OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

A curated list of VULNERABLE APPS and SYSTEMS which can be used as PENETRATION TESTING PRACTICE LAB.

Awesome Vulnerable Applications

Twitter vulnerable snippets

The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.

Damn Vulnerable NodeJS Application

A lib that allows using mhyprot2 driver for enum process modules, r/w process memory and kill process.

An open source Android application that is intentionally vulnerable so as to act as a learning platform for Android application security beginners.

Damn Vulnerable Web Application Docker container

Intentionally vulnerable Android application.

Web application with vulnerabilities found in real cases, both in pentests and in Bug Bounty programs.

A Broken Application - Very Vulnerable!

Damn Vulnerable eXtensive Training Environment

Vulnerable Client-Server Application (VuCSA) is made for learning how to perform penetration tests of non-http thick clients. It is written in Java (with JavaFX graphical user interface) and contains multiple challenges including SQL injection, RCE, XML vulnerabilities and more.

Frida scripts for mobile application dynamic-analysis.

An app with really insecure crypto. To be used to see/test/exploit weak cryptographic implementations as well as to learn a little bit more about crypto, without the need to dive deep into the math behind it

Vulnerable Python Application To Learn Secure Development

Vulnerable OTP/2FA Application written in PHP using Google Authenticator

OpenSSH remote DOS exploit and vulnerable container

🔬 A collection of test cases in the Java language. It contains examples for 112 different CWEs.