Web Application Hacking - List of vulnerable web applications

Web Hacking Practice Applications

List of vulnerable web applications and Mobile Applications (please scroll to bottom of page) to pwn and learn.

This will be updated on periodic basis.


Vulnerable Web Applications

Damn Vulnerable Node Application (DVNA) - https://github.com/quantumfoam/DVNA/
Damn Vulnerable Web App (DVWA) - http://www.dvwa.co.uk/
Damn Vulnerable Web Services (DVWS) - http://dvws.professionallyevil.com/
Drunk Admin Web Hacking Challenge -  https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/
Exploit KB Vulnerable Web App - http://exploit.co.il/projects/vuln-web-app/
Foundstone Hackme Bank -  http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
Foundstone Hackme Books - http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
Foundstone Hackme Casino -  http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
Foundstone Hackme Shipping- http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
Foundstone Hackme Travel - http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
GameOver - http://sourceforge.net/projects/null-gameover/
hackxor - http://hackxor.sourceforge.net/cgi-bin/index.pl
OWASP Security Shepherd - https://www.owasp.org/index.php/OWASP_Security_Shepherd
PentesterLab - https://pentesterlab.com/
PHDays iBank CTF - http://blog.phdays.com/2012/05/once-again-about-remote-banking.html
SecuriBench - http://suif.stanford.edu/~livshits/securibench/
SentinelTestbed - https://github.com/dobin/SentinelTestbed
SocketToMe - http://digi.ninja/projects/sockettome.php
sqli-labs - https://github.com/Audi-1/sqli-labs 
MCIR (Magical Code Injection Rainbow) - https://github.com/SpiderLabs/MCIR
sqlilabs - https://github.com/himadriganguly/sqlilabs
Hackazon - https://github.com/rapid7/hackazon
LAMPSecurity - http://sourceforge.net/projects/lampsecurity/
Moth - http://www.bonsai-sec.com/en/research/moth.php
NOWASP / Mutillidae 2 - http://sourceforge.net/projects/mutillidae/
OWASP BWA - http://code.google.com/p/owaspbwa/
OWASP Hackademic - http://hackademic1.teilar.gr/
OWASP SiteGenerator - https://www.owasp.org/index.php/Owasp_SiteGenerator
OWASP Bricks - http://sourceforge.net/projects/owaspbricks/
VulnApp - http://www.nth-dimension.org.uk/blog.php?id=88
PuzzleMall - http://code.google.com/p/puzzlemall/
WackoPicko - https://github.com/adamdoupe/WackoPicko
WAED - http://www.waed.info
WebGoat.NET - https://github.com/jerryhoff/WebGoat.NET/
WebSecurity Dojo - http://www.mavensecurity.com/web_security_dojo/
XVWA - https://github.com/s4n7h0/xvwa
Zap WAVE - http://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip
BadStore - http://www.badstore.net/
BodgeIt Store - http://code.google.com/p/bodgeit/
Butterfly Security Project - http://thebutterflytmp.sourceforge.net/
bWAPP
http://www.mmeit.be/bwapp/
http://sourceforge.net/projects/bwapp/files/bee-box/
Commix - https://github.com/stasinopoulos/commix-testbed
CryptOMG - https://github.com/SpiderLabs/CryptOMG

Vulnerable Mobile Applications

ExploitMe Mobile iPhone Labs - http://securitycompass.github.io/iPhoneLabs/
Damn Vulnerable FirefoxOS Application (DVFA) - https://github.com/pwnetrationguru/dvfa/
Damn Vulnerable iOS App (DVIA) - http://damnvulnerableiosapp.com/
InsecureBank - http://www.paladion.net/downloadapp.html
NcN Wargame - http://noconname.org/evento/wargame/
Damn Vulnerable Android App (DVAA) - https://code.google.com/p/dvaa/
Hacme Bank Android - http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx
OWASP iGoat - http://code.google.com/p/owasp-igoat/
OWASP Goatdroid - https://github.com/jackMannino/OWASP-GoatDroid-Project
ExploitMe Mobile Android Labs - http://securitycompass.github.io/AndroidLabs/