34 Best Sites to Practice Ethical Hacking

Looking to improve your ethical hacking skills? Here’s a curated list of 34 of the best websites and platforms where you can legally practice hacking, penetration testing, and cybersecurity techniques. Whether you’re a beginner or an experienced professional, these resources offer a wide range of challenges, tutorials, and communities to help you learn and grow.

1. bWAPP

bWAPP stands for Buggy Web Application. It’s an open-source project designed to demonstrate what an insecure web application looks like. Created by Malik Mesellem, bWAPP features over 100 common vulnerabilities described in the OWASP Top 10. It is built with PHP and MySQL, and advanced users can also try bee-box, a Linux virtual machine with bWAPP pre-installed.

2. Damn Vulnerable iOS App (DVIA)

DVIA is an intentionally vulnerable mobile app for iOS 7 and above. It’s especially useful for mobile app developers, as there are few platforms for practicing ethical hacking on mobile applications. To get started, check out the YouTube tutorial and the “Getting Started” guide.

3. Google Gruyere

Google Gruyere is a deliberately vulnerable web application for beginners in application security. You’ll learn how hackers find and exploit vulnerabilities, and how to prevent them. The site covers issues like cross-site scripting, CSRF, information disclosure, denial of service, and remote code execution, with the goal of teaching you how to identify and fix these problems.

4. HackThis!!

HackThis!! is designed to teach you how to hack, dump, and deface, and how to protect your site from hackers. It offers over 50 levels of difficulty and has an active online community, making it a great place to practice ethical hacking and stay updated on security news.

5. Hack This Site

Hack This Site is a platform for those who want to practice ethical hacking. It features hacker news, articles, forums, tutorials, and a variety of challenges to help users develop their skills in a legal and ethical way.

6. Hellbound Hackers

Hellbound Hackers takes a hands-on approach to computer security, offering a wide range of challenges to teach you how to identify and fix exploits. Covering topics from encryption and cracking to social engineering, it’s one of the largest hacker communities with over 100,000 registered users.

7. Hacme Sites by McAfee

Foundstone, a division of McAfee, launched a series of Hacme sites in 2006 for pentesters and security professionals. Each simulated application presents real-world tasks based on actual vulnerabilities, covering everything from mobile banking to ticket booking apps. The list includes:

  • Hacme Bank
  • Hacme Bank for Android
  • Hacme Books
  • Hacme Casino
  • Hacme Shipping
  • Hacme Travel

8. Mutillidae

Mutillidae is another OWASP project—a vulnerable web application for Linux and Windows. It’s a set of PHP scripts containing the ten most common OWASP vulnerabilities, with hints to help beginners.

9. OverTheWire

OverTheWire is great for developers and security professionals of all levels. It offers a series of war games, starting with “Bandit” for beginners. As you progress, the challenges become more complex, helping you build your skills step by step.

10. OWASP Juice Shop Project

OWASP Juice Shop is a web application for practicing ethical hacking, written entirely in JavaScript. It covers the entire OWASP Top 10 and other major security flaws.

11. Peruggia

Peruggia is a safe environment for developers and security professionals to study and test common web application attacks. It’s like an archive of projects you can download to learn how to find and mitigate potential threats.

12. Root Me

Root Me offers over 200 challenges to test and improve your ethical hacking and web security skills.

13. Try2Hack

One of the oldest ethical hacking practice sites, Try2Hack offers a variety of levels sorted by difficulty. There’s an IRC channel for beginners and a step-by-step guide on GitHub.

14. Vicnum

Vicnum is a collection of simple, game-based web applications that can be adapted for different needs. It’s a great choice for security professionals looking to teach developers about web application security in a fun way.

15. WebGoat

WebGoat is one of the most popular OWASP projects, providing a realistic learning environment with lessons on complex application security issues. It’s available for Windows, OS X, and Linux, with separate downloads for J2EE and .NET environments.

16. Hackademic

This open-source OWASP project offers ten realistic scenarios full of known vulnerabilities, perfect for those looking to hone their attack skills. It’s also great for educational purposes, and contributions of new scenarios are encouraged.

17. SlaveHack

SlaveHack is a multiplayer hacker simulator where you can play as either attacker or defender. While it doesn’t require real hacking skills, it helps security professionals see their systems from a different perspective. The forum is a place for players to help each other and socialize.

18. Hackxor

Hackxor is a web application hacking game with several online levels and more advanced downloadable levels. Players can even take on the role of a black hat hacker, tracking down another hacker by any means necessary.

19. Moth

Moth is a VMware image with a set of vulnerable web applications and scripts. Originally designed for AppSec testing, it’s now a great place to practice ethical hacking and identify vulnerabilities.

20. Hack.me

Hack.me is an innovative platform that not only contains vulnerable applications but also allows users to add their own. It aims to be the largest archive of active vulnerable web apps, code samples, and CMSs online.

21. CTF365

CTF365 lets users set up and defend their own servers while attacking others. It’s ideal for security professionals wanting to develop offensive skills or sysadmins looking to improve their defense. Beginners can register for a free account and try out pre-configured vulnerable servers.

22. Hacking-Lab

Hacking-Lab provides CTF challenges for the European Cyber Security Challenge and hosts regular competitions open to everyone. Just register, set up a VPN, and choose your challenge.

23. Pwnable.kr

This platform focuses on CTF-style pwn challenges, where you find, read, and submit flag files. You’ll need programming, reverse engineering, or exploitation skills to solve the tasks, which are divided into four difficulty levels: easy, medium, hard, and hardcore.

24. IO

IO is a war game from the creators of netgarage.org, a community for sharing knowledge about security, AI, VR, and more. There are three versions: IO, IO64, and IOarm, with IO being the most mature. Connect via SSH to get started.

25. SmashTheStack

SmashTheStack consists of seven different war games: Amateria, Apfel (currently offline), Blackbox, Blowfish, CTF (currently offline), Logic, and Tux. Each contains multiple challenges, from standard vulnerabilities to reverse engineering tasks.

26. Microcorruption

Microcorruption is a CTF where you reverse-engineer fictional Lockitall electronic lock devices. You’ll learn assembly, use a debugger, step through code, set breakpoints, and explore memory as you try to “steal” bonds from a fictional company.

27. Reversing.kr

This site offers 26 challenges to test your hacking and reverse engineering skills. While it hasn’t been updated since 2012, the existing challenges remain valuable learning resources.

28. W3Challs

W3Challs is a training platform with a variety of challenges in hacking, war games, forensics, cryptography, steganography, and programming. You earn points based on the difficulty of the challenges you solve, and there’s a forum for discussion and collaboration.

29. Pwn0

Pwn0 is a VPN-based platform where you can battle bots or other users, earning points by taking control of other systems.

30. Exploit Exercises

Exploit Exercises offers virtual machines, documentation, and challenges for learning privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and more.

31. RingZer0 Team Online CTF

RingZer0 Team Online CTF offers over 200 challenges covering cryptography, malware analysis, SQL injection, shellcoding, and more. Submit your solutions to earn RingZer0Gold, which can be exchanged for hints.

32. Game of Hacks

Game of Hacks presents code snippets in a quiz format, and you must identify the correct vulnerability. It’s a fun way to practice spotting vulnerabilities in code.

33. CTFtime

While not a hacking site itself, CTFtime is a great resource for staying up to date on CTF competitions worldwide. If you want to join a CTF team or participate in events, this is the place to look.

34. PentesterLab

PentesterLab is a simple and convenient way to learn penetration testing. The platform provides vulnerable systems for testing and learning about vulnerabilities, both online and offline. Online access is available to PentesterLab Pro subscribers ($19.99/month or $199.99/year).

Sources

  1. https://tproger.ru/translations/23-hacking-sites-for-practice/
  2. https://techrocks.ru/2018/05/03/sites-to-legally-practice-hacking-skills/
