Security Practical Challenges - Offline and Downloadable

List of offline and downloadable vulnerable web applications for Penetration and Security Testing with that can be installed on a standard operating system (Linux, Windows, Mac OS X, etc) using a standard web platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc).


  1. The BodgeIt Store (Java): (download)

  2. The ButterFly Security Project (PHP): (download)

  3. bWAPP - an extremely buggy web application! (PHP): (download) (docs)

  4. Damn Vulnerable Web Application - DVWA (PHP): (download)

  5. Damn Vulnerable Web Services - DVWS (PHP): (download)

  6. OWASP Hackademic Challenges Project (PHP): (download)

  7. Google Gruyere (Python): (download)

  8. Hacme Bank (.NET): (download)

  9. Hacme Books (Java): (download)

  10. Hacme Casino (Ruby on Rails): (download)

  11. Hacme Shipping (ColdFusion): (download)

  12. Hacme Travel (C++): (download)

  13. OWASP Insecure Web App Project (Java): (download - orphaned)

  14. Mutillidae (PHP): (download)

  15. OWASP .NET Goat (C#): (download)

  16. Peruggia (PHP): (download)

  17. Puzzlemall (Java): (download) (docs)

  18. Stanford Securibench (Java) & Micro: (download)

  19. SQLI-labs (PHP): (download) (blog)

  20. SQLol (PHP): (download)

  21. OWASP Vicnum Project (Perl & PHP): (download)

  22. VulnApp (.NET): (CVS download & vulns)

  23. WackoPicko (PHP): (download) (whitepaper)

  24. OWASP WebGoat (Java): (download) (guide)

  25. OWASP ZAP WAVE - Web Application Vulnerability Examples (Java):

  26. Wavsep - Web Application Vulnerability Scanner Evaluation Project (Java): (download) (docs)

  27. WIVET - Web Input Vector Extractor Teaser: (download) (tests)

If you required any more information and help about any application please mail @ This email address is being protected from spambots. You need JavaScript enabled to view it.