Перейти к содержанию

Список уязвимых приложений и ресурсов для получения практических навыков (оффлайн)

Deliberately vulnerable APIs

Name Author Description
APISandbox APISecurity Community Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.
Bookstore sidchn TryHackMe room - A Beginner level box with basic web enumeration and REST API Fuzzing.
crAPI OWASP completely ridiculous API (crAPI)
Damn-Vulnerable-GraphQL-Application dolevf Damn Vulnerable GraphQL Application is intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security.
Damn Vulnerable Micro Services ne0z This is a vulnerable microservice written in many languages to demonstrating OWASP API Top Security Risk (under development)
Damn Vulnerable Web Services snoopysecurity Damn Vulnerable Web Services is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities.
Generic-University InsiderPhD Vulnerable API with Laravel App
node-api-goat layro01 A simple Express.JS REST API application that exposes endpoints with code that contains vulnerabilities.
Pixi DevSlop The Pixi module is a MEAN Stack web app with wildly insecure APIs!
poc-graphql righettod Research on GraphQL from an AppSec point of view.
REST API Goat optiv This is a "Goat" project so you can get familiar with REST API testing.
VAmPI erev0s Vulnerable REST API with OWASP top 10 vulnerabilities for APIs
vAPI roottusk vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.
vulnapi tkisason Intentionaly very vulnerable API with bonus bad coding practices.
vulnerable-graphql-api CarveSystems A very vulnerable implementation of a GraphQL API.
Websheep marmicode Websheep is an app based on a willingly vulnerable ReSTful APIs.
VulnerableApp4APISecurity Erdemstar This repository was developed using .NET 7.0 API technology based on findings listed in the OWASP 2019 API Security Top 10.

Vulnerable VMs

Cloud Security

  • Kubernetes Goat - Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
  • CloudGoat - CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
  • CdkGoat - Vulnerable AWS CDK Infra - CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository.
  • Cfngoat - Vulnerable Cloudformation Template - Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository.
  • TerraGoat - Vulnerable Terraform Infra - TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
  • caponeme - Capital One Breach - Repository demonstrating the Capital One breach on your AWS account
  • WrongSecrets - WrongSecrets is "Vulnerable by Design" to show how to not handle secrets in Docker, Kubernetes and in the cloud (AWS/GCP/Azure).
  • AWSGoat - A Damn Vulnerable AWS Infrastructure
  • AzureGoat - A Damn Vulnerable Azure Infrastructure
  • IAM Vulnerable - Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
  • Sadcloud - A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure

SSO - Single Sign On

Безопасность мобильных приложений



OWASP Top 10

  • Owasp Juice shop - OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
  • DVWA - Damn Vulnerable Web Application (DVWA)
  • DSVW - Damn Small Vulnerable Web
  • bWAPP - This is just an instance of the OWASP bWAPP project as a docker container.
  • Xtreme Vulnerable Web Application - XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.
  • lazyweb - This web application is a demonstration of common server-side application flaws. Each of the vulnerabilities has its own difficulty rating.
  • OWASP Mutillidae II - OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
  • Pentest_lab - Local penetration testing lab using docker-compose.
  • VulnLab - A vulnerable web application lab using Docker
  • WebGoat - WebGoat is a deliberately insecure application by OWASP for training purpose
  • VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for security testing

SQL Injection

XSS Injection

  • clicker-service - simulate XSS - Docker container that intakes post and then "clicks" the link. Intentionally vulnerable. To be used with vulnerable by design web apps to realistically simulate XSS and XSRF (CSRF).
  • XSSworm.dev - Self-replication contest
  • xssed - A set of XSS vulnerable PHP scripts for testing
  • xssable - A vulnerable blogging platform used to demonstrate XSS vulnerabilities.

Server Side Request Forgery

  • SSRF_Vulnerable_Lab - This Lab contain the sample codes which are vulnerable to Server-Side Request Forgery attack

CORS Misconfiguration

XXE Injection

  • XXE Lab - A simple web app with a XXE vulnerability.
  • docker-java-xxe - Docker image to test XXE attacks in java with tomcat.

Request Smuggling

  • Varnish HTTP/2 Request Smuggling - This repository a docker-compose file to setup a local environment that is vulnerable to CVE-2021-36740 Varnish HTTP/2 request smuggling.



  • DVWP - Damn Vulnerable WordPress


  • exploit-workshop - A step by step workshop to exploit various vulnerabilities in Node.js and Java applications
  • DVNA - Damn Vulnerable NodeJS Application
  • Extreme Vulnerable Node Application - Extreme Vulnerable Node Application
  • dvws-node - Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.


  • CICD Goat - Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.