Update: 08/08/2010: Created a tabled output of the listing. Platforms for most applications added. More applications added to list thanks to comments.

Just a quick post. Someone on the ‘NULL’ mailing asked for WebGoat alternatives to learning Web Application penetration testing. The reponse was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected all vulnerable web applications and listed them below for reference:

If you know of any other vulnerable web applications (which can be used as a platform for learning web-app pentest), drop a line in the comments.Let me know if any of the links appear dead.