This is the VM for the Open Web Application Security Project (OWASP) Broken Web Applications project. It contains many, very vulnerable web applications, which are listed below. More information about this project can be found in the project User Guide and Home Page.

For details about the known vulnerabilities in these applications, see

!!! This VM has many serious security issues. We strongly recommend that you run it only on the "host only" or "NAT" network in the virtual machine settings !!!

Training Applications

OWASP ESAPI Java SwingSet Interactive OWASP Mutillidae II
OWASP RailsGoat OWASP Bricks
OWASP Security Shepherd Ghost
Magical Code Injection Rainbow bWAPP
Damn Vulnerable Web Application

Realistic, Intentionally Vulnerable Applications

OWASP Vicnum OWASP 1-Liner
Google Gruyere Hackxor
WackoPicko BodgeIt
Cyclone Peruggia

Old (Vulnerable) Versions of Real Applications

WordPress OrangeHRM
Yazd WebCalendar
Gallery2 Tiki Wiki
Joomla AWStats

Applications for Testing Tools


Demonstration Pages/Small Applications

OWASP CSRFGuard Test Application Mandiant Struts Forms
Simple ASP.NET Forms Simple Form with DOM Cross Site Scripting

OWASP Demonstration Application

OWASP AppSensor Demo Application

Vulnerabilities in Applications

For information about the known vulnerabilities in these applications (or to submit some), visit

For More Information

For more information about the specific versions of applications running and how to adminsiter this VM, see

Call for Feedback

If you encounter a problem with this VM (including with any of the installed applications), please submit an issue report on Google Code at

This project is sponsored by Mandiant, a FireEye Company