Top 10 Open Source and 40+ Vulnerable Websites That Intentionally Allow You to Perform Attacks and Practice Your Hacking Skills

Nowadays, people working in cyber security can't learn the essentials of infosec, because of the lack of available resources, unless they practice the core activity they're defending against. Since this is illegal to perform against real systems, sites have been set up to train people in hacking without putting them in legal danger.

Here is a list of the most popular vulnerable websites and virtual OSes on which to perform attacks legally. Beginners and security learners want to try new techniques and are always looking for places to test their skills.

So Hackers Bone has listed some names where you can practice in complete safety:

  • Hack The Box

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some lean more towards a CTF style of challenge.

As an individual, you can complete a simple challenge to prove your skills and then create an account, allowing you to connect to its private network (HTB Labs), where several machines await you to hack them. By hacking machines you get points that help you advance in the Hall of Fame.

https://www.hackthebox.eu/
  • Vulnhub

VulnHub provides material that allows anyone to gain practical ‘hands-on’ experience in digital security, computer software & network administration.

Over the years people have been creating these resources and a lot of time has been put into them, creating ‘hidden gems’ of training material. However, unless you know of them, it’s hard to discover them.

So VulnHub was born to cover as many as possible, creating a catalogue of ‘stuff’ that is (legally) ‘breakable, hackable & exploitable’ – allowing you to learn in a safe environment and practice ‘stuff’ out.

https://www.vulnhub.com/
  • bWAPP

bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. It has over 100 web vulnerabilities! It covers all major known web bugs, including all risks from the OWASP Top 10 project.

http://www.itsecgames.com/
  • OWASP Mutillidae II

OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts. With dozens of vulnerabilities and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP. It is pre-installed on SamuraiWTF and OWASP BWA.

  • Damn Vulnerable Web App (DVWA)

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid teachers/students to teach/learn web application security in a classroom environment.

  • Damn Vulnerable iOS Application (DVIA)

Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. Its main goal is to provide a platform for mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. The vulnerabilities and solutions covered in this app are tested up to iOS 11. DVIA is free and open source, and is available in both Swift and Objective-C versions.

  • WebGoat

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other ‘goats’ such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications.

WebGoat is a platform-independent environment. It utilizes Apache Tomcat and the Java development environment. Installers are provided for Microsoft Windows and UN*X environments, together with notes for installation on other platforms.

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

You can download it to run on your localhost machine by clicking the link below:

https://github.com/WebGoat/WebGoat/releases
  • OWASP Juice Shop Project

OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten and other severe security flaws.

The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!

https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
  • Root Me

Root Me is a fast, easy, and affordable way to train your hacking skills. Root Me has 301 challenges, 71 virtual environments and 2619 solutions available to train yourself in different, non-simulated environments, offering you a way to learn a lot of hacking techniques.

https://www.root-me.org/?lang=en
  • TRY 2 HACK

This site provides several security-oriented challenges for your entertainment. It is actually one of the oldest challenge sites still around. The challenges are diverse and get progressively harder.      

Here are a few more links that give an overview of sites that allow you to practice certain things without breaking any laws.

Shahrukh Rafeeq

I'm an Entrepreneur, Freelance Security Consultant, Bug Hunter having years of experience with a deep interest in InfoSec Industry. I love to speak and write about web and mobile application pen-testing, bug bounty. You can reach me at
