137 | ], 3138 | "url":"https://yrprey.com" 3139 | }, 3140 | { 3141 | "author":"Fernando Mengali", 3142 | "badge":null, 3143 | "collection":[ 3144 | "offline" 3145 | ], 3146 | "name":"yrpreyPollsNodeJS", 3147 | "notes":"yrpreyPollsNodeJS is a vulnerable framework written in NodeJS with a polls management scenario, based on the OWASP TOP 10", 3148 | "references":[ 3149 | { 3150 
| "name":"download", 3151 | "url":"https://github.com/yrprey/yrpreyPollsNodeJS" 3152 | } 3153 | ], 3154 | "technology":[ 3155 | "NodeJS", 3156 | "PHP", 3157 | "MySQL", 3158 | "Materialize", 3159 | "Bootstrap" 3160 | ], 3161 | "url":"https://yrprey.com" 3162 | }, 3163 | { 3164 | "author":"Fernando Mengali", 3165 | "badge":null, 3166 | "collection":[ 3167 | "offline" 3168 | ], 3169 | "name":"yrpreyPollsPerl", 3170 | "notes":"yrpreyPollsPerl is a vulnerable framework written in Perl with a polls management scenario, based on the OWASP TOP 10", 3171 | "references":[ 3172 | { 3173 | "name":"download", 3174 | "url":"https://github.com/yrprey/yrpreyPollsPerl" 3175 | } 3176 | ], 3177 | "technology":[ 3178 | "Perl", 3179 | "PHP", 3180 | "MySQL", 3181 | "Materialize", 3182 | "Bootstrap" 3183 | ], 3184 | "url":"https://yrprey.com" 3185 | }, 3186 | { 3187 | "author":"Fernando Mengali", 3188 | "badge":null, 3189 | "collection":[ 3190 | "offline" 3191 | ], 3192 | "name":"ypreyAPINodeJS", 3193 | "notes":"yrpreyAPINodeJS is a vulnerable framework written in NodeJS and based on the OWASP TOP 10 API.", 3194 | "references":[ 3195 | { 3196 | "name":"download", 3197 | "url":"https://github.com/yrprey/ypreyAPINodeJS" 3198 | } 3199 | ], 3200 | "technology":[ 3201 | "NodeJS", 3202 | "PHP", 3203 | "MariaDB", 3204 | "Bootstrap", 3205 | "JavaScript" 3206 | ], 3207 | "url":"https://yrprey.com" 3208 | }, 3209 | { 3210 | "author":"Fernando Mengali", 3211 | "badge":null, 3212 | "collection":[ 3213 | "offline" 3214 | ], 3215 | "name":"ypreyAPIPython", 3216 | "notes":"ypreyAPIPython is a vulnerable framework written in Python and based on the OWASP TOP 10 API.", 3217 | "references":[ 3218 | { 3219 | "name":"download", 3220 | "url":"https://github.com/yrprey/ypreyAPIPython" 3221 | } 3222 | ], 3223 | "technology":[ 3224 | "Python", 3225 | "PHP", 3226 | "MariaDB", 3227 | "Bootstrap", 3228 | "JavaScript" 3229 | ], 3230 | "url":"https://yrprey.com" 3231 | }, 3232 | { 3233 | "author":"Fernando Mengali", 
3234 | "badge":null, 3235 | "collection":[ 3236 | "offline" 3237 | ], 3238 | "name":"yrpreyLibrary", 3239 | "notes":"yrpreyLibrary is a vulnerable framework written in PHP, based on the OWASP TOP 10", 3240 | "references":[ 3241 | { 3242 | "name":"download", 3243 | "url":"https://github.com/yrprey/yrpreyLibrary" 3244 | } 3245 | ], 3246 | "technology":[ 3247 | "PHP", 3248 | "MySQL", 3249 | "Bootstrap" 3250 | ], 3251 | "url":"https://yrprey.com" 3252 | }, 3253 | { 3254 | "author":"Fernando Mengali", 3255 | "badge":null, 3256 | "collection":[ 3257 | "offline" 3258 | ], 3259 | "name":"yrpreyFinance", 3260 | "notes":"yrpreyFinance is a vulnerable framework written in PHP with a financial management scenario, based on the OWASP TOP 10", 3261 | "references":[ 3262 | { 3263 | "name":"download", 3264 | "url":"https://github.com/yrprey/yrpreyFinance" 3265 | } 3266 | ], 3267 | "technology":[ 3268 | "PHP", 3269 | "MySQL", 3270 | "Bootstrap" 3271 | ], 3272 | "url":"https://yrprey.com" 3273 | }, 3274 | { 3275 | "author":"Fernando Mengali", 3276 | "badge":null, 3277 | "collection":[ 3278 | "offline" 3279 | ], 3280 | "name":"yrpreyASPC", 3281 | "notes":"yrpreyASPC is a vulnerable framework written in ASP and C with vulnerabilities based on Buffer Overflow, Command Injection, and web application vulnerabilities.", 3282 | "references":[ 3283 | { 3284 | "name":"download", 3285 | "url":"https://github.com/yrprey/yrpreyASPC" 3286 | } 3287 | ], 3288 | "technology":[ 3289 | "ASP", 3290 | "MySQL", 3291 | "C" 3292 | ], 3293 | "url":"https://yrprey.com" 3294 | }, 3295 | { 3296 | "author":"Fernando Mengali", 3297 | "badge":null, 3298 | "collection":[ 3299 | "offline" 3300 | ], 3301 | "name":"yrpreyASPCPlus", 3302 | "notes":"yrpreyASPCPlus is a vulnerable framework written in ASP and C++ with vulnerabilities based on Buffer Overflow, Command Injection, and web application vulnerabilities.", 3303 | "references":[ 3304 | { 3305 | "name":"download", 3306 | 
"url":"https://github.com/yrprey/yrpreyASPCPlus" 3307 | } 3308 | ], 3309 | "technology":[ 3310 | "ASP", 3311 | "MySQL", 3312 | "C++" 3313 | ], 3314 | "url":"https://yrprey.com" 3315 | }, 3316 | { 3317 | "author":"Fernando Mengali", 3318 | "badge":null, 3319 | "collection":[ 3320 | "offline" 3321 | ], 3322 | "name":"YrpreyPathTraversal", 3323 | "notes":"YrpreyPathTraversal is a framework written in PHP, with examples of exploiting Path Traversal and Local File Inclusion vulnerabilities in different ways.", 3324 | "references":[ 3325 | { 3326 | "name":"download", 3327 | "url":"https://github.com/yrprey/YrpreyPathTraversal" 3328 | } 3329 | ], 3330 | "technology":[ 3331 | "PHP", 3332 | "MySQL", 3333 | "Semantic UI", 3334 | "Bootstrap" 3335 | ], 3336 | "url":"https://yrprey.com" 3337 | } 3338 | ] 3339 | --------------------------------------------------------------------------------