# Awesome Vulnerable Labs
English | [中文](README.zh.md)
> Vulnerable-by-design labs and practice platforms with a Chinese-language focus.
> _See README.zh.md for the Chinese version._
## Contents
- [Coverage Highlights](#coverage-highlights)
- [Usage](#usage)
- [Web Application Labs](#web-application-labs)
- [API / Microservice Labs](#api--microservice-labs)
- [AI / LLM Security Labs](#ai--llm-security-labs)
- [Blockchain / Web3 / Smart Contract Labs](#blockchain--web3--smart-contract-labs)
- [Mobile App Labs](#mobile-app-labs)
- [Cloud / Container / Kubernetes Labs](#cloud--container--kubernetes-labs)
- [Internal / Active Directory (AD) Labs](#internal--active-directory-ad-labs)
- [Systems / Binary / Reverse Engineering](#systems--binary--reverse-engineering)
- [IoT / Industrial Control / ICS Labs](#iot--industrial-control--ics-labs)
- [CTF / Online Challenge Platforms](#ctf--online-challenge-platforms)
- [Security Vendor Demos / Vulnerable Sites](#security-vendor-demos--vulnerable-sites)
- [General Labs / Course-based Labs](#general-labs--course-based-labs)
- [Security Benchmarks / Datasets](#security-benchmarks--datasets)
- [Legacy Software and Supporting Resources](#legacy-software-and-supporting-resources)
- [Inclusion Criteria](#inclusion-criteria)
- [Disclaimer](#disclaimer)
## Coverage Highlights
- Web/API, AI/LLM/MCP, and Web3/Blockchain security labs
- Android/iOS/Windows/macOS platforms plus PHP/Java/Node.js/Python stacks
- Cloud/Kubernetes, AD, IoT/ICS, CTF, and other specialized domains
- Continuously maintained collection of related resources
## Usage
- This list collects resources for vulnerability learning/practice, including open-source labs, online demos, cloud labs, course-based environments, and CTF platforms.
- Use only within authorized scope; avoid stress testing or destructive actions on online demos.
- Descriptions are Chinese-first; English names/aliases are kept for searchability.
## Web Application Labs
### Open Source (Self-Hosted)
- [BadStore](https://www.vulnhub.com/entry/badstore-123,41/) - E-commerce scenario Web vulnerability practice lab.
- [Butterfly Security Project](http://thebutterflytmp.sourceforge.net/) - PHP/Web vulnerable training environment.
- [bWAPP](http://sourceforge.net/projects/bwapp/files/bee-box/) - Web lab covering common vulnerabilities (bee-box).
- [BWVS](https://github.com/bugku/BWVS) - Web vulnerable lab.
- [Vulnerable Nginx](https://github.com/detectify/vulnerable-nginx) - Nginx vulnerability demo environment.
- [WAVSEP](https://github.com/sectooladdict/wavsep) - Web vulnerability scanning testbed.
- [Commix Testbed](https://github.com/stasinopoulos/commix-testbed) - Command injection practice pages collection.
- [Damn Vulnerable Node Application (DVNA)](https://github.com/appsecco/dvna) - Node.js Web vulnerable lab.
- [AspGoat](https://github.com/Soham7-dev/AspGoat) - Deliberately insecure ASP.NET Core Web application for learning and practicing Web security.
- [Damn Vulnerable Java (DVJA)](https://github.com/appsecco/dvja) - Damn Vulnerable Java (EE) vulnerability practice app.
- [SQL Injection Training App](https://github.com/appsecco/sqlinjection-training-app) - PHP practice app for learning SQL injection.
- [Damn Vulnerable Web Sockets](https://github.com/interference-security/DVWS) - WebSocket vulnerability practice app.
- [DIWA - Deliberately Insecure Web Application](https://github.com/snsttr/diwa) - Deliberately insecure Web application practice project.
- [Extreme Vulnerable Node Application (XVNA)](https://github.com/vegabird/xvna) - Node.js vulnerability practice app.
- [GameOver](https://sourceforge.net/projects/null-gameover/) - Web security basic training lab.
- [Hackazon](https://github.com/rapid7/hackazon) - E-commerce Web vulnerable lab.
- [BodgeIt Store](https://github.com/psiinon/bodgeit) - Java vulnerable practice application.
- [LAMPSecurity](http://sourceforge.net/projects/lampsecurity/) - LAMP Web vulnerable lab/VM.
- [OWASP Mutillidae II](https://github.com/webpwnized/mutillidae) - OWASP Web vulnerable lab.
- [OSS – OopsSec Store](https://github.com/kOaDT/oss-oopssec-store) - Next.js vulnerable e-commerce application.
- [OWASP Bricks](https://sourceforge.net/projects/owaspbricks/) - PHP/MySQL Web vulnerability practice platform.
- [OWASP BWA](http://code.google.com/p/owaspbwa/) - Web vulnerable application VM.
- [DVWA](https://github.com/digininja/DVWA) - PHP Web vulnerable lab.
- [GOVWA](https://github.com/0c34/govwa) - Go-based vulnerable web application.
- [OWASP Hackademic](https://github.com/Hackademic/hackademic/) - Web security learning lab.
- [OWASP Juice Shop](https://github.com/juice-shop/juice-shop) - OWASP Web lab.
- [JavaWebSec](https://github.com/gb233/JavaWebSec) - Java Web security teaching platform covering OWASP Top 10, with interactive demos, quizzes, and challenge mode.
- [OWASP Security Shepherd](https://www.owasp.org/index.php/OWASP_Security_Shepherd) - Web security training platform.
- [OWASP Security Shepherd (GitHub)](https://github.com/OWASP/SecurityShepherd) - OWASP Security Shepherd.
- [OWASP WebGoat 8](https://github.com/webgoat/webgoat) - Vulnerable training platform.
- [OWASP WrongSecrets](https://github.com/commjoen/wrongsecrets) - Scenario lab.
- [Peruggia](https://sourceforge.net/projects/peruggia/) - Web practice environment.
- [Pikachu](https://github.com/zhuifengshaonianhanlu/pikachu) - Chinese Web vulnerable lab.
- [Webug4.0](https://github.com/wangai3176/webug4.0) - Chinese Web vulnerable lab (SQLi/XSS).
- [PuzzleMall](https://code.google.com/p/puzzlemall/) - Session vulnerability practice app.
- [SentinelTestbed](https://github.com/dobin/SentinelTestbed) - Web testbed.
- [SocketToMe](http://digi.ninja/projects/sockettome.php) - Includes vulnerable Web application.
- [sqli-labs](https://github.com/Audi-1/sqli-labs) - SQL injection lab.
- [NoSQL Injection Lab](https://github.com/digininja/nosqlilab) - NoSQL injection practice lab.
- [Sqlilabs](https://github.com/himadriganguly/sqlilabs) - SQL injection practice set.
- [LFI Labs](https://github.com/paralax/lfi-labs) - Local file inclusion vulnerable practice project.
- [upload-labs](https://github.com/c0ny1/upload-labs) - File upload vulnerable lab.
- [VulnApp](https://www.nth-dimension.org.uk/blog.php?id=88) - ASP.NET vulnerable example application.
- [VulnLab](https://github.com/Yavuzlar/VulnLab) - Docker Web vulnerable lab.
- [WackoPicko](https://github.com/adamdoupe/WackoPicko) - Web lab for vulnerability scanning.
- [WebGoat.NET](https://github.com/jerryhoff/WebGoat.NET/) - .NET WebGoat.
- [WebSecurity Dojo](https://www.mavensecurity.com/web_security_dojo/) - Includes Web security training environment.
- [XVWA](https://github.com/s4n7h0/xvwa) - PHP/MySQL Web vulnerable lab.
- [tegal1337/0l4bs](https://github.com/tegal1337/0l4bs) - XSS practice lab.
- [tegal1337/br0w](https://github.com/tegal1337/br0w) - Security practice lab.
- [xss-labs](https://github.com/do0dl3/xss-labs) - XSS vulnerability practice lab.
- [OWASP NodeGoat](https://github.com/OWASP/NodeGoat) - Node.js OWASP Top 10 training application.
- [OWASP RailsGoat](https://github.com/OWASP/railsgoat) - Rails vulnerable training application.
- [PyGoat](https://gitlab.com/varun.manoj/pygoat) - Django vulnerable training application.
- [DVLA](https://gitlab.com/dpopkin/DVLA) - Laravel vulnerability practice app.
- [vulnerable-sso](https://github.com/dogangcr/vulnerable-sso) - SSO vulnerable practice Web application.
- [UnSAFE Bank](https://github.com/lucideus-repo/UnSAFE_Bank) - Web, Android and iOS application.
- [Virtual Hacking Lab](https://sourceforge.net/projects/virtualhacking/) - Vulnerability practice app / lab.
- [Vulnado](https://github.com/ScaleSec/vulnado) - Purposely vulnerable Java application to help lead secure coding workshops.
- [Vulnerable Node Express](https://github.com/kaakaww/vuln_node_express) - SQLi and XSS vulnerability practice app.
- [Vulnerable OTP App](https://github.com/mddanish/Vulnerable-OTP-Application) - Vulnerability practice app / lab.
- [Vulnerable SAML App](https://github.com/yogisec/VulnerableSAMLApp) - Vulnerability practice app / lab.
- [VulnerableXsltConsoleApplication](https://github.com/ctxis/VulnerableXsltConsoleApplication) - Console app demonstrating XSLT transform vulnerabilities relevant to web apps.
- [WAVSEP - Web Application Vulnerability Scanner Evaluation Project](https://github.com/zaproxy/wavsep) - Vulnerability practice app / lab.
- [WIVET - Web Input Vector Extractor Teaser](https://github.com/bedirhan/wivet) - Vulnerability practice app / lab.
- [Wayfarer](https://github.com/samuraiwtf/wayfarer) - Vulnerability practice app / lab.
- [WebGoatPHP](https://www.owasp.org/index.php/WebGoatPHP) - Vulnerability practice app / lab.
- [WebGoat](https://webgoat.github.io/WebGoat/) - Vulnerability practice app / lab.
- [Weird Proxies - Labs](https://github.com/GrrrDog/weird_proxies/tree/master/labs) - Vulnerability practice app / lab.
- [XXE](http://xxe.sourceforge.net/) - Vulnerability practice app / lab.
- [Zero Health](https://github.com/aligorithm/Zero-Health) - Deliberately vulnerable health tech platform with AI Chatbot for security learning.
- [bWAPP](http://www.itsecgames.com/) - Vulnerability practice app / lab.
- [insecure-deserialisation-net-poc](https://github.com/omerlh/insecure-deserialisation-net-poc) - Small webserver vulnerable to insecure deserialization.
- [jwtdemo](https://github.com/Sjord/jwtdemo/) - Practice hacking JWT tokens.
- [play-webgoat](https://github.com/playframework/play-webgoat) - Vulnerability practice app / lab.
- [twitterlike](https://github.com/sakti/twitterlike) - Vulnerability practice app / lab.
- [vuln-node.js-express.js-app](https://github.com/SirAppSec/vuln-node.js-express.js-app) - Very vulnerable Node.js Express.js Web Application and API for security testing.
- [vulnerable-api](https://github.com/mattvaldes/vulnerable-api) - Vulnerability practice app / lab.
- [ypreyAPINodeJS](https://yrprey.com) - Vulnerable framework written in Node.js based on the OWASP TOP 10 API.
### Online Demos
- [CTFchallenge](https://ctfchallenge.com/) - Web vulnerability practice platform.
- [Firing Range](https://public-firing-range.appspot.com/) - Web lab provided by Google.
- [DOM Clobbering XSS (CXSS)](https://domgo.at/cxss/intro) - DOM XSS training demo pages.
- [hackxor](https://hackxor.sourceforge.net/cgi-bin/index.pl) - Web vulnerable challenge practice.
- [Pentest-Ground](https://pentest-ground.com/) - Online Web vulnerability practice platform.
- [Duck Store](https://duck-store.escape.tech/) - Online Web vulnerability demo application.
- [Cyber Scavenger Hunt](https://cyberscavengerhunt.com) - A simple scavenger hunt to learn about pentesting a website or web application.
- [Damn Vulnerable AI Bank (DVAIB)](https://www.dvaib.com) - Hands-on AI security training platform for prompt injection and jailbreaking.
- [Defend the Web](https://defendtheweb.net/) - Formerly HackThis.
- [HackXpert](https://labs.hackxpert.com/) - Online vulnerable practice / demo platform.
- [HackYourselfFirst](https://hack-yourself-first.com/) - Online vulnerable practice / demo platform.
- [Hacking Lab](https://www.hacking-lab.com/events/) - Online vulnerable practice / demo platform.
- [Root Me](https://www.root-me.org) - Non-profit organization providing a learning platform for ethical hacking.
- [Solyd - Introdução ao Hacking e Pentest](http://solyd.com.br/treinamentos/introducao-ao-hacking-e-pentest) - Free online training with free online lab (Portuguese).
### Commercial (Trial/Training Platforms)
- [PentesterLab](https://pentesterlab.com/) - Web security course practice platform.
- [PentesterLab - Web for Pentester](https://www.pentesterlab.com/exercises/web_for_pentester) - PentesterLab Web practice course.
- [Web-Security Academy](https://portswigger.net/web-security) - Web security learning platform provided by PortSwigger.
## API / Microservice Labs
### Open Source (Self-Hosted)
- [Damn Vulnerable Web Services (DVWS)](https://github.com/snoopysecurity/dvws) - Web vulnerability practice platform.
- [Damn Vulnerable C# API (DVCSharp-API)](https://github.com/appsecco/dvcsharp-api) - Damn Vulnerable C# API practice project.
- [OWASP crAPI](https://github.com/OWASP/crAPI) - OWASP API vulnerability practice platform.
- [VAmPI](https://github.com/erev0s/VAmPI) - Flask API vulnerable lab.
- [REST API Goat](https://github.com/optiv/rest-api-goat) - OWASP API Top 10 practice lab.
- [vAPI](https://github.com/roottusk/vapi) - OWASP API scenario practice project.
- [Vulnerable App for API Security](https://github.com/Erdemstar/VulnerableApp4APISecurity) - .NET API vulnerable practice project.
- [Websheep](https://github.com/marmicode/websheep) - REST API vulnerability practice platform.
- [Pixi](https://github.com/DevSlop/Pixi) - Includes security API MEAN practice app.
- [Tiredful-API](https://github.com/payatu/Tiredful-API) - Django/DRF API vulnerable practice project.
- [Vulnerable REST API (OWASP 2023)](https://github.com/bnematzadeh/vulnerable-rest-api) - OWASP API Top 10 2023 practice project.
- [Damn Vulnerable RESTaurant API Game](https://github.com/Nazacod/Damn-Vulnerable-RESTaurant-API-Game) - API vulnerable challenge practice.
- [c{api}tal](https://github.com/Checkmarx/capital) - OWASP API Top 10 API lab.
- [dvws-node](https://github.com/snoopysecurity/dvws-node) - Includes API vulnerable platform.
- [VulnerableLightApp](https://github.com/Aif4thah/VulnerableLightApp) - Training vulnerable API example.
- [Damn Vulnerable GraphQL Application (DVGA)](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application) - GraphQL vulnerability practice app.
- [GraphQL Security Labs](https://github.com/dcodx/graphql-security-labs) - GraphQL security practice lab.
- [poc-graphql](https://github.com/righettod/poc-graphql) - GraphQL vulnerable PoC/practice project.
- [gRPC Goat](https://github.com/rootxjs/grpc-goat) - gRPC vulnerability practice lab.
- [grpc-lab](https://github.com/nxenon/grpc-lab) - gRPC vulnerable practice lab.
- [grpc-web-playground](https://github.com/bnematzadeh/grpc-web-playground) - gRPC-Web vulnerability practice app.
- [vuln-grpc-kotlin](https://github.com/kaakaww/vuln-grpc-kotlin) - Kotlin gRPC vulnerable example.
- [DamnVulnerableMicroServices](https://github.com/ne0z/DamnVulnerableMicroServices) - Vulnerable practice set.
- [VRPlayground](https://github.com/f5devcentral/VRPlayground) - Vulnerable practice set.
- [cargo-cats](https://github.com/Contrast-Security-OSS/cargo-cats) - Vulnerable exercise application.
- [java-microservice-sample-apps](https://github.com/Contrast-Security-OSS/java-microservice-sample-apps) - Vulnerable collection.
- [secDevLabs](https://github.com/globocom/secDevLabs) - Application vulnerable lab (includes API).
- [Damn Vulnerable RESTaurant (theowni)](https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game) - Web API vulnerable challenge practice project.
### Online Labs / Course Platforms
- [APIsec University](https://www.apisecuniversity.com/) - API security training course resources.
- [Application Security OWASP Top 10 API](https://application.security/free/owasp-top-10-API) - OWASP API Top 10 training course.
- [Escape GraphQL Security Academy](https://escape.tech/academy/) - GraphQL vulnerable learning platform.
- [PortSwigger API Testing Path](https://portswigger.net/web-security/learning-paths/api-testing) - Web Security Academy API learning.
- [PortSwigger GraphQL Labs](https://portswigger.net/web-security/learning-paths/graphql-api-vulnerabilities) - GraphQL vulnerable.
- [Gin & Juice Shop](https://ginandjuice.shop/) - GraphQL vulnerable practice online lab.
## AI / LLM Security Labs
### Online Challenges/Platforms
- [Gandalf](https://gandalf.lakera.ai/) - Prompt Injection introductory challenge.
- [Prompt Airlines](https://promptairlines.com/) - Prompt Injection CTF.
- [GPT Prompt Attack](https://gpa.43z.one/) - Challenge.
- [GPT Game](https://gpt.43z.one/) - Challenge.
- [HackAPrompt](https://www.hackaprompt.com/) - AI/Prompt Injection platform.
- [SaTML LLM CTF](https://ctf.spylab.ai/) - LLM CTF online platform.
- [PortSwigger LLM Attacks Labs](https://portswigger.net/web-security/llm-attacks) - LLM lab.
### Open Source (Self-Hosted)
- [LLMGoat](https://github.com/SECFORCE/LLMGoat) - OWASP LLM Top 10 practice lab.
- [AI Goat](https://github.com/dhammon/ai-goat) - Local LLM CTF challenge.
- [AI Red Teaming Playground Labs (Microsoft)](https://github.com/microsoft/AI-Red-Teaming-Playground-Labs) - Provides AI exercise lab practice.
- [AIGoat](https://github.com/orcasecurity-research/AIGoat) - Deployable AI security lab environment.
- [Damn Vulnerable LLM Agent (ReversecLabs)](https://github.com/ReversecLabs/damn-vulnerable-llm-agent) - ReAct/LangChain LLM Agent exercise project (supports Streamlit/Docker).
- [LLM Vulnerable Recruitment App (ReversecLabs)](https://github.com/ReversecLabs/llm-vulnerable-recruitment-app) - Scenario LLM vulnerability practice app.
- [Vulnerable MCP Servers Lab](https://github.com/appsecco/vulnerable-mcp-servers-lab) - Collection of vulnerable MCP servers for learning.
- [Vulnerable MCP](https://github.com/akto-api-security/vuln-mcp) - MCP Server example.
- [Builder-Breaker Lab](https://github.com/Harry-Ashley/Builder-Breaker-Lab) - PyRIT AI lab (Microsoft AI Red Team Taxonomy).
- [Folly](https://github.com/user1342/Folly) - LLM Prompt Injection/Jailbreaking practice Playground.
- [La Guerre des Prompts (Devfest 2025)](https://github.com/pi-2r/devfest2025-La-Guerre-des-Prompts-attaques-et-defenses-au-royaume-des-LLM) - Devfest 2025 Prompt Injection attack/defense project.
- [Damn Vulnerable MCP](https://github.com/harishsg993010/damn-vulnerable-MCP-server) - MCP vulnerable training project, includes 10 challenges.
- [DamnVulnerableLLMProject](https://github.com/harishsg993010/DamnVulnerableLLMProject) - LLM vulnerable practice project.
- [satml-llm-ctf](https://github.com/ethz-spylab/satml-llm-ctf) - LLM CTF platform.
- [Prompt-Injection-Playground](https://github.com/svenmorgenrothio/Prompt-Injection-Playground) - Prompt Injection practice Playground.
## Blockchain / Web3 / Smart Contract Labs
### Open Source (Self-Hosted)
- [GOAT Casino](https://github.com/nccgroup/GOATCasino) - Deployable vulnerable practice project.
- [Ethernaut (OpenZeppelin)](https://github.com/OpenZeppelin/ethernaut) - Ethernaut.
- [Paradigm CTF](https://github.com/paradigm-operations/paradigm-ctf-2021) - Blockchain CTF challenge set.
- [Blocksec CTFs](https://github.com/blockthreat/blocksec-ctfs) - BlockSec CTF challenge set.
- [DeFiVulnLabs](https://github.com/SunWeb3Sec/DeFiVulnLabs) - DeFi vulnerable practice challenge.
- [SmartSecRiddles](https://github.com/marjon-call/SmartSecRiddles) - Security challenge collection.
- [Damn Vulnerable DeFi](https://github.com/OpenZeppelin/damn-vulnerable-defi) - DeFi vulnerable challenge practice.
### Online Challenges/Platforms
- [Capture the Ether](https://capturetheether.com/) - Security challenge platform.
- [The Ethernaut](https://ethernaut.openzeppelin.com/) - Vulnerable challenge platform.
- [Etherhack](https://etherhack.positive.com/) - Security challenge platform.
- [ciphershastra CTF](https://ciphershastra.com/) - CTF platform.
- [DeFi Hack](https://www.defihack.xyz/) - DeFi security challenge platform.
- [Gacha Lab (BSC Testnet)](https://gachalab.inspex.co/) - BSC security platform.
- [Only Pwner](https://onlypwner.xyz/) - Security challenge platform.
- [QuillCTF](https://quillctf.super.site/) - Learning challenge platform.
- [Vulnmachines - Blockchain hacking](https://vulnmachines.com) - Vulnerable practice challenge platform.
- [Damn Vulnerable DeFi (Site)](https://www.damnvulnerabledefi.xyz/) - DeFi vulnerable challenge practice.
### Resources/Challenge Sets
- [ctf-blockchain](https://github.com/minaminao/ctf-blockchain) - CTF challenges.
## Mobile App Labs
### Open Source (APK/Source)
- [EVABS](https://github.com/abhi-r3v0/EVABS) - Android vulnerable lab.
- [Goatlin](https://github.com/Checkmarx/Goatlin/) - Vulnerability practice app.
- [Vuln-Bank](https://github.com/Commando-X/vuln-bank) - Deliberately vulnerable banking application for practicing security testing of Web App, APIs, and AI integrated applications.
- [VyAPI](https://github.com/appsecco/VyAPI) - Cloud Android application.
- [Damn Vulnerable FirefoxOS App (DVFA)](https://github.com/arroway/dvfa) - FirefoxOS vulnerable application.
- [Damn Vulnerable iOS App (DVIA)](https://damnvulnerableiosapp.com/) - iOS vulnerable application.
- [ExploitMe Mobile Android Labs](https://securitycompass.github.io/AndroidLabs/) - Android security practice app.
- [ExploitMe Mobile iPhone Labs](https://securitycompass.github.io/iPhoneLabs/) - iPhone security practice app.
- [OWASP iGoat (GitHub)](https://github.com/OWASP/igoat) - iOS learning tool.
- [OWASP Goatdroid](https://github.com/jackMannino/OWASP-GoatDroid-Project) - Android security training environment.
- [OWASP MSTG Hacking Playground](https://github.com/OWASP/MSTG-Hacking-Playground) - OWASP MSTG vulnerable practice set.
- [DIVA](https://github.com/payatu/diva-android) - Android vulnerable training application.
- [InsecureBankv2](https://github.com/dineshshetty/Android-InsecureBankv2) - Android vulnerable lab.
- [InsecureShop](https://github.com/optiv/InsecureShop) - Kotlin vulnerability practice app.
- [AndroGoat](https://github.com/satishpatnayak/AndroGoat) - OWASP Android training application.
- [Vuldroid](https://github.com/jaiswalakshansh/Vuldroid) - Android vulnerable example application.
- [DVIA-v2](https://github.com/prateek147/DVIA-v2) - Swift iOS vulnerable application.
- [OWASP iGoat-Swift](https://github.com/OWASP/iGoat-Swift) - Swift iOS training application.
- [DVHMA](https://github.com/logicalhacking/DVHMA) - Cordova application vulnerable lab.
- [OWASP MAS Crackmes](https://github.com/OWASP/mas-crackmes) - Reverse engineering Crackme collection.
- [OWASP MSTG Android Crackmes](https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/Android) - Android Crackme practice set provided by OWASP MSTG.
- [InjuredAndroid](https://github.com/B3nac/InjuredAndroid) - CTF Android vulnerability practice app.
- [Damn Vulnerable Bank](https://github.com/rewanthtammana/Damn-Vulnerable-Bank) - Android vulnerable application.
- [OVAA](https://github.com/oversecured/ovaa) - Oversecured Android vulnerable application.
- [Android Security Testing (hpAndro1337)](https://github.com/RavikumarRamesh/hpAndro1337) - Kotlin Android vulnerability practice app.
- [Frida Labs](https://github.com/DERE-ad2001/Frida-Labs) - Android Frida practice challenge.
- [Oversecured Vulnerable iOS App](https://github.com/oversecured/OversecuredVulnerableiOSApp) - iOS vulnerability practice app.
## Cloud / Container / Kubernetes Labs
### Open Source (Self-Hosted)
- [CloudGoat](https://github.com/RhinoSecurityLabs/cloudgoat) - AWS vulnerable scenario exercise tool.
- [Damn Vulnerable Cloud Application](https://github.com/m6a-UdS/dvca.git) - Application vulnerability practice lab.
- [Unguard](https://github.com/dynatrace-oss/unguard) - Cloud-native vulnerability demo application.
- [Kubernetes Goat](https://github.com/madhuakula/kubernetes-goat) - Kubernetes security practice environment.
- [Simulator](https://github.com/controlplaneio/simulator) - Kubernetes security training platform (exercise).
- [Metarget](https://github.com/Metarget/metarget) - Cloud-native attack/defense lab automated framework.
- [VulApps](https://github.com/Medicean/VulApps) - Docker vulnerable environment collection.
- [Vulhub](https://github.com/vulhub/vulhub) - CVE/vulnerability reproduction collection (Docker).
- [Vulfocus](https://github.com/fofapro/vulfocus) - Vulnerable environment platform.
- [VulnRange](https://gitee.com/wgpsec/VulnRange) - Lab / vulnerable environment platform.
- [vulstudy](https://gitee.com/gid1314/vulstudy) - Docker lab collection.
- [pentest_lab](https://github.com/oliverwiegers/pentest_lab) - Docker Compose local lab.
- [kube-goat](https://github.com/ksoclabs/kube-goat) - Kubernetes vulnerable practice environment.
- [k8s-labs](https://github.com/ProfessionallyEvil/k8s-labs) - Kubernetes vulnerable practice set.
- [minik8s-ctf](https://github.com/quarkslab/minik8s-ctf) - Kubernetes introductory CTF.
- [k8s-ctf-rocks](https://github.com/NodyHub/k8s-ctf-rocks) - Kubernetes CTF training.
- [kubernetes-ctf](https://github.com/thedojoseries/kubernetes-ctf) - Kubernetes CTF exercise project.
- [kube-ctf](https://github.com/DownUnderCTF/kube-ctf) - Kubernetes CTF basic.
- [kubernetes-ctf-samples](https://github.com/kyohmizu/kubernetes-ctf-samples) - Kubernetes CTF example.
- [OWASP EKS Goat](https://owasp.org/www-project-eks-goat) - AWS EKS vulnerable practice lab.
- [OWASP GKE Goat](https://owasp.org/www-project-gke-goat/) - GKE vulnerable practice lab.
- [OWASP Vulnerable Container Hub](https://github.com/owasp/vulnerable-container-hub) - Vulnerable collection.
- [TerraGoat](https://github.com/bridgecrewio/terragoat) - Terraform vulnerable practice.
- [CfnGoat](https://github.com/bridgecrewio/cfngoat) - CloudFormation vulnerable practice.
- [CDKGoat](https://github.com/bridgecrewio/cdkgoat) - AWS CDK vulnerable practice project.
- [KustomizeGoat](https://github.com/bridgecrewio/kustomizegoat) - Kustomize vulnerable practice.
- [TerraformGoat](https://github.com/HXSecurity/TerraformGoat) - Terraform vulnerable practice.
- [tfgoat-aws](https://github.com/flatt-security/tfgoat-aws) - AWS Terraform vulnerable practice.
- [AWSGoat](https://github.com/ine-labs/AWSGoat) - AWS vulnerable scenario practice.
- [CloudCommotion](https://github.com/SecurityRunners/cloudcommotion) - Terraform cloud / simulation environment.
- [AzureGoat](https://github.com/ine-labs/AzureGoat) - Azure vulnerable scenario practice.
- [Azure Goat (XMGoat)](https://github.com/XMCyber/XMGoat) - Includes Azure environment.
- [GCPGoat](https://github.com/ine-labs/GCPGoat) - GCP vulnerable scenario practice.
- [sadcloud](https://github.com/nccgroup/sadcloud) - AWS security automated practice.
- [IAM Vulnerable](https://github.com/BishopFox/iam-vulnerable) - AWS IAM practice scenario.
- [OWASP Serverless-Goat](https://github.com/OWASP/Serverless-Goat) - Serverless vulnerable practice project.
- [OWASP DVSA](https://github.com/OWASP/DVSA) - Serverless vulnerable application.
- [DVFaaS](https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service) - Self-hostable AWS Lambda vulnerable practice project.
- [Lambhack](https://github.com/wickett/lambhack) - A very vulnerable serverless application for AWS Lambda.
- [CI/CD Goat](https://github.com/cider-security-research/cicd-goat) - CI/CD security practice environment.
- [GitHub Actions Goat](https://github.com/step-security/github-actions-goat) - GitHub Actions vulnerable practice environment.
- [GHA-Hazmat](https://github.com/woodruffw/gha-hazmat) - GitHub Actions example.
- [CONVEX](https://github.com/Azure/CONVEX) - Azure CTF environment basic.
- [caponeme](https://github.com/avishayil/caponeme) - Capital One cloud security environment.
- [CNAPPgoat](https://github.com/ermetic-research/cnappgoat) - CNAPP vulnerable exercise environment.
- [TerraGoat (5toCode)](https://github.com/5toCode/github-terragoat) - Terraform vulnerable practice project.
- [GCP GOAT](https://github.com/JOSHUAJEBARAJ/GCP-GOAT) - GCP vulnerable environment practice project.
- [GCP CTF Workshop](https://github.com/n0jam/gcp-ctf-workshop) - BSides NY 2024 GCP vulnerable training environment.
- [EKS Goat](https://github.com/OWASP/www-project-eks-goat) - AWS EKS Security Lab and activity.
- [Kubernetes Infrastructure Pentest Lab](https://github.com/raesene/kube_security_lab) - Hands-on lab for Kubernetes infrastructure pentesting.
- [Scriptease](https://github.com/alexcolb/scriptease) - Vulnerable JavaScript SPA demonstrating client-side security flaws.
- [Security Labs & POCs](https://github.com/DataDog/security-labs-pocs) - Self-hostable cloud security vulnerable practice environment.
- [crAPI](https://owasp.org/www-project-crapi/) - OWASP crAPI intentionally vulnerable API for security practice.
### Online Challenges/Platforms
- [CloudFoxable](https://cloudfoxable.bishopfox.com/) - Cloud security challenge practice platform.
- [flAWS](http://flaws.cloud/) - AWS challenge.
- [flAWS2](http://flaws2.cloud/) - AWS/Serverless challenge.
- [Kubernetes Lan Party](https://k8slanparty.com/) - Kubernetes vulnerable / attack/defense CTF.
- [EKS Cluster Games](https://eksclustergames.com/) - EKS challenge.
- [Thunder CTF Cloud](https://thunder-ctf.cloud/) - GCP cloud security attack/defense practice platform.
- [AWS CTF Challenge](https://bigiamchallenge.com/) - Capture-the-flag challenges for AWS.
- [AWS Security Workshop](https://wellarchitectedlabs.com/security/) - Interactive workshop covering AWS security best practices.
- [Azure AD CTF Challenge](https://www.brokenazure.cloud/) - Capture-the-flag challenges for Azure AD.
- [Azure Infrastructure Workshop](https://github.com/mandiant/Azure_Workshop) - Interactive workshop covering Azure security best practices.
- [EntraGoat](https://github.com/Semperis/EntraGoat) - Deliberately vulnerable Microsoft Entra ID environment for identity security practice.
- [PwnedLabs](https://pwnedlabs.io/) - Cloud security online platform.
## Internal / Active Directory (AD) Labs
### Open Source (Self-Hosted)
- [GOAD (Game Of Active Directory)](https://github.com/Orange-Cyberdefense/GOAD) - Deployable AD attack/defense lab.
- [adlab](https://github.com/jckhmr/adlab) - Vagrant/Ansible AD lab.
- [Vulnerable-AD-Lab](https://github.com/M507/Vulnerable-AD-Lab) - Automated AD environment.
- [ad-training-lab](https://github.com/brmkit/ad-training-lab) - Proxmox automated AD training lab.
- [Vulnerable-Active-Directory-Lab](https://github.com/reatva/Vulnerable-Active-Directory-Lab) - OSCP AD lab.
- [ADCSGoat](https://github.com/jakehildreth/ADCSGoat) - AD CS vulnerability practice lab.
### Vulnerability Injection/Generators
- [vulnerable-AD](https://github.com/safebuffer/vulnerable-AD) - AD environment “vulnerable”.
- [VulnADLab-Framework](https://github.com/titus-sec/VulnADLab-Framework) - AD lab.
- [BadBlood](https://github.com/davidprowe/BadBlood) - Active Directory test data generator.
### Detection / Purple Team Labs
- [DetectionLab](https://github.com/clong/DetectionLab) - AD + lab.
- [DetectionLabELK](https://github.com/cyberdefenders/DetectionLabELK) - ELK DetectionLab.
- [Lab4PurpleSec](https://github.com/0xMR007/Lab4PurpleSec) - GOAD + DMZ lab.
- [PurpleCloud](https://github.com/iknowjason/PurpleCloud) - Cloud / lab.
## Systems / Binary / Reverse Engineering
### Open Source (Self-Hosted)
- [Metasploitable2](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/) - Vulnerable practice.
- [VulnStack (红日靶场)](http://vulnstack.qiyuanxuetang.net/vuln/) - Environment lab.
- [NETinVM](https://informatica.uv.es/~carlos/docencia/netinvm/) - Security training environment.
- [DVTA (Damn Vulnerable Thick Client App)](https://github.com/srini0x00/dvta) - C#/.NET vulnerability practice app.
- [BetaFast](https://github.com/NetSPI/BetaFast) - Vulnerable thick client applications used as examples in the Introduction to Hacking Desktop Applications blog series.
- [GRFICS](https://github.com/djformby/GRFICS) - Security platform.
- [GRFICSv2](https://github.com/Fortiphyd/GRFICSv2) - GRFICS lab environment.
- [GRFICSv3](https://github.com/mrideout/GRFICSv3) - GRFICS lab environment.
- [Metasploitable3](https://github.com/rapid7/metasploitable3) - Metasploitable vulnerable VM.
- [Vulnerable Kext](https://github.com/ant4g0nist/Vulnerable-Kext) - iOS/macOS vulnerable practice.
- [VuCSA](https://github.com/Warxim/vucsa) - Java / vulnerability practice app.
- [HEVD](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver) - Windows vulnerable practice.
- [Fuzzgoat](https://github.com/fuzzstati0n/fuzzgoat) - For C fuzzing practice.
- [Vulnserver](https://github.com/stephenbradshaw/vulnserver) - Vulnerable for practice.
- [Damn Vulnerable C Program](https://github.com/hardik05/Damn_Vulnerable_C_Program) - Common vulnerabilities example C program.
- [exploit_me](https://github.com/bkerler/exploit_me) - ARM/ARM64 vulnerable practice project.
### Online Challenges
- [Reversing.kr](http://reversing.kr/) - Reverse engineering online challenge platform.
- [Pwnable.kr](http://pwnable.kr/) - Vulnerable challenge platform.
- [Pwnable.tw](http://pwnable.tw/) - Pwn challenge platform.
- [PwnAdventure](https://pwnadventure.com) - Vulnerable online challenge.
- [Under the Wire](https://underthewire.tech/) - PowerShell challenge security training platform.
## IoT / Industrial Control / ICS Labs
### Open Source (Self-Hosted)
- [OWASP IoTGoat](https://github.com/OWASP/IoTGoat) - IoT vulnerability practice lab.
- [IoT-vulhub](https://github.com/Vu1nT0tal/IoT-vulhub) - IoT vulnerability reproduction environment, provides simulation Docker Compose.
- [FirmAE](https://github.com/pr0v3rbs/FirmAE) - Firmware emulation analysis tool.
- [BLE CTF](https://github.com/hackgnar/ble_ctf) - BLE security practice CTF project.
- [DVID (Damn Vulnerable IoT Device)](https://github.com/Vulcainreo/DVID) - IoT vulnerable project.
- [Damn-Vuln-IoT-SoC](https://github.com/damn-vuln-iot-soc/damn-vuln-iot-soc) - SoC vulnerable training platform.
- [ICSGoat](https://github.com/ine-labs/ICSGoat) - ICS/SCADA vulnerable exercise lab.
- [ICSSIM](https://github.com/AlirezaDehlaghi/ICSSIM) - ICS security simulation platform.
- [Digital Bond Basecamp](https://github.com/digitalbond/Basecamp) - PLC/ICS vulnerable exercise scripts collection.
- [ICS-SCADA Vulnerable Virtual Lab](https://github.com/TheWardonianEffect/ICS-SCADA-Vulnerable-Virtual-Lab) - SCADA vulnerable lab.
- [ICS Pentest Lab Example](https://github.com/yigitcantunay35/ICS_Pentest_Lab_Example) - ICS lab environment example.
- [DVRF](https://github.com/praetorian-inc/DVRF) - Vulnerable practice project.
- [Raspwn OS](https://github.com/alphacharlie/raspwn/) - Raspberry Pi.
### Online Platforms
- [ICS Range](https://www.icsrange.com/) - OT online training platform.
- [Cloud Range (OT/ICS)](https://www.cloudrangecyber.com/critical-infrastructure) - Basic security training platform.
- [Labshock](https://www.labshocksecurity.com/) - OT/ICS security platform.
- [Fortiphyd Logic](https://learn.fortiphyd.com/) - Security training platform.
## CTF / Online Challenge Platforms
### Open Source (CTF Platforms/Frameworks)
- [CTFd](https://github.com/isislab/CTFd) - CTF platform framework.
- [Mellivora](https://github.com/Nakiami/mellivora) - PHP CTF.
- [NightShade](https://github.com/UnrealAkama/NightShade) - CTF framework.
- [CTF Challenges (Probely)](https://github.com/Probely/CTF-Challenges) - Security CTF challenge set.
### Open Source (Challenge Sets/Datasets)
- [InterCode-CTF](https://intercode-benchmark.github.io/) - picoCTF challenge set with Web/PWN/reverse engineering challenges.
- [NYU CTF Bench](https://nyu-llm-ctf.github.io/) - CSAW 2017-2023 challenge set (200), introductory, including Web/PWN/reverse engineering.
- [CyBench](https://cybench.github.io/) - 40 challenges from HackTheBox, Sekai CTF, Glacier, and HKCert (2022-2024), with first solve time (FST).
- [pwn.college CTF Archive](https://github.com/pwncollege/ctf-archive) - Runnable CTF challenge set for research.
### Online Challenge Platforms (China)
- [NSSCTF](https://www.nssctf.cn/index) - CTF competition platform.
- [BUUCTF / BUUOJ](https://buuoj.cn/) - CTF platform.
- [CTFshow](https://ctf.show/) - Web/CTF practice platform.
- [CTFHub](https://www.ctfhub.com/#/index) - CTF training platform lab.
- [攻防世界(XCTF)](https://adworld.xctf.org.cn/home/index) - XCTF training competition platform.
- [Bugku](https://ctf.bugku.com/) - CTF challenge set competition platform.
- [看雪CTF](https://ctf.kanxue.com/) - Reverse engineering security challenge platform.
- [合天网安 CTF](https://www.hetianlab.com/) - Online CTF practice platform.
### Online Challenge Platforms (International)
- [Embedded Security CTF](https://microcorruption.com) - Security challenge platform.
- [EnigmaGroup](http://www.enigmagroup.org/) - Online security challenge platform.
- [Escape](http://escape.alf.nu/) - XSS challenge.
- [Hack The Box](https://www.hackthebox.com/) - Attack/defense VM challenge platform.
- [TryHackMe](https://tryhackme.com/) - Security training platform.
- [Hack This Site](http://www.hackthissite.org/) - Online challenge platform.
- [HackThis](http://www.hackthis.co.uk/) - Online security challenge platform.
- [Hack.me](https://hack.me) - Online vulnerable application challenge platform.
- [Hacking-Lab](https://www.hacking-lab.com) - Online security training platform.
- [Hacker Test](http://www.hackertest.net/) - Online security challenge platform.
- [Hax.Tor](http://hax.tor.hu/) - Security challenge.
- [OverTheWire](http://www.overthewire.org/wargames/) - Wargame.
- [Hack arrrg](https://hack.arrrg.de/) - Online security challenge platform.
- [Netgarage Wargame](https://io.netgarage.org/) - Wargame challenge.
- [Root Me](http://www.root-me.org/?lang=en) - Security challenge platform.
- [RootTheBox](https://github.com/moloch--/RootTheBox) - Practice platform for security challenges.
- [Smash The Stack](http://www.smashthestack.org/) - Wargame challenge platform.
- [TheBlackSheep and Erik](http://www.bright-shadows.net/) - Security challenge platform.
- [ThisIsLegal](http://thisislegal.com/) - Challenge.
- [Try2Hack](http://www.try2hack.nl/) - Security challenge.
- [XSS Challenges](http://xss-quiz.int21h.jp/) - XSS online challenge.
- [XSS Game](https://xss-game.appspot.com/) - XSS training.
- [XSS: ProgPHP](http://xss.progphp.com/) - XSS challenge.
- [alert(1) to win](https://alf.nu/) - XSS challenge platform.
- [PicoCTF](https://picoctf.com/) - CTF platform.
- [CTF Learn](http://ctflearn.com/) - Challenge set CTF platform.
- [w3challs](https://w3challs.com/) - Web security challenge platform.
- [WeChall](https://www.wechall.net/) - Wargame/challenge platform.
- [RingZer0 Team](https://ringzer0team.com/) - Online CTF platform.
- [HellBound Hackers](http://www.hellboundhackers.org/) - Challenge platform.
- [Komodo Consulting](http://ctf.komodosec.com) - Application security challenge.
- [pwn.college](https://pwn.college/) - Online training platform.
- [Webhacking.kr](https://webhacking.kr/) - Web security online challenge platform.
- [Hacker101 CTF](https://ctf.hacker101.com/) - HackerOne practice platform.
- [CMD Challenge](https://cmdchallenge.com/) - Challenge practice platform.
- [Exploit Education](https://exploit.education/) - Vulnerability practice platform.
- [The Cryptopals Crypto Challenges](https://cryptopals.com/) - Challenge.
- [CryptoHack](https://cryptohack.org/) - Practice platform.
- [247CTF](https://247ctf.com/) - Online CTF practice platform.
- [247CTF Dashboard](https://247ctf.com/dashboard) - 247CTF practice.
- [Lord of SQL Injection](https://los.rubiya.kr/) - SQL injection challenge platform.
- [HackMyVM](https://hackmyvm.eu/) - VM challenge platform.
## Security Vendor Demos / Vulnerable Sites
### Public Vendor Demos
- [Acunetix acuforum](https://testasp.vulnweb.com/) - Acunetix vulnerability demo.
- [Acunetix acublog](https://testaspnet.vulnweb.com/) - Acunetix vulnerability demo.
- [Acunetix acuart](https://testphp.vulnweb.com/) - Acunetix PHP vulnerability demo site.
- [Acunetix REST API](http://rest.vulnweb.com/) - REST API vulnerability demo site.
- [Acunetix SecurityTweets](http://testhtml5.vulnweb.com) - Acunetix HTML5 vulnerability demo site.
- [Fortify Zero Bank](http://zero.webappsecurity.com) - Fortify vulnerability demo.
- [Fortify IWA.NET](https://github.com/fortify/IWA-DotNet) - Fortify.NET vulnerable example application.
- [Fortify IWA.JAVA](https://github.com/fortify/IWA-Java) - Fortify Java vulnerable example application.
- [IBM altoromutual](http://demo.testfire.net/) - IBM vulnerability demo site.
- [Mavituna testsparker (ASP.NET)](http://aspnet.testsparker.com) - Netsparker vulnerability demo site (ASP.NET).
- [Mavituna testsparker (PHP)](http://php.testsparker.com) - Netsparker vulnerability demo site (PHP).
- [Mavituna testsparker (Angular)](http://angular.testsparker.com) - Netsparker vulnerability demo site (Angular).
## General Labs / Course-based Labs
### Open Source (Self-Hosted)
- [MCIR (Magical Code Injection Rainbow)](https://github.com/SpiderLabs/MCIR) - Vulnerable testbed framework.
- [CryptOMG](https://github.com/SpiderLabs/CryptOMG) - Vulnerable testbed.
- [SocengLab](https://github.com/dalpan/Pretexta) - Simulation training platform.
- [CiLocks](https://github.com/tegal1337/CiLocks) - Vulnerable practice project.
- [IHA089 Labs](https://github.com/IHA089/IHA089-LABS) - Common vulnerabilities (SQLi/XSS) practice lab collection.
- [OWASP Mantra](https://sourceforge.net/projects/getmantra/) - Security tool framework.
- [OWASP VulnCodeLab](https://owasp.org/www-project-vulncodelab/) - Security training platform.
- [OWASP SamuraiWTF](https://www.samuraiwtf.org/) - Web security training VM/toolkit.
- [OWASP SKF labs](https://github.com/blabla1337/skf-labs) - OWASP SKF Docker example.
- [Google Security Testbeds](https://github.com/google/security-testbeds) - Vulnerability scanning testbed resources collection.
- [DVXTE](https://github.com/davevs/dvxte) - Docker vulnerable application training environment.
- [Digital Forensics Lab](https://github.com/frankwxu/digital-forensics-lab) - Lab (training).
- [log-snare](https://github.com/sea-erkin/log-snare) - Log security analysis and detection practice project.
- [DamnVulnerableCryptoApp](https://github.com/DamnVulnerableCryptoApp/DamnVulnerableCryptoApp) - Security practice app.
### Code Review / Secure Coding Training
- [java-sec-code](https://github.com/JoyChou93/java-sec-code) - Java vulnerable security example.
- [Hello-Java-Sec](https://github.com/j3ers3/Hello-Java-Sec) - Java security learning vulnerable example.
- [JavaSecLab](https://github.com/whgojp/JavaSecLab) - Java vulnerable platform (vulnerable / example /SINK).
- [JavaVulnerableLab](https://github.com/CSPF-Founder/JavaVulnerableLab) - Java vulnerability practice platform.
- [Java Goof](https://github.com/snyk-labs/java-goof) - Java vulnerable application demo.
- [OWASP VulnerableApp](https://github.com/SasanLabs/VulnerableApp) - Java/Spring vulnerable training application.
- [python_security](https://github.com/gbleaney/python_security) - Python security API and exploitation examples.
- [Vulnerable Code Snippets](https://github.com/yeswehack/vulnerable-code-snippets) - Vulnerable code snippets (Docker practice).
- [VulnPlanet](https://github.com/yevh/VulnPlanet) - Includes vulnerable code (Web/API/IaC).
- [Vulnerable Codes](https://vulnerable.codes/) - Vulnerable practice platform.
### Online Labs / Course Platforms
- [Blue Team Labs Online](https://blueteamlabs.online/) - Blue team training platform.
- [Google Gruyere](http://google-gruyere.appspot.com/) - Web vulnerable learning demo platform.
- [Forensic Practical](http://www.forensickb.com/2008/01/forensic-practical.html) - Digital forensics practice and malware analysis resources.
- [Gh0st Lab](http://www.gh0st.net/) - Security challenge.
- [HackQuest](http://www.hackquest.com/) - Security learning resources.
- [Security Treasure Hunt](http://www.securitytreasurehunt.com/) - Challenge.
- [Maxkersten Binary Analysis](https://maxkersten.nl/binary-analysis-course/) - Course.
- [INE](https://ine.com/) - Security platform.
- [Hacksplaining](https://www.hacksplaining.com/) - Common vulnerabilities course.
- [Google Phishing Quiz](https://phishingquiz.withgoogle.com) - Online.
- [LabEx](https://labex.io/skilltrees/cybersecurity) - Online platform.
- [Arizona Cyber Warfare Range](http://azcwr.org/az-cyber-warfare-ranges) - Attack/defense training platform.
- [Hack The Box Academy](https://academy.hackthebox.com/) - HTB course platform.
- [Offensive Security Proving Grounds](https://www.offensive-security.com/labs/individual/) - Offensive Security training lab.
- [VulnHub](https://vulnhub.com/) - Download VM challenge collection.
- [PwnTillDawn Online Battlefield](https://online.pwntilldawn.com/) - Online training lab.
- [CyberDefenders](https://cyberdefenders.org/) - Training platform.
- [LetsDefend](https://letsdefend.io/) - SOC training platform.
- [RangeForce](https://www.rangeforce.com/) - Training platform.
- [Immersive Labs](https://www.immersivelabs.com/) - Security training platform.
### Commercial (Trial/Training Platforms)
- [春秋云境](https://yunjing.ichunqiu.com/) - Scenario training platform.
- [玄机靶场](https://xj.edisec.net/) - Online platform.
- [墨者学院靶场](https://www.mozhe.cn/bug) - Online lab course.
- [封神台](https://hack.zkaq.cn/battle) - Online attack/defense training platform.
- [东塔在线靶场](https://labs.do-ta.com/index/course/index) - Course-based online lab.
- [MS08067 实战型训练平台](http://bachang.ms08067.com) - Online training platform.
### Environment / Infrastructure Tools
- [Vagrant](https://www.vagrantup.com/) - Lab environment tool.
- [SmartOS](https://smartos.org/) - Open-source virtualization platform.
- [vSphere Hypervisor](https://www.vmware.com/products/vsphere-hypervisor/) - Platform.
- [GNS3](http://sourceforge.net/projects/gns-3/) - Tool.
- [XAMPP](https://www.apachefriends.org/index.html) - Local Web.
## Security Benchmarks / Datasets
### Benchmarks / Evaluation Suites
- [Kalm Benchmark](https://github.com/dynatrace-oss/Kalm-Benchmark) - Kubernetes security platform, includes.
- [OWASP BenchmarkJava](https://github.com/OWASP-Benchmark/BenchmarkJava) - OWASP, for vulnerable tool (runnable Java Web application).
- [OWASP BenchmarkUtils](https://github.com/OWASP-Benchmark/BenchmarkUtils) - OWASP Benchmark toolkit, provides tool.
- [OWASP BenchmarkPython](https://github.com/OWASP-Benchmark/BenchmarkPython) - Python tool OWASP Benchmark.
- [Open Prompt Injection](https://github.com/liu00222/Open-Prompt-Injection) - LLM Prompt Injection attack/defense.
- [PINT Benchmark](https://github.com/lakeraai/pint-benchmark) - Prompt Injection.
- [leaky-repo](https://github.com/Plazmaz/leaky-repo) - Secret leak scanning benchmark repository.
- [Terrabuck](https://github.com/SymbioticSec/terrabuck) - Security tool IaC collection.
- [javascript-cwe-codeql](https://github.com/StackOverflowIsBetterThanAnyAI/javascript-cwe-codeql) - For SAST JavaScript vulnerable.
- [ZagBench](https://github.com/Zag-Research/ZagBench) - Dynamic language benchmark suite.
- [python-benchmark-tasks](https://github.com/saiajith-muduthanapelli/python-benchmark-tasks) - Python collection.
## Legacy Software and Supporting Resources
### Vulnerability Archives and Legacy Downloads
- [Old Version](http://www.oldversion.com/) - Legacy software downloads.
- [Exploit-DB](https://www.exploit-db.com/) - Exploit and vulnerability database.
- [PortableApps](http://www.PortableApps.com/) - Repository.
### Indexes / Resource Lists
- [Hello CTF Quick Start](https://hello-ctf.com/hc-start/) - CTF/lab navigation.
- [CTFtime](https://ctftime.org/) - CTF platform.
- [Sploitcraft](https://github.com/R3DRUN3/sploitcraft) - Attack guides, demos, and PoC collection.
- [LLM Attacks](https://github.com/llm-attacks/llm-attacks) - LLM collection.
- [渊龙Sec Security Team Navigation](https://dh.aabyss.cn/) - Security resources navigation.
- [OWASP Vulnerable Web Applications Directory](https://owasp.org/www-project-vulnerable-web-applications-directory/) - OWASP vulnerable application directory.
- [Vulhub Official Site](https://vulhub.org) - Vulnerable environment collection.
- [WeChall Active Challenge Sites](https://www.wechall.net/active_sites) - CTF/challenge index.
- [CTF Sites Directory](https://ctfsites.github.io/) - Online CTF platform directory.
- [SudoNinjaBook Cloud Security Lab Directory](https://sudoninja.gitbook.io/sudoninjabook/security-area/cloud-security/vulnerable-cloud-labs) - Cloud security lab index.
- [Awesome Mobile CTF](https://github.com/xtiankisutsa/awesome-mobile-CTF) - Security lab/challenge set index.
- [Awesome Cloud Security Labs](https://github.com/iknowjason/Awesome-CloudSec-Labs) - Cloud security lab index.
- [Awesome DVA](https://github.com/rarecoil/awesome-dva) - Downloadable lab/VM index.
- [Awesome Damn Vulnerable Applications](https://github.com/yogikortisa/awesome-damn-vulnerable-applications) - DVA.
- [Awesome AI Security](https://github.com/ottosulin/awesome-ai-security) - AI security resources index.
- [Awesome LLMSecOps](https://github.com/wearetyomsmnv/Awesome-LLMSecOps) - LLM security platform.
## Inclusion Criteria
**Relevance:** Directly related to vulnerability learning, penetration testing practice, or attack/defense training (vulnerable-by-design or provides a practice environment).
**Availability:** Provide an accessible demo link or clear self-hosting instructions (docs/images/source).
**Completeness:** Include name, link, one-line description, and tags.
**Transparency:** Prefer indicating cost and delivery; omit if unknown.
**Tone:** Keep descriptions objective, neutral, and concise.
## Disclaimer
- This list is for security research and education only; test only with explicit authorization.
- For third-party online demos, follow their terms and avoid actions that impact availability.
- Maintainers and contributors are not responsible for misuse.
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md).