tips tools reconnaissance

SecurityTrails Blog · Nov 19 · SecurityTrails team

Top 10 vulnerable websites for penetration testing and ethical hacking training

Reading time: 8 minutes

The infamous cybersecurity skills gap is rising, and more than ever, companies are in need of security professionals to protect their networks and systems. So whether you’re just starting out in cybersecurity or you’re established as an expert, you constantly need to work on practising and sharpening your hacking skills.

There are many ways to learn ethical hacking and pen testing, whether it’s through online tutorials, YouTube videos, courses, books, podcasts, etc., but we all know that nothing beats a practical approach. For ethical hackers and penetration testers it can be hard to test their skills legally so having websites that are designed to be vulnerable and provide a safe environment to test hacking skills is a great way to continue challenging yourself.

We’ve talked about the top 5 best Linux distros for ethical hackers and pen testers, and today we’re exploring a list of the top 10 deliberately vulnerable websites for penetration testing and ethical hacking training. There are fun, game-oriented platforms here, with both web and mobile applications and more, so you can find the one to suit your skills:

1. bWAPP

bWAPP

Created by Malik Messelem, bWAPP (short for “buggy web application”) is a free and open source application that is, just as the name implies, deliberately vulnerable. It’s one of the best—if not the best—buggy websites available for practising and sharpening your hacking skills. Whether you’re a security enthusiast, hobbyist, student, developer or even a professional merely looking to have some fun, this website will help you conduct ethical hacking and pen testing in a legal environment.

What makes bWAPP unique is that it offers more than 100 web application vulnerabilities and bugs derived from OWASP’s Top 10 Project. Some of the vulnerabilities are:

  • Cross-site scripting (XSS), cross-site tracing (XST) and cross-site request forgery (CSRF)
  • Man-in-the-middle attacks
  • Server-side request forgery (SSRF)
  • DoS attacks
  • SQL, HTML, iFrame, SSI, OS Command, PHP, XML, XPath, LDAP, Host Header and SMTP injections

But it doesn’t end there. Beside the 100 bugs, you can use a so-called “bee-box,” a custom pre-installed Linux VM.

bWAPP Is built on PHP and uses a MySQL database. It can be hosted on both Windows and Linux OS: on Windows you can host it on xampp and wamp server; on Linux, Apache, and it’s also great to use on Kali Linux.

You can easily download bWAPP here.

2. HackThisSite

HackThisSite

One of our favorites, HackThisSite, or HTS, is a great hacking website that was founded by Jeremy Hammond but has been maintained by the community. It offers numerous different challenges that contain beginner as well as advanced hacking skills.

The challenges are fun and engaging, with real-life scenarios and different characters. Each challenge has thread on a forum where you can discuss it with other members of the community and offer resources to solve the puzzle more quickly. You even get a chance to hack a voting system!

Some other challenges on HackThisSite are:

  • Realistic missions
  • Application missions
  • Phonephreaking missions
  • Forensic missions
  • Programming missions

And don’t forget their CTFs. They also encourage people to exploit this site literally, and reward those who disclose them by adding them to their hall of fame. HTS is an enjoyable place with a vibrant community and no matter your skill level, you’ll find a mission that will both challenge and entertain you.

3. Google Gruyere

Google Gruyere

It’s not often we see the pairing of cheese and hacking, but this website is a lot like good cheese—full of holes. It also uses “cheesy” code and the entire design is cheese-based. Gruyere is a great option for beginners who want to dive into finding and exploiting vulnerabilities, but also learn how to play on the other side and defend against exploits.

Gruyere is written in Python, with bugs that aren’t specific to Python, and offers a substantial number of security vulnerabilities chosen to suit beginners. Some of the vulnerabilities are:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (XRF)
  • Remote code execution
  • DoS attacks
  • Information disclosure

Gruyere codelab has divided vulnerabilities into different sections, and in each section you will have a task to find that vulnerability. Using both black and white box hacking, you’ll need to find and exploit bugs. Some previous knowledge is necessary, but we think this is the best choice for beginners.

4. Damn Vulnerable iOS App - DVIA

Damn Vulnerable iOS App - DVIA

DVIA is an iOS mobile application meant to help mobile security hobbyists, professionals and mobile developers practise penetration testing. It was recently re-released and is available for free on GitHub.

DVIA contains common iOS app vulnerabilities following the OWASP Top 10 mobile risks. It’s written in Swift, with all vulnerabilities tested up to iOS 11, and you do need to have Xcode installed (the best way to install it is by using Cydia Impactor).

Some of the vulnerabilities you can play with are:

  • Phishing
  • Jailbreak detection
  • Debugging
  • Touch/Face ID bypass
  • Side channel data leakage
  • Broken cryptography
  • Network layer security
  • Application patching

Although DVIA is open source, if you’re unable to solve a challenge you can buy the solutions and donate to support the DVIA project, allowing you to contribute to the open source community. It’s a great place for beginners as well as anyone else who wants to practise hacking mobile apps. In that sense, it’s fairly unique.

5. Hellbound Hackers

Hellbound Hackers

Hellbound Hackers is an all-around computer security platform, as it not only offers hands-on challenges, articles, forums and a wide array of hacking tutorials, but also has one of the biggest hacking communities around, with over 100,000 registered members.

On Hellbound Hackers, you’ll have the chance to participate in timed challenges requiring you to find a vulnerability and a way to patch it. Learning how malicious actors break into systems will also teach you how to defend against them. It’s great for beginners as it offers some simpler challenges, but it can also be enjoyed by professionals. Note: Before diving into Hellbound Hackers, you should be familiar with HTML, JS and PHP.

The many different challenges in Hellbound Hackers include:

  • Application hacking
  • Basic web hacking
  • Javascript hacking
  • Rooting challenges
  • Pen-testing challenges

6. OWASP Mutillidae II

Another OWASP project to consider here is the OWASP Mutillidae II, better known simply as Mutillidae. Written in PHP, this is an open source vulnerable web application that can be used on Linux and Windows using lamp, wamp and xampp servers. It also comes pre-installed on Rapid7 Metasploitable 2, Samurai WTF and OWASP BWA. For easier installation, they offer tutorials for each step.

It features over 40 vulnerabilities and contains a large number of the OWASP Top 10 vulnerabilities. Mutillidae is a safe and legal environment where security enthusiasts, professionals, students and CTFs can practise web hacking.

7. HackThis!!

OWASP Mutillidae II

Defend the Web, originally known as HackThis!!, is an interactive cybersecurity platform designed to offer challenges for all skill levels. It features over 60 hacking levels and articles that cover all areas of security including those specifically contained on the level.

There are different categories, such as some featuring fictional “real world” scenarios that have you working as a security professional who’s challenged to secure the website against hackers. It even holds CTF competitions from time to time and engages a lively community of over 600 thousand members where you can exchange knowledge and discuss security news and articles.

8. WebGoat

Yet another OWASP entry on this list, and one of the more beloved. WebGoat is a highly insecure[a] app that provides a learning environment for common server-side application flaws. It’s designed to help people learn about application security and practise pen testing skills.

Each lesson gives you a chance to learn about a certain security issue and exploit it in the app. WebGoat is available for Windows, OSX Tiger and Linux and downloads[b] for J2EE and .NET environment.

Some of the vulnerabilities and attacks explored in WebGoat are:

  • Cache poisoning
  • SQL injection
  • Trojan horse attacks
  • Spyware
  • Unicode encoding

9. Root Me

Root Me

A multilanguage security training platform, Root Me is a great place for testing and advancing your hacking skills. It features over 300 challenges which are updated regularly and more than 50 virtual environments, all to provide a realistic environment. Root Me also has a passionate community of over 200,0000 members, all of whom are encouraged to participate in the development of the project and earn recognitions.

Different subjects covered on Root Me include:

  • Digital investigation
  • Automation
  • Breaking encryption
  • Cracking
  • Network challenges
  • SQL injection

It’s a solid platform and a great way to practise your hacking skills, although it’s not as beginner-friendly as some of the other entries on this list.

10. OverTheWire

OverTheWire

Another terrific place for fun and learning, OverTheWire offers wargames and warzones for different skill levels, although it does lean toward more advanced hacking concepts. Each level features specific scenarios; you start as a Bandit and work your way up to the more complex exploits.

First you’ll be challenged by wargames that cover basic concepts and skills, then continue to different scenarios and more involved stories. OverTheWire also has a competitive side, the warzone, an isolated network simulating the IPv4 Internet. All connected devices are targets to be hacked, placing you in competition with other hackers.

Conclusion

Whether you’re a developer, security professional, student or enthusiast, vulnerable websites designed to be hacked are a great way to learn while putting your knowledge and skill to the test. With so many options out there, most of them free, we’re sure you’ll find something that will, at the very least, provide a fun and enjoyable experience.


Once you’ve put your skills to the test, make sure to add SecurityTrails API to your security toolkit. We love helping researchers in threat hunting, cyber forensics and digital investigation with powerful DNS and domain intel through our API. Sign up for your API key today to access our current and historical data.