| Domain | URL | Environment / Project | Technologies | Vulnerabilities / Scenarios |
|---|---|---|---|---|
| public-firing-range.appspot.com | https://public-firing-range.appspot.com/ | Google Firing Range | Google App Engine | Address XSS, Angular XSS, bad JavaScript imports, clickjacking, CORS issues, DOM XSS, escaped XSS, Flash injection, leaked HttpOnly cookie, mixed content, redirect XSS, reflected XSS, remote inclusion XSS, reverse clickjacking, HSTS tests, tag-based XSS, URL-based DOM XSS, vulnerable libraries, insecure third-party scripts |
| pentest-ground.com:81 | https://pentest-ground.com:81/ | GuardianLeaks | Web App | XSS, SSRF, Code Injection |
| pentest-ground.com:4280 | https://pentest-ground.com:4280/ | Damn Vulnerable Web Application | Classic Web App | CSRF, XSS, SQLi |
| pentest-ground.com:5013 | https://pentest-ground.com:5013/ | Damn Vulnerable GraphQL Application | GraphQL | Command Injection, XSS, SQLi |
| pentest-ground.com:7001 | https://pentest-ground.com:7001/console/login/LoginForm.jsp | ShadowLogic | WebLogic | CVE-2023-21839, Remote Code Execution |
| pentest-ground.com:9000 | https://pentest-ground.com:9000/ | RestFlaw | REST API | SQLi, Code Injection, XXE |
| vulnweb.rootbrain.com | http://vulnweb.rootbrain.com/ | Rootbrain VulnWeb target | N.A. | N.A. |
| demo.testfire.net | https://demo.testfire.net/ | Altoro Mutual / AltoroJ demo banking app | Java/JSP, REST API, Swagger | Web application vulnerabilities, login testing, search testing, feedback testing, parameter-based content loading, REST API testing |
| angular.testinvicti.com | http://angular.testinvicti.com/ | SPA Angular - TestInvicti | Ubuntu, Apache, PHP, Angular 5, MySQL, jQuery, Bootstrap, Select2 | XSS, DOM XSS, injection, client-side routing and API/backend testing |
| graphql.testinvicti.com | http://graphql.testinvicti.com/ | GraphQL - TestInvicti | Ubuntu 22.04, NodeJS, GraphQL, React | GraphQL query/mutation testing, schema discovery, resolver injection, authentication and authorization testing, XSS |
| vulnapi.testinvicti.com | http://vulnapi.testinvicti.com/ | Invicti Vulnerable API | Ubuntu, NodeJS, Swagger, SQLite, Bootstrap | OWASP API Security Top 10 2023, static bearer tokens, API authentication testing, API authorization testing |
| php.testsparker.com | http://php.testsparker.com/ | Invicti / Netsparker PHP test site | Apache 2.2.8, Windows, PHP 5.2.6 | SQL Injection, XSS, local file inclusion, remote file inclusion |
| rest.vulnweb.com | http://rest.vulnweb.com/ | Invicti Vulnerable REST API | Ubuntu 18, Apache, PHP 7.1, MySQL, JSON, XML, JWT, Basic Auth, OAuth2, Swagger/OpenAPI, Postman, Fiddler | REST API testing, authentication testing, authorization testing, input validation, injection, JSON/XML parsing |
| testasp.vulnweb.com | http://testasp.vulnweb.com/ | Acunetix AcuForum | Classic ASP | SQL Injection, directory traversal, web-based attacks |
| testaspnet.vulnweb.com | http://testaspnet.vulnweb.com/ | Acunetix AcuBlog | ASP.NET, C#, ViewState, EventValidation | SQL Injection, XSS, login testing, signup testing, comment testing, RSS testing |
| testhtml5.vulnweb.com | http://testhtml5.vulnweb.com | Acunetix HTML5 test site | HTML5 | N.A. |
| testphp.vulnweb.com | http://testphp.vulnweb.com/ | Acunetix PHP test site | PHP, MySQL | SQL Injection, XSS, web application vulnerabilities |
| zero.webappsecurity.com | http://zero.webappsecurity.com/ | Zero Bank / Micro Focus Fortify WebInspect demo | HTML, JavaScript, Bootstrap, jQuery 1.8.2 | Web application vulnerabilities, login testing, search testing, feedback testing, online banking workflow testing |
Created June 10, 2026 10:15
Updated list of vulnerable test websites