- Damn vulnerable web application – a vulnerable PHP/MySQL web application.
- Multillidae – a free and open source web application developed by Irongeek and webpwnized.
- SQLol – a configured SQLi test bed.
- Hackxor – a web application hacking game developed by albino.
- The Bodgelt Store – an open source and vulnerable web application which requires Java and a servlet engine (e.g. Tomcat).
- Exploit KB / exploit.co.li vulnerable web application – a vulnerable web application designed as a learning platform to test various SQLi.
- WackoPicko – a vulnerable web application written by Adam Doupe.
- WebGoat – a deliberately insecure J2EE web application developed by OWASP.
- OWASP Hackademic Challenges Project – another OWASP project that helps you test your knowledge on web application security.
- XSSeducation – a set of XSS attack challenges for people to learn about XSS.
Source: PenTest laboratory