Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀
Updated Nov 18, 2025 - HTML
Best hands-on lab for learning the fundamentals of cybersecurity and penetration testing workflows, also packaged as Docker containers for fast, safe setup.
Sample vulnerable code and its exploit code
Vulnerable Client-Server Application (VuCSA) is made for learning how to perform penetration tests of non-HTTP thick clients. It is written in Java (with a JavaFX graphical user interface) and contains multiple challenges including SQL injection, RCE, XML vulnerabilities and more.
VyAPI - A cloud based vulnerable hybrid Android App
Conviso Vulnerable Web Application is the OSS project from Conviso Application Security for the community. The project represents a vulnerable web application to practice security testing and improve your learning in AppSec.
gRPC Goat is a "Vulnerable by Design" lab created to provide an interactive, hands-on playground for learning and practicing gRPC security.
Examples of different vulnerabilities, in a variety of languages, shapes and sizes.
📧 [Research] E-Mail Injection: Vulnerable applications
OWASP Foundation Web Repository
A hands-on security lab demonstrating how weak authentication code can be exploited and how to harden it. Includes a vulnerable Flask login page and an attacker script to simulate brute-force credential stuffing. Learn common auth flaws, defensive coding practices, and concrete steps to secure real-world apps.
An intentionally vulnerable AI chatbot to learn and practice AI Security.
This is a collection of vulnerable machines that can help you to learn hacking, pentesting and bug hunting. I know there are a lot of lists out there, but most of them are not updated regularly. So I decided to make one myself. Hope this will help you.
Several snippets of vulnerable code in different programming languages.
File Content Disclosure on Rails Test Case - CVE-2019-5418
IOTgoat is a vulnerable firmware made by the OWASP project. This is a custom-made version of the 'IOTgoat firmware' built for the A5-V11 mini 3G router. This branch brings the vulnerable IOT firmware back to a real IOT device, for a more realistic experience of IOT device exploitation on a budget.
Another vulnerable application for practicing web penetration testing.
Web/API, AI/LLM/MCP, and Web3/Blockchain security labs; Android/iOS/Windows/macOS platforms plus PHP/Java/Node.js/Python stacks; Cloud/Kubernetes, AD, IoT/ICS, CTF, and other specialized domains. Continuously maintained collection of related resources.
Deliberately vulnerable REST API for OWASP Top 10 (2023) security testing and learning.