In our last post we looked at a great way to set up a pen-testing lab. Fortunately, the quandary over finding a safe place to practice your pen-testing skills has led to the creation of dozens of hacker-friendly learning sites. Several have been provided by OWASP, and there are other contributors out there with multiple sites. Here are a bunch of good options.
OWASP – The Open Web Application Security Project exists to help developers create better, more secure code, applications and web sites.
- Hackademic – 10 scenarios for known vulnerabilities from the OWASP Top Ten.
- Mutillidae – Vulnerable web app built for Windows and Linux.
- Vicnum – A game-based vulnerable web app designed for a variety of audiences.
- WebGoat – Runs on OS X, Windows and Linux.
- Bricks – The goal is to ‘break the bricks’ and learn different aspects of web application security.
- Insecure Web App Project – An insecure web application with a bunch of common web app vulnerabilities. Suitable for automated or manual pen-testing, source code analysis, vulnerability assessments and threat modelling.
- Site Generator – Another OWASP project that allows the creation of dynamic web sites with vulnerabilities to test.
Troy Hunt – Internet-famous for his breach test website HaveIBeenPwned.com, Troy has created a vulnerability-laden practice site.
- Hack Yourself First – Over 50 exploitable vulnerabilities.
- HYF Course on Pluralsight – Maybe you would like some instructions? Troy left them here.
Acunetix – The company that created the Acunetix Web Vulnerability Scanner also created these sites for testing the scanner.
- Blog.NET – A vulnerable web log.
- Art Shopping PHP – A PHP-based shopping site.
- Forum ASP – A vulnerable web forum.
Other top sites
- bWAPP – buggy web application
- DVWA – Damn Vulnerable Web Application
- DVWS – Damn Vulnerable Web Services
- DVIA – Damn Vulnerable iOS App
- ExploitMe Mobile Android Labs
- Google Gruyere
There are many more sites to try, and I have included links to other resources below.