(opens in new window)

OWASP Vulnerable Web Applications Directory

An OWASP production project

A comprehensive registry of known vulnerable web and mobile applications for legal security testing and training.

play-webgoat

Vulnerable Play (Scala) application for attackers. Demonstrates where unvalidated client input can be improperly trusted and included in the response; avoids Twirl templates for the most part.

Collections offline
Technology Java Scala Play Framework
Categories Guided lessons Single-player
Stars 18 stars
Last contribution May 21, 2026 < 1mo
Link

Notes

sbt run; then http://localhost:9000. Cross-builds Scala 2.13 and 3.

← Back to directory