Testers usually maintain a library of the current and historical operating systems. When testing Microsoft operating systems, Windows XP is used as the reference standard to test vulnerabilities. Although Windows XP will be deprecated in 2014 and no longer supported by Microsoft, it will remain on many networks in servers and workstations as well as embedded in devices such as printers and point-of-sale terminals.
Similarly, the web-based applications can be useful to support enterprise testing as well as specific attacks against web applications.
It seem counterintuitive to the majority of practices that security professionals carry out each day, but most core ideas to create a secure machine are the same as those to create a vulnerable machine.
Following are a list of Working 60+ Vulnerable Web Applications, Mobile Applications and Linux based OS that one can use to learn for their particular interests.