Deliberately vulnerable web applications are purpose-built tools for learning and practicing application security. Unlike real-world targets, they’re legal to attack, designed to break, and annotated with explanations of what went wrong.
This guide covers the best vulnerable apps for 2026 — what each one covers, how to set them up, and which is the right choice for your goals.
Why use deliberately vulnerable applications?
Real-world penetration testing requires authorization. Training on production applications — even your own — introduces risk. Deliberately vulnerable apps solve both problems:
- Safe environment — you own it, you control it, breaking it is the point
- Reproducible — reset to a clean state after every exercise
- Annotated — most explain why each vulnerability exists and how to fix it
- Exam-relevant — CEH, OSCP, and most AppSec certifications expect hands-on lab experience
They’re also useful for benchmarking your SAST and DAST tools before you point them at real code: a scanner that can’t find the textbook SQL injection in DVWA is unlikely to find a subtler one in production.
DVWA — Damn Vulnerable Web Application
Best for: Beginners learning OWASP Top 10, SAST/DAST benchmarking
DVWA is a PHP/MySQL web application with intentional vulnerabilities at four security levels (Low, Medium, High, and Impossible). The first three are progressively harder to exploit; Impossible is the secure reference implementation, which makes it a handy true-negative set when you want to check that a scanner stays quiet on correctly written code. Each vulnerability class has its own page with a code viewer showing the source for the current level, so you can compare the vulnerable and fixed versions side by side.
Vulnerability classes covered:
- SQL Injection (standard and blind)
- Command Injection
- File Upload, File Inclusion (LFI/RFI)
- Cross-Site Scripting (Reflected, Stored, and DOM)
- Cross-Site Request Forgery (CSRF)
- Brute Force
- Insecure CAPTCHA
- JavaScript attacks
- Weak Session IDs, CSP Bypass
Setup (Docker — fastest):
docker run --rm -it -p 80:80 vulnerables/web-dvwa
# Access at http://localhost/ (use e.g. -p 8081:80 if port 80 is already taken)
# On first visit open /setup.php and click "Create / Reset Database", then log in
# Default credentials: admin / password
# Set the level on the "DVWA Security" page; start with Low
Using DVWA with SAST: Point your static analysis tool at the DVWA PHP source. A good scanner should flag SQL injection in vulnerabilities/sqli/source/low.php, command injection in vulnerabilities/exec/source/low.php, and file inclusion in vulnerabilities/fi/source/low.php. It should also stay quiet on the impossible.php in each of those directories, which is the validated, parameterized version of the same page. Misses on low.php are a recall problem; hits on impossible.php are false positives. Tune your rules against both.
OWASP Juice Shop
Best for: Modern web app vulnerabilities, JavaScript/Node.js security, CTF-style challenges
Juice Shop is one of the most actively maintained vulnerable apps available in 2026. It’s a realistic single-page application (Angular frontend, Node.js/Express backend) with 100+ challenges organized by difficulty and OWASP category. There’s a built-in score board, a hints system, and a CTF mode.
Unique aspects:
- Realistic UI — looks like a real e-commerce app, not a lab toy
- Covers the OWASP Top 10 plus categories beyond it (broken anti-automation, security through obscurity, unvalidated redirects, XXE)
- Excellent for DAST testing — running tools against it surfaces real-world-style vulnerabilities
- Actively maintained, updated regularly
docker run --rm -p 3000:3000 bkimminich/juice-shop
# Access at http://localhost:3000/
Using Juice Shop with DAST: Point your dynamic scanner at http://localhost:3000/. A thorough crawl-and-attack run should solve the injection, XSS, and authentication challenges; the business-logic challenges generally need a human, so don’t count those against the tool. Juice Shop marks a challenge solved whenever its trigger condition is met, by whatever client, so the score board at /#/score-board (and the same data at /api/Challenges/) shows which challenges the scanner’s traffic actually solved. Snapshot it before and after the run and compare.
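The snapshot-and-compare step above, as an added example written for this article (it is not code from Juice Shop or from any scanner vendor): the script reads /api/Challenges/, which Juice Shop exposes without authentication and which carries a per-challenge `solved` flag, and diffs two snapshots to list what a DAST run triggered. The endpoint and its `status`/`data[].name|category|difficulty|solved` fields are Juice Shop’s public API; the base URL assumes the docker command above, and the challenge entries in the embedded sample are constructed stand-ins for the 100+ a real instance returns.

```python
"""Measure what a DAST run against Juice Shop actually triggered.

Added example for this article, not part of Juice Shop or of any scanner.
Workflow: snapshot /api/Challenges/, run the scan, snapshot again, diff the
"solved" flags. BASE_URL assumes `docker run -p 3000:3000 bkimminich/juice-shop`.
"""
import json
import sys
import urllib.request
from collections import Counter

BASE_URL = "http://localhost:3000"


def fetch_challenges(base_url: str = BASE_URL) -> str:
    """Return the raw JSON body of /api/Challenges/ from a running instance."""
    with urllib.request.urlopen(f"{base_url}/api/Challenges/", timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_challenges(body: str) -> dict:
    """Map challenge name -> (category, difficulty, solved) from the API JSON."""
    payload = json.loads(body)
    if payload.get("status") != "success":
        raise ValueError(f"unexpected API status: {payload.get('status')!r}")
    return {
        c["name"]: (c["category"], int(c["difficulty"]), bool(c["solved"]))
        for c in payload["data"]
    }


def newly_solved(before: dict, after: dict) -> list:
    """Challenges unsolved in the first snapshot and solved in the second."""
    return sorted(
        name for name, (_, _, solved) in after.items()
        if solved and not before.get(name, (None, None, False))[2]
    )


def summarise(names: list, challenges: dict) -> Counter:
    """Count newly solved challenges per Juice Shop category."""
    return Counter(challenges[n][0] for n in names)


# Constructed snapshots in the shape /api/Challenges/ returns, trimmed to the
# fields used here. The names are assumed to match real challenges; the values
# are made up for the example.
BEFORE_JSON = json.dumps({"status": "success", "data": [
    {"name": "Login Admin", "category": "Injection", "difficulty": 2, "solved": False},
    {"name": "DOM XSS", "category": "XSS", "difficulty": 1, "solved": False},
    {"name": "Score Board", "category": "Miscellaneous", "difficulty": 1, "solved": True},
    {"name": "Forged Coupon", "category": "Cryptographic Issues", "difficulty": 6, "solved": False},
]})
AFTER_JSON = json.dumps({"status": "success", "data": [
    {"name": "Login Admin", "category": "Injection", "difficulty": 2, "solved": True},
    {"name": "DOM XSS", "category": "XSS", "difficulty": 1, "solved": True},
    {"name": "Score Board", "category": "Miscellaneous", "difficulty": 1, "solved": True},
    {"name": "Forged Coupon", "category": "Cryptographic Issues", "difficulty": 6, "solved": False},
]})


def main(argv: list) -> int:
    # Usage: python juice_diff.py snapshot > before.json
    #        (run the DAST scan)
    #        python juice_diff.py snapshot > after.json
    #        python juice_diff.py diff before.json after.json
    if argv[1:2] == ["snapshot"]:
        print(fetch_challenges())
        return 0
    if argv[1:2] == ["diff"] and len(argv) == 4:
        with open(argv[2], encoding="utf-8") as fh:
            before = parse_challenges(fh.read())
        with open(argv[3], encoding="utf-8") as fh:
            after = parse_challenges(fh.read())
        solved = newly_solved(before, after)
        print(f"{len(solved)} challenge(s) solved by the scan:")
        for name in solved:
            category, difficulty, _ = after[name]
            print(f"  [{category}] {name} (difficulty {difficulty})")
        print("by category:", dict(summarise(solved, after)))
        return 0
    print(__doc__)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the `snapshot` subcommand before and after the scan and `diff` the two files; anything that shows up is a challenge the scanner’s traffic solved, which is a far more honest measure than the count of alerts in the scanner’s own report. Restart the container between tool comparisons so each starts from the same unsolved state.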
WebGoat
Best for: Java developers, Spring-based application security, lesson-style guided training
WebGoat is OWASP’s primary Java-based training platform. Each lesson explains a vulnerability concept, walks through an attack, and requires the student to exploit it themselves before moving on. It’s more educational than DVWA — less “find the bug” and more “understand why the bug exists.”
Coverage includes:
- SQL injection (introduction, advanced, and mitigation lessons; the mitigation lesson includes injecting into an ORDER BY column name, which parameterization alone doesn’t cover)
- LDAP injection
- XML injection, XPath injection
- Cross-site scripting
- JWT attacks
- Insecure deserialization (Java-specific)
- Path traversal
- HTTP request smuggling
docker run -it -p 8080:8080 -p 9090:9090 webgoat/webgoat
# Access at http://localhost:8080/WebGoat and register a user on first visit
# Port 9090 serves WebWolf, the companion app some lessons use for mail and file drops
Good for: Testing SAST tools against Java source. WebGoat’s source code is on GitHub (github.com/WebGoat/WebGoat): clone it and run your static analyzer to verify it detects the known vulnerabilities before relying on it for real Java projects.
bWAPP — Buggy Web Application
Best for: Breadth — over 100 vulnerability types in one app
bWAPP (Buggy Web Application) is about breadth: over 100 bugs spanning the OWASP Top 10, the WASC Threat Classification, and a long tail of more obscure weaknesses, all in one PHP/MySQL app.
Notable coverage:
- HTML injection (reflected and stored)
- OS command injection (standard and blind)
- XML/XPath/LDAP injection
- Server-side request forgery (SSRF)
- Clickjacking, framebusting bypass
- Heartbleed, Shellshock (simulated)
- Unvalidated redirects
docker run -d -p 80:80 raesene/bwapp
# Access http://localhost/bWAPP/install.php first (creates the database), then /bWAPP/login.php
# Default credentials: bee / bug
# Use a different host port (e.g. -p 8082:80) if DVWA is already bound to 80
HackTheBox & TryHackMe (hosted platforms)
For teams that want browser-based labs without Docker setup, these platforms provide pre-configured vulnerable machines:
HackTheBox (HTB):
- More realistic — machines mimic real-world servers
- Requires enumeration, exploitation, and privilege-escalation skills, not just web testing
- Active machines have no official write-ups, so you need to find your own path in; retired machines have public write-ups to learn from
- Best for: intermediate to advanced practitioners
TryHackMe (THM):
- Guided learning paths for beginners
- Web app security rooms cover OWASP Top 10, SQLMap, Burp Suite basics
- No local setup required: the AttackBox runs in the browser, or you can connect over VPN from your own machine
- Best for: structured beginner training
NodeGoat
Best for: Node.js / JavaScript security, Express application vulnerabilities
NodeGoat is a Node.js application with intentional OWASP vulnerabilities. It’s the JavaScript equivalent of WebGoat — a good target if your stack is Node/Express and you want to verify your SAST tool handles JavaScript-specific issues.
git clone https://github.com/OWASP/NodeGoat
cd NodeGoat
docker-compose build && docker-compose up
# Access at http://localhost:4000/
# The compose file starts the app and its MongoDB together, so no local npm install is needed
Which app should you use?
| Goal | Best app |
|---|---|
| Learning OWASP Top 10 from scratch | DVWA (beginner) → Juice Shop (intermediate) |
| Testing DAST tools against a realistic target | OWASP Juice Shop |
| Testing SAST tools against Java code | WebGoat |
| Testing SAST tools against PHP code | DVWA |
| Testing SAST tools against Node.js code | NodeGoat |
| Maximum breadth (100+ vulnerability types) | bWAPP |
| Structured beginner training without setup | TryHackMe |
| Realistic CTF-style challenges | HackTheBox |
Using vulnerable apps to benchmark your security tools
Before running a SAST or DAST tool on your production codebase, test it against a known-vulnerable target:
- Clone the source (DVWA, WebGoat, NodeGoat) and run your SAST scanner
- Check whether it flags the known-vulnerable functions — SQL injection sinks, command injection, hardcoded credentials
- Deploy the app locally and run your DAST scanner against it
- Verify it finds XSS, SQLi, auth bypasses in the running app
- Use this to calibrate confidence in the scanner before applying it to real code
If your scanner misses the obvious injection points in DVWA’s low.php, it will miss similar patterns in production. Passing the benchmark is a floor, not a ceiling: these apps use textbook sinks, so a clean run confirms the tool is wired up and its rules are enabled, not that it will catch framework-specific or logic bugs in your code. Record what it reports on DVWA’s impossible.php too, so false positives are measured alongside misses. Benchmarking against vulnerable apps in this way is standard practice before any security tool rollout.
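The SAST half of this procedure, and the low.php/impossible.php check from the DVWA section, as an added example written for this article (not code from DVWA, Offensive360, or any scanner): the script scores a scanner’s SARIF output against DVWA’s known sinks. The three low.php paths are the ones named above and impossible.php is the fixed version DVWA ships in the same directories; the assumptions are that the scanner can emit SARIF 2.1.0 (most modern SAST tools can), that it was run over a checkout of the DVWA repository so result URIs end in those paths, and that rule ids or messages mention the vulnerability class by one of the keywords listed. The embedded SARIF is constructed to stand in for a real scan.

```python
"""Score a SAST run against DVWA's known sinks.

Added example for this article, not part of DVWA or of any scanner.
Input: a SARIF 2.1.0 file produced by scanning a DVWA checkout. low.php in each
listed directory must be flagged; impossible.php (the secure version in the same
directory) must not be.
"""
import json
from dataclasses import dataclass, field

# Expected-positive files and keywords a matching rule id/message should contain.
# Paths are DVWA's own; the keyword lists are this script's assumption about how
# scanners commonly phrase their rules.
EXPECTED_SINKS = {
    "vulnerabilities/sqli/source/low.php": ("sql", "sqli", "injection"),
    "vulnerabilities/exec/source/low.php": ("command", "exec", "os"),
    "vulnerabilities/fi/source/low.php": ("include", "inclusion", "path", "file"),
}
# Same directories, secure implementation: any finding here is a false positive.
EXPECTED_CLEAN = [p.replace("low.php", "impossible.php") for p in EXPECTED_SINKS]


@dataclass
class Score:
    detected: dict = field(default_factory=dict)   # expected file -> rule id that hit
    missed: list = field(default_factory=list)
    false_positives: list = field(default_factory=list)

    @property
    def recall(self) -> float:
        return len(self.detected) / len(EXPECTED_SINKS)


def _iter_results(sarif: dict):
    """Yield (uri, rule_id, message) for every result location in every run."""
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            rule = res.get("ruleId", "")
            msg = res.get("message", {}).get("text", "")
            for loc in res.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri", ""))
                yield uri, rule, msg


def _normalise(uri: str) -> str:
    # Scanners emit relative paths, absolute paths or file:// URIs; key on the
    # DVWA-relative tail so all of them compare equal.
    uri = uri.replace("\\", "/")
    idx = uri.find("vulnerabilities/")
    return uri[idx:] if idx >= 0 else uri


def score_sarif(sarif: dict) -> Score:
    """Compare every result against the expected-positive and expected-clean sets."""
    score = Score()
    for uri, rule, msg in _iter_results(sarif):
        path = _normalise(uri)
        haystack = f"{rule} {msg}".lower()
        if path in EXPECTED_SINKS:
            if any(k in haystack for k in EXPECTED_SINKS[path]):
                score.detected.setdefault(path, rule)
        elif path in EXPECTED_CLEAN:
            score.false_positives.append((path, rule))
    score.missed = [p for p in EXPECTED_SINKS if p not in score.detected]
    return score


def score_sarif_file(path: str) -> Score:
    with open(path, encoding="utf-8") as fh:
        return score_sarif(json.load(fh))


# Constructed SARIF standing in for a real scan: sqli and exec found, fi missed,
# and one false positive on the secure sqli page.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "php.security.sqli.tainted-sql-string",
             "message": {"text": "User input reaches SQL query"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "/src/DVWA/vulnerabilities/sqli/source/low.php"}}}]},
            {"ruleId": "php.security.exec.command-injection",
             "message": {"text": "shell_exec with tainted argument"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "vulnerabilities/exec/source/low.php"}}}]},
            {"ruleId": "php.security.sqli.tainted-sql-string",
             "message": {"text": "User input reaches SQL query"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "vulnerabilities/sqli/source/impossible.php"}}}]},
        ],
    }],
}

if __name__ == "__main__":
    s = score_sarif(SAMPLE_SARIF)
    print(f"recall {s.recall:.0%}; missed {s.missed}; false positives {s.false_positives}")
```

Extend EXPECTED_SINKS with the other DVWA directories (xss_r, xss_s, csrf, upload, and so on) once the three textbook cases pass, and keep the false-positive list in the report: a scanner that flags every file equally is not finding anything.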
Offensive360’s SAST and DAST scanners are benchmarked against DVWA, Juice Shop, and WebGoat during every release. Book a demo to see a live scan of your own code or a vulnerable app.