Lab

1. https://www.vulnhub.com/

2. https://pentesterlab.com/exercises/web_for_pentester/course

3. https://portswigger.net/users?returnurl=%2fusers%2fyouraccount

4. https://application.security/free/owasp-top-10 - OWASP TOP 10

5. https://thexssrat.podia.com/ratatatata

6. https://github.com/Ignitetechnologies/Web-Application-Cheatsheet?s=08#nano CMS

7. https://brutelogic.com.br/blog/xss101/ -XSS

8. https://pentesterlab.com/exercises

9. https://hacklido.com/d/8-web-app-pentesting/4

10. https://xss.pwnfunction.com/

11. https://www.deepfryd.com/burp-academy-apprentice/

12. https://domgo.at/cxss/intro -XSS

13. https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application - GraphQL

Online Hacking Demonstration Sites

• http://testasp.vulnweb.com/ - Acunetix ASP test and demonstration site
• http://testaspnet.vulnweb.com/ - Acunetix ASP.Net test and demonstration site
• http://testphp.vulnweb.com/ - Acunetix PHP test and demonstration site
• http://crackme.cenzic.com/kelev/view/home.php - Crack Me Bank
• http://zero.webappsecurity.com/ - Zero Bank
• http://demo.testfire.net/ - Altoro Mutual
• https://github.com/Kajmer/Pentest-Resources

Practice

• https://lab.pentestit.ru/ - PentestIT labs (2 free labs per year)
• https://pentesterlab.com/exercises/ - Free Basic Excersices (also Premium)
• https://www.hackthebox.eu/ - Hack The Box is an online platform allowing you to test and advance your skills in cyber security (You need to hack a test resource to get an invitation :))
• https://www.vulnhub.com/ - Virtual Machines for Localhost Penetration Testing
• https://github.com/jerryhoff/WebGoat.NET - This web application is a learning platform about common web security flaws
• http://www.dvwa.co.uk/ - Damn Vulnerable Web Application (DVWA)
• https://github.com/s4n7h0/xvwa - Similar to DVWA, but with some added attacks
• http://sourceforge.net/projects/lampsecurity/ - LAMPSecurity Training
• https://github.com/Audi-1/sqli-labs - SQLI labs to test error based, Blind boolean based, Time based.
• https://github.com/paralax/lfi-labs - small set of PHP scripts to practice exploiting LFI, RFI and CMD injection vulns
• https://hack.me/ - Build, host and share vulnerable web apps in a sandboxed environment for free
• http://azcwr.org/az-cyber-warfare-ranges - Free live fire Capture the Flag, blue team, red team Cyber Warfare Range for beginners through advanced users. Must use a cell phone to send a text message requesting access to the range.
• https://github.com/adamdoupe/WackoPicko - WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
• https://github.com/rapid7/hackazon - Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications.
• https://www.hackthissite.org/ - Hack This Site is a free training ground for users to test and expand their hacking skills.

Best websites to test your hacking skills

https://pwnable.kr/
https://hack.me/
https://ctflearn.com/
https://google-gruyere.appspot.com/ 
https://www.root-me.org/en/
https://www.hackthebox.eu/
https://www.hacking-lab.com/
http://www.gameofhacks.com/
https://overthewire.org/
https://microcorruption.com/
https://xss-game.appspot.com/?utm_source...dium=email
https://www.hackthissite.org/pages/index/index.php
https://crackmes.one/
https://pentest.training/
https://www.hellboundhackers.org/
http://hax.tor.hu/
https://thisislegal.com/
https://tryhackme.com/