40+ Intentionally Vulnerable Websites To (Legally) Practice Your Hacking Skills

by Baz Edwards

Check out and bookmark this ultimate list of over 40 intentionally vulnerable websites to practice your hacking skills

Image credit: Flickr/Pierre (Rennes)

Attack is definitely the best form of defense and this also applies to Cyber Security.

Companies are now hacking their own websites and even hiring ethical hackers in an attempt to find vulnerabilities before the bad guys do. As such, ethical hacking is now a much sought-after skill, but hacking websites without permission can get you on the wrong side of the law, even if you're just practising.

So how do you practise your hacking skills whilst staying on the right side of the law? Well, there are a number of deliberately vulnerable websites out there designed to allow you to practise and hone your hacking skills without fear of prosecution. So we've decided to compile a list of over forty of them, each with a short description.

Once you feel comfortable finding vulnerabilities, the next step could be a job as a penetration tester or participation in one of the bug bounty programmes where companies reward you based on the severity of the bugs that you find, which could be very lucrative. Facebook is one such company offering a bug bounty programme and has paid out more than a million dollars to date.

So without further ado, here's a list of over 40 vulnerable websites. If you know of a good hacking website that's not on this list, let me know and I'll add it. Oh, and don't forget to bookmark this page! :)

1. bWAPP

bWAPP stands for Buggy Web Application and is "a free and open source deliberately insecure web application" created by Malik Messelem. It's built in PHP and uses a MySQL database. The vulnerabilities are those derived from the OWASP Top 10.

2. Damn Vulnerable iOS App (DVIA)

This has recently been re-released as a free download by InfoSec Engineer @prateekg14. It's a deliberately vulnerable iOS7 app that's definitely worth a look because there aren't many of them around.

3. Google Gruyere

This website is full of 'holes' and is deliberately 'cheesy'. It's designed for the absolute beginner and you can learn how hackers find security vulnerabilities, how they exploit web applications and how to protect applications from being exploited. It's written in Python and offers a range of vulnerabilities including cross-site scripting, cross-site request forgery and remote code execution.

4. HackThis!!

This site was originally designed to teach how hacks, dumps and defacement are done and to teach how you can secure a website against hackers. There are over 50 levels of difficulty on offer and a great online community to help you with hacking and keep you up to date with security news.

5. Hack This Site

This is a perfectly legal place to test your hacking skills and also offers hacking news, articles, forums and tutorials. You can build your skills by completing various challenges.

6. Hellbound Hackers

This website puts the emphasis on being hands-on and offers a wide array of challenges to get you to learn how to identify potential vulnerabilities and it also suggests ways to patch them. Hellbound Hackers has a vast array of tutorials and a thriving community of nearly 100K registered members.

7. McAfee HacMe Sites

The HacMe sites consist of the HacMe Banks, HacMe Casino, HacMe Travel and more. They were launched in 2006 and were aimed at pen testers and security professionals. Each site offers a real-world experience to help ethical hackers stay ahead of the bad guys.

8. Mutillidae

This is another deliberately vulnerable web app which runs on Linux and Windows. The web app is written in PHP and contains all of the OWASP Top 10 vulnerabilities. There is also a dedicated YouTube channel and Twitter account to accompany the project.

9. OverTheWire

OverTheWire is designed for either developers or security professionals and the experience is centered around wargames. You are initially taught the basics and you can progress through the levels to more advanced games with more complex bugs to find and patch.

10. Peruggia

With Peruggia you can learn and test common attacks on web applications. This website looks similar to an image gallery and allows you to practice on it to find several controlled vulnerabilities.

11. Root Me

This is a great website to improve your hacking skills and generally improve your cyber security knowledge. With over 200 hacking challenges and 50 virtual environments, there should be enough here to keep you going.

12. Try2Hack

Try2Hack is one of the oldest challenge sites around and there are numerous security challenges on offer here. The levels are sorted by difficulty and created so that you can practice hacking for fun. There's a community on the IRC channel where you can ask for help and a full walkthrough on GitHub.

13. Vicnum

This is an OWASP project developed by Mordecai Kraushar consisting of vulnerable web applications based on games "commonly used to kill time". Each application contains common security problems such as cross-site scripting, SQL injection and session management issues.

The goal of the project is to strengthen the security of web apps by educating different groups of people such as developers, management, users and auditors as to the things that can go wrong with web apps. They also say "of course it's OK to have a little fun".

14. WebGoat

WebGoat is one of the most popular OWASP projects as it provides a realistic teaching and learning environment to teach users about complex application security issues. Again, it's an insecure app available for Windows, OS X Tiger and Linux and also runs in Java and .NET environments. You can just run the web app, or you can download the source from GitHub and modify the source code. There is also a series of videos available to download.

Check out the OWASP project page here.

15. Juice Shop

This is an insecure web app based on JavaScript and was created by Björn Kimminich. It is perfect for anyone who's into coding or testing JavaScript but doesn't understand the security issues that can arise. Juice Shop provides a fun challenge and can be run in a local or containerized environment. Be sure to check out Björn's SlideShare too to get an overview of the app and how it was made. The source code can also be found on GitHub.

16. Hack.me

Hack.me is a free, community-based project powered by eLearnSecurity. It hosts a number of vulnerable apps but also allows the community to build, host and share their vulnerable application code for educational and research purposes. As such, the website says it "aims to be the largest collection of 'runnable' vulnerable web applications, code samples and CMS's online".

17. Hackademic

Hackademic is another OWASP open source project and offers 10 realistic scenarios which are full of vulnerabilities including those in the OWASP Top 10. It is perfect for use in a classroom or workplace environment for educational purposes and developers are encouraged to contribute by adding new scenarios and vulnerabilities.

18. SlaveHack

This is actually a hacking simulation game where the goal is to manage your hardware and software and make the computers you hack or defend your 'slaves'. Although this isn't a website to hack per se, I have included it as it does help security people to see their systems in the way malicious hackers do. You can also connect with other players in the forum and help each other when you get stuck.

19. Hackxor

This is a web app hacking game created by @albinowax. It focuses on being realistic and difficult and contains cross-site scripting, cross-site request forgery and SQL injection vulnerabilities. The online version has just two levels but the downloadable version has more advanced levels.

20. BodgeIt Store

This vulnerable web app was created by Simon Bennetts and is full of OWASP Top 10 vulnerabilities. It can be used as a pentesting tool, a code review tool or it can teach you how to look out for exploitable vulnerabilities. There are various hacking challenges too so you can even make a game out of it.

21. Moth

Created by Bonsai Security, Moth is "a VMware image with a set of vulnerable Web Applications and scripts". It was originally designed as a way to test application security tools.

22. EnigmaGroup

This is another challenge site with a community forum. It's designed for anyone that wishes to improve their security knowledge and hosts a wide variety of vulnerabilities including, of course, those from the OWASP Top 10. The site says that "By knowing your enemy, you can defeat your enemy" and takes a hands-on approach to learning about application security.

23. OWASP Bricks

OWASP Bricks is a deliberately vulnerable web application built using PHP and MySQL and focuses on commonly seen application security vulnerabilities and exploits. The goal is to 'break the bricks' and in doing so you will learn various aspects of web application security.

24. Damn Vulnerable Web Application (DVWA)

The Damn Vulnerable Web App is a PHP/MySQL application that is riddled with vulnerabilities. Created by @ethicalhack3r, the goal of this project is to test the skills and tools used by security professionals in a safe and legal environment. It also teaches web developers the process of how web applications are made secure.

25. ExploitMe Mobile Android Labs

ExploitMe Mobile Android Labs is designed for developers and security professionals with a slant on the Android operating system. There are ten vulnerabilities to find in total which are found in Android applications. The lessons include password lock screens, insecure logging, file system access permission and more.

26. XSS game area

XSS game area is a website that focuses specifically on Cross Site Scripting (XSS) bugs which are one of the most dangerous web application vulnerabilities, especially if they are exploited. The website will teach you how to find and exploit XSS bugs and will also teach you how to prevent these bugs from creeping into your applications which will "confuse and infuriate your adversaries".

27. W3Challs

W3Challs is a pentesting training platform which has numerous challenges under different categories such as hacking, cracking, wargames, cryptography, steganography and more. The challenges increase in difficulty and are realistic and not based on simulations. There's a forum too where you can discuss the challenges etc. with other members.

28. The ButterFly Security Project

The ButterFly project is an educational project designed to give an insight into common web application and PHP vulnerabilities. There are also examples provided that show you how such vulnerabilities are patched.

29. Damn Vulnerable Web Services DVWS (PHP)

Damn Vulnerable Web Services is another insecure app with multiple vulnerable web services intended to be used to learn real world web service vulnerabilities such as WSDL enumeration, XPATH injection, OS command injection, JSON Web Token (JWT) secret key brute force and much more.

30. OWASP Insecure Web App Project

InsecureWebApp was created in 2004 by Lawrence Angrave and is a teaching aid to challenge and improve secure design and coding skills. Again, it's an insecure web application containing common web app vulnerabilities and can be used for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modelling. InsecureWebApp assumes some knowledge of web app vulnerabilities such as broken authentication, SQL injection and HTML injection.

31. Acunetix (Forum ASP)

This website is a deliberately vulnerable forum built using ASP and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.

32. Acunetix (Blog .NET)

This website is a deliberately vulnerable forum built using .NET and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.

33. Acunetix (Art shopping PHP)

This website is a deliberately vulnerable forum built using PHP and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.

34. Cenzic CrackMeBank

This is another vulnerable web app with a focus on online banking. It's designed for application security testing and built using PHP.

35. HP/SpiDynamics Free Bank Online

This is another vulnerable web app, again with a focus on online banking.

36. IBM/Watchfire AltoroMutual

Yet another vulnerable online banking website designed to test IBM AppScan products. It's a simple application written in .NET. Instructions are available here to log on to the application with links to more complex web applications and vulnerable web services.

37. Badstore

Badstore is dedicated to helping you understand how hackers prey on vulnerable websites. It shows you how to reduce your exposure to hackers and is designed to show you common hacking techniques.

38. Reversing.KR

Reversing KR has 26 challenges designed to test your cracking and reverse engineering capabilities. Unfortunately the site hasn't been updated since 2012 but the stuff available on this site will be relevant for some time to come.

39. RingZer0 Team Online CTF

RingZer0 Team Online CTF offers over 200 challenges in 13 different categories including Cryptography, Jail Escaping, Malware Analysis, SQL Injection, Shellcoding and more, all designed to test and improve your hacking skills. After you complete a challenge, you can do a write-up on it and submit your solution to the RingZer0 team. If your solution is accepted you can earn RingZer0Gold which can be exchanged for hints in future challenges, and there's even a scoreboard of the top players.

40. Hacking-Lab

Hacking-Lab provides the CTF (Capture The Flag) challenges for the European Cyber Security Challenge but also hosts challenges on their own platform, which anyone can take part in once registered.

41. OWASP SiteGenerator

The OWASP SiteGenerator allows you to create dynamic websites based on XML files which cover predefined vulnerabilities, some of which are simple, others more complex. The main languages covered are .NET languages but other web languages are covered including HTML, JavaScript, Flash and Java. Other uses for the site generator include developer training, evaluation of web app security scanners, evaluation of firewalls and web honey pots, and you can even use it for web application hacking contests.

42. VulnHub

VulnHub provides you with practical and 'hands-on' experience in digital security, computer software & network administration. It provides you with an environment whereby you can break and hack legally 'allowing you to learn in a safe environment and practise 'stuff' out.'

There's a community too so that you can learn from others, and you can even watch others hack or follow along at the same time, which they call 'white box testing'. A perfect learning environment, I would say. Check out their Twitter page here too.
