In our last post we looked at a great way to set up a pen-testing lab. Fortunately, the quandary over finding a safe place to practice your pen-testing skills has led to the creation of dozens of hacker-friendly learning sites. Several have been provided by OWASP, and there are other contributors out there with multiple sites. Here are a bunch of good options.
OWASP – The Open Web Application Security Project exists to help developers create better, more secure, code, applications and web sites.
- Hackademic – 10 scenarios for known vulnerabilities from the OWASP Top Ten.
- Juice Shop – Created by Bjorn Kimminich, Juice Shop is an insecure JavaScript web application. See the slide share for instructions
- Mutillidae – Vulnerable web app built for Windows and Linux.
- Vicnum – A game-based vulnerable web app designed for a variety of audiences.
- WebGoat – Runs on OSx, Windows and Linux.
- Bricks – The goal is to ‘break the bricks’ and learn different aspects of web application security.
- Insecure Web App Project – An insecure web application with a bunch of common web app vulnerabilities. Suitable for automated or manual pen-testing, source code analysis, vulnerability assessments and threat modelling.
- Site Generator – Another OWASP project that allows the creation of dynamic webs sites with vulnerabilities to test.
Troy Hunt – Internet famous for his breach test website HaveIBeenPwned.com, Troy has created a vulnerability-laden practice site.
- Hack Yourself First – Over 50 exploitable vulnerabilities
- HYF Course on Pluralsite – Maybe you would like some instructions? Troy left them here.
Acunetix – The company that created the Acunetix Web Vulnerability Scanner also created these sites to use to test the scanner.
- Blog,NET – A vulnerable web log.
- Art Shopping PHP – A PHP based shopping site.
- Forum ASP – A vulnerable web forum
Other top sites
- bWAPP – buggy web application
- DVWA – Damn Vulnerable Web Application
- DVWS – Damn Vulnerable Web Services
- DVIA – Damn Vulnerable iOS App
- ExploitMe Mobile Android Labs
- Google Gruyere
There are many more sites to try, and I have included links to other resources below.
More information:
Share
AUG
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com