🕸 Web
Online/Live
Acunetix :
- TestASP (Forum - ASP)
- TestAspNet (Blog - .NET)
- VulnWeb
- Cenzic CrackMeBank
- Google Gruyere (Python)
- Hacking-Lab (eg. OWASP Top 10)
- Hack.me (beta)
- HackThisSite (HTS - Basic & Realistic (web) Missions)
- Hackxor online demo (algo/smurf)
- HP/SpiDynamics Free Bank Online (admin/admin)
- IBM/Watchfire AltoroMutual (jsmith/Demo1234)
- NTOSpider Web Scanner Test Site (testuser/testpass)
- OWASP Hackademic Challenges Project - Live (PHP - Joomla)
- Pentester Academy
:LiHardDriveDownload: Offline
The following list references downloadable vulnerable web applications to play with that can be installed on a standard operating system (Linux, Windows, Mac OS X, etc) using a standard web platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc).
- The BodgeIt Store (Java)
- OWASP Bricks (PHP)
- The ButterFly Security Project (PHP)
- bWAPP - an extremely buggy web application! (PHP)
- Damn Vulnerable Web Application - DVWA (PHP)
- Damn Vulnerable Web Services - DVWS (PHP)
- OWASP Hackademic Challenges Project (PHP)
- Google Gruyere (Python)
- Hacme Bank (.NET)
- Hacme Books (Java)
- Hacme Casino (Ruby on Rails)
- Hacme Shipping (ColdFusion)
- Hacme Travel (C++)
- Mutillidae (PHP)
- OWASP .NET Goat (C#)
- Peruggia (PHP)
- Puzzlemall (Java)
- Stanford Securibench (Java) & Micro
- SQLI-labs (PHP)
- SQLol (PHP)
- OWASP Vicnum Project (Perl & PHP)
- VulnApp (.NET)
- WackoPicko (PHP)
- OWASP WebGoat (Java)
- OWASP ZAP WAVE - Web Application Vulnerability Examples (Java)
- Wavsep - Web Application Vulnerability Scanner Evaluation Project (Java)
- WIVET - Web Input Vector Extractor Teaser
💾 Virtual Machines (VMs) or ISO images
- BadStore (ISO)
- Bee-Box (bWAPP VMware)
- OWASP BWA - Broken Web Applications Project (VMware - list)
- Drunk Admin Web Hacking Challenge (VMware)
- Exploit.co.il Vuln Web App (VMware)
- GameOver (VMware)
- Hackxor (VMware)
- Hacme Bank Prebuilt VM (VMware)
- Kioptrix4 (VMware & Hyper-V)
- LAMPSecurity (VMware)
- Metasploitable (VMware)
- Metasploitable 2 (VMware)
- Moth (VMware)
- PentesterLab - The Exercises (ISO & PDF)
- PHDays I-Bank (VMware)
- Samurai WTF (ISO - list)
- Sauron (Quemu) [Spanish]
- UltimateLAMP (VMware - list)
- Virtual Hacking Lab (ZIP)
- Web Security Dojo (VMware, VirtualBox - list)
🍏 iOS
📱 Android
- DVAA
- DIVA Android
- Android InsecureBank v2
- hpAndro Android AppSec (Kotlin)
- MSTG Hacking Playground
- InjuredAndroid
- AndroGoat
- OWASP Crackmes
- Sieve app
- Purposefully Insecure and Vulnerable Android Application(PIIVA)
- Damn Vulnerable Hybrid Mobile App (DVHMA)
- Damn Vulnerable Bank