http://hackyourselffirst.troyhunt.com/

Now that it's all JSON, shall we switch to a single file? https://github.com/OWASP/OWASP-VWAD/tree/master/src/owasp-wiki

Adding a type(s) array as an element?

  "types": ["online","offline","vm-iso"]

Or, having multiple entries if a project is available as multiple type(s)?

http://racetheweb.io/bank

https://github.com/insp3ctre/race-the-web

• https://mobile.twitter.com/DVSAowasp/status/1078008081177559042
• http://serverless.fail

Should add Ticket Magpie from @thetestdoctor [Dan Billing]

https://github.com/dhatanian/ticketmagpie

I will probably tackle this myself, just wanted to make sure I didn't lose track of the details.

https://github.com/omerlh/insecure-deserialisation-net-poc

https://github.com/cr0hn/vulnerable-node

https://github.com/SpiderLabs/MCIR

Announcement: https://twitter.com/digininja/status/1126769952512327681
Docs: https://digi.ninja/projects/authlab.php
Source: https://github.com/digininja/authlab
Live: https://authlab.digi.ninja/

A learning demo example of a vulnerable Ruby on Rails application found in the wild. It leaks cloud API keys through a vulnerable middleware component. Docker container support as well as build instructions.

Link: https://github.com/iknowjason/hammer

See: https://github.com/CSPF-Founder/JavaVulnerableLab/

Add Vulnerable OTP App
https://github.com/mddanish/Vulnerable-OTP-Application

Would anyone mind if I change the References property to an Array?

My proposal is to change

"References": "https://github.com/bkimminich/juice-shop https://hub.docker.com/r/bkimminich/juice-shop/ https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop"

into

"References": [
  "https://github.com/bkimminich/juice-shop",
  "https://hub.docker.com/r/bkimminich/juice-shop/",
  "https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop"
]

Furthermore, right now JSON would suffer from information loss compared with the TSV format, as it does not have the link labels at the moment. So, we might go one step further and make it

"References": [
  {"Name": "download", "URL": "https://github.com/bkimminich/juice-shop"},
  {"Name": "docker", "URL": "https://hub.docker.com/r/bkimminich/juice-shop/"},
  {"Name": "guide", "URL": "https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop"}
]

https://github.com/red-and-black/DjangoGoat

When browsing https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project the Interview with Simon Bennetts – The OWASP Web Applications Vulnerability Project http://www.trustedsoftwarealliance.com/ returns "Error establishing a database connection".

Add Damn Small Vulnerable Web:
https://github.com/stamparm/DSVW

Tech: Python

Damn Small Vulnerable Web (DSVW) is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports majority of (most popular) web application vulnerabilities together with appropriate attacks.

https://github.com/satishpatnayak/AndroGoat

As OWASP has many mobile related projects by now, giving mobile vuln apps their own category in here seems reasonable, doesn't it?

As a fallback it could be added to "Offline" first and we only add a new "Mobile" category once we find a couple more candidates.

https://github.com/OWASP/OWASP-VWAD/blob/master/src/offline.tsv#L2

Should be updated to point to Github: https://github.com/psiinon/bodgeit

Add Deliberately Insecure Web Application (DIWA):
https://github.com/snsttr/diwa

PHP

https://mobile.twitter.com/abhaybhargav/status/1083032632332562432

https://github.com/anxolerd/dvpwa

https://github.com/playframework/play-webgoat

Java and Scala: https://www.playframework.com

• Indicate that the data and scripts are currently moving from tsv to json.
• Update the tsv paths.

Edit: see: #27

https://github.com/ScaleSec/vulnado

Purposely vulnerable Java application to help lead secure coding workshops

Suggestion - how about we move the 'db' off https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project#tab=Off-Line_apps and instead host it on github pages.
The OWASP page would then just point to those pages.
Advantages - we'd just need to maintain one format and only need to support editing via PRs rather than also having to support direct media wiki editing.

As an occasional editor of the VWAD
I want to be able to edit in the GitHub web interface
and after checkout in a tool as simple as a text editor
so that the file format is not regularly broken after even the simplest change.

TSV is not exactly a file format that would make this user story possible... 😈

By Rapid7 appspider: http://www.webscantest.com

https://github.com/bkimminich/juice-shop

Refs:

• Write-up: https://medium.com/@rzepsky/playing-with-cloudgoat-part-1-hacking-aws-ec2-service-for-privilege-escalation-4c42cc83f9da
• Author Announcement: https://rhinosecuritylabs.com/aws/cloudgoat-vulnerable-design-aws-environment/
• Source: https://github.com/RhinoSecurityLabs/cloudgoat

https://hub.docker.com/r/deadrobots/pixi/

https://www.slideshare.net/TanyaJanca/api-and-web-service-hacking-with-pixi-part-of-owasp-devslop

MEAN stack.

A learning demo example of a vulnerable Ruby on Rails application found in the wild. It leaks cloud API keys through a vulnerable middleware component. Docker container support as well as build instructions.

Link: https://github.com/iknowjason/hammer

Maybe add https://www.hackthis.co.uk/, also on Github https://github.com/HackThis/hackthis.co.uk

https://www.owasp.org/index.php/OWASP_Serverless_Goat

https://github.com/LunaM00n/File-Upload-Lab

• https://www.hackthebox.eu/
• https://pentesterlab.com/

Both excellent training grounds.

Per discussion elsewhere, ensure all of these are covered/added:
https://www.bonkersabouttech.com/security/40-intentionally-vulnerable-websites-to-practice-your-hacking-skills/392

These are likely errors that crept in during the tsv > json conversion.

https://github.com/OWASP/OWASP-VWAD/blob/master/src/owasp-wiki/offline.json#L13
Should list Simon Bennetts (psiinon) as author.

https://github.com/OWASP/OWASP-VWAD/blob/master/src/owasp-wiki/offline.json#L26
Remove trailing space in references content.

https://github.com/OWASP/OWASP-VWAD/blob/master/src/owasp-wiki/offline.json#L37-L41
Name should be moved from URL to name element. Current name entry should move to technology element.

https://github.com/OWASP/OWASP-VWAD/blob/master/src/owasp-wiki/offline.json#L72
Remove trailing space in name element.

https://github.com/OWASP/OWASP-VWAD/blob/master/src/owasp-wiki/offline.json#L86
Remove trailing space in name element. (All Hacme entries in fact)

https://github.com/OWASP/OWASP-VWAD/blob/master/src/owasp-wiki/offline.json#L142
Remove trailing space in name element.

https://github.com/OWASP/OWASP-VWAD/blob/master/src/owasp-wiki/offline.json#L149
Remove trailing space in name element.

https://github.com/OWASP/OWASP-VWAD/blob/master/src/owasp-wiki/offline.json#L158
Move references element content to author element.

https://github.com/OWASP/OWASP-VWAD/blob/master/src/owasp-wiki/offline.json#L239-L243
Add missing notes element. Remove trailing space in references content.

https://github.com/OWASP/OWASP-VWAD/blob/master/src/owasp-wiki/offline.json#L248
Remove trailing space in references content.

Add Damn Vulnerable Stateful Webapp: https://github.com/silentsignal/damn-vulnerable-stateful-web-app

Hackazon is under the Off-Line category. Add these extra links:

https://github.com/rapid7/hackazon/blob/master/REST.md
https://medium.com/faun/automating-authenticated-api-vulnerability-scanning-with-owasp-zap-eaddba0c2e94
https://github.com/tahmed11/OWASP_ZAP_API_scripts

https://github.com/lucideus-repo/UnSAFE_Bank

See: https://github.com/SpiderLabs/CryptOMG

Supplemental mention: https://isc.sans.edu/forums/diary/Modern+Web+Application+Penetration+Testing+Hash+Length+Extension+Attacks/22792/

When browsing https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project clicking the Open Hub URL https://www.openhub.net/p/OWASP-VWAD results in "Something seems wrong with your URL".

Per OWASP Slack:

@kingthorin_rm there’s two versions of WebGoat.NET - jerryhoff hasn’t been updated since 2014, but there is also one that’s 2018 - https://github.com/rapPayne/WebGoat.Net

Entry should probably be updated something like:

	{
		"url": "https://github.com/rapPayne/WebGoat.Net",
		"name": ".NET Goat",
		"technology": [
			"C#"
		],
		"references": [
			{
				"name": "download",
				"url": "https://github.com/rapPayne/WebGoat.Net"
			},
			{
				"name": "download",
				"url": "http://github.com/jerryhoff/WebGoat.NET"
			}
		],
		"author": "OWASP",
		"notes": null
	}

Vulnerable XSLT Console Application

Category:
Offline

URL:
https://github.com/ctxis/VulnerableXsltConsoleApplication

Author:
Context IS

References:
Documentation
https://www.contextis.com/us/blog/xslt-server-side-injection-attacks

Technologies:
.NET

https://digi.ninja/projects/nosqli_lab.php

Mention: https://mobile.twitter.com/yogisec/status/1128419097790824448
Source: https://github.com/yogisec/VulnerableSAMLApp

https://github.com/cschneider4711/Marathon

Vulnerable demo application

Reminder to add https://github.com/mattvaldes/vulnerable-api by @mattvaldes.

With the new Jekyll-powered OWASP website it should be easy to dynamically parse the JSON data sets and render each in its own tab on https://owasp.org/www-project-vulnerable-web-applications-directory.

Tasks

• Find out if Jekyll can load JSON from this repo into www-project-vulnerable-web-applications-directory
  • If not, either move the files over (effectively sunsetting this repo with all its ⭐️s...) or
  • Implement an automatic copy job e.g. via Travis-CI or GH-Actions
• Add a tab per category and dynamically create a table on each from the JSON data

https://github.com/payatu/Tiredful-API