Top Vulnerable Websites To Practice Your Skills

With the help of ready-made vulnerable applications, you actually get a good enhancement of your skills because it provides you with an environment where you can break and hack legally allowing you to learn in a safe environment.

Here we are listing the best 4 vulnerable projects/applications to practice your hacking skills.

1) bWAPP – Buggy Web Application

A buggy web application, free and open-source which helps security enthusiasts, developers and students to discover and prevent web vulnerabilities. The most interesting thing about bWAPP is that it has more than 100 vulnerabilities and covers all major web bugs from SQL Injection to Heartbleed openssl etc. It can be hosted on both Linux/Windows OS.

There are two versions of bWAPP are there: Either you can download the project files and install it in under your Apache server and another possibility is to download the bee-box ISO file directly which is based on LINUX virtual machine in which bWAPP is pre-installed.

Website Link – http://www.itsecgames.com/

Some of the vulnerabilities included in bWAPP:

SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
Blind SQL and Blind OS Command injection
Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
Cross-Site Request Forgery (CSRF)
AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
Malicious, unrestricted file uploads and backdoor files
Authentication, authorization and session management issues
Arbitrary file access and directory traversals
Local and remote file inclusions (LFI/RFI)
Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,…
HTTP parameter pollution and HTTP response splitting
Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
Unvalidated redirects and forwards, and cookie poisoning
Cookie poisoning and insecure cryptographic storage
Server-Side Request Forgery (SSRF)
XML External Entity attacks (XXE)
And much much much more…

2) DVWA – Damn Vulnerable Web Application

DVWA is a PHP/MYSQL web application that is damn vulnerable. The main goal is to be an aid for security professionals to enhance their skills in a legal environment. The latest version of DVWA is v1.9 which is more stable than others. You can also download the LIVE CD from Github.

If you want to install DVWA in your Windows OS, then you have to use WAMP or XAMPP tool.
If you want to install DVWA in your Linux OS, then you have to use LAMP.

The Default username of DVWA web application is “admin” and password is “password”.

Website Link – http://www.dvwa.co.uk/

Some of the vulnerabilities included in bWAPP:

SQL Injection (String/Error/Blind)
Bruteforce attack
Captcha Bypass
File Inclusion attacks
File Upload Vulnerability
CSRF – Cross-Site Request Forgery
XSS – Persistent and Non-Persistent

For mobile app testing specially for IOS, you can also use Damn Vulnerable iOS Application (DVIA).

For testing of web services, you can use Damn Vulnerable Web Services.

3) Mutillidae – OWASP

It’s a free and opensource web application which definitely improve your learning skills. It can easily be installed on Linux and Windows machine using LAMP/WAMP and XAMPP. It has over 40 vulnerabilities and challenges. Pre-installed on Rapid7 Metasploitable2, Samurai Web testing framework(SWTF), Owasp Broken Web Apps (OBWA).

You can easily restore the whole application with a single click. Users can easily switch between secure and insecure modes. It also allows SSL to be enforced in order to practice SSL Striping.

Website Link – https://sourceforge.net/projects/mutillidae/

4) WebGoat

Webgoat is one of the most popular OWASP projects as it provides a realistic teaching and learning environment to teach users about complex application security issues and can be easily installed on Windows and Linux machines.