OWASP ZAP Web Application Vulnerability Examples

The vulnerabilities included are only those that can (or should be) detectable via automated scanners.
They have been developed to test OWASP ZAP but can be used for any other legitimate purpose.

Each page should contain only one vulnerability, and should be as simple as possible an example.
Only essential links should be included so that automated spidering can be constrained as easily as possible.

See source code for licence details.

Categories

• Active vulnerabilities, which can (probably;) only be tested by active scanners
• Passive vulnerabilities, which can be tested by passive scanners
• False positives, which are not vulnerabilites, but look like them