Scraper for daily renewal of the Known Exploited Vulnerabilities Catalog by CISA

OWASP ServerlessGoat: a serverless application demonstrating common serverless security flaws

A vulnerable Play application for attackers.

Grails sample application using the Javamelody 1.44 plugin to illustrate the CVE-2013-4378 vulnerability.

OWASP Benchmark is a test suite designed to verify the speed and accuracy of software vulnerability detection tools. A fully runnable web app written in Java, it supports analysis by Static (SAST), Dynamic (DAST), and Runtime (IAST) tools that support Java. The idea is that since it is fully runnable and all the vulnerabilities are actually expl…

Damn Vulnerable Python Web App

Damn Vulnerable Node Application

A deliberately insecure Java web application

A vulnerable version of Rails that follows the OWASP Top 10

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

Damn Small Vulnerable Web

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool

The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.

OWASP VulnerableApp Project: For Security Enthusiasts by Security Enthusiasts.

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.