Vuln web apps

1. Offline: The following list references downloadable vulnerable web applications to play with that can be installed on a standard operating system (Linux, Windows, Mac OS X, etc) using a standard web platform (Apache/PHP, Tomcat/Java, IIS/.NET, etc).
2.  
3. The BodgeIt Store (Java): http://code.google.com/p/bodgeit/ (download)
4. OWASP Bricks (PHP): http://sechow.com/bricks/index.html (download & docs)
5. The ButterFly Security Project (PHP): http://sourceforge.net/projects/thebutterflytmp/ (download)
6. bWAPP - an extremely buggy web application! (PHP): http://www.itsecgames.com (download) (docs)
7. Damn Vulnerable Web Application - DVWA (PHP): http://www.dvwa.co.uk (download)
8. Damn Vulnerable Web Services - DVWS (PHP): http://dvws.secureideas.net (download)
9. OWASP Hackademic Challenges Project (PHP): https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project (download)
10. Google Gruyere (Python): http://google-gruyere.appspot.com (download)
11. Hacme Bank (.NET): http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx (download)
12. Hacme Books (Java): http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx (download)
13. Hacme Casino (Ruby on Rails): http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx (download)
14. Hacme Shipping (ColdFusion): http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx (download)
15. Hacme Travel (C++): http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx (download)
16. OWASP Insecure Web App Project (Java): https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project (download - orphaned)
17. Mutillidae (PHP): http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 (download)
18. OWASP .NET Goat (C#): https://owasp.codeplex.com (download)
19. Peruggia (PHP): http://peruggia.sourceforge.net (download)
20. Puzzlemall (Java): https://code.google.com/p/puzzlemall/ (download) (docs)
21. Stanford Securibench (Java) & Micro: http://suif.stanford.edu/~livshits/securibench/ (download)
22. SQLI-labs (PHP): https://github.com/Audi-1/sqli-labs (download) (blog)
23. SQLol (PHP): https://github.com/SpiderLabs/SQLol (download)
24. OWASP Vicnum Project (Perl & PHP): https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project (download)
25. VulnApp (.NET): http://www.nth-dimension.org.uk/blog.php?id=88 (CVS download & vulns)
26. WackoPicko (PHP): https://github.com/adamdoupe/WackoPicko (download) (whitepaper)
27. OWASP WebGoat (Java): https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project (download) (guide)
28. OWASP ZAP WAVE - Web Application Vulnerability Examples (Java): http://code.google.com/p/zaproxy/downloads/list
29. Wavsep - Web Application Vulnerability Scanner Evaluation Project (Java): https://code.google.com/p/wavsep/ (download) (docs)
30. WIVET - Web Input Vector Extractor Teaser: https://code.google.com/p/wivet/ (download) (tests)
31.  
32. Virtual Machines (VMs) or ISO images: The following list references preinstalled and ready to use virtual machines (VMs) or ISO images that contain one or multiple vulnerable web applications to play with.
33.  
34. BadStore (ISO): http://www.badstore.net (download - registration required)
35. Bee-Box (bWAPP VMware): http://sourceforge.net/projects/bwapp/files/bee-box/
36. OWASP BWA - Broken Web Applications Project (VMware - list): https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project (download)
37. Drunk Admin Web Hacking Challenge (VMware): https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/ (download)
38. Exploit.co.il Vuln Web App (VMware): http://exploit.co.il/projects/vuln-web-app/ (download)
39. GameOver (VMware): http://sourceforge.net/projects/null-gameover/ (download)
40. Hackxor (VMware): http://hackxor.sourceforge.net/cgi-bin/index.pl (download) (hints&tips)
41. Hacme Bank Prebuilt VM (VMware): http://ninja-sec.com/index.php/hacme-bank-prebuilt-vmware-image-ninja-sec-com/ (download)
42. Kioptrix4 (VMware & Hyper-V): http://www.kioptrix.com/blog/?p=604 (download)
43. LAMPSecurity (VMware): http://sourceforge.net/projects/lampsecurity/ (download) (doc)
44. Metasploitable (VMware): http://blog.metasploit.com/2010/05/introducing-metasploitable.html (download - torrent) (doc)
45. Metasploitable 2 (VMware): https://community.rapid7.com/docs/DOC-1875 (download)
46. Moth (VMware): http://www.bonsai-sec.com/en/research/moth.php (download)
47. PentesterLab - The Exercises (ISO & PDF): https://www.pentesterlab.com/exercises/
48. PHDays I-Bank (VMware): http://phdays.blogspot.com.es/2012/05/once-again-about-remote-banking.html (download)
49. Samurai WTF (ISO - list): http://www.samurai-wtf.org (download)
50. Sauron (Quemu) [Spanish]: http://sg6-labs.blogspot.com/2007/12/secgame-1-sauron.html (solutions)
51. UltimateLAMP (VMware - list): http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/ (download)
52. Virtual Hacking Lab (ZIP): http://sourceforge.net/projects/virtualhacking/ (download)
53. Web Security Dojo (VMware, VirtualBox - list): http://www.mavensecurity.com/web_security_dojo/ (download)
54.  
55. Online/Live: The following list references online and live vulnerable web applications available on the Internet to play with.
56.  
57. Acunetix:
58. http://testasp.vulnweb.com (Forum - ASP)
59. http://testaspnet.vulnweb.com (Blog - .NET)
60. http://testphp.vulnweb.com (Art shopping - PHP)
61. Cenzic CrackMeBank: http://crackme.cenzic.com
62. Google Gruyere (Python): http://google-gruyere.appspot.com/start
63. Hacking-Lab (eg. OWASP Top 10): https://www.hacking-lab.com/events/registerform.html?eventid=245
64. Hack.me (beta): https://hack.me
65. HackThisSite (HTS - Basic & Realistic (web) Missions): http://www.hackthissite.org
66. Hackxor online demo: http://hackxor.sourceforge.net/cgi-bin/index.pl#demo (algo/smurf)
67. HP/SpiDynamics Free Bank Online: http://zero.webappsecurity.com (admin/admin)
68. IBM/Watchfire AltoroMutual: http://demo.testfire.net (jsmith/Demo1234)
69. NTOSpider Web Scanner Test Site: http://www.webscantest.com (testuser/testpass)
70. OWASP Hackademic Challenges Project - Live (PHP - Joomla): http://hackademic1.teilar.gr
71. Pentester Academy: http://pentesteracademylab.appspot.com
72.  
73. For completeness, there have been some other similar lists published in the past that I'm aware of, and also some "in-the-cloud" commercial training lab options are getting popular (let's call them "pay-per-hack" :-). Enjoy all these different web vulnerable environments and sharp your web app pen-testing skills and tools practicing with them!
74.  
75. Updates: (Thanks to everybody that sent me new vulnerable web-apps)
76. 2011-10-31: Added VulnApp (.NET) & Sauron (Quemu).
77. 2012-06-17: Added Metasploitable 2, Positive Hack Days (PHDays) I-Bank, and Hacme Bank Prebuilt VM.
78. 2012-07-23: Added GameOver, Virtual Hacking Lab, and Hacking-Lab.
79. 2012-12-19: Added SQLol, SQLI-labs, and WIVET.
80. 2012-12-27: Hack.me (beta).
81. 2013-01-21: bWAPP.
82. 2013-01-31: Drunk Admin Web Hacking Challenge, Hackxor online demo, Kioptrix4, and check The Hacker Games (VM) - some new additions via vulnhub.com.
83. 2013-03-15: DVWS.
84. 2013-09-09: Added PentesterLab and OWASP Bricks (thanks to m0wgli).
85. 2013-10-08: Added Pentester Academy (thanks to m0wgli) and Bee-Box, and updated bWAPP homepage.
86. 2013-10-20: List moved to OWASP VWAD project.
87.  
88. NOTE: WAVE and Wapsec main goal is to evaluate the features, quality, and accuracy of automatic web application vulnerability scanners. WIVET main goal is to statistically analyze web link extractors.