Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀

Best hands-on lab for learning the fundamentals of cybersecurity and penetration testing workflows also packaged as Docker containers for fast, safe setup.

Sample vulnerable code and its exploit code

Damn Vulnerable Java (EE) Application

Vulnerable Client-Server Application (VuCSA) is made for learning how to perform penetration tests of non-http thick clients. It is written in Java (with JavaFX graphical user interface) and contains multiple challenges including SQL injection, RCE, XML vulnerabilities and more.

VyAPI - A cloud based vulnerable hybrid Android App

Conviso Vulnerable Web Application is the OSS project from the Conviso Application Security for the community. The project represents a vulnerable web application to practice security testing and improve your learning in AppSec..

gRPC Goat is a "Vulnerable by Design" lab created to provide an interactive, hands-on playground for learning and practicing gRPC security.

Web Application Pentesting Lab with over 40 plus vulnerability, which covers all the owasp top 10 issues.

Examples of different vulnerabilities, in a variety of languages, shapes and sizes.

An intentionally vulnerable AI chatbot to learn and practice AI Security.

📧 [Research] E-Mail Injection: Vulnerable applications

OWASP Foundation Web Respository

This is a collection of vulnerable machines that can help you to learn hacking, pentesting and bug hunting. I know there are a lot of lists out there, but most of them are not updated regularly. So I decided to make on myself. Hope this will help you

LLMForge is a modular AI security gateway for building and testing dynamic LLM-based vulnerability labs. Designed for prompt injection research, exploit simulation, and AI attack experimentation.

Several snippets of vulnerable code in different programming languages.

File Content Disclosure on Rails Test Case - CVE-2019-5418

Self-hosted Dockerized pentest lab: five intentionally-vulnerable apps (store, bank, finance, SaaS + a dedicated AI/LLM lab) — 280+ vulns across OWASP Top 10 & the full LLM Top 10. The AI is a built-in deterministic offline engine: NO model, NO API key. A modern DVWA / Juice Shop alternative.

Web/API, AI/LLM/MCP, and Web3/Blockchain security labs Android/iOS/Windows/macOS platforms plus PHP/Java/Node.js/Python stacks Cloud/Kubernetes, AD, IoT/ICS, CTF, and other specialized domains Continuously maintained collection of related resources

IOTgoat is a vulnerable firmware made by the OWASP project. This is a custom made version of the 'IOTgoat firmware' built for the A5-V11 mini 3G router. This branch brings back the vulnerable IOT firmware back to a real IOT device, for a more realistic experience of IOT device exploitation on a budget.