File: testapps.md | Updated: 11/18/2025
These pages detail how to set up ZAP to scan a variety of test vulnerable web apps.
ZAP is primarily designed to scan “real world” apps, but we understand why people like testing against deliberately vulnerable apps.
Some of these apps act in “unusual” ways that are not often seen in real world app. Hence these pages 😁
If you have questions about using ZAP to test a specific vulnerable app, that isn’t answered here, please ask in the User Group .
**AltoroJ / Testfire ** - a traditional app, infrequently updated
**Gin & Juice Shop ** - a well maintained modern app
**OWASP crAPI ** - the Completely Ridiculous API
**OWASP Juice Shop ** - a well maintained modern app