10 Sites to Find Vulnerable VMs for Testing

Below is my list of old VirtualBox appliances and intentionally vulnerable virtual machines (VMs) that you can use to develop your security assessment and audit skills. Never expose these VMs (or any vulnerable VM) to an untrusted network: use NAT or host-only mode. NAT still gives the VM outbound access through the host, so host-only (or an internal network) is the safer choice whenever the VM does not need to reach the internet. Download and use at your own risk (Disclaimer).
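The isolation rule above, as an added example that is not part of the original post: a POSIX shell function that parses the output of `VBoxManage showvminfo "<vm>" --machinereadable` and refuses to approve any VM whose adapters are not all on an isolated attachment mode (NAT, host-only, internal network, or none), plus a helper that builds the `VBoxManage modifyvm` command that moves an offending adapter onto a host-only interface. The `showvminfo` text and the VM name `metasploitable2` are constructed for the example, and the host-only adapter name `vboxnet0` is an assumption (it is the default on Linux hosts and is created with `VBoxManage hostonlyif create`).

```shell
#!/bin/sh
# Audit a VirtualBox VM's network adapters before booting an intentionally
# vulnerable image. Input is the text printed by:
#   VBoxManage showvminfo "<vm>" --machinereadable
# which contains one line per adapter such as nic1="nat" or nic1="bridged".

# Isolated attachment modes: NAT (outbound only, via the host), host-only,
# internal network, or no adapter. Bridged and generic attachments put the VM
# on the physical LAN; this conservative allow-list also rejects natnetwork.
ALLOWED_NIC_MODES='nat|hostonly|intnet|none'

# check_vm_nics "<showvminfo text>"
# Prints every nicN= line whose mode is not in ALLOWED_NIC_MODES and returns 1;
# returns 0 (printing nothing) when all adapters are isolated.
check_vm_nics() {
    bad=$(printf '%s\n' "$1" \
        | grep -E '^nic[0-9]+="' \
        | grep -Ev "^nic[0-9]+=\"(${ALLOWED_NIC_MODES})\"\$" || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_nic_cmd "<vm name>" "<nic index>"
# Builds the VBoxManage command that moves that adapter onto the host-only
# interface vboxnet0 (assumed to exist; `VBoxManage hostonlyif create` makes it).
fix_nic_cmd() {
    printf 'VBoxManage modifyvm "%s" --nic%s hostonly --hostonlyadapter%s vboxnet0\n' \
        "$1" "$2" "$2"
}

# Constructed sample output (not captured from a real VM) for a VM named
# metasploitable2: one safe configuration and one that is bridged to the LAN.
SAMPLE_SAFE='name="metasploitable2"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"'

SAMPLE_UNSAFE='name="metasploitable2"
nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"'

# Stand-alone demonstration against the constructed samples.
if check_vm_nics "$SAMPLE_SAFE" >/dev/null; then
    echo "safe sample: all adapters isolated, OK to start"
fi
if ! check_vm_nics "$SAMPLE_UNSAFE" >/dev/null; then
    echo "unsafe sample: do not start; remediate with:"
    # $bad is newline-separated nicN="mode" lines set by check_vm_nics
    for line in $bad; do
        idx=${line%%=*}; idx=${idx#nic}
        fix_nic_cmd metasploitable2 "$idx"
    done
fi
```

To use it against a real VM, feed the function live output, e.g. `check_vm_nics "$(VBoxManage showvminfo "$vm" --machinereadable)"`, and run the printed `modifyvm` command only while the VM is powered off.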

Damn Vulnerable Web Application (DVWA)

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its primary goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment. (See https://github.com/ethicalhack3r/DVWA).

Download Damn Vulnerable Web Application (DVWA) here: http://www.dvwa.co.uk/

De-ICE

De-ICE provides eight separate ISOs for testing.

Download De-ICE images here: https://www.vulnhub.com/series/de-ice,2/#

Google Gruyere

This codelab is built around Gruyere /ɡruːˈjɛər/ – a small, cheesy web application that allows its users to publish snippets of text and store assorted files. “Unfortunately,” Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.

Google Gruyere runs as a hosted sandbox (the codelab also provides the source for running it locally); start here: http://google-gruyere.appspot.com/

Mutillidae

Mutillidae is a free, open-source web application provided to allow security enthusiasts to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to install or administer their own web server. It is already installed on Samurai WTF.

Mutillidae has been tested/attacked with Cenzic Hailstorm ARC, W3AF, SQLMAP, Samurai WTF, Backtrack, HP WebInspect, Burp Suite, NetSparker Community Edition, and other tools. If you would like to practice pen-testing/hacking a web application by exploiting cross-site scripting, SQL injection, response splitting, HTML injection, JavaScript injection, clickjacking, cross-frame scripting, form caching, authentication bypass, or many other vulnerabilities, then Mutillidae is for you. (See http://www.irongeek.com/i.php?page=mutillidae/)

Rapid 7

Metasploitable 2

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

Download Metasploitable 2 here: https://information.rapid7.com/metasploitable-download.html

Metasploitable 3

Metasploitable3 is a VM that is built from the ground up with a large number of security vulnerabilities. You can use it to test vulnerabilities in a realistic but also controllable and safe environment.

Download Metasploitable 3 here: https://github.com/rapid7/metasploitable3

Ubuntu ISOs

Download old Ubuntu ISOs here: http://old-releases.ubuntu.com/releases/8.04.0/

VirtualBox Virtual Appliances

In its day, VirtualBoxImages.com claimed to be the world's leading source for pre-installed VirtualBox virtual computers. It is the mother lode of old VirtualBox virtualization software and VDI images: old pre-installed VDI images of open-source operating system distributions, ready for you to explore and play with, including VDI downloads of many popular Linux distributions. VirtualBox runs on SunOS, OpenSolaris, Mac OS X, Windows, OS/2 and Linux. It's a computer inside your computer.

Vulnerable By Design

Vulnerable By Design offers hundreds of vulnerable VMs.

Download Vulnerable By Design VMs here: https://www.vulnhub.com/

OWASP Broken Web Applications Project

OWASP Broken Web Applications Project is a collection of vulnerable web applications distributed on a virtual machine. The project is sponsored in part by Mandiant and is free to use. Any custom code or modifications are GPLv2, but this does not override the license of each software package the project incorporates. All software is open source. You can use it to test web applications in a realistic but also controllable and safe environment.

Download OWASP Broken Web Applications Project here: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

OWASP Hackademic Challenges

The OWASP Hackademic Challenges Project helps you test your knowledge of web application security. You can use it to test web applications in a realistic but also controllable and safe environment.

Download OWASP Hackademic Challenges here: https://code.google.com/archive/p/owasp-hackademic-challenges/downloads

OWASP WebGoat Project

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

Download OWASP WebGoat Project here: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project


WackoPicko

WackoPicko is a vulnerable web application used to test web application vulnerability scanners.

Download WackoPicko here: https://github.com/adamdoupe/WackoPicko

Old Apps

OldApps.com and OldVersion.com do not offer VMs, but they are two sites where you can find old application versions for testing:

Download OLDApps here: http://www.oldapps.com/

Download OldVersion here: http://www.oldversion.com/

About the Author

David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master's degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver, Colorado, designated as a National Center of Academic Excellence in Information Assurance Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations including ISSA, OWASP and CSA, among others.


