Public Vulnerable Websites

Cheat Sheet

You can use this for copying and pasting. Note that you will need to set up authentication for some of these sites.

See Recording Authentication (Interactive Logins) for instructions on how to set up authentication.
Where authentication is required, see the sections below on Website Credentials and REST API Credentials

# Google Public Firing Range (no authentication required)
https://public-firing-range.appspot.com/

# Vulnweb
http://testphp.vulnweb.com
http://testhtml5.vulnweb.com
http://testasp.vulnweb.com

# Testsparker
http://aspnet.testsparker.com/
http://php.testsparker.com/

# REST APIs
http://rest.testsparker.com

# Testfire
http://demo.testfire.net/

# OWASP Juice Shop
https://juice-shop.herokuapp.com/

Website Credentials

See the table below for a list of deliberately vulnerable public websites you can use for scanning.

Site	URL	Username	Password
Google Public Firing Range	https://public-firing-range.appspot.com	None	None
OWASP Juice Shop	https://juice-shop.herokuapp.com	`admin@juice-sh.op`	`admin123`
PHP Vulnweb	http://testphp.vulnweb.com	`test`	`test`
HTML5 Vulnweb	http://testhtml5.vulnweb.com	`admin`	`admin`
ASP Vulnweb	http://testasp.vulnweb.com	Registration required	Registration required
ASP.Net Vulnweb	http://testaspnet.vulnweb.com	Registration required	Registration required
ASP.NET Testsparker	http://aspnet.testsparker.com	`alan@turing.com`	`theturingtest`
PHP TestSparker	http://php.testsparker.com	`admin`	`admin123456`

REST API Credentials

The table below lists deliberately vulnerable public REST APIs you can use for scanning. For an in-depth tutorial, see the example on Scanning REST APIs.

Site	Base Target URL	OpenAPI File Location	Header Name	Header Value
TestSparker	http://rest.testinvicti.com/jwt/api	http://rest.testsparker.com/files/openapi-swagger_jwt.yaml	`Authorization`	`Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6InNlY3JldC50eHQifQ.eyJ1c2VyIjoidGVzdCJ9.jqBFzyBB68KWiOvEJhcaDgMY0Gea-t0KNnf-fR2Ioyc`