DEV.co
Open-Source Security · OWASP

OWASP-VWAD

OWASP-VWAD is a directory of known vulnerable web applications used for security testing and learning. The repository is being wound down; future work has moved to the www-project-vulnerable-web-applications-directory repository.

Source: GitHub — github.com/OWASP/OWASP-VWAD
884
GitHub stars
222
Forks
Unknown
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryOWASP/OWASP-VWAD
OwnerOWASP
Primary languageUnknown
LicenseApache-2.0 — OSI-approved
Stars884
Forks222
Open issues0
Latest releaseUnknown
Last updated2026-06-22
Sourcehttps://github.com/OWASP/OWASP-VWAD

What OWASP-VWAD is

A curated registry of vulnerable web applications indexed by type and maintained as an OWASP Lab project. The project consolidates metadata and links to known vulnerable applications for penetration testing and security research purposes.

Quickstart

Get the OWASP-VWAD source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/OWASP/OWASP-VWAD.gitcd OWASP-VWAD# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security training and education

Reference catalog for security professionals and students to identify available vulnerable applications for hands-on lab exercises and skill development.

Penetration testing resource discovery

Centralized directory to locate and select appropriate vulnerable applications for authorized security assessments and proof-of-concept work.

AppSec curriculum development

Foundation for building security training programs by providing a comprehensive inventory of real-world vulnerable application examples.

Implementation considerations

  • Project is archived and no longer actively maintained; use only as a reference or redirect to the active repository.
  • Directory functions as a metadata index; actual vulnerable applications must be sourced, deployed, and managed separately.
  • No release artifacts or binary distributions; content is reference documentation only.
  • Ensure all vulnerable application usage is authorized and isolated in non-production environments.
  • Regularly cross-reference the active www-project-vulnerable-web-applications-directory for current application listings and updates.

When to avoid it — and what to weigh

  • Active production use required — Repository is explicitly being wound down; ongoing maintenance and updates are no longer provided in this repository.
  • Need current tooling — Latest development and feature additions have moved to www-project-vulnerable-web-applications-directory; this repository will not receive new enhancements.
  • Require direct code contributions — Project is in wind-down mode with zero open issues and minimal recent activity; community contribution velocity is not expected.
  • Seeking integrated deployment platform — This is a directory/registry only, not a deployment or orchestration tool; does not provide automated setup or hosted vulnerable environments.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license permitting commercial use, modification, and distribution under stated terms.

Apache-2.0 allows commercial use. However, this repository is archived and no longer maintained. Verify applicability with the successor repository (www-project-vulnerable-web-applications-directory) before relying on this for commercial tooling.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceStale
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

This is a registry of intentionally vulnerable applications intended for authorized security testing only. Deployment of vulnerable applications must occur in isolated, non-production environments with proper authorization. No assessment of the security practices or code quality of listed applications is provided here; security due diligence on individual applications is the responsibility of the deployer.

Alternatives to consider

OWASP www-project-vulnerable-web-applications-directory (active)

Official successor project with active maintenance, current application listings, and ongoing community support. Use this instead for production reference needs.

DVWA (Damn Vulnerable Web Application)

Single, well-maintained vulnerable application designed for security training; provides hands-on learning if a specific application is preferred over a directory reference.

WebGoat (OWASP project)

Active OWASP educational application with structured lessons; focuses on teaching security concepts rather than providing a directory of external vulnerable apps.

Software development agency

Build on OWASP-VWAD with DEV.co software developers

This repository is no longer maintained. Visit https://github.com/OWASP/www-project-vulnerable-web-applications-directory for current vulnerable application listings and ongoing updates.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

OWASP-VWAD FAQ

Should I use this repository for new projects?
No. The project is explicitly being wound down. Refer to https://github.com/OWASP/www-project-vulnerable-web-applications-directory for current, actively maintained listings.
Can I use listed vulnerable applications for security training?
Yes, but only in authorized, isolated, non-production environments. Each listed application should be independently reviewed for licensing, prerequisites, and security best practices before deployment.
Is the Apache-2.0 license sufficient for commercial security training products?
The license itself permits commercial use. However, verify the licenses of individual vulnerable applications referenced in the directory, as they may have different terms. Legal review is recommended.
Will this repository be updated with new vulnerable applications?
No. All future updates and new entries are being handled via the active www-project-vulnerable-web-applications-directory project.

Custom software development services

Adopting OWASP-VWAD is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Migrate to the Active Project

This repository is no longer maintained. Visit https://github.com/OWASP/www-project-vulnerable-web-applications-directory for current vulnerable application listings and ongoing updates.