# Labs

{% embed url="<https://owasp.org/www-project-vulnerable-web-applications-directory/>" %}

Online:&#x20;

* [OWASP Juice Shop](https://juice-shop.herokuapp.com/#/search)
* [Home of Acunetix Art](http://testphp.vulnweb.com/)
* [Firing Range](https://public-firing-range.appspot.com/)
* [XSS game](https://xss-game.appspot.com/)
* [Web Application Exploits and Defenses](https://google-gruyere.appspot.com/)
* [Hackazon](http://hackazon.webscantest.com/)

Offline&#x20;

* <https://github.com/appsecco/dvna>
* [bWAPP, or a buggy web application](http://www.itsecgames.com/)
* [Bricks is a web application security learning platform built on PHP and MySQL](https://sechow.com/bricks/index.html)
* [eoftedal/deserialize: Vulnerable Spring MVC API](https://github.com/eoftedal/deserialize)
* [DVWA - Damn Vulnerable Web Application](http://www.dvwa.co.uk/)
* [snoopysecurity/dvws: Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.](https://github.com/snoopysecurity/dvws)
* [secvulture/dvta: Damn Vulnerable Thick Client App](https://github.com/secvulture/dvta)
* [interference-security/DVWS: OWSAP Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication.](https://github.com/interference-security/DVWS)
* [OWASP/NodeGoat: The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.](https://github.com/OWASP/NodeGoat)
* [OWASP/railsgoat: A vulnerable version of Rails that follows the OWASP Top 10](https://github.com/OWASP/railsgoat)
* [sqlmapproject/testenv: A collection of web pages vulnerable to SQL injection flaws](https://github.com/sqlmapproject/testenv)
* [Audi-1/sqli-labs: SQLI labs to test error based, Blind boolean based, Time based.](https://github.com/Audi-1/sqli-labs)
* [WebGoat/WebGoat: WebGoat 8.0](https://github.com/WebGoat/WebGoat)
* [s4n7h0/xvwa: XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.](https://github.com/s4n7h0/xvwa)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://evanluke.gitbook.io/appsec/labs.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.