OWASP Vulnerable Web Applications Directory

An OWASP production project

A comprehensive registry of known vulnerable web and mobile applications for legal security testing and training.

WackoPicko

Vulnerable web application for testing web vulnerability scanners; used in the paper "Why Johnny Can't Pentest". Contains known vulnerabilities: XSS, SQLi, directory traversal, file inclusion, command injection, logic flaws, session issues. Docker image and BWA VM available.

Collections: offline, container
Technology: PHP
Categories: Free-form, Scanner test, Single-player
Author: adamdoupe
Stars: 350
Last contribution: Nov 17, 2021 (2y+)

Notes

Docker image: adamdoupe/wackopicko; also included in the OWASP BWA VM. short_open_tag required. Example logins: admin/admin, scanner1/scanner1; DB user wackopicko / webvuln!@#.
