Top Vulnerable Websites To Practice Your Skills

Posted by

With the help of ready-made vulnerable applications, you actually get a good enhancement of your skills because it provides you with an environment where you can break and hack legally allowing you to learn in a safe environment.

Here we are listing the best 4 vulnerable projects/applications to practice your hacking skills.

1) bWAPP – Buggy Web Application

A buggy web application, free and open-source which helps security enthusiasts, developers and students to discover and prevent web vulnerabilities. The most interesting thing about bWAPP is that it has more than 100 vulnerabilities and covers all major web bugs from SQL Injection to Heartbleed openssl etc. It can be hosted on both Linux/Windows OS.

There are two versions of bWAPP are there: Either you can download the project files and install it in under your Apache server and another possibility is to download the bee-box ISO file directly which is based on LINUX virtual machine in which bWAPP is pre-installed.

Website Link –

Some of the vulnerabilities included in bWAPP:

  • SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
  • Blind SQL and Blind OS Command injection
  • Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
  • Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
  • Cross-Site Request Forgery (CSRF)
  • AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
  • Malicious, unrestricted file uploads and backdoor files
  • Authentication, authorization and session management issues
  • Arbitrary file access and directory traversals
  • Local and remote file inclusions (LFI/RFI)
  • Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,…
  • HTTP parameter pollution and HTTP response splitting
  • Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
  • Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
  • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  • Unvalidated redirects and forwards, and cookie poisoning
  • Cookie poisoning and insecure cryptographic storage
  • Server-Side Request Forgery (SSRF)
  • XML External Entity attacks (XXE)
  • And much much much more…

2) DVWA – Damn Vulnerable Web Application

DVWA is a PHP/MYSQL web application that is damn vulnerable. The main goal is to be an aid for security professionals to enhance their skills in a legal environment. The latest version of DVWA is v1.9 which is more stable than others. You can also download the LIVE CD from Github.

If you want to install DVWA in your Windows OS, then you have to use WAMP or XAMPP tool.
If you want to install DVWA in your Linux OS, then you have to use LAMP.

The Default username of DVWA web application is “admin” and password is “password”.

Website Link –

Some of the vulnerabilities included in bWAPP:

  • SQL Injection (String/Error/Blind)
  • Bruteforce attack
  • Captcha Bypass
  • File Inclusion attacks
  • File Upload Vulnerability
  • CSRF – Cross-Site Request Forgery
  • XSS – Persistent and Non-Persistent

For mobile app testing specially for IOS, you can also use Damn Vulnerable iOS Application (DVIA).

For testing of web services, you can use Damn Vulnerable Web Services.

3) Mutillidae – OWASP

It’s a free and opensource web application which definitely improve your learning skills. It can easily be installed on Linux and Windows machine using LAMP/WAMP and XAMPP. It has over 40 vulnerabilities and challenges. Pre-installed on Rapid7 Metasploitable2, Samurai Web testing framework(SWTF), Owasp Broken Web Apps (OBWA).

You can easily restore the whole application with a single click. Users can easily switch between secure and insecure modes. It also allows SSL to be enforced in order to practice SSL Striping.

Website Link –

4) WebGoat

Webgoat is one of the most popular OWASP projects as it provides a realistic teaching and learning environment to teach users about complex application security issues and can be easily installed on Windows and Linux machines.

Website Link –

And Under Vulnhub you can even find more than 50+ Vulnerable projects.

Feel free to leave a comment below or reach me on Instagram @iamshubhamkumar__.

Posted by Shubham ;)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.