Just as the gap grows, so does the number of vulnerabilities, attack vectors and attack techniques. Companies need to ensure their computer systems and networks are secured, and devoid of any holes for attackers to leverage for access to, and possession of, sensitive data.
Ethical hackers (or “white hats”) and bug bounty hunters play a tremendously valuable role in safeguarding systems and networks from vulnerability to malicious actors. They represent some of the most attractive professions in the modern landscape. And because cybercriminals are constantly finding new ways to break into systems and networks and developing new tools and techniques, ethical hackers—whether merely starting out in cybersecurity or established as experts—are in constant need of practicing and sharpening their hacking skills.
There are many ways to learn ethical hacking and pen testing, whether it’s through online tutorials, YouTube videos, courses, books, podcasts, etc., but we all know that nothing beats a practical approach. For ethical hackers and penetration testers it can be hard to test their skills legally so having websites that are designed to be vulnerable and provide a safe environment to test hacking skills is a great way to continue challenging yourself.
Websites and web applications that are vulnerable by design and offer a safe hacking space are fertile ground for learning. By using them, new hackers can get comfortable with finding vulnerabilities, security researchers and bug bounty hunters can expand their knowledge and find new vulnerabilities, and seasoned professional hackers, developers and pen testers can keep their own skills sharp and current.
We’ve talked about the top 5 best Linux distros for ethical hackers and pen testers, and today we’re exploring a list of the top 10 deliberately vulnerable websites for penetration testing and ethical hacking training. There are fun, game-oriented platforms here, with both web and mobile applications and more, so you can find the one to suit your skills:
1. Hack The Box
Since the first time we published this post, Hack The Box has taken the community by storm. It now counts more than 500,000 new hackers, students, security professionals and gamers from all over the world. An online pentesting platform, Hack The Box (HTB) allows you to test your cybersecurity (and pentesting) skills as well as exchange ideas and experiences with this amazing community.
HTB contains vulnerable machines that you are invited to hack—it even goes so far as to require you to hack your way to the invitation code that allows you to begin practising on it. Several of its challenges are constantly being updated, with some that simulate real-world scenarios and some that lean more towards CTFs. HTB also organizes CTFs on their platform that are very popular throughout the hacker community, as are the dedicated labs available to rent for your college or business. Over 1,000 organizations are already using this feature..
While HTB is only a few years old, its multitude of options and vast community establish its standing as a go-to for both new and experienced hackers.
CTFlearn is another highly popular ethical hacking platform. Offered as “The most beginner-friendly way to get into hacking”, CTF learn boasts a worldwide following of over 70,000 individuals who are there to learn, practice and compete.
The platform’s name derives from Capture The Flag (CTF), which is popular in the hacking community for its contents and reputation as a favorite cybersecurity challenge for beginners as well as professional hackers. CTFlearn also features challenges and competitions that give the users the ability to act as both attacker and defender.
Different labs involve numerous cybersecurity topics that users can create themselves. Challenges are grouped into categories and organized by level of difficulty. These include:
- Reverse engineering
Created by Malik Messelem, bWAPP (short for “buggy web application”) is a free and open source application that is, just as the name implies, deliberately vulnerable. It’s one of the best—if not the best—buggy websites available for practising and sharpening your hacking skills. Whether you’re a security enthusiast, hobbyist, student, developer or even a professional merely looking to have some fun, this website will help you conduct ethical hacking and pen testing in a legal environment.
What makes bWAPP unique is that it offers more than 100 web application vulnerabilities and bugs derived from OWASP’s Top 10 Project. Some of the vulnerabilities are:
- Cross-site scripting (XSS), cross-site tracing (XST) and cross-site request forgery (CSRF)
- Man-in-the-middle attacks
- Server-side request forgery (SSRF)
- DoS attacks
- SQL, HTML, iFrame, SSI, OS Command, PHP, XML, XPath, LDAP, Host Header and SMTP injections
But it doesn’t end there. Beside the 100 bugs, you can use a so-called “bee-box,” a custom pre-installed Linux VM.
bWAPP Is built on PHP and uses a MySQL database. It can be hosted on both Windows and Linux OS: on Windows you can host it on xampp and wamp server; on Linux, Apache, and it’s also great to use on Kali Linux.
You can easily download bWAPP here.
One of our favorites, HackThisSite, or HTS, is a great hacking website that was founded by Jeremy Hammond but has been maintained by the community. It offers numerous different challenges that contain beginner as well as advanced hacking skills.
The challenges are fun and engaging, with real-life scenarios and different characters. Each challenge has thread on a forum where you can discuss it with other members of the community and offer resources to solve the puzzle more quickly. You even get a chance to hack a voting system!
Some other challenges on HackThisSite are:
- Realistic missions
- Application missions
- Phonephreaking missions
- Forensic missions
- Programming missions
And don’t forget their CTFs. They also encourage people to exploit this site literally, and reward those who disclose them by adding them to their hall of fame. HTS is an enjoyable place with a vibrant community and no matter your skill level, you’ll find a mission that will both challenge and entertain you.
5. Google Gruyere
It’s not often we see the pairing of cheese and hacking, but this website is a lot like good cheese—full of holes. It also uses “cheesy” code and the entire design is cheese-based. Gruyere is a great option for beginners who want to dive into finding and exploiting vulnerabilities, but also learn how to play on the other side and defend against exploits.
Gruyere is written in Python, with bugs that aren’t specific to Python, and offers a substantial number of security vulnerabilities chosen to suit beginners. Some of the vulnerabilities are:
- Cross-site scripting (XSS)
- Cross-site request forgery (XRF)
- Remote code execution
- DoS attacks
- Information disclosure
Gruyere codelab has divided vulnerabilities into different sections, and in each section you will have a task to find that vulnerability. Using both black and white box hacking, you’ll need to find and exploit bugs. Some previous knowledge is necessary, but we think this is the best choice for beginners.
6. Damn Vulnerable iOS App - DVIA
DVIA is an iOS mobile application meant to help mobile security hobbyists, professionals and mobile developers practise penetration testing. It was recently re-released and is available for free on GitHub.
DVIA contains common iOS app vulnerabilities following the OWASP Top 10 mobile risks. It’s written in Swift, with all vulnerabilities tested up to iOS 11, and you do need to have Xcode installed (the best way to install it is by using Cydia Impactor).
Some of the vulnerabilities you can play with are:
- Jailbreak detection
- Touch/Face ID bypass
- Side channel data leakage
- Broken cryptography
- Network layer security
- Application patching
Although DVIA is open source, if you’re unable to solve a challenge you can buy the solutions and donate to support the DVIA project, allowing you to contribute to the open source community. It’s a great place for beginners as well as anyone else who wants to practise hacking mobile apps. In that sense, it’s fairly unique.
7. Hellbound Hackers
Hellbound Hackers is an all-around computer security platform, as it not only offers hands-on challenges, articles, forums and a wide array of hacking tutorials, but also has one of the biggest hacking communities around, with over 100,000 registered members.
On Hellbound Hackers, you’ll have the chance to participate in timed challenges requiring you to find a vulnerability and a way to patch it. Learning how malicious actors break into systems will also teach you how to defend against them. It’s great for beginners as it offers some simpler challenges, but it can also be enjoyed by professionals. Note: Before diving into Hellbound Hackers, you should be familiar with HTML, JS and PHP.
The many different challenges in Hellbound Hackers include:
- Application hacking
- Basic web hacking
- Rooting challenges
- Pen-testing challenges
8. OWASP Mutillidae II
Another OWASP project to consider here is the OWASP Mutillidae II, better known simply as Mutillidae. Written in PHP, this is an open source vulnerable web application that can be used on Linux and Windows using lamp, wamp and xampp servers. It also comes pre-installed on Rapid7 Metasploitable 2, Samurai WTF and OWASP BWA. For easier installation, they offer tutorials for each step.
It features over 40 vulnerabilities and contains a large number of the OWASP Top 10 vulnerabilities. Mutillidae is a safe and legal environment where security enthusiasts, professionals, students and CTFs can practise web hacking.
Defend the Web, originally known as HackThis!!, is an interactive cybersecurity platform designed to offer challenges for all skill levels. It features over 60 hacking levels and articles that cover all areas of security including those specifically contained on the level.
There are different categories, such as some featuring fictional “real world” scenarios that have you working as a security professional who’s challenged to secure the website against hackers. It even holds CTF competitions from time to time and engages a lively community of over 600 thousand members where you can exchange knowledge and discuss security news and articles.
Yet another OWASP entry on this list, and one of the more beloved. WebGoat is a highly insecure app that provides a learning environment for common server-side application flaws. It’s designed to help people learn about application security and practise pen testing skills.
Each lesson gives you a chance to learn about a certain security issue and exploit it in the app. WebGoat is available for Windows, OSX Tiger and Linux and downloads[[b]] for J2EE and .NET environment.
Some of the vulnerabilities and attacks explored in WebGoat are:
- Cache poisoning
- SQL injection
- Trojan horse attacks
- Unicode encoding
11. Root Me
A multilanguage security training platform, Root Me is a great place for testing and advancing your hacking skills. It features over 300 challenges which are updated regularly and more than 50 virtual environments, all to provide a realistic environment. Root Me also has a passionate community of over 200,0000 members, all of whom are encouraged to participate in the development of the project and earn recognitions.
Different subjects covered on Root Me include:
- Digital investigation
- Breaking encryption
- Network challenges
- SQL injection
It’s a solid platform and a great way to practise your hacking skills, although it’s not as beginner-friendly as some of the other entries on this list.
Another terrific place for fun and learning, OverTheWire offers wargames and warzones for different skill levels, although it does lean toward more advanced hacking concepts. Each level features specific scenarios; you start as a Bandit and work your way up to the more complex exploits.
First you’ll be challenged by wargames that cover basic concepts and skills, then continue to different scenarios and more involved stories. OverTheWire also has a competitive side, the warzone, an isolated network simulating the IPv4 Internet. All connected devices are targets to be hacked, placing you in competition with other hackers.
Whether you’re a developer, security professional, student or enthusiast, vulnerable websites designed to be hacked are a great way to learn while putting your knowledge and skill to the test. With so many options out there, most of them free, we’re sure you’ll find something that will, at the very least, provide a fun and enjoyable experience.
Once you’ve put your skills to the test, make sure to add SecurityTrails API to your security toolkit. We love helping researchers in threat hunting, cyber forensics and digital investigation with powerful DNS and domain intel through our API. Sign up for your API key today to access our current and historical data.