Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀

Best hands-on lab for learning the fundamentals of cybersecurity and penetration testing workflows also packaged as Docker containers for fast, safe setup.

Sample vulnerable code and its exploit code

Damn Vulnerable Java (EE) Application

Vulnerable Client-Server Application (VuCSA) is made for learning how to perform penetration tests of non-http thick clients. It is written in Java (with JavaFX graphical user interface) and contains multiple challenges including SQL injection, RCE, XML vulnerabilities and more.

VyAPI - A cloud based vulnerable hybrid Android App

Conviso Vulnerable Web Application is the OSS project from the Conviso Application Security for the community. The project represents a vulnerable web application to practice security testing and improve your learning in AppSec..

gRPC Goat is a "Vulnerable by Design" lab created to provide an interactive, hands-on playground for learning and practicing gRPC security.

Examples of different vulnerabilities, in a variety of languages, shapes and sizes.

📧 [Research] E-Mail Injection: Vulnerable applications

OWASP Foundation Web Respository

An educational, lab-only Flask security project demonstrating how weak authentication logic can be broken in practice. Includes an intentionally vulnerable local login page and a simulated brute-force attacker script to show credential stuffing, missing rate limits, and plain-text passwords—paired with concrete guidance on hardening real-world app.

An intentionally vulnerable AI chatbot to learn and practice AI Security.

This is a collection of vulnerable machines that can help you to learn hacking, pentesting and bug hunting. I know there are a lot of lists out there, but most of them are not updated regularly. So I decided to make on myself. Hope this will help you

Several snippets of vulnerable code in different programming languages.

File Content Disclosure on Rails Test Case - CVE-2019-5418

IOTgoat is a vulnerable firmware made by the OWASP project. This is a custom made version of the 'IOTgoat firmware' built for the A5-V11 mini 3G router. This branch brings back the vulnerable IOT firmware back to a real IOT device, for a more realistic experience of IOT device exploitation on a budget.

Another vulnerable application for practicing web penetration testing.

Sample Spring API for testing

Intentionally insecure RAG demo for security testing. Test target for LLM Production Safety Scanner. DO NOT deploy publicly.