@Balzabu
Created June 10, 2026 10:15

Updated list of vulnerable test websites

Vulnerable Test Websites

| Domain | URL | Environment / Project | Technologies | Vulnerabilities / Scenarios |
| --- | --- | --- | --- | --- |
| public-firing-range.appspot.com | https://public-firing-range.appspot.com/ | Google Firing Range | Google App Engine | Address XSS, Angular XSS, bad JavaScript imports, clickjacking, CORS issues, DOM XSS, escaped XSS, Flash injection, leaked HttpOnly cookie, mixed content, redirect XSS, reflected XSS, remote inclusion XSS, reverse clickjacking, HSTS tests, tag-based XSS, URL-based DOM XSS, vulnerable libraries, insecure third-party scripts |
| pentest-ground.com:81 | https://pentest-ground.com:81/ | GuardianLeaks | Web App | XSS, SSRF, Code Injection |
| pentest-ground.com:4280 | https://pentest-ground.com:4280/ | Damn Vulnerable Web Application | Classic Web App | CSRF, XSS, SQLi |
| pentest-ground.com:5013 | https://pentest-ground.com:5013/ | Damn Vulnerable GraphQL Application | GraphQL | Command Injection, XSS, SQLi |
| pentest-ground.com:7001 | https://pentest-ground.com:7001/console/login/LoginForm.jsp | ShadowLogic | WebLogic | CVE-2023-21839, Remote Code Execution |
| pentest-ground.com:9000 | https://pentest-ground.com:9000/ | RestFlaw | REST API | SQLi, Code Injection, XXE |
| vulnweb.rootbrain.com | http://vulnweb.rootbrain.com/ | Rootbrain VulnWeb target | N.A. | N.A. |
| demo.testfire.net | https://demo.testfire.net/ | Altoro Mutual / AltoroJ demo banking app | Java/JSP, REST API, Swagger | Web application vulnerabilities, login testing, search testing, feedback testing, parameter-based content loading, REST API testing |
| angular.testinvicti.com | http://angular.testinvicti.com/ | SPA Angular - TestInvicti | Ubuntu, Apache, PHP, Angular 5, MySQL, jQuery, Bootstrap, Select2 | XSS, DOM XSS, injection, client-side routing and API/backend testing |
| graphql.testinvicti.com | http://graphql.testinvicti.com/ | GraphQL - TestInvicti | Ubuntu 22.04, NodeJS, GraphQL, React | GraphQL query/mutation testing, schema discovery, resolver injection, authentication and authorization testing, XSS |
| vulnapi.testinvicti.com | http://vulnapi.testinvicti.com/ | Invicti Vulnerable API | Ubuntu, NodeJS, Swagger, SQLite, Bootstrap | OWASP API Security Top 10 2023, static bearer tokens, API authentication testing, API authorization testing |
| php.testsparker.com | http://php.testsparker.com/ | Invicti / NetSparker PHP test site | Apache 2.2.8, Windows, PHP 5.2.6 | SQL Injection, XSS, local file inclusion, remote file inclusion |
| rest.vulnweb.com | http://rest.vulnweb.com/ | Invicti Vulnerable REST API | Ubuntu 18, Apache, PHP 7.1, MySQL, JSON, XML, JWT, Basic Auth, OAuth2, Swagger/OpenAPI, Postman, Fiddler | REST API testing, authentication testing, authorization testing, input validation, injection, JSON/XML parsing |
| testasp.vulnweb.com | http://testasp.vulnweb.com/ | Acunetix AcuForum | Classic ASP | SQL Injection, directory traversal, web-based attacks |
| testaspnet.vulnweb.com | http://testaspnet.vulnweb.com/ | Acunetix AcuBlog | ASP.NET, C#, ViewState, EventValidation | SQL Injection, XSS, login testing, signup testing, comment testing, RSS testing |
| testhtml5.vulnweb.com | http://testhtml5.vulnweb.com | Acunetix HTML5 test site | HTML5 | N.A. |
| testphp.vulnweb.com | http://testphp.vulnweb.com/ | Acunetix PHP test site | PHP, MySQL | SQL Injection, XSS, web application vulnerabilities |
| zero.webappsecurity.com | http://zero.webappsecurity.com/ | Zero Bank / Micro Focus Fortify WebInspect demo | HTML, JavaScript, Bootstrap, jQuery 1.8.2 | Web application vulnerabilities, login testing, search testing, feedback testing, online banking workflow testing |