Secure coding

Vulnerable web apps (from OWASP and others)

August 27, 2020 by Srinivas

Web application attacks significantly contribute to the breaches and various other cyberattacks. In fact, web applications provide an easy entry point to attackers if vulnerable. Something like the Equifax breach, which happened through a struts vulnerability, takes a lifetime to forget about.

With the passing of time, some of the vulnerabilities may fade out while other classes of vulnerabilities emerge. This is what happened in 2015 when Java deserialization vulnerabilities blew up the information security world. It is not easy to keep up with ever-changing vulnerability classes without hands-on experience. Thus, penetration testers and security professionals need vulnerable playgrounds to understand and legally practice various web security vulnerabilities. 

In this article, we will go through some of the existing vulnerable web applications that can be used to identify and exploit web application vulnerabilities.

List of top deliberately vulnerable web application

Let’s explore some of the top vulnerable web applications that can be used to practice web application vulnerabilities in various languages. 

OWASP WebGoat 

WebGoat is an OWASP project developed in Java. Many large enterprises use web applications built using Java, and WebGoat is a good candidate to learn vulnerabilities specifically in Java-based web applications. This is an open-source application; this means we can also understand vulnerabilities with source code examples.

A majority of the free software applications are available as Docker images these days, which makes it easy to use them. WebGoat is also available as a Docker image and we can quickly spin up a container and play with WebGoat. 

The following image shows the WebGoat UI after launching it.

Docker Hub:



Damn Vulnerable Web Application (DVWA) is another popular vulnerable web application developed in PHP. Since this is developed in PHP, beginners usually find it easy to follow. Each vulnerability contains various difficult levels from Low to High, so it is possible to learn web security at varying difficulty levels. PHP source code snippets are provided in each challenge and thus, it is possible to find the flaws by reviewing the source code. 

DVWA is also available as a Docker image and we can quickly spin up a container and play with DVWA. 

The following image shows DVWA UI after launching it.

Docker Hub:



Xtreme Vulnerable Web Application (XVWA) is a badly coded web application written in PHP/MySQL to help security enthusiasts learn application security. The XVWA application is ideal if you want an easy-to-use application with some modern-day attacks covered. Some not-so-traditional vulnerabilities such as server-side template injection and server-side request forgery are covered in this application.

The authors of XVWA did not create a Docker image, but it was made available by someone else and featured on the official GitHub page of XVWA. 

The following figure shows XVWA UI after launching it.

Docker Container:



Buggy Web Application (bWAPP) is another free and open-source vulnerable web application. bWAPP comes with a comprehensive list of vulnerabilities with great coverage. 

There are several vulnerabilities covered in bWAPP that are not covered in any other vulnerable web application, such as Heartbleed and Shellshock. However, we need to download the virtual machine to avail ourselves of some of these rarely seen vulnerabilities. The reason for this is that these vulnerabilities require additional configurations on the server where the web application is installed. 

The virtual machine, bee-box, already contains these configurations and thus these vulnerabilities are ready to use. The bottom line is, we can get the best of bWAPP if we use the bee-box VM. There is also a Docker image made available, which can be used to quickly spin up the web application.

The following image shows bWAPP UI after launching it.

Docker Container:


OWASP Juice Shop 

Juice Shop is an OWASP project, the most modern and sophisticated insecure web application. Juice Shop is written in Node.js, Express and Angular. Since this application is completely written in JavaScript, it is considered an application built using modern technologies, unlike other vulnerable applications such as WebGoat and DVWA. 

This application is a great choice if one wants to practice their attacks against applications developed using JavaScript technologies. There is also a Docker image available, which can be used to quickly spin up the web application.

The following figure shows OWASP Juice Shop UI after launching it.

Docker Container:



OWASP WEBGOAT.NET is a deliberately vulnerable web application developed using C# .NET. This application is useful if someone is specifically interested in learning security vulnerabilities associated with .NET applications.

Webgoat.NET has a docker image available on Docker Hub, which can be used to quickly spin up the web application.

The following image shows OWASP WEBGOAT.NET UI after launching it.

Docker Container:


Other vulnerable web apps worth looking at

We have covered several unique and commonly used vulnerable web applications in this article. However, following are some other applications that are worth looking at. 

  • OWASP Rails Goat Project: This is the project you want if you want a vulnerable application developed using Ruby On Rails.
  • VulnerableSAMLApp: During penetration tests in enterprise environments, we often come across applications with Single Sign-On setup. If we want to get our hands dirty with some SAML-based SSO vulnerabilities, VulnerableSAMLApp is worth taking a look at.
  • JWTdemo: JSON web tokens are commonly used in many REST API-based applications. JWTdemo is an application, which can be used to practice JWT-based attacks.


We discussed several vulnerable web applications which are great resources to start learning web application security. These vulnerable apps provide great value as they can assist security professionals to have deeper and practical understanding of security vulnerabilities. 

It is worth noting that all of the vulnerable applications shown in the article can be set up locally in the laptop using virtualization software such as a virtual machine.


Posted: August 27, 2020
View Profile

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs Email: