Exploitable Vulnerable Apps Operating Systems Virtual Machines VMs for Testing

Badstore: Badstore is one of the most vulnerable web application on which security researchers can practice their skills. It has vulnerabilities like cross-site scripting (XSS), SQL injection, clickjacking, password hash (MD5 decoding) and, if you’re good at penetration testing, you may find the robot.txt file and use it for further exploits.

You need to download VM (Virtual Machine) to use this application, and run it on VMware Workstation. After installing this application on VMware workstation, run the *ipconfig* command so that you come to know the IP address on which it is running. Now open your favorite browser and enter that same IP in the address bar. You will see that the Badstore Webpage is now displayed on your screen. It’s time to play! Download it:

  • Name: Badstore: 1.2.3
  • Date release: 24 Feb 2004



Metasploitable 2 – Metasploitable 2 is the most common vulnerable web application amongst security researchers. Security enthusiasts can use high-end tools like Metasploit and Nmap to test this application.

This vulnerable application is mainly used for network testing. It was designed after the popular tool Metasploit, which is used by security researchers to find security breaches. You may even find a shell for this application. It has built-in TWiki, phpMyAdmin, WebDAV, and DVWA.

You may not find the GUI of this application, but you can still exploit it by using various tools in the terminal or command line. You can scan its ports, services, service version and lots more. This will help you to evaluate your skills learn the Metasploit tool.

You will have to download VM (Virtual Machine) for this application, run it on VMWare Workstation, and determine its IP by entering command *ipconfig* or *ifconfig* into its terminal. Download it here:






Web Security Dojo – WSD is a VM which holds many tools (like Burp Suite, w3af, Ratproxy and SQLmap.) and target machines (WebGoat and Hacme Casino, among others) in itself. It is an open-source training environment based on Xubuntu 12.04. It also holds training materials and user guides for some targets.

To use it, you don’t need to run other tools, just this VM. You first need to install and run VirtualBox 5 (or later), or you can also run it on VMware. After that, import the ova file to VirtualBox/VMware and there you go. It will feel like any other Ubuntu OS.

This VM is great for beginners to self-study and learn, for professionals and for teachers to teach their students about vulnerabilities.

Web Security Dojo

An open source self-contained training environment for Web Application Security penetration testing.
Tools + Targets = Dojo


Various web application security testing tools and vulnerable web applications were added to a clean install of xubuntu 12.04. Build scripts are available in git at Sourceforge.


For learning and practicing web app security testing techniques. It does not need a network connection since it contains both tools and targets. Therefore, it is ideal for self-study, training classes, and conferences. Also, this removes the possibility of remote attack on the targets, which are insecure by design.

Download it here: https://sourceforge.net/projects/websecuritydojo/files/Version_3.4/




Mutillidae II – An open-source and free application developed by OWASP itself, Mutillidae II contains various vulnerabilities and hints to help the user to exploit them. Many security enthusiasts have used it because it provides easy-to-use web hacking environment. If penetration testing or hacking is your hobby, then this web application is for you to brush up your skills.

It has vulnerabilities to test like XSS, SQL injection, HTML injection, clickjacking, authentication bypass and many other vulnerabilities. It also has subcategories in its vulnerabilities section which provides further options.

You will need to install XAMPP onto your machine, but you will get XAMPP with Mutillidae. The user can even switch between secure and insecure modes. Mutillidae comprises everything you need and provides a complete lab environment.

One specialty of Mutillidae is that whenever you’ve messed up, there is “setup” button by which the system can be restored to default. It also provides a data capture page that captures data in the database and file. It really helps you to gain confidence in pentesting. You must try this application! Download it here.

Other Vulnerable Products to check out

  1. Juice Shop
  2. Zero Bank
  3. bWAPP
  4. WebGoat
  5. Hackxor
  6.  XXE
Please follow and like us: