Skip to content

@vulnerable-apps vulnerable-apps

Change the repository type filter

All

    Repositories list

    156 repositories

    • security-crawl-maze

      Public
      Security Crawl Maze is a comprehensive testbed for web security crawlers. It contains pages representing many ways in which one can link resources from a valid …
      HTML
      Apache License 2.0
      43001Updated Feb 20, 2026Feb 20, 2026

    • juice-shop

      Public
      OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
      javascriptangular
      javascriptangular
      TypeScript
      MIT License
      18k1027Updated Feb 12, 2026Feb 12, 2026

    • verademo

      Public
      A deliberately insecure Java web application
      Java
      MIT License
      5670016Updated Jan 24, 2026Jan 24, 2026

    • dvws-node

      Public
      Damn Vulnerable Web Services is a vulnerable web service and API that can be used to learn about webservices/API related vulnerabilities.
      JavaScript
      GNU General Public License v3.0
      225000Updated Jan 23, 2026Jan 23, 2026

    • javaspringvulny

      Public
      javaspringvulny - a Spring Boot web application built wrong on purpose
      Java
      272200Updated Nov 4, 2025Nov 4, 2025

    • damn-vulnerable-MCP-server

      Public
      Damn Vulnerable MCP Server
      Python
      146007Updated Nov 3, 2025Nov 3, 2025

    • vuln_django_play

      Public
      🐛 An intentionally vulnerable Django app
      JavaScript
      34000Updated Jul 24, 2025Jul 24, 2025

    • WebGoat

      Public
      WebGoat is a deliberately insecure application
      JavaScript
      Other
      7.6k001Updated May 7, 2025May 7, 2025

    • salesforce-pentest-series

      Public
      3000Updated Mar 18, 2025Mar 18, 2025

    • vulnerable-rest-api

      Public
      A vulnerable RESTful application written in Node and React based on OWASP API security top 10 2023 edition.
      JavaScript
      MIT License
      55002Updated Jan 17, 2025Jan 17, 2025

    • paas-cloud-goat

      Public
      PaaS Cloud Goat is a simulated vulnerable Salesforce application providing hands-on experience with penetration testing of custom Salesforce applications.
      Apex
      GNU Affero General Public License v3.0
      7000Updated Nov 21, 2024Nov 21, 2024

    • nosql-injection-vulnapp

      Public
      NIVA is a simple web application which is intentionally vulnerable to NoSQL injection. The purpose of this project is to facilitate a better understanding of th…
      Java
      MIT License
      25001Updated Nov 12, 2024Nov 12, 2024

    • simple-ssrf

      Public
      Simple deliberately vulnerable API demonstrating Server-Side Request Forgery (SSRF).
      Python
      11004Updated Nov 9, 2024Nov 9, 2024

    • terragoat

      Public
      TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration e…
      terraformtfsecsemgrep
      terraformtfsecsemgrep
      HCL
      Apache License 2.0
      5.7k000Updated Nov 8, 2024Nov 8, 2024

    • SSRF_Vulnerable_Lab

      Public
      This Lab contain the sample codes which are vulnerable to Server-Side Request Forgery attack
      PHP
      MIT License
      202000Updated Nov 8, 2024Nov 8, 2024

    • Vulnerable-JWT

      Public
      Collection of vulnerable APIs/apps to test JWT attacks
      JavaScript
      11508Updated Oct 31, 2024Oct 31, 2024

    • crazy-vulnerable-nodejs-application

      Public
      CVNA
      JavaScript
      24001Updated Oct 26, 2024Oct 26, 2024

    • yrpreyTasksNodeJS

      Public
      PHP
      7002Updated Oct 20, 2024Oct 20, 2024

    • brokencrystals-demo

      Public
      Mirror of broken crystals, but with specific dockerfiles for easy docker compose
      TypeScript
      MIT License
      5005Updated Oct 17, 2024Oct 17, 2024

    • brokencrystals

      Public
      A Broken Application - Very Vulnerable!
      TypeScript
      MIT License
      318000Updated Oct 16, 2024Oct 16, 2024

    • vuln-graphql-api

      Public
      A very vulnerable implementation of a GraphQL API.
      TypeScript
      94002Updated Oct 11, 2024Oct 11, 2024

    • Tiredful-API-py3-beta

      Public
      Python 3 compatible repo of Tiredful API
      Python
      GNU General Public License v3.0
      11001Updated Oct 9, 2024Oct 9, 2024

    • dvcsharp-api

      Public
      Damn Vulnerable C# Application (API)
      C#
      MIT License
      287000Updated Sep 28, 2024Sep 28, 2024

    • Tiredful-API

      Public
      An intentionally designed broken web application based on REST API.
      Python
      GNU General Public License v3.0
      143000Updated Sep 27, 2024Sep 27, 2024

    • vuln_node_express

      Public
      JavaScript
      374200Updated Sep 27, 2024Sep 27, 2024

    • VulnerableApp

      Public
      OWASP VulnerableApp Project: For Security Enthusiasts by Security Enthusiasts.
      Java
      Apache License 2.0
      668005Updated Sep 27, 2024Sep 27, 2024

    • DVWA

      Public
      Damn Vulnerable Web Application (DVWA)
      PHP
      GNU General Public License v3.0
      4.8k100Updated Sep 27, 2024Sep 27, 2024

    • Remediation-Demo

      Public
      Python
      Apache License 2.0
      2100Updated Sep 19, 2024Sep 19, 2024

    • VulnerableCoreApp

      Public
      Mirror of https://github.com/zsusac/VulnerableCoreApp
      HTML
      3000Updated Sep 19, 2024Sep 19, 2024

    • VulnerableLightApp

      Public
      Vulnerable API for educational purposes
      C#
      GNU General Public License v3.0
      82100Updated Sep 10, 2024Sep 10, 2024
    ProTip! When viewing an organization's repositories, you can use the props. filter to filter by custom property.