Penetration testing commands for Intentionally Vulnerable Applications

Intentionally vulnerable applications are developed to provide a safe environment for practising security assessments and learning exploitation techniques without real-world consequences.

NameDescriptionPrice
BodhiClient-side vulnerability playground, CTF style application, a bot program which simulates the real-world victimFree
Bust-A-KubeIntentionally-vulnerable Kubernetes cluster, intended to help people self-train on attacking and defending Kubernetes clustersFree
bWAPPBuggy Web Application, insecure webapp for security trainingsFree
DVGADamn Vulnerable GraphQL Application, insecure webapp for GraphQL security trainingsFree
DVIADamn Vulnerable iOS App, insecure webapp for mobile security trainingsFree
DVWADamn Vulnerable Web Application, insecure webapp for security trainingsFree
Google GruyereCodelab for white-box and black-box hackingFree
HackazonIntentionally vulnerable web shopping application using modern technologies and containing configurable areasFree
MetasploitableVM that is built from the ground up with a large amount of security vulnerabilitiesFree
OWASP Juice ShopInsecure web application with >85 challenges; supports CTFs, custom themes, tutorial mode etc.Free
OWASP Mutillidae IIIntentionally vulnerable web-application containing some OWASP Top Ten vulnerabilities, with hints and switch for secure version of the codeFree
OWASP WebGoatDeliberately insecure web application to teach web application security lessonsFree
simulatorDistributed systems and infrastructure simulator for attacking and debugging Kubernetes, creates a Kubernetes cluster in AWS and runs scenarios which misconfigure it or leave it vulnerable to compromise to train in mitigating against these vulnerabilitiesFree
VAmPIVulnerable REST API with OWASP top 10 vulnerabilities for security testing Free
XVNAExtreme Vulnerable Node Application, insecure webapp for security trainingsFree