Top 10 Vulnerable Operating Systems

Vulnerable Operating Systems

There are many Operating Systems, Applications, and Websites that are deliberately made vulnerable for people to practice various methods of security training, test security tools, practice common penetration testing techniques, or hacking.

Be it Pentesting, Metasploitable, or DVWA everything requires real-life experience for anyone to learn and this software helps them out. These types of software are altogether called Virtual Machines or VM. So, here I have a list of the top 10 Vulnerable Operating Systems for pen-testing, metasploitable, etc.



                            Metasploitable is a vulnerable Linux virtual machine that is used to conduct security training, practice penetration testing techniques, test security tools, and find security breaches. This platform has two other variants, Metaploitable 2 and Metasploitable 3.

This is an open-source virtual machine that has two versions, Windows and Ubuntu and you get to exploit both Linux and Windows if you practice on Metasplotable 3. However, Metasploitable 2 is the most popular and commonly used vulnerable web application. It is used for network testing and it has built-in DVWA, WebDAV, TWiki, and phpMyAdmin.     

2.Damn Vulnerable Web Application:

Damn Vulnerable Web Application

                       Damn Vulnerable Web Application or DVWA is as the name suggests is very vulnerable.This platform is a PHP-based software that runs on MySQL database servers. It is specially designed for security professionals to test their skills and tools in a legal environment.

The damn web application also helps web developers to understand the process of securing web applications. Many teachers use DVWA for education to teach their students web application security. DVWA has vulnerabilities like CSRF, SQL injection, XSS, file injection, upload flaws, and many more. The database can be reset to start over again if you want to try exploiting it again by trying a different method.



                 Badstore that was released in 2004 was built just to understand how hackers hack and exploit Web Application vulnerabilities. It has vulnerabilities like SQL injection, clickjacking, cross-site scripting or XSS, password hash or MD5 decoding, and robot.txt.

Just like Metasploit Badstore also runs on VMware Workstation. Badstore has supported NICs, full implementation of MySQL, JavaScript Redirect in index.html, JavaScript validation of a couple of key fields, Numerous cosmetic updates, ‘Scanbot Killer’ directory structure to detect scanners, favicon.ico, Dynamic dates and times in databases, and many more.

4.Web Security Dojo:

Web Security Dojo

                                   Web Security Dojo is also a virtual machine that provides tools to practice web application security testing. It provides hands-on practice for bug bounties, captures the flag or CTF, and ethical hackers. Web Security Dojo is a decent package for getting used to working with some commonly available cyber security tools.

It makes it easy to get started with learning about web application vulnerabilities. Some features of Web Security Dojo are that no internet connection is required to use it, common web security testing tools, popular industry web application security guidelines, vulnerable web applications, and walk-throughs of several targets (no peeking ahead).

5.Mutillidae 2:

Mutillidae 2

                       Mutillidae 2 is a free open source vulnerable web application that is designed for web-security enthusiasts. It is developed by OWASP and has vulnerabilities like HTML injection, clickjacking, SQL injection, XSS, authentication bypass, and many others.

It is loaded with features like System can be restored to default with a single click of “Setup” button, User can switch between secure and insecure modes, Updated frequently, Preinstalled on Rapid7 Metasploitable 2, Samurai Web Testing Framework (WTF), and OWASP Broken Web Apps (BWA), Used in graduate security courses, incorporate web sec training courses, and as an “assess the assessor” target for vulnerability software, Has over 40 vulnerabilities and challenges.

Contains at least one vulnerability for each of the OWASP Top Ten, is actually vulnerable, and Mutillidae can be installed on Linux or Windows *AMP stacks making it easy for users who do not want to install or administrate their own webserver. Mutillidae is confirmed to work on XAMPP, WAMP, and LAMP. 



                  Webgoat is the best platform for security professionals to test their tools to ensure everything works fine. It creates a de-facto interactive teaching environment for web application security.

Webgoat allows you to test vulnerabilities that are mostly found in Java-based applications since they use common and open source components.

7.Security Sheperd:

Security Sheperd

                               Security Sheperd is an OWASP product that is used for security training on the web and mobile applications. This virtual machine helps AppSec rookies and experienced engineers to hone their skills in penetration testing and get security expert status.

Apart from this, it is a great teaching tool for all application security. Many people choose Security Sheperd because it has Wide Topic Coverage, Layman Write-Ups, real-world examples, scalability, highly customizable, perfect for a classroom to teach, user management, robust service, configurable feedback, and granular logging.    

8.Buggy Web App:

Buggy Web App

                              Buggy Web App also known as bWAPP. It also is a PHP-based software that runs on MySQL database servers. bWAPP is an extremely buggy web application that is free and open-source made deliberately vulnerable for enthusiasts, students, and developers to learn how to prevent web vulnerabilities. This has the maximum number of web vulnerabilities to exploit and that is 100. This is also an OWASP project.     

9.Damn Vulnerable Node Application:

Damn Vulnerable Node Application

                                                                Damn Vulnerable Node Application again as the name suggests is very vulnerable. It is a node.js web application. DVNA provides a legal environment for security professionals to test their tools and skills.

It has various levels to its vulnerabilities with different difficulty levels and has a simple interface. There are documented and undocumented vulnerabilities in this virtual machine. DVNA many times also serves as a cyber range for capture the flag events.    

10.Juice Shop:

Juice Shop

                    Juice Shop is the most sophisticated and modern insecure web application. This virtual machine is written in Node.js, Angular, JavaScript, and Express. Juice Shop is a flagship project by OWASP.

Pentesting Proxies and security scanners use this platform to test their tools. There are many hacking challenges on this application which also has a scoreboard to rank you based on your hacking progress.

These virtual machines are legal to use for pen-testing and various other vulnerability exploitations. However, there are also many platforms that are not legal and could cause you trouble even if your intentions are good. So always be aware and rightfully informed about the virtual machine you are using to learn or test stuff. 

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top