The 13 Best Vulnerable Web Applications & Vulnerable Websites for Testing
This list contains a variety of vulnerable websites, vulnerable web apps, battlegrounds and wargames communities.
And before you ask, no, there isn’t a particular order to this vulnerable website list in terms of importance or which resources would be considered the “best.” Frankly, I’m not a hacker myself, so I’m just going to list them in alphabetical order for the sake of making things easy and to avoid starting any online arguments about how X is better than Y. Try these resources out for yourself to see how you might rank each different website.
These suggestions came from my colleagues or are among the most popular choices that are frequently recommended within hacker online communities.
1. Buggy Web Application (BWAPP)
The Buggy Web Application, or BWAPP, is a great free and open source tool for students, devs, and security pros alike. It’s a PHP app that relies on a MySQL database. Whether you’re preparing for a project or just want to get some practice in to keep your ethical hacking skills up to par, this solution with the cute and happy little bee mascot contains more than 100 bugs for you to practice on. This includes all of the major (and most common) known vulnerabilities.
CTFlearn is a popular ethical hacking platform that tens of thousands of people use worldwide. The name of the site is based on capture the flag (CTF) contests that are common to the industry. These are usually cybersecurity competitions that are designed for hackers and other IT pros — often by other users of the site — that provide users with a chance to solve specific issues as either an attacker or defender.
For example, a common CTF challenge might require you to break into a Linux web server and capture the “flag,” which could be a text file stored on the server. Inside the text file might be a pass phrase you can provide to prove that you completed the challenge. Depending on your mood and how the challenge is setup, this is a platform that allows you to wear your white hat or black hat.
The challenge categories are organized by difficulty levels or a variety of topics, which include:
3. Damn Vulnerable IOS App (DVIA)
Okay, I’d be genuinely surprised if you’ve never heard of this one. Damn Vulnerable iOS App (DVIA), much like the name would imply, is an iOS application that’s intentionally penetrable. This open source resource allows mobile security pros and enthusiasts to flex their skills in a series of challenges within a safe (and legal) environment.
What’s particularly great about this one compared to the rest of this list of vulnerable websites and vulnerable web apps is that it’s focused specifically on mobile apps. While there are lots of vulnerable web apps available, there are fewer intentionally vulnerable mobile app platforms to practice on. It’s the equivalent of a unicorn in a herd of wild horses.
Want to experiment with some network layer security issues? Got it. What about local data storage vulnerabilities? It covers that, too. To use the tool, simply download and install DVIA on your iOS device.
4. Damn Vulnerable Web Application (DVWA)
Not to be confused with DVIA, the Damn Vulnerable Web Application (DVWA) is a great tool for web devs and security pros alike. Basically, it’s a MySQL/PHP web app that’s designed to be super vulnerable to SQL injections and other common attacks.
In DVWA, you have the option of toggling between low, medium, high, and “impossible” security levels for every type of vulnerability they offer. This gives you a chance to practice exploiting or defending against vulnerabilities that may exist within different environments. It also enables you to challenge yourself more and drill-down on areas you need to focus on more.
Of course, this tool is something that you’d need to download from the website. It’s important to note, however, that it’s best to install this on a virtual machine where you can spin up individual instances as needed.
Want to see one of these challenges in action? Here’s a video of someone performing SQL injections in a low security environment using DVWA:
5. Defend the Web
Defend the Web, formerly known as HackThis (hackthis.co.uk), is a great resource that reportedly more than 600,000 hackers of all experience levels around the world use. This interactive security platform offers a variety of security-related articles on topics relating to coding, hacking, privacy, network security, and other related issues.
If you’re looking for more goodies or ways to engage, the site also has message boards and other informational resources to learn from as well as a playground with dozens of challenges that enable users to practice and hone their skills.
6. Google Gruyere
Much like the French style of cheese that shares the same name, Google Gruyere is a well-known web application codelab that’s full of “holes” that you can learn to find and exploit. It’s written in Python and is organized by vulnerability types to make life simple. For each task, they’ll provide a brief description of the vulnerability that you’ll either use black-box or white-box hacking (or a mix of both techniques) to find, exploit, and/or identify.
Although this site is designed for people who are learning application security, it’s still suitable for someone who has an understanding (or at least a familiarity with) of how web applications work and the types of vulnerabilities that exist within them.
To start a new AppEngine instance in Google Gruyere, simply go to the Start Gruyere website and proceed from there.
Like many of the other vulnerable websites on our list, Hack.me is a free, educational community-based project and platform. It allows users to build, host, and share original vulnerable web application code. As such, the site is intended to be used by:
- Students, universities and other researchers,
- Web developers,
- Penetration testers (pen testers), and
- Anyone else who wants to learn.
This three-year-old UK-based online platform is a pen tester’s dream. With more than 350,000 members from around the world, HackTheBox is a place for new hackers, students, cybersecurity pros and gamers alike. In addition to getting to play around on the platform and test your skills, you can also engage in their 127 challenges and use live any of their 179 live machines (at the time of this writing). They’ve also hosted CTF events as well.
But if you’re looking for something a little more private, there are also dedicated labs that you can rent if you’re part of a college, business, or another type of organization or institution. Needless to say, you’ve got options with HackTheBox.
HackThisSite is a popular safe haven for budding and experienced hackers alike. It’s a place where you can practice hacking to develop and hone your skills — but it’s more than that. The description on the site itself lists it as:
“a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything.”
Sounds useful, am I right? In addition, the website also hosts a series of tutorials and challenges or “missions” that users of all levels can complete safely
10. Hellbound Hackers
Although it sounds like it could be a group of hardcore, leather-clad motorcyclists, Hellbound Hackers is the self-proclaimed “hands-on approach to computer security.” Basically, it’s a large online community of hackers whose focus is to help fellow hackers learn how to break into a site or how to prevent other hackers from doing so.
The site boasts a plethora of articles on different topics, a web forum for discussions, and a code bank where users can share and review code. Hellbound Hackers also has a series of challenges for people based on their skill level, coding languages, and specific areas of interest, including:
Shall we play a game? Okay, sorry, I couldn’t resist that line from the movie “Wargames.” Anyhow, back to the topic at hand… OverTheWire is an online community of hackers, developers and other cybersecurity pros who want to learn and practice real-world security concepts in the form of “wargames.” No matter whether you prefer playing an attacker or defender in these exercises, there’s something for everybody.
These activities, depending on the wargame, range from level 0 to 34 (although many of them have fewer levels). To connect, users must use a secure shell (SSH) via a specified port number for each challenge.
12. OWASP Mutillidae II
The Open Web Application Security Project (OWASP) offers a lot of different web application security related projects and platforms. For example, OWASP Mutillidae II is a free, open source web app that provides new and experienced web security enthusiasts and hackers with a fun and safe environment to learn and practice their skills. (It’s very similar to the DVWA mentioned earlier.)
Here, you learn not only about web app security and how to exploit certain vulnerabilities, but you also learn how to address code vulnerabilities. Mutillidae II involves scripts that encompass virtually all of the OWASP Top 10 web app vulnerabilities, including HTML injections, SQL injections, and cross-site scripting (XSS). Still a bit new to the game? No worries. Mutillidae II also offers little hints to help you along the way with using their vulnerable web app. After all, they want to keep you from feeling too lost!
According to the official page, although it comes pre-installed on some systems, you can also install it on Linux or Windows AMP stacks because it works with LAMP, WAMP, and XAMPP. Check out Webpwnized’s playlist for Hacking Mutillidae II on YouTube to see how it works.
Of course, aside from Mutillidae II, OWASP also has a few other tricks up their sleeves. Their additional educational resources include the renowned OWASP Juice Shop vulnerable web app and OWASP WebGoat, which allows users to test common vulnerabilities in java-based apps.
13. ThisIsLegal — Are You?
ThisIsLegal is another wargames site for hackers to practice their craft. It features various tutorials on different topics that you can learn from as well as web forums to share ideas. The site also hosts 43 challenges of varying difficulty levels relating to:
- Application security
- User passwords and login forms
While it isn’t nearly as active a site as some of the other online communities we’ve already covered, it’s at least still worth mentioning and including on this list of vulnerable websites and web apps.