This application provides an interactive way to explore open-source, "vulnerable by design" web security learning projects. These projects are intentionally engineered with security weaknesses to serve as educational resources, allowing safe and legal practice in identifying and exploiting vulnerabilities.
The Open Worldwide Application Security Project (OWASP) plays a significant role, with many prominent projects like Juice Shop and WebGoat being official OWASP initiatives. These tools are vital for security training, awareness, CTFs, and testing security tools.
Use the navigation to explore projects, learn about key OWASP initiatives, discover learning frameworks, and understand the important considerations when using these tools.
Project Technology Distribution
This chart shows the count of listed projects by their primary technologies. It offers a quick overview of the tech stacks you can find practice environments for. (Note: A project can be associated with multiple technologies).
Project Deployment Methods
This chart illustrates the common deployment methods for the listed projects, highlighting the prevalence of Docker for ease of setup.
Project Explorer
Discover a wide range of vulnerable-by-design projects. Use the filters below to narrow down your search based on technology, deployment method, or project category. Click on a project card to see more details and find its GitHub link.
Key OWASP Projects
OWASP hosts several highly regarded projects that serve as benchmarks in vulnerable application training. Here are a couple of prominent examples:
OWASP Juice Shop
Description:
Often described as "probably the most modern and sophisticated insecure web application," OWASP Juice Shop is intentionally riddled with security holes for educational purposes. It serves as a versatile tool for security training, awareness demonstrations, CTFs, and as a test subject for security tools and DevSecOps pipelines.
Scope:
Juice Shop aims to cover the entire OWASP Top Ten list of critical web application security risks, along with numerous other vulnerabilities encountered in contemporary web applications. It is built using modern technologies, including Node.js, Express, Angular, and TypeScript.
Key Features:
Scoreboard for progress tracking, extensive hacking challenges, RESTful API component, modern JavaScript frameworks.
OWASP WebGoat
Description:
WebGoat is a deliberately insecure web application specifically designed to teach security lessons related to Java-based applications, particularly those using common open-source components.
Scope:
Focuses on demonstrating common server-side application flaws through interactive exercises. Its pedagogical approach is to explain each vulnerability, provide a hands-on assignment, and then discuss potential mitigations. Includes WebWolf, a companion app used by specific challenges.
Beyond pre-built vulnerable applications, other resources exist that facilitate security learning, sometimes by providing frameworks to build custom labs or offering comprehensive training platforms.
Docker Security Playground (DSP)
DSP is a microservices-based framework designed for studying network security and penetration testing techniques. It leverages Docker Compose to allow users to create, graphically edit, and manage custom network scenarios and vulnerability labs. It empowers users to build their own labs rather than providing a single, pre-defined vulnerable application.
PortSwigger Web Security Academy
This is a widely respected, free online training center provided by the creators of Burp Suite. It offers extensive learning materials covering numerous web security topics, complemented by interactive labs where users can practice exploiting vulnerabilities. It functions as a comprehensive learning platform rather than a single downloadable open-source project.
Vulnerable-by-design applications are genuinely insecure. They should NEVER be deployed on production servers or any internet-facing systems. Accidental exposure or misconfiguration can lead to the compromise of the host machine or network. Always use these educational resources within isolated environments (e.g., local Docker instances whose published ports are bound to 127.0.0.1, so that only the host itself can reach them).
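The loopback-binding advice above is easy to get wrong in a Compose file, because a mapping written as `"3000:3000"` is published on every interface. The script below is an added example (not code from the page or from any of the projects it lists): it shows the weak and the corrected `ports:` entries side by side and audits a Compose file for mappings that are not bound to 127.0.0.1. The Compose fragments are constructed for the example; the image names and ports are the published ones for OWASP Juice Shop (`bkimminger/juice-shop`, port 3000) and WebGoat (`webgoat/webgoat`, ports 8080 and 9090).

```shell
#!/bin/sh
# Added example, not part of the original page: a pre-deployment check that every
# published port in a docker-compose file binds to the loopback address only.
# Docker publishes "3000:3000" on 0.0.0.0 (all interfaces); "127.0.0.1:3000:3000"
# keeps the lab reachable from the host alone.

# Return 0 when a single port mapping such as "127.0.0.1:3000:3000" is loopback-bound.
# A mapping with no host address ("3000:3000") is treated by Docker as 0.0.0.0.
port_is_loopback() {
  case "$1" in
    127.0.0.1:*:*|\[::1\]:*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every port mapping in a Compose file that is NOT loopback-bound.
# Returns 1 if at least one such mapping exists, 0 if the file is clean.
audit_compose_ports() {
  rc=0
  # Match list items of the form `- "HOST:CONTAINER"` or `- "ADDR:HOST:CONTAINER"`
  # (quotes optional); the captured group is the mapping itself.
  for spec in $(sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([^"[:space:]]*[0-9]:[0-9][0-9]*\)"\{0,1\}.*$/\1/p' "$1"); do
    if ! port_is_loopback "$spec"; then
      echo "exposed on all interfaces: $spec"
      rc=1
    fi
  done
  return $rc
}

# Weak configuration (constructed sample): ports are published on every interface.
write_exposed_compose() {
  cat > "$1" <<'EOF'
services:
  juice-shop:
    image: bkimminger/juice-shop
    ports:
      - "3000:3000"
  webgoat:
    image: webgoat/webgoat
    ports:
      - "8080:8080"
      - "9090:9090"
EOF
}

# Corrected configuration (constructed sample): the same services bound to 127.0.0.1 only.
write_loopback_compose() {
  cat > "$1" <<'EOF'
services:
  juice-shop:
    image: bkimminger/juice-shop
    ports:
      - "127.0.0.1:3000:3000"
  webgoat:
    image: webgoat/webgoat
    ports:
      - "127.0.0.1:8080:8080"
      - "127.0.0.1:9090:9090"
EOF
}

# Demonstration: write both samples to a temp directory and audit each one.
demo_dir=$(mktemp -d)
write_exposed_compose "$demo_dir/exposed.yml"
write_loopback_compose "$demo_dir/loopback.yml"
for f in exposed.yml loopback.yml; do
  if audit_compose_ports "$demo_dir/$f"; then
    echo "$f: all published ports are loopback-only"
  else
    echo "$f: NOT safe to start on a shared network"
  fi
done
rm -rf "$demo_dir"
```

Run it before `docker compose up` on a lab host; the exposed sample reports all three mappings, the loopback sample passes. The same `127.0.0.1:HOST:CONTAINER` form applies to `docker run -p`, and the check is deliberately strict: it accepts only 127.0.0.1 and [::1], not other private addresses, because a lab bound to a LAN address is still reachable by every machine on that LAN.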
These applications are indispensable assets for practical cybersecurity education. They provide essential, safe, and legal sandboxes for hands-on learning that theoretical study alone cannot replicate.
The open-source projects listed offer a rich collection of environments covering various technologies. The increasing use of Docker simplifies deployment, making these tools more accessible. However, their inherent insecurity demands caution.
As cyber threats and development practices evolve, continuous learning is paramount. These projects provide invaluable means for professionals and students to hone skills, test defenses, and stay current with vulnerabilities and secure coding practices.