OWASP VulnerableApp is a modular deliberately vulnerable application designed primarily for validating and benchmarking security scanners through reproducible test scenarios, while also supporting learning and experimentation.
Unlike traditional vulnerable applications, VulnerableApp is designed as a testable security ecosystem, not a static training app.

Most vulnerable apps are: - Static - Hard to extend - Designed only for manual learning
automation, reproducibility, and evolution

There are 2 ways to run the project:
1. The simplest way to run the project is using Docker containers which will run the full-fleged VulnerableApplication with all the components. For running as Docker application, follow following steps:
1. Download and Install Docker Compose
2. Clone this Github repository
3. Open the terminal and Navigate to the Project root directory
4. Run the command docker-compose pull && docker-compose up
5. Navigate to browser and visit http://localhost and this will give the User Interface for VulnerableApp.
6. Mailpit is also available at http://localhost:8025 for viewing emails captured by the local SMTP server.
**Note**: The above steps will run the latest unreleased VulnerableApp version. If you want to run the latest released version, please use docker **latest** tag.
java -jar VulnerableApp-*http://localhost:9090/VulnerableApp. This will give the Legacy User Interface for the VulnerableApp.There are 2 ways in which this project can be built and used:
1. As a Docker application which will help in running the full-fledged VulnerableApplication. For running as Docker application, follow following steps:
1. Build the docker image by running ./gradlew jibDockerBuild
2. Download Docker-Compose and run in the same directory docker-compose up
3. Navigate to browser and visit http://localhost and this will give the User Interface for VulnerableApp.
2. As a SpringBoot application which will run with the Legacy UI or Rest API but gives the benefit of debugging and solving issues. This is the simple way,
1. Import the project into your favorite IDE and run it
2. Navigate to browser and visit: http://localhost:9090/VulnerableApp and this will give the Legacy User Interface for VulnerableApp which you can use to debug and test.
There are multiple ways in which you can contribute to the project:
1. If you are a developer and trying to start on to the project, then the suggestion is to go through the list of issues which contains good first issue which can be a good starter.
2. If you are a developer or a security professional looking to add new Vulnerability type then you can Generate the Sample Vulnerability by running ./gradlew GenerateSampleVulnerability. It will generate the Sample Vulnerability template which has placeholders and comments. Modified files can be seen in the logs of the command or in the github history. You can navigate to those files, fill in the placeholders and then build the project to see the effect of the changes.
3. In case you are looking to contribute to the project by publicising it or working on the growth of the project, please feel free to add your thoughts to discussions section or issues and we can discuss over them.
VulnerableApp-facade provides a modern UI for VulnerableApp. To test your local changes with the Modern UI:
.\scripts\testWithModernUI.bat./scripts/testWithModernUI.shThis script will build your local changes into a Docker image (sasanlabs/owasp-vulnerableapp:unreleased) and start the full stack (including facade, jsp, and php services) using docker-compose.local.yml.
Access the UI: Navigate to http://localhost to see the modern UI with your changes.
Access Mailpit: Navigate to http://localhost:8025 to view emails captured by the local SMTP server.
For accessing database from browser, visit: http://localhost:9090/VulnerableApp/h2
Database Connection properties:
JDBC Url: jdbc:h2:mem:testdb
User Name: admin
Password: hacker
VulnerableApp ships a comparator that grades a scanner's findings against the project's built-in ground truth and writes a coverage / missed / unmatched report. Both DAST and SAST scanners are supported via the same endpoint:
POST http://<baseurl>/VulnerableApp/scanner/benchmark{ tool, scanType: "DAST", findings: [ { url, type, cwe, wascId } ] } (scanType is optional and defaults to DAST; type/cwe/wascId are individually optional — any one axis matching is enough){ tool, scanType: "SAST", findings: [ { filePath, line, cwe, type } ] }benchmarks/<tool>-results.json on disk: coverage reportRunning the scanner itself is out of scope — you supply the JSON. See
benchmarks/README.md for the full input/output
schemas, matching rules, canonical vulnerability-type vocabulary, and curl
examples.
In case you are stuck with any of the steps or understanding anything related to project and its goals, feel free to shoot a mail at karan.sasan@owasp.org or raise an issue and we will try our best to help you.
$ claude mcp add VulnerableApp \
-- python -m otcore.mcp_server <graph>