Safe and Legal Places to Exercise Your Pen-Testing Foo

In our last post we looked at a great way to set up a pen-testing lab.  Fortunately, the quandary over finding a safe place to practice your pen-testing skills has led to the creation of dozens of hacker-friendly learning sites.  Several have been provided by OWASP, and there are other contributors out there with multiple sites.  Here are a bunch of good options.

OWASP – The Open Web Application Security Project exists to help developers create better, more secure, code, applications and web sites.

  • Hackademic – 10 scenarios for known vulnerabilities from the OWASP Top Ten.
  • Juice Shop – Created by Bjorn Kimminich, Juice Shop is an insecure JavaScript web application.  See the slide share for instructions
  • Mutillidae – Vulnerable web app built for Windows and Linux.
  • Vicnum – A game-based vulnerable web app designed for a variety of audiences.
  • WebGoat – Runs on OSx, Windows and Linux.
  • Bricks – The goal is to ‘break the bricks’ and learn different aspects of web application security.
  • Insecure Web App Project – An insecure web application with a bunch of common web app vulnerabilities.  Suitable for automated or manual pen-testing, source code analysis, vulnerability assessments and threat modelling.
  • Site Generator – Another OWASP project that allows the creation of dynamic webs sites with vulnerabilities to test.

Troy Hunt – Internet famous for his breach test website, Troy has created a vulnerability-laden practice site.

Acunetix – The company that created the Acunetix Web Vulnerability Scanner also created these sites to use to test the scanner.

Other top sites

There are many more sites to try, and I have included links to other resources below.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.