July 23, 2020

A Look Under the Hood: The White Hat Hacker (Ethical Hacker)

in CYBER SECURITY

July 21, 2020

What Is White Box Testing? 5 Popular White Box Testing Techniques

in CYBER SECURITY

July 17, 2020

Open Source Intelligence: What Is OSINT & How Does It Work?

in CYBER SECURITY

July 14, 2020

How to Fix the ERR_SSL_PROTOCOL_ERROR in 8 Easy Steps (2020 Edition)

in CYBER SECURITY

July 10, 2020

Watch Out for These 8 Different Types of Malware

in CYBER SECURITY

July 7, 2020

What Is SSL Inspection and How Does It Work?

in CYBER SECURITY
July 1, 2020

13 Vulnerable Websites & Web Apps for Pen Testing and Research

in WEB SECURITY

June 29, 2020

Zero Day: What Is a Zero Day Attack, Exploit or Vulnerability?

in CYBER SECURITY

June 26, 2020

A Man in the Browser Attack: What It Is & How to Prevent It

in CYBER SECURITY

June 25, 2020

What Is HSTS and Why Should Your Organization Use It?

in WEB SECURITY

July 23, 2020

A Look Under the Hood: The White Hat Hacker (Ethical Hacker)

in CYBER SECURITY

July 20, 2019

Hashing vs Encryption — The Big Players of the Cyber Security World

in ENCRYPTION

July 8, 2019
0

The 7 Biggest Data Breaches of All Time

in WEB SECURITY

June 20, 2019

Key Differences Between SSL Certificates and Code Signing Certificates

in ENCRYPTION WEB SECURITY

May 31, 2019

How to Install SSL Certificates on WordPress: The Ultimate Migration Guide

in ENCRYPTION WEB SECURITY WORDPRESS SECURITY

April 3, 2019

What is Always on SSL (AOSSL) and Why Do All Websites Need It?

in ENCRYPTION WEB SECURITY

March 15, 2019

8 Crucial Tips To Secure Your WordPress Website

in WORDPRESS SECURITY

November 11, 2018

Comodo CA is now Sectigo: FAQs

in SECTIGOSTORE

November 6, 2018

0
5 Ridiculous (But Real) Reasons IoT Security is Critical

in IOT

November 2, 2018

2018 Top 100 Ecommerce Retailers Benchmark Study

in WEB SECURITY

Search this site

InfoSec Insights

13 Vulnerable Websites & Web Apps for Pen Testing and Research

July 1, 2020

13 Vulnerable Websites & Web Apps for Pen Testing and Research

in WEB SECURITY

1 Star2 Stars3 Stars4 Stars5 Stars (17 votes, average: 3.53 out of 5)

Looking for the best vulnerable website list for 2020? We’ve got you covered with these vulnerable web
apps and vulnerable websites for testing

Knowing where to find the best vulnerable websites, web apps, and battlegrounds is useful for every
new or established hacker. Why do I say this? Because using websites and web applications that are
designed specifically for hacking is a safe way for:

New hackers to cut their teeth on,

Researchers to expand their knowledge or potentially discover new vulnerabilities, and

Experienced hackers, developers, webmasters, pen testers and auditors to keep their skills current.

Of course, when we say “hacking,” we mean “ethical hacking.” And using these intentionally vulnerable
websites and web apps for testing provides you with a safe environment to legally practice your craft
while staying on the right side of the law. This way, you can hack without treading into murky waters
that could result in your arrest. (Unless, of course, the idea of spending time in prison sounds like a good
time — then, hey, you do you.)
Why These Resources Are Useful to Developers in Particular

It’s no secret that vulnerabilities in your websites and web applications leaves you (and your users)
vulnerable to attack by bad guys. But what makes matters worse is that in their Web Application
Vulnerability Report 2020, the web security company Acunetix states that 63% of web applications and
perimeter network security technologies have medium severity vulnerabilities and another 26%
demonstrate high severity vulnerabilities.

Although this data is lower than what they previously reported, frankly, it’s still too high.

As a developer, you’re likely responsible for designing, creating, and testing new and secure websites,
applications, operating systems or other technologies. Doing this successfully requires:

Integrating cybersecurity best practices and approaches into your development structure and processes;

Understanding which development platforms or languages are most vulnerable; and

What you can do to make them more secure.

This means that you must have the necessary cybersecurity knowledge and skills to identify and mitigate
these vulnerabilities. And to keep these attributes as up to date as possible, you need to be aware of
cybercrime industry trends but also the real-world approaches cybercriminals use. This is where using
vulnerable websites and web apps can come in handy.

But where can you find such useful vulnerable websites (or a list of such resources)? Look no further.

The 13 Best Vulnerable Web Applications & Vulnerable Websites for Testing

This list contains a variety of vulnerable websites, vulnerable web apps, battlegrounds and wargames
communities.

And before you ask, no, there isn’t a particular order to this vulnerable website list in terms of
importance or which resources would be considered the “best.” Frankly, I’m not a hacker myself, so I’m
just going to list them in alphabetical order for the sake of making things easy and to avoid starting any
online arguments about how X is better than Y. Try these resources out for yourself to see how you
might rank each different website.

These suggestions came from my colleagues or are among the most popular choices that are frequently
recommended within hacker online communities.

1. Buggy Web Application (BWAPP)

Screenshot of the BWAPP vulnerable web app website

Image source: MMEBVBA

The Buggy Web Application, or BWAPP, is a great free and open source tool for students, devs, and
security pros alike. It’s a PHP app that relies on a MySQL database. Whether you’re preparing for a
project or just want to get some practice in to keep your ethical hacking skills up to par, this solution
with the cute and happy little bee mascot contains more than 100 bugs for you to practice on. This
includes all of the major (and most common) known vulnerabilities.

2. CTFlearn

Screenshot of the CTFlearn vulnerable website for CTF contests

Image source: CTFlearn

CTFlearn is a popular ethical hacking platform that tens of thousands of people use worldwide. The
name of the site is based on capture the flag (CTF) contests that are common to the industry. These are
usually cybersecurity competitions that are designed for hackers and other IT pros — often by other
users of the site — that provide users with a chance to solve specific issues as either an attacker or
defender.

For example, a common CTF challenge might require you to break into a Linux web server and capture
the “flag,” which could be a text file stored on the server. Inside the text file might be a pass phrase you
can provide to prove that you completed the challenge. Depending on your mood and how the
challenge is setup, this is a platform that allows you to wear your white hat or black hat.

The challenge categories are organized by difficulty levels or a variety of topics, which include:
Forensics

Programming

Binary

Crypto

3. Damn Vulnerable IOS App (DVIA)

Screenshot of the DVIA vulnerable web app website

Image source: DVIA

Okay, I’d be genuinely surprised if you’ve never heard of this one. Damn Vulnerable iOS App (DVIA),
much like the name would imply, is an iOS application that’s intentionally penetrable. This open source
resource allows mobile security pros and enthusiasts to flex their skills in a series of challenges within a
safe (and legal) environment.

What’s particularly great about this one compared to the rest of this list of vulnerable websites and
vulnerable web apps is that it’s focused specifically on mobile apps. While there are lots of vulnerable
web apps available, there are fewer intentionally vulnerable mobile app platforms to practice on. It’s the
equivalent of a unicorn in a herd of wild horses.

Want to experiment with some network layer security issues? Got it. What about local data storage
vulnerabilities? It covers that, too. To use the tool, simply download and install DVIA on your iOS device.

4. Damn Vulnerable Web Application (DVWA)

Screenshot of the DVWA vulnerable web app website

Image source: DVWA

Not to be confused with DVIA, the Damn Vulnerable Web Application (DVWA) is a great tool for web
devs and security pros alike. Basically, it’s a MySQL/PHP web app that’s designed to be super vulnerable
to SQL injections and other common attacks.

In DVWA, you have the option of toggling between low, medium, high, and “impossible” security levels
for every type of vulnerability they offer. This gives you a chance to practice exploiting or defending
against vulnerabilities that may exist within different environments. It also enables you to challenge
yourself more and drill-down on areas you need to focus on more.

Of course, this tool is something that you’d need to download from the website. It’s important to note,
however, that it’s best to install this on a virtual machine where you can spin up individual instances as
needed.

Want to see one of these challenges in action? Here’s a video of someone performing SQL injections in a
low security environment using DVWA:

5. Defend the Web

Screenshot of the Defend the Web vulnerable website dashboard

Image source: Defend the Web

Defend the Web, formerly known as HackThis (hackthis.co.uk), is a great resource that reportedly more
than 600,000 hackers of all experience levels around the world use. This interactive security platform
offers a variety of security-related articles on topics relating to coding, hacking, privacy, network
security, and other related issues.

If you’re looking for more goodies or ways to engage, the site also has message boards and other
informational resources to learn from as well as a playground with dozens of challenges that enable
users to practice and hone their skills.

6. Google Gruyere

Image of Google Gruyere from google-gruyere.appspot.com

Image source: Google Gruyere

Much like the French style of cheese that shares the same name, Google Gruyere is a well-known web
application codelab that’s full of “holes” that you can learn to find and exploit. It’s written in Python and
is organized by vulnerability types to make life simple. For each task, they’ll provide a brief description of
the vulnerability that you’ll either use black-box or white-box hacking (or a mix of both techniques) to
find, exploit, and/or identify.

Although this site is designed for people who are learning application security, it’s still suitable for
someone who has an understanding (or at least a familiarity with) of how web applications work and the
types of vulnerabilities that exist within them.

To start a new AppEngine instance in Google Gruyere, simply go to the Start Gruyere website and
proceed from there.

7. Hack.me

Screenshot from the hack.me vulnerable website

Image source: Hack.me

Like many of the other vulnerable websites on our list, Hack.me is a free, educational community-based
project and platform. It allows users to build, host, and share original vulnerable web application code.
As such, the site is intended to be used by:

Students, universities and other researchers,

Web developers,

Penetration testers (pen testers), and

Anyone else who wants to learn.

8. HackTheBox

Screenshot of the HackTheBox online CTF platform

Image source: HackTheBox

This three-year-old UK-based online platform is a pen tester’s dream. With more than 350,000 members
from around the world, HackTheBox is a place for new hackers, students, cybersecurity pros and gamers
alike. In addition to getting to play around on the platform and test your skills, you can also engage in
their 127 challenges and use live any of their 179 live machines (at the time of this writing). They’ve also
hosted CTF events as well.
But if you’re looking for something a little more private, there are also dedicated labs that you can rent if
you’re part of a college, business, or another type of organization or institution. Needless to say, you’ve
got options with HackTheBox.

9. HackThisSite

Screenshot of the hackthissite vulnerable website

Image source: HackThisSite

HackThisSite is a popular safe haven for budding and experienced hackers alike. It’s a place where you
can practice hacking to develop and hone your skills — but it’s more than that. The description on the
site itself lists it as:

“a living, breathing community with many active projects in development, with a vast selection of
hacking articles and a huge forum where users can discuss hacking, network security, and just about
everything.”

Sounds useful, am I right? In addition, the website also hosts a series of tutorials and challenges or
“missions” that users of all levels can complete safely

10. Hellbound Hackers

Screenshot from the Hellbound Hackers online community

Image source: Hellbound Hackers

Although it sounds like it could be a group of hardcore, leather-clad motorcyclists, Hellbound Hackers is
the self-proclaimed “hands-on approach to computer security.” Basically, it’s a large online community
of hackers whose focus is to help fellow hackers learn how to break into a site or how to prevent other
hackers from doing so.

The site boasts a plethora of articles on different topics, a web forum for discussions, and a code bank
where users can share and review code. Hellbound Hackers also has a series of challenges for people
based on their skill level, coding languages, and specific areas of interest, including:
Javascript

Encryption

Steganography

Tracking

Patching

Rooting

11. OverTheWire

Screenshot from the OverTheWire wargames platform

Image source: OverTheWire

Shall we play a game? Okay, sorry, I couldn’t resist that line from the movie “Wargames.” Anyhow, back
to the topic at hand… OverTheWire is an online community of hackers, developers and other
cybersecurity pros who want to learn and practice real-world security concepts in the form of
“wargames.” No matter whether you prefer playing an attacker or defender in these exercises, there’s
something for everybody.

These activities, depending on the wargame, range from level 0 to 34 (although many of them have
fewer levels). To connect, users must use a secure shell (SSH) via a specified port number for each
challenge.

12. OWASP Mutillidae II

Screenshot of the OWASP Mutillidae II interface from computersecuritystudent.com

Image source: ComputerSecurityStudent

The Open Web Application Security Project (OWASP) offers a lot of different web application security
related projects and platforms. For example, OWASP Mutillidae II is a free, open source web app that
provides new and experienced web security enthusiasts and hackers with a fun and safe environment to
learn and practice their skills. (It’s very similar to the DVWA mentioned earlier.)
Here, you learn not only about web app security and how to exploit certain vulnerabilities, but you also
learn how to address code vulnerabilities. Mutillidae II involves scripts that encompass virtually all of the
OWASP Top 10 web app vulnerabilities, including HTML injections, SQL injections, and cross-site
scripting (XSS). Still a bit new to the game? No worries. Mutillidae II also offers little hints to help you
along the way with using their vulnerable web app. After all, they want to keep you from feeling too
lost!

According to the official page, although it comes pre-installed on some systems, you can also install it on
Linux or Windows AMP stacks because it works with LAMP, WAMP, and XAMPP. Check out
Webpwnized’s playlist for Hacking Mutillidae II on YouTube to see how it works.

Of course, aside from Mutillidae II, OWASP also has a few other tricks up their sleeves. Their additional
educational resources include the renowned OWASP Juice Shop vulnerable web app and OWASP
WebGoat, which allows users to test common vulnerabilities in java-based apps.

13. ThisIsLegal – Are You?

Screenshot of the ThisIsLegal website

Image source: ThisIsLegal

ThisIsLegal is another wargames site for hackers to practice their craft. It features various tutorials on
different topics that you can learn from as well as web forums to share ideas. The site also hosts 43
challenges of varying difficulty levels relating to:

Application security

Encryption

Programming

SQL

User passwords and login forms

While it isn’t nearly as active a site as some of the other online communities we’ve already covered, it’s
at least still worth mentioning and including on this list of vulnerable websites and web apps.
BONUS: Game of Hacks

Screenshot of one of the timed beginner challenges on the Game of Hacks vulnerable website platform.

Image source: A screenshot of one of the timed beginner challenges on the Game of Hacks website.

Even though it’s not technically a vulnerable website in the traditional sense, we’d be remiss if we didn’t
at least include this somehow on the list. Game of Hacks is one of those fun websites for hacking that
comes in a game format. It presents bits of code for you to analyze for vulnerabilities and allows you to
test your application hacking skills and knowledge.

You can choose to play as a beginner, intermediate, or as an advanced player. You can also go at it alone
or have the option of challenging a friend. What makes it even better is that you can shake things up by
adding your own code to the game.

For a much larger list of additional vulnerable apps, vulnerable websites, and a wealth of other
resources, be sure to check out Aman Hardikar’s Penetrating Testing Practice Lab list.

Why You Should Use These Vulnerable Websites & Vulnerable Web Apps

As cybercrime continues to grow at alarming rates, cybersecurity and penetration testing are skillsets
that continue to grow in importance. Governments, businesses and other organizations are hiring white
hat/ethical hackers to try to hack their websites, web apps and mobile apps. This way, they can discover
zero day vulnerabilities and other security gaps in their coding before they are exploited by malicious
users.

One Final Note on Vulnerable Websites and Web Apps: Use a Virtualization Tool

A good rule of thumb when running vulnerable applications, sites, and platforms is to use a virtualization
tool or virtual machine. Why? Running a hypervisor process (typically in the form of software) on your
operating system allows you to run another type of operating system (such as instances of Windows, OS
or Linux) without putting your main system at risk.

If something goes wrong, you can simply shut down the instance. No muss, no fuss. If you tried that on
your main operating system, you might not be able to say the same.
But what’s considered a reputable virtualization tool? Two of the most popular types are VirtualBox and
VMWare, and both are great options. But choosing the best option for you depends on your needs. Ask
yourself whether you’re looking for something that’s free and open source, or one that’s for personal
use or requires commercial licensing.

Do you have any favorite vulnerable websites or vulnerable web apps that you’d like to add to our list?
Please feel free to share them in the comments below.

#ETHICAL HACKING #HACKING #WEB APPLICATION SECURITY #WEBSITE SECURITY

FACEBOOK TWITTER PINTEREST GOOGLE +

About the author

Casey Crane

Casey is a writer and editor with a background in journalism, marketing, PR and communications. She
has written about cyber security and information technology for several industry publications, including
InfoSec Insights, Hashed Out, and Cybercrime Magazine.

You might also like

Get The Latest InfoSec Insights In Your Inbox!

Email Address

First Name

Last Name

How often would you like to receive email updates?

Weekly

Monthly

Search InfoSec Insights

Search for:

Search here
Latest Articles

A Look Under the Hood: The White Hat Hacker (Ethical Hacker)

What Is White Box Testing? 5 Popular White Box Testing Techniques

Open Source Intelligence: What Is OSINT & How Does It Work?

How to Fix the ERR_SSL_PROTOCOL_ERROR in 8 Easy Steps (2020 Edition)

Watch Out for These 8 Different Types of Malware

Comodo is now Sectigo

Recommended Posts

DevSecOps: A Definition, Explanation & Exploration of DevOps Security

© SectigoStore.com, an authorized Sectigo Platinum Partner