Список уязвимых приложений и ресурсов для получения практических навыков (оффлайн)
Deliberately vulnerable APIs
| Name | Author | Description |
|---|---|---|
| APISandbox | APISecurity Community | Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose. |
| Bookstore | sidchn | TryHackMe room - A Beginner level box with basic web enumeration and REST API Fuzzing. |
| crAPI | OWASP | completely ridiculous API (crAPI) |
| Damn-Vulnerable-GraphQL-Application | dolevf | Damn Vulnerable GraphQL Application is intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security. |
| Damn Vulnerable Micro Services | ne0z | This is a vulnerable microservice written in many languages to demonstrating OWASP API Top Security Risk (under development) |
| Damn Vulnerable Web Services | snoopysecurity | Damn Vulnerable Web Services is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities. |
| Generic-University | InsiderPhD | Vulnerable API with Laravel App |
| node-api-goat | layro01 | A simple Express.JS REST API application that exposes endpoints with code that contains vulnerabilities. |
| Pixi | DevSlop | The Pixi module is a MEAN Stack web app with wildly insecure APIs! |
| poc-graphql | righettod | Research on GraphQL from an AppSec point of view. |
| REST API Goat | optiv | This is a "Goat" project so you can get familiar with REST API testing. |
| VAmPI | erev0s | Vulnerable REST API with OWASP top 10 vulnerabilities for APIs |
| vAPI | roottusk | vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises. |
| vulnapi | tkisason | Intentionaly very vulnerable API with bonus bad coding practices. |
| vulnerable-graphql-api | CarveSystems | A very vulnerable implementation of a GraphQL API. |
| Websheep | marmicode | Websheep is an app based on a willingly vulnerable ReSTful APIs. |
| VulnerableApp4APISecurity | Erdemstar | This repository was developed using .NET 7.0 API technology based on findings listed in the OWASP 2019 API Security Top 10. |
Vulnerable VMs
- Vulhub
- Exploit Exercises
- Metasploitable3 - Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.
- Hackmyvm.eu
Cloud Security
- Kubernetes Goat - Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
- CloudGoat - CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
- CdkGoat - Vulnerable AWS CDK Infra - CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository.
- Cfngoat - Vulnerable Cloudformation Template - Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository.
- TerraGoat - Vulnerable Terraform Infra - TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
- caponeme - Capital One Breach - Repository demonstrating the Capital One breach on your AWS account
- WrongSecrets - WrongSecrets is "Vulnerable by Design" to show how to not handle secrets in Docker, Kubernetes and in the cloud (AWS/GCP/Azure).
- AWSGoat - A Damn Vulnerable AWS Infrastructure
- AzureGoat - A Damn Vulnerable Azure Infrastructure
- IAM Vulnerable - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
- Sadcloud - A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
SSO - Single Sign On
- vulnerable-sso - vulnerable single sign on
Безопасность мобильных приложений
Android
- DIVA (Damn insecure and vulnerable App)
- SecurityShepherd
- Damn Vulnerable Hybrid Mobile App (DVHMA)
- OWASP-mstg
- VulnerableAndroidAppOracle
- Android InsecureBankv2
- Purposefully Insecure and Vulnerable Android Application (PIIVA)
- Приложение Sieve
- DodoVulnerableBank
- Digitalbank
- OWASP GoatDroid
- AppKnox Vulnerable Application
- Уязвимое приложение для Android
- Hackme Bank
- Android Security Labs
- Android-InsecureBankv2
- Android-security
IOS
- OWASP iGoat
- Damn Vulnerable iOS App (DVIA) v2
- Damn Vulnerable iOS App (DVIA) v1
- iPhoneLabs
- iOS-Attack-Defense
- Pentesting iOS Applications
- Проектирование и разработка приложений для iOS
OWASP Top 10
- Owasp Juice shop - OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
- DVWA - Damn Vulnerable Web Application (DVWA)
- DSVW - Damn Small Vulnerable Web
- bWAPP - This is just an instance of the OWASP bWAPP project as a docker container.
- Xtreme Vulnerable Web Application - XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.
- lazyweb - This web application is a demonstration of common server-side application flaws. Each of the vulnerabilities has its own difficulty rating.
- OWASP Mutillidae II - OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
- Pentest_lab - Local penetration testing lab using docker-compose.
- VulnLab - A vulnerable web application lab using Docker
- WebGoat - WebGoat is a deliberately insecure application by OWASP for training purpose
- VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for security testing
SQL Injection
- Yet Another Vulnerability Database - Yet Another Vulnerability Database
XSS Injection
- clicker-service - simulate XSS - Docker container that intakes post and then "clicks" the link. Intentionally vulnerable. To be used with vulnerable by design web apps to realistically simulate XSS and XSRF (CSRF).
- XSSworm.dev - Self-replication contest
- xssed - A set of XSS vulnerable PHP scripts for testing
- xssable - A vulnerable blogging platform used to demonstrate XSS vulnerabilities.
Server Side Request Forgery
- SSRF_Vulnerable_Lab - This Lab contain the sample codes which are vulnerable to Server-Side Request Forgery attack
CORS Misconfiguration
- CORS-vulnerable-Lab - Sample vulnerable code and its exploit code
- CORS misconfiguration vulnerable Lab - This Repository contains CORS misconfiguration related vulnerable codes.
XXE Injection
- XXE Lab - A simple web app with a XXE vulnerability.
- docker-java-xxe - Docker image to test XXE attacks in java with tomcat.
Request Smuggling
- Varnish HTTP/2 Request Smuggling - This repository a docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling.
Technologies
WordPress
- DVWP - Damn Vulnerable WordPress
Node.js
- exploit-workshop - A step by step workshop to exploit various vulnerabilities in Node.js and Java applications
- DVNA - Damn Vulnerable NodeJS Application
- Extreme Vulnerable Node Application - Extreme Vulnerable Node Application
- dvws-node - Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.
CICD
- CICD Goat - Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.