Our penetration test directory contains intentionally vulnerable machines, websites to hack, and boxes to pop for weeks on end…legally of course…
The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment.
Mutillidae is a free, open source web application provided to allow security enthusiest to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMMP making it easy for users who do not want to install or administrate their own webserver. It is already installed on Samurai WTF. Simply replace existing version with latest on Samurai. Mutillidae contains dozens of vulnerabilities and hints to help the user exploit them; providing an easy-to-use web hacking environment deliberately designed to be used as a hack-lab for security enthusiast, classroom labs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web sec training courses, and as an “assess the assessor” target for vulnerability software.
The Hacking Dojo provides students that want to learn how to become professional penetration testers with a long-term training and support system, with readily-available access to instructors. Students initially learn pentest techniques through many hours of videos; then, students can obtain additional training through on-demand, online meetings with an instructor. When a student demonstrates proficiency in a set of skills, they are tested and moved onto more difficult challenges and instruction.
A deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other ‘goats’ such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.
This codelab is built around Gruyere /ɡruːˈjɛər/ – a small, cheesy web application that allows its users to publish snippets of text and store assorted files. “Unfortunately,” Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.
Dedicated Hacking Sites
Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.
This website merely teaches what every Internet user and webmaster should know. In today’s modern environment, computers play a crucial role in the running of everyday business. The Internet also forms a backbone to many hobby related and educational needs. Anyone who runs a important website will confirm how vital online security is. Any online material is under constant threat from identity thieves and malicious criminals. Thanks to hackers who partake in the full disclosure movement, the majority of websites are updated and patched regularly to stop dangerous individuals from accessing or destroying part(s) of the website. This website serves as a learning environment for hackers and webmasters who wish to learn how exploits are designed and how to patch them.
An example article: Exploiting & Patching EternalBlue
Join the 1% of dapper hackers at over the wire. The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. (Highly Recommended)
300+ Challenges and virtual environments to train your hacking skills.
Ultimately the major goal of this project is to strengthen the security of web applications by educating different groups (students, management, users, developers, auditors) as to what might go wrong in a web app. And of course it’s OK to have a little fun.
Hack.me is a FREE, community based project powered by eLearnSecurity.
The community can build, host and share vulnerable web application code for educational and research purposes.
It aims to be the largest collection of “runnable” vulnerable web applications, code samples and CMS’s online.
Bricks is a web application security learning platform built on PHP and MySQL. The project focuses on variations of commonly seen application security issues. Each ‘Brick’ has some sort of security issue which can be leveraged manually or using automated software tools. The mission is to ‘Break the Bricks’ and thus learn the various aspects of web application security.
This is an open source project demonstrating Android mobile hacking. If you’re a developer, you can also gain some great insight on how to securely develop mobile applications and prevent common programming pitfalls in Android applications. (Highly Recommended)
In this training program, you will learn to find and exploit XSS bugs. You’ll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications.
There will be cake at the end of the test.
Forum .ASP: This website is a deliberately vulnerable forum built using ASP and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.
Blog .NET: This website is a deliberately vulnerable forum built using .NET and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.
Shopping .PHP: This website is a deliberately vulnerable forum built using PHP and was originally conceived with the intention of testing the Acunetix Web Vulnerability Scanner.
Do you see something missing or would you like to have your website featured? Please comment below !