15 Vulnerable Offline Web Applications to Practice Security Testing

To improve your pen testing skills yet is important to know how to find bugs and vulnerabilities in web applications. The following offline web applications can be downloaded so you can practice your skills , if you are a beginner these are a priceless resource to get some real life practice. Even a developer can loook at these and learn from the mistakes so he can avoid them in his own web application. Anyway on with the list


bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.
bWAPP prepares one to conduct successful penetration testing and ethical hacking projects.

bWAPP has over 100 web vulnerabilities covering all major known web bugs, including all risks from the OWASP Top 10 project.



Bricks is a web application security learning platform built on PHP and MySQL. The project focuses on variations of commonly seen application security issues. Each ‘Brick’ has some sort of security issue which can be leveraged manually or using automated software tools. The mission is to ‘Break the Bricks’ and thus learn the various aspects of web application security.


Damn Vulnerable Web App

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

Download from https://github.com/ethicalhack3r/DVWA

Damn Vulnerable Web Services

Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities. The aim of this project is to help security professionals learn about Web Application Security through the use of a practical lab environment.

This application includes the following vulnerabilities.

WSDL Enumeration
XML External Entity Injection
XML Bomb Denial-of-Service
XPATH Injection
WSDL Scanning
Cross Site-Tracing
OS Command Injection
Server Side Request Forgery
REST API SQL Injection
Same Origin Method Execution
JSON Web Token (JWT) Secret Key Brute Force
Cross-Origin Resource Sharing



DVTA is a Vulnerable Thick Client Application developed in C# .NET

Some of the vulnerabilities covered in this Application.

Insecure local data storage
Insecure logging
Weak cryptography
Lack of code obfuscation
Exposed decryption logic
SQL Injection
CSV Injection
Sensitive data in memory
DLL Hijacking
Clear text data in transit


OWASP Damn Vulnerable Web Sockets (DVWS)

OWASP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication. The flow of the application is similar to DVWA. You will find more vulnerabilities than the ones listed in the application.



Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.



RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some “extras” that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.


SQLI labs

SQLI-LABS is a platform to learn SQLI Following labs are covered for GET and POST scenarios:

Error Based Injections (Union Select)
Error Based Injections (Double Injection Based)
BLIND Injections: 1.Boolian Based 2.Time Based
Update Query Injection.
Insert Query Injections.
Header Injections. 1.Referer based. 2.UserAgent based. 3.Cookie based.
Second Order Injections
Bypassing WAF
Bypassing Blacklist filters Stripping comments Stripping OR & AND Stripping SPACES and COMMENTS Stripping UNION & SELECT
Impidence mismatch
Bypass addslashes()
Bypassing mysql_real_escape_string. (under special conditions)
Stacked SQL injections.
Secondary channel extraction


WebGoat 8.0

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.



XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It’s totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for good purpose.



Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.


Metasploitable 2

Metasploitable is virtual machine based on Linux that contains several intentional vulnerabilities for you to exploit. Metasploitable is essentially a penetration testing lab in a box, available as a VMware virtual machine (VMX).You can use tools like Metasploit and Nmap to test this application.



A preconfigured, stand-alone training environment for Web Application Security. Virtualbox and VMware versions for download. See “View all files” for VMware version.



OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. Has over 40 vulnerabilities and challenges. Contains at least one vulnerability for each of the OWASP Top Ten 2007, 2010, 2013 and 2017



Did we miss an offline web application, do you use one that is not on the risk or maybe you are the developer of one. Let us know in the comments and we will take a look and add it to our list