Vulnerable Code

All

113 repositories

serverless-gcf-goof
Public
A vulnerable Serverless application deployed on GCF
JavaScript
•25•0•0•1•Updated Jan 1, 2026Jan 1, 2026
Vulnerable-OAuth-2.0-Applications
Public
vulnerable OAuth 2.0 applications: understand the security implications of your OAuth 2.0 decisions.
JavaScript
•78•0•0•5•Updated Jan 1, 2026Jan 1, 2026
Goatlin
Public
(aka Kotlin Goat) - an intentionally vulnerable Kotlin application
Kotlin
•
GNU General Public License v3.0
•170•0•0•2•Updated Jan 1, 2026Jan 1, 2026
Damn-Vulnerable-Bank
Public
Damn Vulnerable Bank is designed to be an intentionally vulnerable android application. This provides an interface to assess your android application security hacking skills.
Java
•
MIT License
•223•0•0•9•Updated Dec 31, 2025Dec 31, 2025
shiftleft-js-demo
Public
JavaScript
•
Apache License 2.0
•439•0•0•5•Updated Dec 31, 2025Dec 31, 2025
java-sec-code
Public
Java web common vulnerabilities and security code which is base on springboot and spring security
Java
•760•0•0•5•Updated Dec 20, 2025Dec 20, 2025
dvja
Public
Damn Vulnerable Java (EE) Application
CSS
•
MIT License
•524•0•0•2•Updated Dec 19, 2025Dec 19, 2025
kubernetes-goat
Public
Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀
HTML
•
MIT License
•934•0•0•9•Updated Dec 12, 2025Dec 12, 2025
wrongsecrets
Public
Vulnerable app with examples showing how to not use secrets
Java
•
GNU Affero General Public License v3.0
•513•0•0•15•Updated Dec 6, 2025Dec 6, 2025
supplygoat
Public
"Vulnerable by Design" supply chain is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
HCL
•
Apache License 2.0
•278•0•0•13•Updated Dec 5, 2025Dec 5, 2025
Damn-Vulnerable-GraphQL-Application
Public
Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
JavaScript
•
MIT License
•350•0•0•5•Updated Dec 5, 2025Dec 5, 2025
vulnerablecode
Public
A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
Python
•
Apache License 2.0
•261•0•0•5•Updated Dec 5, 2025Dec 5, 2025
intentionally-vulnerable-golang-project
Public
This is a project we created that has dependencies with vulnerabilities, for us to test out nancy
Shell
•127•0•0•3•Updated Dec 5, 2025Dec 5, 2025
flask-webgoat
Public
flask-webgoat is a deliberately-vulnerable application written with the Flask web framework.
Python
•
Apache License 2.0
•72•0•0•2•Updated Dec 2, 2025Dec 2, 2025
sync-forked-repositories
Public
An scheduler to sync all forked repositories daily
Apache License 2.0
•0•1•0•1•Updated Nov 21, 2025Nov 21, 2025
vulndb
Public
[mirror] The Go Vulnerability Database
Go
•
Other
•73•0•0•3•Updated Nov 20, 2025Nov 20, 2025
NodeGoat
Public
The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
HTML
•
Apache License 2.0
•2.2k•0•0•4•Updated Nov 18, 2025Nov 18, 2025
zipdu
Public
zipdu is a webservice implementation vulnerable to zip bombs and directory traversals. Written in multiple different languages
C++
•
Apache License 2.0
•3•0•0•2•Updated Nov 18, 2025Nov 18, 2025
example-javascript-vulnerable-methods
Public
SourceClear’s example node project with vulnerable methods in third party libraries
JavaScript
•41•0•0•2•Updated Nov 16, 2025Nov 16, 2025
damn-vulnerable-defi
Public
Solidity
•
MIT License
•1.4k•0•0•4•Updated Aug 22, 2025Aug 22, 2025
r0uei
Public
A bad application, a vulnerable application to try SQLi 😈
Ruby
•
Apache License 2.0
•8•0•0•1•Updated May 8, 2025May 8, 2025
pygoat
Public
intentionally vuln web Application Security in django
HTML
•
MIT License
•1.2k•0•0•5•Updated May 8, 2025May 8, 2025
php-goof
Public
Snyk PHP Goof - A vulnerable PHP demo application
PHP
•204•0•0•1•Updated May 6, 2025May 6, 2025
terragoat
Public
TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
HCL
•
Apache License 2.0
•5.6k•0•0•2•Updated Apr 29, 2025Apr 29, 2025
AWSGoat
Public
AWSGoat : A Damn Vulnerable AWS Infrastructure
PHP
•
MIT License
•1.4k•0•0•6•Updated Apr 29, 2025Apr 29, 2025
DamnVulnerableCryptoApp
Public
An app with really insecure crypto. To be used to see/test/exploit weak cryptographic implementations as well as to learn a little bit more about crypto, without the need to dive deep into the math behind it
TypeScript
•
MIT License
•23•0•0•3•Updated Apr 29, 2025Apr 29, 2025
DVSA
Public
a Damn Vulnerable Serverless Application
JavaScript
•
GNU General Public License v3.0
•199•0•0•3•Updated Apr 24, 2025Apr 24, 2025
vulhub
Public
Pre-Built Vulnerable Environments Based on Docker-Compose
Dockerfile
•
MIT License
•4.7k•0•0•17•Updated Apr 24, 2025Apr 24, 2025
go-test-bench
Public
Intentionally vulnerable Go web app.
Go
•
MIT License
•53•0•0•2•Updated Apr 16, 2025Apr 16, 2025
juice-shop
Public
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
TypeScript
•
MIT License
•16k•1•0•3•Updated Mar 22, 2025Mar 22, 2025