Image credit: Flickr/Pierre (Rennes)
Attack is definitely the best form of defense and this also applies to Cyber Security.
Companies are now hacking their own websites and even hiring ethical hackers in an attempt to find vulnerabilities before the bad guys do. As such ethical hacking is now a much sought after skill but hacking websites without permission can get you on the wrong side of the law, even if you’re just practising.
Check out these Cyber Security T-Shirts on Amazon! (#CommissionsEarned)
So how do learn how to hack and practice your hacking skills whilst staying on the right side of the law?
Well there’s many ways to learn ethical hacking. You can learn to hack through online hacking tutorials, watch YouTube videos on hacking, learn through online courses like this complete ethical hacking course on Udemy (#CommissionsEarned) or you can learn from reading ethical hacking books.
Now there are a number of deliberately vulnerable websites out there designed to allow you to practise and hone your hacking skills, without fear of prosecution. So I’ve decided to compile a list of over forty of them, each with short description.
Once you feel comfortable finding vulnerabilities, the next step could be a job as a penetration tester or participation in one of the bug bounty programmes where companies reward you based on the severity of the bugs that you find, which could be very lucrative. Facebook is one such company offering a bug bounty programme and has paid out more than a million dollars to date.
So without further ado, here’s list of over 40 vulnerable websites. If you know of a good hacking website that’s not on this list, let me know and I’ll add it. Oh, and don’t forget to bookmark this page! 🙂
Must read: The Web Application Hacker’s Handbook (Amazon, #CommissionsEarned)
bWAPP
bWAPP stands for Buggy Web Application and is is “a free and open source deliberately insecure web application” created by Malik Messelem. It’s built in PHP and uses a MySQL database. The vulnerabilities are those derived from the OWASP Top 10.
Damn Vulnerable iOS App (DVIA)
This has recently been re-released as a free download by InfoSec Engineer @prateekg14. It’s a deliberately vulnerable iOS7 app that’s definitely worth a look because there aren’t many of them around.
Google Gruyere
This website is fully of ‘holes’ and is deliberately ‘cheesy’. It’s designed for the absolute beginner and you can learn how hackers find security vulnerabilities, how they exploit web applications and how to protect applications from being exploited. It’s written in Python and offers a range of vulnerabilities including cross-site scripting, cross-site request forgery and remote code execution.
HackThis!!
This site was originally designed to teach how hacks, dumps and defacement are done and to tech how you can secure a website against hackers. There are over 50 levels of difficulty on offer and a great online community to help you with hacking and keep you up to date with security news.
Hack This Site
This is a perfectly legal place to test your hacking skills and also offers hacking news, articles, forums and tutorials. You can build your skills by completing various challenges.
Hellbound Hackers
This website puts the emphasis on being hands-on and offers a wide array of challenges to get you to learn how to identify potential vulnerabilities and it also suggests ways to patch them. Hellbound Hackers has a vast array of tutorials and a thriving community of nearly 100K registered members.
McAfee HacMe Sites
The HacMe sites comprise of the HacMe Banks, HacMe Casino, HacMe Travel and more. They were launched in 2006 and were aimed at pen testers and security professionals. Each site offers a real world experience to help ethical hackers stay ahead of the bad guys.
Mutillidae
This is another deliberately vulnerable web app which runs on Linux and Windows. The web app is written in PHP and contains all of the OWASP Top 10 vulnerabilities. There is also a dedicated YouTube channel and Twitter account to accompany the project.
OverTheWire
OverTheWire is designed for either developers or security professionals and the experience is centered around wargames. You are initially taught the basics and you can progress through the levels to more advanced games with more complex bugs to find and patch.
Peruggia
With Peruggia you can learn and test common attacks on web applications. This website looks similar to an image gallery and allows you to practice on it to find several controlled vulnerabilities.
Root Me
This is a great website to improve your hacking skills and generally improve your cyber security knowledge. With over 200 hacking challenges and 50 virtual environments, there should be enough here to keep you going.
Try2Hack
Try2Hack is one of the oldest challenge sites around and there are numerous security challenges on offer here. Each of the levels are sorted by difficulty and created so that you can practice hacking for fun. There’s a community on the IRC channel where you can ask for help and a full walkthrough on GitHub.
Vicnum
This is an OWASP project developed by developed by Mordecai Kraushar consisting of vulnerable web applications based on games ” commonly used to kill time”. In each application are common security problems such as cross site scripting, SQL injections and session management issues.
The goal of the project is to strengthen the security of web apps by educating different groups of people such as developers, management, users and auditors as to the things that can go wrong with web apps. They also say “of course it’s OK to have a little fun”.
WebGoat
WebGoat is one of the most popular OWASP projects as it provides a realistic teaching and learning environment to teach users about complex application security issues. Again its an insecure app available for Windows, OS X Tiger and Linux and also runs in Java and .NET environments. You can just run the web app, or you can download the source from GitHub and modify the source code. There are a series of videos too available to download.
Check out the OWASP project page here.
Juice Shop
This is an insecure web app based on JavaScript and was created by Björn Kimminich. This perfect for anyone that’s into coding or testing JavaScript but don’t understand the security issues that can arise. Juice Shop provides a fun challenge and can be run on a local or containerized environment. Be sure to check out Björn’s SlideShare too to get an overview of the app and how it was made. The source code can also be found on GitHub.
Hack.me
Hack.me is a free, community based project powered by eLearnSecurity. It hosts a number of vulnerable apps but allows allows the community the build, host and share their vulnerable application code educational and research purposes. As such, on the website it says it “aims to be the largest collection of “runnable” vulnerable web applications, code samples and CMS’s online.”.
Hackademic
Hackademic is another OWASP open source project and offers 10 realistic scenarios which are full of vulnerabilities including those in the OWASP Top 10. It is perfect for use in a classroom or workplace environment for educational purposes and developers are encouraged to contribute by adding new scenarios and vulnerabilities.
SlaveHack
This is actually an hacking simulation game where the goal is to manage your hardware and software and make the computers you hack or defend your ‘slaves’. Although this isn’t a website to hack per se, I have included as it does help security people to see their systems in the way malicious hackers do. You can also connect with other players in the forum and help each other when you get stuck.
Hackxor
This is a web app hacking game created by @albinowax. It focuses on being realistic and difficult and contains cross-site scripting, cross-site request forgery and sql injection vulnerabilities. The online version has just two levels but the downloadable version has more advanced levels.
BodgeIt Store
This vulnerable web app was created by Simon Bennetts and is full of OWASP Top 10 vulnerabilities. It can be used as a pentesting tool, a code review tool or it can teach you how to look out for exploitable vulnerabilities. There are various hacking challenges too so you can even make a game out of it.
Moth
Created by Bonsai Security, Moth is “a VMware image with a set of vulnerable Web Applications and scripts.”. It was originally designed as a way to test application security tools
EnigmaGroup
This is another challenge site with a community forum. It’s designed for anyone that wishes to improve their security knowledge and hosts a wide variety of vulnerabilities including of course, those from the OWASP top 10. The site says that “By knowing your enemy, you can defeat your enemy.” and takes a hand-on approach to learning about application security.
OWASP Bricks
OWASP Bricks is a deliberately vulnerable web application built using PHP and MySQL and focuses on commonly seen application security vulnerabilities and exploits. The goal is to ‘break the bricks’ and in doing so you will learn various aspects of web application security.
Damn Vulnerable Web Application (DVWA)
The Damn Vulnerable Web App is a a PHP/MySQL application that is riddle with vulnerabilities. Created by @ethicalhack3r, the goal of this project is to test the skills and tools used by security professionals in a safe and legal environment. It also teaches web developers the process of how web applications are made secure.
ExploitMe Mobile Android Labs
ExploitMe Mobile Android Labs is designed for developers and security professionals with a slant on the Android operating system. There are ten vulnerabilities to find in total which are found in Android applications. The lessons include password lock screens, insecure logging, file system access permission and more.
XSS game area
XSS game area is a website that focuses specifically on Cross Site Scripting (XSS) bugs which are one of the most dangerous web application vulnerabilities, especially if they are exploited. The website will teach you how to find and exploit XSS bugs and will also teach you how to prevent these bugs from creeping into your applications which will “confuse and infuriate your adversaries”.
W3Challs
W3Challs is a pentesting training platform which has numerous challenges under different categories such as hacking, cracking, wargames, cryptography, steganography and more. The challenges increase in difficulty and provide and are realistic and not based on simulations. There’s a forum too where you can discuss the challenges etc with other members.
The ButterFly Security Project
The ButterFly project is an educational project designed to give an insight into common web application and PHP vulnerabilities. There are also examples provided that show you how such vulnerabilities are patched.
Damn Vulnerable Web Services DVWS (PHP)
Damn Vulnerable Web Services is another insecure app with multiple vulnerable web services intended to be used to learn real world web service vulnerabilities such as WSDL enumeration, XPATH injection, OS command injection, JSON Web Token (JWT) secret key brute force and much more.
OWASP Insecure Web App Project
InsecureWebApp was created in 2004 by Lawrence Angrave and is a teaching aid to challenge and improve secure design and coding skills. Again, its an insecure web application containing common web app vulnerabilities and can be used for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modelling. InsecureWebApp assumes some knowledge of web app vulnerabilities such as broken authentication SQL injection and HTML injection.
Acunetix (Forum ASP)
This website is a deliberately vulnerable forum built using ASP and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.
Acunetix (Blog .NET)
This website is a deliberately vulnerable forum built using .NET and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.
Acunetix (Art shopping PHP)
This website is a deliberately vulnerable forum built using PHP and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.
Cenzic CrackMeBank
This is another vulnerable web app with a focus on online banking. It’s designed for application security testing and built using PHP.
HP/SpiDynamics Free Bank Online
This is another vulnerable web app, again with a focus on online banking.
IBM/Watchfire AltoroMutual
Yet another vulnerable online banking website designed to test IBM AppScan products. It’s a simple application written in .NET. Instructions are available here to logon to the application with links to more complex web applications and vulnerable web services.
Badstore
Badstore is dedicated to helping you understand how hackers prey on vulnerable websites. It shows you how to reduce your exposure to hackers and is designed to show you common hacking techniques.
Reversing.KR
Reversing KR has 26 challenges designed to test your cracking an reverse engineering capabilities. Unfortunately the site hasn’t been updated since 2012 but the stuff available on this site will be relevant for some time to come.
RingZer0 Team Online CTF
RingZer0 Team Online CTF offers over 200 challenges in 13 different categories including Cryptography, Jail Escaping, Malware Analysis, SQL Injection, Shellcoding and more and are designed to test and improve your hacking skills. After you complete a challenge, you can do a write up on it and submit your solution to the RingZer0 team. If your solution is accepted you can earn RingZer0Gold which can be exchanged for hints in future challenges and there’s even a score board of the top players.
Hacking-Lab
Hacking-Lab provides the CTF (Capture The Flag) challenges for the European Cyber Security Challenge but host challenges on their own platform which anyone can take part in once you have registered.
OWASP SiteGenerator
The OWASP SiteGenerator allows you to create dynamic websites based on XML files which cover predefined vulnerabilities, some of which are simple, others more complex. The main languages covered are .NET languages but other web languages are covered including HTML, JavaScript. Flash and Java etc. Other uses for the site generator include developer training, evaluation of web app security scanners, evaluation of firewalls, web honey pots and you can even use it for web application hacking contests.
VulnHub
VulnHub provides you with practical and ‘hands-on’ experience in digital security, computer software & network administration. It provides you with an environment whereby you can break and hack legally ‘allowing you to learn in a safe environment and practise ‘stuff’ out.’
There’s a community too so that you can learn from others and you can even watch others hack or follow along at the same time which they call ‘white box testing’. A perfect learning environment I would say. Check out their Twitter page here too.
See also: How To Browse The Internet Safely Without Using A VPN Using A Socks Proxy With SSH (step-by-step)