Break things safely. Prove coverage before attackers do.

10 live targets: web apps, REST APIs, GraphQL, real CVEs, Redis, Tomcat, WebLogic, and a full network lab. No login, no setup. Auto-reset every 30 minutes for repeatable benchmarks.

10 Targets | Web + API + Network | Free Access | Auto-Reset 30m

Vulnerable systems

Open a web target directly or copy the endpoint into your scanner. All services reset to clean state every 30 minutes.

| Name | Description | URL | Technology | Vulnerabilities |
|---|---|---|---|---|
| OWASP Juice Shop | Modern web app with 90+ security challenges | juice-shop.lab.pentest-forge.com | Modern Web, API | OWASP Top 10, XSS, SQLi, JWT |
| Damn Vulnerable Web App | PHP/MySQL with vulnerabilities at 4 difficulty levels | dvwa.lab.pentest-forge.com | Classic Web | CSRF, XSS, SQLi, LFI/RFI, RCE |
| Mutillidae | Extended classic web app with 100+ vulnerabilities | mutillidae.lab.pentest-forge.com | Classic Extended | OWASP Top 10+, Upload, Session, Command Injection |
| crAPI | Vulnerable REST API for API security testing | crapi.lab.pentest-forge.com | REST API | BOLA, Mass Assignment, SQLi, Auth Bypass, JWT, Rate Limit |
| VAmPI | Lightweight vulnerable API for quick testing | vampi.lab.pentest-forge.com | Lightweight API | BOLA, Auth Bypass, Injection, Mass Assignment, JWT None, Privilege |
| Damn Vulnerable GraphQL | GraphQL-specific attacks and abuse patterns | dvga.lab.pentest-forge.com | GraphQL | Injection, Introspection, SSRF, DoS, SQLi, Batch Abuse |
| ShadowLogic — WebLogic | Oracle WebLogic Server with real CVE-2023-21839 RCE | weblogic.lab.pentest-forge.com | Real CVE | CVE-2023-21839, RCE, T3/IIOP |
| CipherHeart — Redis | Redis with CVE-2022-0543 Lua sandbox escape | redis.lab.pentest-forge.com:6379 | Real CVE | CVE-2022-0543, RCE, Unauth Access, CONFIG WRITE |
| GuardianLeaks — Tomcat | Apache Tomcat with CVE-2017-12615 PUT RCE | tomcat.lab.pentest-forge.com | Real CVE | CVE-2017-12615, RCE, JSP Upload |
| Metasploitable3 Network Lab | Multi-port Ubuntu: FTP, SSH, SMB, databases, VNC, IRC | lab.pentest-forge.com | Network | SMB, Databases, VNC, Backdoors |

Metasploitable3 — Open Ports

Use these host ports for network-service checks, credential audits, and scanner regression tests.

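| Port | Service |
|---|---|
| 10021 | FTP |
| 10022 | SSH |
| 10023 | Telnet |
| 10025 | SMTP |
| 10445 | SMB |
| 11524 | Bindshell |
| 13306 | MySQL |
| 15432 | PostgreSQL |
| 15900 | VNC |
| 16667 | IRC |
| 18182 | Jetty |
| 18888 | Apache |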

Redis — Direct Connection

Redis is intentionally exposed as a raw TCP target for service discovery, unauthenticated access, and exploit safety validation.

redis-cli -h redis.lab.pentest-forge.com -p 6379

Reminder: targets are shared. Treat results as lab evidence, not a private assessment.
