OWASP-VWAD
OWASP-VWAD is a directory of known vulnerable web applications used for security testing and learning. The repository is being wound down; future work has moved to the www-project-vulnerable-web-applications-directory repository.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | OWASP/OWASP-VWAD |
| Owner | OWASP |
| Primary language | Unknown |
| License | Apache-2.0 — OSI-approved |
| Stars | 884 |
| Forks | 222 |
| Open issues | 0 |
| Latest release | Unknown |
| Last updated | 2026-06-22 |
| Source | https://github.com/OWASP/OWASP-VWAD |
What OWASP-VWAD is
A curated registry of vulnerable web applications indexed by type and maintained as an OWASP Lab project. The project consolidates metadata and links to known vulnerable applications for penetration testing and security research purposes.
Get the OWASP-VWAD source
Clone the repository and explore it locally.
git clone https://github.com/OWASP/OWASP-VWAD.gitcd OWASP-VWAD# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Project is archived and no longer actively maintained; use only as a reference or redirect to the active repository.
- Directory functions as a metadata index; actual vulnerable applications must be sourced, deployed, and managed separately.
- No release artifacts or binary distributions; content is reference documentation only.
- Ensure all vulnerable application usage is authorized and isolated in non-production environments.
- Regularly cross-reference the active www-project-vulnerable-web-applications-directory for current application listings and updates.
When to avoid it — and what to weigh
- Active production use required — Repository is explicitly being wound down; ongoing maintenance and updates are no longer provided in this repository.
- Need current tooling — Latest development and feature additions have moved to www-project-vulnerable-web-applications-directory; this repository will not receive new enhancements.
- Require direct code contributions — Project is in wind-down mode with zero open issues and minimal recent activity; community contribution velocity is not expected.
- Seeking integrated deployment platform — This is a directory/registry only, not a deployment or orchestration tool; does not provide automated setup or hosted vulnerable environments.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license permitting commercial use, modification, and distribution under stated terms.
Apache-2.0 allows commercial use. However, this repository is archived and no longer maintained. Verify applicability with the successor repository (www-project-vulnerable-web-applications-directory) before relying on this for commercial tooling.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Stale |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Possible |
| Assessment confidence | High |
This is a registry of intentionally vulnerable applications intended for authorized security testing only. Deployment of vulnerable applications must occur in isolated, non-production environments with proper authorization. No assessment of the security practices or code quality of listed applications is provided here; security due diligence on individual applications is the responsibility of the deployer.
Alternatives to consider
OWASP www-project-vulnerable-web-applications-directory (active)
Official successor project with active maintenance, current application listings, and ongoing community support. Use this instead for production reference needs.
DVWA (Damn Vulnerable Web Application)
Single, well-maintained vulnerable application designed for security training; provides hands-on learning if a specific application is preferred over a directory reference.
WebGoat (OWASP project)
Active OWASP educational application with structured lessons; focuses on teaching security concepts rather than providing a directory of external vulnerable apps.
Build on OWASP-VWAD with DEV.co software developers
This repository is no longer maintained. Visit https://github.com/OWASP/www-project-vulnerable-web-applications-directory for current vulnerable application listings and ongoing updates.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
OWASP-VWAD FAQ
Should I use this repository for new projects?
Can I use listed vulnerable applications for security training?
Is the Apache-2.0 license sufficient for commercial security training products?
Will this repository be updated with new vulnerable applications?
Custom software development services
Adopting OWASP-VWAD is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Migrate to the Active Project
This repository is no longer maintained. Visit https://github.com/OWASP/www-project-vulnerable-web-applications-directory for current vulnerable application listings and ongoing updates.