For each new and established hacker it is important to know from he can find the best vulnerable sites, web apps and battlegrounds. Why? Using these which are designed especially for hacking is save way for:
- New thefts to cut their teeth off.
- Research to increase their knowledge or discover new things.
- The experienced security thefts, developers, auditors, webmasters to keep their skills current.
We put together a list that includes vulnerable XSS and SQL sites too. When we say this word we actually mean ethical hacking and using such sites and apps for testing gives a safe environment to practice the craft legally while staying on the right side of the law. Like this, you can hack freely without the fear of being arrested.
Table of Contents
- 1 Why are vulnerable sites valuable to newbie hackers?
- 2 12 Best Vulnerable Sites and Web Applications For Testing (Hacker Special)
- 2.1 CTFlearn – Capture the flag done right
- 2.2 Buggy Web Application (BWAPP v2) – Bug Bounty Hunter Special
- 2.3 Damn vulnerable web application (DVWA v2)
- 2.4 Google Gruyere – Top hacking site
- 2.5 Defend the Web – The real deal
- 2.6 Hack The Box – Training done right
- 2.7 Hack.me – It does what it says
- 2.8 Hellbound Hackers – Top Community
- 2.9 HackThisSite
- 2.10 OverTheWire
- 2.11 ThisisLegal – Are you?
- 2.12 Game of Hacks – Emerging platform
- 2.13 Extra: McAfee HacMe Sites
- 3 Conclusion: Where are you testing your hacking skills?
Why are vulnerable sites valuable to newbie hackers?
By any chance, it is not a secret that such vulnerabilities leave you open to attack by all the bad guys. The thing which makes it worse is that in their web app vulnerability report 2020, web company Acunetix says that around 63% of apps and perimeter network security technologies carry medium severity vulnerabilities and the other 26% have high ones.
Though the data is lower than what has been reported before to be honest it is still too high.
A developer is responsible for creating, designing and testing new sites, apps, OS and other technologies. Doing this successfully requires:
- Integrating best practices and approaches of cybersecurity in the development structure and processes.
- Understanding which development languages or platforms are most vulnerable.
- And what can be done to make them secure?
This means that you need to have the required knowledge and skills to identify and mitigate such vulnerabilities. And to keep such attributes up to date, you need to have awareness of trends in the cyber-crime industry but also real-world approaches that are being used by criminals. This is where using vulnerable sites and apps comes into action.
The question is from where you can find the? Well, don’t worry as you have dropped at the right place. Follow through to have all the answers
12 Best Vulnerable Sites and Web Applications For Testing (Hacker Special)
Keep in mind that there is no certain order to this site list in terms of importance or which resources would be considered as the best.
CTFlearn – Capture the flag done right
This platform is being used by tens of thousands of people around the globe. Name if the website is based on Capture the Flag (CTF) contests which are common to the industry. These are the cybersecurity competitions that are designed particularly for thefts and other IT pros, often by other site users, which provide them with a chance to solve certain issues either as an attacker or a defender.
Like a common CTF challenge may need you to break into a Linux web server and capture the “flag”, which can be a text file stored on the server. Now inside the text file may be a passphrase you can give to prove that you have completed the challenge. Depending upon the mood and how the challenge is set up, this is a platform that allows wearing a white or black hat.
Challenge categories are organized on the basis of difficulty levels or different topics which include the following:
Buggy Web Application (BWAPP v2) – Bug Bounty Hunter Special
This is one of the best for students, dev and security pros alike. It is a freemium and open-source tool. It is a PHP application that depends upon the MySQL database. Whether you are preparing for a project or want to get some practice to keep your skill up to par, this solution with a cute and happy little bee mascot carries more than 100 bugs to practice on. It includes all the major and most common vulnerabilities which are known.
Damn vulnerable web application (DVWA v2)
This is a good tool for all web devs and security pros alike. This is basically a MySQL/PHP application that is designed to be super vulnerable to SQL injection and some other common attacks.
In this users have the option to toggle between low, medium, high, and impossible security levels for every kind of vulnerability offered. It gives them the chance to practice defending against vulnerabilities that may exist within different environments. Moreover, it also enables them to challenge themselves more and drill down on areas that require more focus.
You need to get this tool from the sites. Keep in mind that it is best to install this on a virtual machine where you can spin individual instances as required.
This is an iOS application that is intentionally penetrable. This is open source and allows mobile security pros and enthusiast to flaunt their skills in a series of challenges within a safe environment.
The best thing about this one as compared to others is that it is more focused on mobile applications. While many vulnerable sites are available, there are a few mobile app platforms to practice on. This is equal to the unicorn in a herd of wild horses.
With this, you can experiment with network layer security issues and local data storage vulnerabilities. To use this, download it simply and install DVIA on your iOS device.
Google Gruyere – Top hacking site
It is similar to the French style of Cheeses which shares the same name, it is a popular web application codelab that is full of holes that you can learn to find and exploit. To make life simple it is written down in python and organized by kind of vulnerabilities. For every task, they provide a brief description of vulnerability that you shall either use the black or white box hacking to find, exploit and identify.
Though the website is designed for users who are learning the application security, it is still suitable for one who has an understanding of how the apps work and the types that exist within them.
Now to start a new AppEngine in this, you simply need to go to start the gruyere site and proceed from there.
Must Read: Download njRAT v0.7 for Linux.
Defend the Web – The real deal
This was formerly known as HackThis (hackthis.co.uk). It is a great source that is being used by more than 6 lakh security thefts around the globe. This is an interactive security platform that provides a variety of security-related articles on topics that are related to coding, hacking, network security, privacy and other related issues.
Now, if you are looking for some more goodies or ways to engage then the website also has message boards and some other informational resources to learn and a playground with many challenges which enable users to practice and hone their skills.
Hack The Box – Training done right
This is a 3-year-old UK-based online platform that is the dream of every pentester. It has more than 350000 members from all over the world. It is the go-to place for new thefts, students, cybersecurity pros and gamers. Now, along with getting to play around on the platform and test your skills you can also engage in their 127 challenges and use live any of their 179 live machines. Moreover, they have also hosted CTF events.
If you are looking for something which is a bit more private then there are dedicated labs that you can rent out if you are part of a business, college, or any kind of organization. The best thing about this one is that with this you have got many different options.
Hack.me – It does what it says
Like many other sites listed here, this one comes in free. It is an educational community-based project and platform. It allows you to build, hold and share original vulnerable web app code. This website is designed to be used by:
- Web developers.
- Independent researcher
Must Read: Best and Biggest WPA2 Password List Download.
Hellbound Hackers – Top Community
Though this one sounds like a group of hardcore, leather-clad motorcyclists, it is a self-proclaimed “hands-on approach to system security”. Actually, this is a large online community of security thefts who have their focus on helping fellow criminals on how to break into a site or how to prevent others from doing so.
The websites boast many articles on various topics, a web forum for discussions and a code bank where all the users can share and review the code. Moreover, it also has a series of challenges for users based on their level of skill level, coding languages and certain areas of interest which include the following:
This is quite a popular safe haven for all experienced criminals. It is seemed to be a place where you can practice hacking to develop and hone your skills, but in reality, it is more than that.
This is an online community of security thefts, developers and other cybersecurity pros who wish to learn and practice the real-world security concepts in the form of “wargames” no matter either you prefer playing an attacker or defender in such exercises, as there is something for everyone.
Such activities which depend upon the wargame range from level 0-34 though many of them have fewer levels. For users to connect, they need to use a secure shell (SSH) through a specified port number for every challenge.
This is yet another wargames website for security thefts to practice their craft. This one features different tutorials on various topics so that users can learn from and web forums as well to share the idea. Moreover, this site hosts 43 challenges of varying difficulty levels which are related to the following:
- User passwords and login forms
- Application security.
As this is not as active as some other online communities we have discussed above it is still worth making part of the list.
Game of Hacks – Emerging platform
Though this is not technically a vulnerable site in the traditional sense, we would neglect if we didn’t include it here on the list. It is one of those sites for hacking that comes in the form of a game format. It presents code bits for users to analyze for vulnerabilities and allows them to test their application hacking skills and knowledge.
Users can select to play as a beginner, intermediate or advanced player. Moreover, you can also go at it alone or carry the option of challenging a friend. The best thing is that now you can shake things up by adding your own code to the game.
Extra: McAfee HacMe Sites
These are very old in the game and one of the first to introduce this concept on a bigger scale. It has a wide variety of vulnerable URLs that whitehat hackers can utilize to polish their skillset. Most of the choices they had were based 100% on real-world problems faced by system administrators and people who maintain websites.
Conclusion: Where are you testing your hacking skills?
So these were the most reputable and trusted sites and web applications for testing that are loved by hackers. This includes XSS and SQL vulnerable sites too that allow you to practice your newly learned penetration testing skills. I personally think these are great developments because youngsters or anyone new to the field is able to put their knowledge to the test.