Bug Bounty Practice Labs

✅ Bug Bounty Practice Labs & Platforms

🔹 Web & API Labs (Core Bug Classes)

1. PortSwigger Web Security Academy

   • ✅ Best free, structured web vuln platform

   • https://portswigger.net/web-security

2. Hack The Box – Bug Bounty Path

   • 🧠 Simulates real bounty-style boxes

   • https://academy.hackthebox.com

3. TryHackMe – Bug Bounty Labs Collection

   • 🧪 Includes XSS, SSRF, IDOR, logic flaws

   • https://tryhackme.com

4. OWASP Juice Shop

   • 💥 Full OWASP Top 10, plus bonus hidden bugs

   • https://github.com/juice-shop/juice-shop

5. DVWA (Damn Vulnerable Web App)

   • 🐛 Great for beginners

   • https://github.com/digininja/DVWA

6. bWAPP (Buggy Web App)

   • 🧱 100+ vulnerabilities across categories

   • https://github.com/raffaeleflorio/bwapp-docker

7. WebGoat (OWASP)

   • 🧠 Lesson-based training in Java stack

   • https://github.com/WebGoat/WebGoat

8. NodeGoat

   • 📦 Node.js + MongoDB — common stack in real-world apps

   • https://github.com/OWASP/NodeGoat

9. Vulnerable Flask App

   • 🐍 Python-based app with known flaws

   • https://github.com/rajeshkumarkhadka/Vulnerable-Flask-App

10. OWASP RailsGoat

• 🔴 Ruby on Rails focused

• https://github.com/OWASP/railsgoat

---

🔹 API / GraphQL Labs

1. crAPI (Completely Ridiculous API)

• 🔌 Designed for OWASP API Top 10

• https://github.com/OWASP/crAPI

1. VAmPI (Vulnerable API)

• ⚙️ Insecure endpoints, broken auth, injections

• https://github.com/erev0s/VAmPI

1. GraphQL-GOAT

• 🧬 GraphQL-specific vulnerabilities

• https://github.com/swisskyrepo/GraphQL-GOAT

1. APIsec University Labs

• 🔒 Free guided API hacking labs

• https://www.apisecuniversity.com/labs

1. Postman API Security Labs

• 📬 Learn API testing with built-in walkthroughs

• https://www.postman.com/security-labs

---

🔹 Cloud / Serverless Labs

1. CloudGoat (AWS)

• ☁️ Privilege escalation, S3 misconfig, SSRF

• https://github.com/RhinoSecurityLabs/cloudgoat

1. flaws.cloud

• 🎯 Legendary AWS challenge site

• https://flaws.cloud

1. GOATStack (Multi-cloud)

• 🛠️ Vulnerable AWS, Azure, GCP resources

• https://github.com/ine-labs/GOATStack

---

🔹 Mobile Labs

1. DVIA-v2 (Damn Vulnerable iOS App)

• 🍎 iOS vulnerabilities in Swift/Obj-C

• https://github.com/OWASP/DVIA-v2

1. InsecureBankv2 (Android)

• 📱 Client-side & API flaws

• https://github.com/dineshshetty/Android-InsecureBankv2

1. Mobile Security Testing Guide + Test Apps

• 🧪 MSTG-aligned APKs for hands-on learning

• https://github.com/OWASP/owasp-mstg

---

🔹 Source Code Review & CTF-Style

1. PentesterLab (Pro & Free)

• 🔍 Vulnerabilities shown in source, replayable with curl

• https://pentesterlab.com

1. HackTheBox Machines (Retired)

• 💻 Many include real web + app logic bugs

• https://hackthebox.com

1. XSS Game by Google

• 🔥 Real browser-based XSS puzzles

• https://xss-game.appspot.com

1. Buggy Banking App (OWASP BBA)

• 💸 Simulates banking app with logic bugs

• https://github.com/OWASP/OWASPBrokenBankingApp

---

Name	Stack	Focus
PortSwigger Web Security Academy	Multi	Realistic web bugs with hints
PentesterLab (Pro)	Multi	Web + API + mobile with source code
HackTheBox “Bug Bounty Path”	Multi	CTF-like bounty challenges
TryHackMe “Bug Bounty” Rooms	Multi	Recon, web, SSRF, IDOR, XSS, etc.
OWASP Juice Shop	Node.js	OWASP Top 10 in one app
Hackademic	PHP/MySQL	Educational web bugs
Web Security Dojo	VM with multiple buggy apps + tools preinstalled