Alternatives and similar repositories for owaspbwa

Users that are interested in owaspbwa are comparing it to the libraries listed below

• rapid7 / hackazon

  View on GitHub
  A modern vulnerable web app
  ☆1,018Mar 11, 2021Updated 4 years ago
• webpwnized / mutillidae

  View on GitHub
  OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security training. This is…
  ☆1,468Aug 3, 2025Updated 6 months ago
• rapid7 / metasploitable3

  View on GitHub
  Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.
  ☆5,430Feb 13, 2025Updated last year
• jayeshchauhan / SKANDA

  View on GitHub
  OWASP Skanda - SSRF Exploitation Framework
  ☆38Jul 6, 2013Updated 12 years ago
• OWASP / OWASP-VWAD

  View on GitHub
  This repo is no longer in use. Please refer to https://github.com/OWASP/www-project-vulnerable-web-applications-directory
  ☆883Dec 15, 2025Updated 2 months ago
• adamdoupe / WackoPicko

  View on GitHub
  WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
  ☆344May 25, 2024Updated last year
• OWASP / SecurityShepherd

  View on GitHub
  Web and mobile application security training platform
  ☆1,423Updated this week
• Hackademic / hackademic

  View on GitHub
  the main hackademic code repository
  ☆324Oct 30, 2020Updated 5 years ago
• tosebro / SqlPoC

  View on GitHub
  A burp extension to generate sqlmap PoC from target HTTP request.
  ☆27Jan 8, 2017Updated 9 years ago
• digininja / DVWA

  View on GitHub
  Damn Vulnerable Web Application (DVWA)
  ☆12,588Jan 21, 2026Updated 3 weeks ago
• stamparm / DSVW

  View on GitHub
  Damn Small Vulnerable Web
  ☆856Dec 21, 2025Updated last month
• WebGoat / WebGoat

  View on GitHub
  WebGoat is a deliberately insecure application
  ☆8,912Updated this week
• OWASP / OWASP-WebScarab

  View on GitHub
  OWASP WebScarab
  ☆617Aug 13, 2021Updated 4 years ago
• andresriancho / w3af-kali

  View on GitHub
  w3af packaging for Kali distribution
  ☆26Nov 29, 2015Updated 10 years ago
• dsopas / XSS-oneliner-payload

  View on GitHub
  Compilation of JavaScript XSS oneliners payloads that rocks your nuts!
  ☆24Jul 14, 2017Updated 8 years ago
• monikamorrow / Burp-Suite-Extension-Examples

  View on GitHub
  ☆15Sep 24, 2015Updated 10 years ago
• pwntester / XStreamPOC

  View on GitHub
  POC for XStream RCE
  ☆13Dec 23, 2013Updated 12 years ago
• psiinon / bodgeit

  View on GitHub
  The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
  ☆281Aug 13, 2024Updated last year
• cheetz / brutescrape

  View on GitHub
  A web scraper for generating password files based on plain text found
  ☆130Jul 19, 2023Updated 2 years ago
• xmendez / wfuzz

  View on GitHub
  Web application fuzzer
  ☆6,411Jan 21, 2026Updated 3 weeks ago
• SamuraiWTF / samuraiwtf

  View on GitHub
  The main SamuraiWTF collaborative distro repo.
  ☆550Mar 10, 2025Updated 11 months ago
• smiegles / certs

  View on GitHub
  Parse X509 certificates to get the (sub)domains in it.
  ☆28Jun 14, 2018Updated 7 years ago
• augustd / burp-suite-error-message-checks

  View on GitHub
  Burp Suite extension to passively scan for applications revealing server error messages
  ☆64Dec 15, 2023Updated 2 years ago
• appsecco / devsecops-using-cloudnative-workshop

  View on GitHub
  This repo contains workshop material delivered at #nullcon2020
  ☆16Mar 6, 2020Updated 5 years ago
• patrickwire / attack-defense-CTF-demo

  View on GitHub
  demo of an attack & defense CTF
  ☆16Jun 4, 2018Updated 7 years ago
• samhaxr / TakeOver-v1

  View on GitHub
  Takeover script extracts CNAME record of all subdomains at once. TakeOver saves researcher time and increase the chance of finding subdom…
  ☆102Apr 7, 2023Updated 2 years ago
• sectooladdict / wavsep

  View on GitHub
  The Web Application Vulnerability Scanner Evaluation Project
  ☆240Oct 5, 2022Updated 3 years ago
• andresriancho / w3af

  View on GitHub
  w3af: web application attack and audit framework, the open source web vulnerability scanner.
  ☆4,853Feb 22, 2023Updated 2 years ago
• fuzzdb-project / fuzzdb

  View on GitHub
  Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
  ☆8,810Nov 10, 2023Updated 2 years ago
• 1N3 / IntruderPayloads

  View on GitHub
  A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and…
  ☆3,897Sep 27, 2021Updated 4 years ago
• foospidy / payloads

  View on GitHub
  Git All the Payloads! A collection of web attack payloads.
  ☆3,891May 15, 2023Updated 2 years ago
• citizen-stig / dockermutillidae

  View on GitHub
  Docker container for OWASP Mutillidae II Web Pen-Test Practice Application
  ☆71Dec 13, 2021Updated 4 years ago
• chengable / safe_code

  View on GitHub
  absolute safe code
  ☆27Mar 20, 2017Updated 8 years ago
• leojcollard / cve-search-docker

  View on GitHub
  ☆16Mar 10, 2017Updated 8 years ago
• Varbaek / xsser

  View on GitHub
  From XSS to RCE 2.75 - Black Hat Europe Arsenal 2017 + Extras
  ☆426Feb 18, 2020Updated 5 years ago
• EnableSecurity / wafw00f

  View on GitHub
  WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.
  ☆6,157Jan 27, 2026Updated 2 weeks ago
• JavaPentesters / java_vul_target

  View on GitHub
  ☆28Oct 16, 2017Updated 8 years ago
• PortSwigger / java-deserialization-scanner

  View on GitHub
  All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities
  ☆28Feb 4, 2022Updated 4 years ago
• OWASP / joomscan

  View on GitHub
  OWASP Joomla Vulnerability Scanner Project https://www.secologist.com/
  ☆1,168Sep 11, 2024Updated last year