40+ Intentionally Vulnerable Websites (Updated 2020) – Practice Your Ethical hacking!

By Adam | Security
Disclosure: Bonkers About Tech is supported by its readers. When you purchase through links on our site, we may earn an affiliate commission. Thank you.

Image credit: Flickr/Pierre (Rennes)

Attack is definitely the best form of defense and this also applies to Cyber Security.

Companies are now hacking their own websites and even hiring ethical hackers in an attempt to find vulnerabilities before the bad guys do. As such, ethical hacking is now a much sought-after skill, but hacking websites without permission can get you on the wrong side of the law, even if you’re just practising.


So how do you learn how to hack and practise your hacking skills whilst staying on the right side of the law?

Well, there are many ways to learn ethical hacking. You can learn to hack through online hacking tutorials, watch YouTube videos on hacking, learn through online courses like this complete ethical hacking course on Udemy (#CommissionsEarned), or you can learn from reading ethical hacking books.

Now there are a number of deliberately vulnerable websites out there designed to allow you to practise and hone your hacking skills without fear of prosecution. So I’ve decided to compile a list of over forty of them, each with a short description.

Once you feel comfortable finding vulnerabilities, the next step could be a job as a penetration tester or participation in one of the bug bounty programmes where companies reward you based on the severity of the bugs that you find, which could be very lucrative. Facebook is one such company offering a bug bounty programme and has paid out more than a million dollars to date.

So without further ado, here’s a list of over 40 vulnerable websites. If you know of a good hacking website that’s not on this list, let me know and I’ll add it. Oh, and don’t forget to bookmark this page! 🙂


bWAPP

bWAPP stands for Buggy Web Application and is “a free and open source deliberately insecure web application” created by Malik Mesellem. It’s built in PHP and uses a MySQL database. The vulnerabilities are those derived from the OWASP Top 10.


Damn Vulnerable iOS App (DVIA)

This has recently been re-released as a free download by InfoSec Engineer @prateekg14. It’s a deliberately vulnerable iOS 7 app that’s definitely worth a look because there aren’t many of them around.


Google Gruyere

This website is full of ‘holes’ and is deliberately ‘cheesy’. It’s designed for the absolute beginner, and you can learn how hackers find security vulnerabilities, how they exploit web applications and how to protect applications from being exploited. It’s written in Python and offers a range of vulnerabilities including cross-site scripting, cross-site request forgery and remote code execution.


HackThis!!

This site was originally designed to teach how hacks, dumps and defacements are done and to teach how you can secure a website against hackers. There are over 50 levels of difficulty on offer and a great online community to help you with hacking and keep you up to date with security news.


Hack This Site

This is a perfectly legal place to test your hacking skills and also offers hacking news, articles, forums and tutorials. You can build your skills by completing various challenges.


Hellbound Hackers

This website puts the emphasis on being hands-on and offers a wide array of challenges to teach you how to identify potential vulnerabilities; it also suggests ways to patch them. Hellbound Hackers has a vast array of tutorials and a thriving community of nearly 100K registered members.


McAfee HacMe Sites

The HacMe sites comprise HacMe Bank, HacMe Casino, HacMe Travel and more. They were launched in 2006 and were aimed at pen testers and security professionals. Each site offers a real-world experience to help ethical hackers stay ahead of the bad guys.


Mutillidae

This is another deliberately vulnerable web app which runs on Linux and Windows. The web app is written in PHP and contains all of the OWASP Top 10 vulnerabilities. There is also a dedicated YouTube channel and Twitter account to accompany the project.


OverTheWire

OverTheWire is designed for both developers and security professionals, and the experience is centred around wargames. You are initially taught the basics, and you can progress through the levels to more advanced games with more complex bugs to find and patch.


Peruggia

With Peruggia you can learn and test common attacks on web applications. This website looks similar to an image gallery and allows you to practise on it to find several controlled vulnerabilities.


Root Me

This is a great website to improve your hacking skills and generally improve your cyber security knowledge. With over 200 hacking challenges and 50 virtual environments, there should be enough here to keep you going.


Try2Hack

Try2Hack is one of the oldest challenge sites around, and there are numerous security challenges on offer here. The levels are sorted by difficulty and created so that you can practise hacking for fun. There’s a community on the IRC channel where you can ask for help, and a full walkthrough on GitHub.


Vicnum

This is an OWASP project developed by Mordecai Kraushar consisting of vulnerable web applications based on games “commonly used to kill time”. Each application contains common security problems such as cross-site scripting, SQL injection and session management issues.

The goal of the project is to strengthen the security of web apps by educating different groups of people such as developers, management, users and auditors as to the things that can go wrong with web apps. They also say “of course it’s OK to have a little fun”.


WebGoat

WebGoat is one of the most popular OWASP projects as it provides a realistic teaching and learning environment for complex application security issues. Again, it’s an insecure app available for Windows, OS X Tiger and Linux and also runs in Java and .NET environments. You can just run the web app, or you can download the source from GitHub and modify the source code. A series of videos is also available to download.

Check out the OWASP project page here.


Juice Shop

This is an insecure web app based on JavaScript and was created by Björn Kimminich. It’s perfect for anyone who is into coding or testing JavaScript but doesn’t understand the security issues that can arise. Juice Shop provides a fun challenge and can be run in a local or containerised environment. Be sure to check out Björn’s SlideShare too to get an overview of the app and how it was made. The source code can also be found on GitHub.


Hack.me

Hack.me is a free, community-based project powered by eLearnSecurity. It hosts a number of vulnerable apps and allows the community to build, host and share their vulnerable application code for educational and research purposes. As such, the website says it “aims to be the largest collection of ‘runnable’ vulnerable web applications, code samples and CMS’s online.”


Hackademic

Hackademic is another OWASP open source project and offers 10 realistic scenarios which are full of vulnerabilities including those in the OWASP Top 10. It is perfect for use in a classroom or workplace environment for educational purposes and developers are encouraged to contribute by adding new scenarios and vulnerabilities.


SlaveHack

This is actually a hacking simulation game where the goal is to manage your hardware and software and make the computers you hack or defend your ‘slaves’. Although this isn’t a website to hack per se, I have included it as it does help security people to see their systems the way malicious hackers do. You can also connect with other players in the forum and help each other when you get stuck.


Hackxor

This is a web app hacking game created by @albinowax. It focuses on being realistic and difficult and contains cross-site scripting, cross-site request forgery and SQL injection vulnerabilities. The online version has just two levels, but the downloadable version has more advanced levels.


BodgeIt Store

This vulnerable web app was created by Simon Bennetts and is full of OWASP Top 10 vulnerabilities. It can be used as a pentesting tool, a code review tool or it can teach you how to look out for exploitable vulnerabilities. There are various hacking challenges too so you can even make a game out of it.


Moth

Created by Bonsai Security, Moth is “a VMware image with a set of vulnerable Web Applications and scripts.” It was originally designed as a way to test application security tools.


EnigmaGroup

This is another challenge site with a community forum. It’s designed for anyone who wishes to improve their security knowledge and hosts a wide variety of vulnerabilities including, of course, those from the OWASP Top 10. The site says that “By knowing your enemy, you can defeat your enemy.” and takes a hands-on approach to learning about application security.


OWASP Bricks

OWASP Bricks is a deliberately vulnerable web application built using PHP and MySQL and focuses on commonly seen application security vulnerabilities and exploits. The goal is to ‘break the bricks’ and in doing so you will learn various aspects of web application security.


Damn Vulnerable Web Application (DVWA)

The Damn Vulnerable Web App is a PHP/MySQL application that is riddled with vulnerabilities. Created by @ethicalhack3r, the goal of this project is to test the skills and tools used by security professionals in a safe and legal environment. It also teaches web developers the process of how web applications are made secure.


ExploitMe Mobile Android Labs

ExploitMe Mobile Android Labs is designed for developers and security professionals with a slant on the Android operating system. There are ten vulnerabilities to find in total, all of the kind found in Android applications. The lessons include password lock screens, insecure logging, file system access permissions and more.


XSS game area

XSS game area is a website that focuses specifically on Cross-Site Scripting (XSS) bugs, which are among the most dangerous web application vulnerabilities, especially when exploited. The website will teach you how to find and exploit XSS bugs and will also teach you how to prevent these bugs from creeping into your applications, which will “confuse and infuriate your adversaries”.


W3Challs

W3Challs is a pentesting training platform which has numerous challenges under different categories such as hacking, cracking, wargames, cryptography, steganography and more. The challenges increase in difficulty and are realistic rather than based on simulations. There’s a forum too where you can discuss the challenges etc. with other members.


The ButterFly Security Project

The ButterFly project is an educational project designed to give an insight into common web application and PHP vulnerabilities. There are also examples provided that show you how such vulnerabilities are patched.


Damn Vulnerable Web Services DVWS (PHP)

Damn Vulnerable Web Services is another insecure app with multiple vulnerable web services, intended for learning real-world web service vulnerabilities such as WSDL enumeration, XPath injection, OS command injection, JSON Web Token (JWT) secret key brute force and much more.


OWASP Insecure Web App Project

InsecureWebApp was created in 2004 by Lawrence Angrave and is a teaching aid to challenge and improve secure design and coding skills. Again, it’s an insecure web application containing common web app vulnerabilities and can be used for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modelling. InsecureWebApp assumes some knowledge of web app vulnerabilities such as broken authentication, SQL injection and HTML injection.


Acunetix (Forum ASP)

This website is a deliberately vulnerable forum built using ASP and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.


Acunetix (Blog .NET)

This website is a deliberately vulnerable forum built using .NET and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.


Acunetix (Art shopping PHP)

This website is a deliberately vulnerable forum built using PHP and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.


Cenzic CrackMeBank

This is another vulnerable web app with a focus on online banking. It’s designed for application security testing and built using PHP.


HP/SpiDynamics Free Bank Online

This is another vulnerable web app, again with a focus on online banking.


IBM/Watchfire AltoroMutual

Yet another vulnerable online banking website, designed to test IBM AppScan products. It’s a simple application written in .NET. Instructions are available here on how to log on to the application, with links to more complex web applications and vulnerable web services.


Badstore

Badstore is dedicated to helping you understand how hackers prey on vulnerable websites. It shows you how to reduce your exposure to hackers and is designed to show you common hacking techniques.


Reversing.KR

Reversing.KR has 26 challenges designed to test your cracking and reverse engineering capabilities. Unfortunately the site hasn’t been updated since 2012, but the material available on this site will be relevant for some time to come.


RingZer0 Team Online CTF

RingZer0 Team Online CTF offers over 200 challenges in 13 different categories including Cryptography, Jail Escaping, Malware Analysis, SQL Injection, Shellcoding and more, all designed to test and improve your hacking skills. After you complete a challenge, you can do a write-up on it and submit your solution to the RingZer0 team. If your solution is accepted you can earn RingZer0Gold, which can be exchanged for hints in future challenges, and there’s even a scoreboard of the top players.


Hacking-Lab

Hacking-Lab provides the CTF (Capture The Flag) challenges for the European Cyber Security Challenge, but it also hosts challenges on its own platform, which anyone can take part in once registered.


OWASP SiteGenerator

The OWASP SiteGenerator allows you to create dynamic websites based on XML files which cover predefined vulnerabilities, some simple, others more complex. The main languages covered are the .NET languages, but other web languages are covered too, including HTML, JavaScript, Flash and Java. Other uses for the site generator include developer training, evaluation of web app security scanners, evaluation of firewalls and web honeypots, and you can even use it for web application hacking contests.


VulnHub

VulnHub provides you with practical and ‘hands-on’ experience in digital security, computer software and network administration. It provides you with an environment whereby you can break and hack legally, ‘allowing you to learn in a safe environment and practise “stuff” out’.

There’s a community too, so you can learn from others, and you can even watch others hack or follow along at the same time, which they call ‘white box testing’. A perfect learning environment, I would say. Check out their Twitter page here too.
