(opens in new window)

OWASP Vulnerable Web Applications Directory

An OWASP production project

A comprehensive registry of known vulnerable web and mobile applications for legal security testing and training.

WebGoat

A deliberately insecure application that allows developers to test vulnerabilities commonly found in Java-based applications that use common and popular open source components. De facto interactive teaching environment for web application security; lessons cover the OWASP Top 10 and more.

Collections offline
Technology Java
Categories Guided lessons Single-player
Author OWASP
Stars 9140 stars
Last contribution May 30, 2026 < 1mo
Link Download Guide Docker

Notes

Default configuration binds to localhost. Disconnect from the Internet while using. For educational use only.

← Back to directory