OWASP Broken Web Applications

OWASP Broken Web Applications is a collection of vulnerable web applications that is distributed as VMware virtual machine. Vulnerable applications off different kinds are packed and configured as ready to run. Most of the applications uses Java, PHP, Javascript and HTML languages.

Features
OWASP Broken Web Applications includes vulnerable open source web applications of different types as a VMWare package. Being VMWare package, users can download, extract and run the application easily. The latest version of OWASP BWA has following applications:
 * Training applications
 * OWASP WebGoat
 * OWASP WebGoat.NET
 * OWASP ESAPI Java SwingSet
 * Mutillidae
 * Damn Vulnerable Web Application
 * Ghost
 * Realistic, intentionally vulnerable applications
 * OWASP Vicnum
 * Peruggia
 * Google Gruyere
 * Hackxor
 * WackoPicko
 * BodgeIt
 * Old Versions of some web applications that are vulnerable
 * WordPress
 * myGallery
 * Spreadsheet
 * OrangeHRM
 * GetBoo
 * gtd-php
 * Yazd
 * WebCalendar
 * Gallery2
 * TikiWiki
 * Joomla
 * AWStats
 * Applications for testing tools
 * OWASP ZAP-WAVE
 * WAVSEP
 * WIVET
 * Demonstration pages and applications
 * OWASP CSRFGuard Test Application
 * Mandiant Struts Forms
 * Simple ASP.NET Forms
 * Simple Form with DOM Cross Site Scripting
 * OWASP AppSensor Demo Application