Vicnum is an OWASP project consisting of vulnerable web applications based on games commonly used to kill time. These applications demonstrate common web security problems such as cross-site scripting, SQL injection, and session management issues.

Being small web applications with no complex framework involved, Vicnum applications can easily be invoked and tailored to meet a specific need. For example, if a vulnerable test application is needed to evaluate a web security scanner or a web application firewall, you might want to control the target web application to see what the scanner can find and what the firewall can protect.

Ultimately the major goal of this project is to strengthen the security of web applications by educating different groups (students, management, users, developers, auditors) as to what might go wrong in a web app. And of course it's OK to have a little fun.



Click here to play Guessnum, a game to guess a number the computer has picked.
Click here to play Jotto, a game to guess a word the computer has picked.
Click here for the Union Challenge used as a CTF at Appsec Ireland 2012.
Click here for Cyclone, an intentionally vulnerable Ruby on Rails application.


Vicnum applications can be demonstrated at security conferences and used in "Capture the Flag" type events. Click here to contact us if you would like to discuss customizing Vicnum applications for a specific purpose. For general comments on the project please visit the OWASP project page.

Mordecai Kraushar