Top 4 Vulnerable Websites to Practice your Skills

Ready-made vulnerable applications are a good way to sharpen your skills, because they give you an environment that you can break and hack legally, so you can learn safely.

Here we list the 4 best vulnerable projects/applications for practicing your hacking skills.

1) bWAPP – Buggy Web Application

bWAPP is a free and open-source buggy web application that helps security enthusiasts, developers and students discover and prevent web vulnerabilities. The most interesting thing about bWAPP is that it has more than 100 vulnerabilities and covers all major web bugs, from SQL injection to Heartbleed (OpenSSL). It can be hosted on both Linux and Windows.

There are two ways to get bWAPP: you can download the project files and install them under your Apache server, or you can download the bee-box ISO file directly, which is a Linux-based virtual machine with bWAPP pre-installed.

Some of the vulnerabilities included in bWAPP:

  • SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
  • Blind SQL and Blind OS Command injection
  • Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
  • Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
  • Cross-Site Request Forgery (CSRF)
  • AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
  • Malicious, unrestricted file uploads and backdoor files
  • Authentication, authorization and session management issues
  • Arbitrary file access and directory traversals
  • Local and remote file inclusions (LFI/RFI)
  • Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,…
  • HTTP parameter pollution and HTTP response splitting
  • Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
  • Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
  • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  • Unvalidated redirects and forwards, and cookie poisoning
  • Cookie poisoning and insecure cryptographic storage
  • Server Side Request Forgery (SSRF)
  • XML External Entity attacks (XXE)
  • And much much much more…

2) DVWA – Damn Vulnerable Web Application

DVWA is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to enhance their skills in a legal environment. The latest version of DVWA is v1.9, which is more stable than others. You can also download the Live CD from GitHub.

If you want to install DVWA on Windows, you have to use WAMP or XAMPP.
If you want to install DVWA on Linux, you have to use LAMP.

The default username of the DVWA web application is “admin” and the password is “password”.

Some of the vulnerabilities included in DVWA:

  • SQL Injection (String/Error/Blind)
  • Brute-force attack
  • CAPTCHA bypass
  • File Inclusion attacks
  • File Upload Vulnerability
  • CSRF – Cross Site Request Forgery
  • XSS – Persistent and Non-Persistent

For mobile app testing, especially for iOS, you can also use Damn Vulnerable iOS Application (DVIA).

For testing web services, you can use Damn Vulnerable Web Services.

3) Mutillidae – OWASP

It's a free and open-source web application that will definitely improve your skills. It can easily be installed on Linux and Windows machines using LAMP, WAMP or XAMPP. It has over 40 vulnerabilities and challenges. It comes pre-installed on Rapid7 Metasploitable2, Samurai Web Testing Framework (SWTF) and OWASP Broken Web Apps (OBWA).

You can easily restore the whole application with a single click. Users can easily switch between secure and insecure modes. It also allows SSL to be enforced in order to practice SSL stripping.

4) WebGoat

WebGoat is one of the most popular OWASP projects, as it provides a realistic teaching and learning environment for complex application security issues and can be easily installed on Windows and Linux machines.

On VulnHub you can find even more: 50+ vulnerable projects.


Sarcastic Writer


This Post Has One Comment

  1. Hi, I am Manas Lahon. First of all nice article. It is really a good way to give students a field where they can play hacking tests in the sunlight freely.

    But I’ve met many people on forums and in website comments, and they have problems with bWAPP. Some of them luckily succeed in installing bWAPP, but some of them are still facing the problem.

    I tried all possible ways to solve the error but failed. Do you have any solution to overcome this obstacle?

    Again thanks to the author of Yeah Hub.
