appsec.study

List of vulnerable machines for testing and training. Nothing more. Nothing less.

View on GitHub

List of vulnerable machines for testing and training. Nothing more. Nothing less.

Every machine is automatically restarted every 2 hours (on even hours, local time).

Deliberately insecure by design. For testing and training.

Machines

Machine Vulns Source Live
Boxcutter Store Mixed injection, XSS, broken access control, API & GraphQL, business logic, info disclosure source boxcutter.appsec.study
Stalker Leaked Git artifacts, hidden admin panel, SQL injection, code execution source stalker.appsec.study
DVWA (fork of DVWA) SQL injection (incl. blind), command injection, file inclusion (LFI/RFI), file upload, XSS (reflected/stored/DOM), CSRF, brute force, weak session IDs source dvwa.appsec.study
frontend-str-react React-specific client-side bugs: dangerouslySetInnerHTML, javascript: href, props-spread injection, dynamic-component render source freact.appsec.study
frontend-str-vue Vue-specific client-side bugs: v-html, :href javascript:, runtime-compiler CSTI, <component :is> source fvue.appsec.study
frontend-str-angular Angular-specific client-side bugs: bypassSecurityTrust* (HTML/URL/ResourceUrl), open redirect, JIT CSTI source fangular.appsec.study
nomnom Food-ordering REST API (~117 endpoints, Swagger UI): BOLA/IDOR, BFLA, mass assignment, price tampering, referral race condition, SSRF, SQLi, JWT (alg:none/weak secret), XXE, SSTI, file upload, open redirect, CORS, GraphQL source nomnom.appsec.study

Scanner coverage

Planted vulnerabilities each scanner discovered (valid findings / total embedded). A new column is added per scan.

Machine boxcutter web-full (unauthed)
Boxcutter Store 19 / 109
DVWA 9 / 14
nomnom 5 / 42
Stalker 1 / 4
frontend-str-react 0 / 5
frontend-str-vue 0 / 5
frontend-str-angular 0 / 5