Overview
Want to see MindFort in action before testing your own applications? These intentionally vulnerable web applications let you evaluate MindFort’s capabilities in a safe environment.
Quick Setup Steps
- Run the app locally using Docker
- Expose to internet via tunnel or cloud deployment
- Point a domain you control at the exposed app
- Add as target in MindFort and run an assessment
Recommended Test Applications
OWASP Juice Shop
The gold standard for modern web app testing. A fully functional e-commerce store with real vulnerabilities in a modern Single Page Application architecture.
Tech Stack: Node.js, Express, Angular, SQLite
What It Tests: XSS, injection vulnerabilities, authentication flaws, business logic issues
Local URL: http://localhost:3000
Repository: juice-shop/juice-shop
AltoroJ (Banking Application)
A classic enterprise banking application simulating account transfers and transaction history. Ideal for testing session management and business logic exploits.
Tech Stack: Java, JSP, Apache Tomcat
What It Tests: Authentication bypass, session management, business logic flaws
Local URL: http://localhost:8080/altoro
Default Credentials: jsmith / demo1234 or admin / admin
Repository: HCL-TECH-SOFTWARE/AltoroJ
Hackazon (E-Commerce)
A rich e-commerce application with mobile API backend and AJAX-driven features. Designed specifically for automated security testing.
Tech Stack: PHP, MySQL, JavaScript
What It Tests: SQL injection, XSS, REST API vulnerabilities, AJAX security
Local URL: http://localhost:8081
Repository: rapid7/hackazon
Broken Crystals (Modern React App)
A modern “crystal shop” with React frontend and GraphQL/REST backend. Excellent for testing modern API discovery and SPA crawling.
Tech Stack: React, Node.js, GraphQL, PostgreSQL
What It Tests: GraphQL vulnerabilities, modern API security, React SPA issues
Local URL: http://localhost:3000
Repository: NeuraLegion/brokencrystals
Damn Vulnerable Bank (API-First)
A banking API backend perfect for testing API logic flaws without a heavy UI. Focus on IDOR, authentication, and JWT vulnerabilities.
Tech Stack: Python, Flask
What It Tests: API logic flaws, IDOR, JWT vulnerabilities, improper authorization
Local URL: http://localhost:5000
Repository: rewanthtammana/Damn-Vulnerable-Bank
Comparison Table
| Application | Type | Complexity | Best For |
|---|---|---|---|
| Juice Shop | E-Commerce | High | Modern SPAs, DOM XSS, business logic |
| AltoroJ | Banking | Medium | Legacy flows, authentication, sessions |
| Hackazon | E-Commerce | High | AJAX, REST APIs, SQL injection |
| Broken Crystals | E-Commerce | High | GraphQL, React, API discovery |
| Damn Vuln Bank | Banking API | Medium | API logic, IDOR, JWT |
Exposing to the Internet
MindFort requires internet-accessible targets. Here are your options:
Option 1: Tunnel Service (Quickest)
Use ngrok, Cloudflare Tunnel, or similar to expose your local app. The tunnel gives you a public URL such as https://abc123.ngrok.io that you can use as your MindFort target.
Option 2: Cloud Deployment
Deploy to a cloud provider (AWS, GCP, Azure, DigitalOcean) with a public IP, then point your domain at it.
Option 3: Self-Hosted Server
Run Docker on a server with a public IP and configure your domain’s DNS to point to it.
Domain Verification: You’ll need to verify domain ownership in MindFort before running assessments. Make sure you control the domain pointing to your test application.
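With the tunnel option (Option 1), only the tunnel client needs to reach the app, so the Docker port can stay bound to loopback. The check below is an added example, not part of the MindFort documentation: it reads `docker inspect` JSON and lists every published port bound to a non-loopback address. The container names and ports in the embedded sample are constructed.

```python
import ipaddress
import json
import sys

# Constructed sample of `docker inspect` output, trimmed to the fields read
# below. Container names and ports are illustrative, not from the page.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/juice-shop", "NetworkSettings": {"Ports": {"3000/tcp": [
        {"HostIp": "0.0.0.0", "HostPort": "3000"},
        {"HostIp": "::", "HostPort": "3000"}]}}},
    {"Name": "/altoroj", "NetworkSettings": {"Ports": {"8080/tcp": [
        {"HostIp": "127.0.0.1", "HostPort": "8080"}]}}},
    {"Name": "/lab-db", "NetworkSettings": {"Ports": {"3306/tcp": None}}},
])


def non_loopback_bindings(inspect_json):
    """List (container, container_port, host_ip, host_port) for every
    published port whose host address is not a loopback address."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
        for container_port, bindings in sorted(ports.items()):
            # None means the port is exposed by the image but not published.
            for binding in bindings or []:
                # An empty HostIp means "all interfaces", same as 0.0.0.0.
                host_ip = binding.get("HostIp") or "0.0.0.0"
                if not ipaddress.ip_address(host_ip).is_loopback:
                    findings.append((name, container_port, host_ip,
                                     binding.get("HostPort")))
    return findings


def main():
    # Pipe real data in:  docker inspect $(docker ps -q) | python3 this_file.py
    # With no piped input, the constructed sample above is used.
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    findings = non_loopback_bindings(data)
    for name, cport, host_ip, host_port in findings:
        print(f"{name}: {cport} published on {host_ip}:{host_port}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Publishing with `-p 127.0.0.1:3000:3000` instead of `-p 3000:3000` keeps the port on loopback, and the check then reports nothing for that container.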
Tips for Testing
- Start with Juice Shop - It’s the most comprehensive and well-documented
- Use Turbo mode - Quick assessments are perfect for evaluation
- Add authentication - Test with the default credentials for deeper coverage
- Compare results - These apps have known vulnerabilities you can verify MindFort finds