Lab
https://application.security/free/owasp-top-10 - OWASP TOP 10
Online Hacking Demonstration Sites
http://testasp.vulnweb.com/ - Acunetix ASP test and demonstration site
http://testaspnet.vulnweb.com/ - Acunetix ASP.Net test and demonstration site
http://testphp.vulnweb.com/ - Acunetix PHP test and demonstration site
http://crackme.cenzic.com/kelev/view/home.php - Crack Me Bank
http://zero.webappsecurity.com/ - Zero Bank
http://demo.testfire.net/ - Altoro Mutual
Practice
https://lab.pentestit.ru/ - PentestIT labs (2 free labs per year)
https://pentesterlab.com/exercises/ - Free Basic Excersices (also Premium)
https://www.hackthebox.eu/ - Hack The Box is an online platform allowing you to test and advance your skills in cyber security (You need to hack a test resource to get an invitation :))
https://www.vulnhub.com/ - Virtual Machines for Localhost Penetration Testing
https://github.com/jerryhoff/WebGoat.NET - This web application is a learning platform about common web security flaws
http://www.dvwa.co.uk/ - Damn Vulnerable Web Application (DVWA)
https://github.com/s4n7h0/xvwa - Similar to DVWA, but with some added attacks
http://sourceforge.net/projects/lampsecurity/ - LAMPSecurity Training
https://github.com/Audi-1/sqli-labs - SQLI labs to test error based, Blind boolean based, Time based.
https://github.com/paralax/lfi-labs - small set of PHP scripts to practice exploiting LFI, RFI and CMD injection vulns
https://hack.me/ - Build, host and share vulnerable web apps in a sandboxed environment for free
http://azcwr.org/az-cyber-warfare-ranges - Free live fire Capture the Flag, blue team, red team Cyber Warfare Range for beginners through advanced users. Must use a cell phone to send a text message requesting access to the range.
https://github.com/adamdoupe/WackoPicko - WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
https://github.com/rapid7/hackazon - Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications.
https://www.hackthissite.org/ - Hack This Site is a free training ground for users to test and expand their hacking skills.
Perfect — if you're shifting focus to web application penetration testing, there’s a wide variety of intentionally vulnerable web apps you can use for safe and legal practice.
Here’s a curated list of the most up-to-date and widely used vulnerable web applications for learning web app pentesting, including OWASP Top 10 issues, real-world simulations, and even CTF-style challenges.
🧨 Best Vulnerable Web Apps for Learning Web Application Pentesting
1. OWASP Juice Shop 🍹
What it is: A modern, full-stack web app with tons of vulnerabilities.
Covers: OWASP Top 10, CSRF, XSS, SQLi, JWT, insecure APIs, etc.
Features: Built-in scoreboard, hints, tutorials.
Tech Stack: Angular + Node.js
Run via: Docker, Heroku, or local Node
2. Damn Vulnerable Web Application (DVWA) 🐛
What it is: A PHP/MySQL-based web app designed for beginners.
Covers: XSS, SQLi, CSRF, command injection, file inclusion.
Difficulty levels: Low, Medium, High, Impossible
Setup: XAMPP, MAMP, Docker
3. bWAPP (Buggy Web App) 🐝
What it is: One of the most comprehensive vulnerable apps (~100+ bugs).
Covers: OWASP Top 10, honeypots, insecure HTML5, clickjacking, etc.
Supports APIs & mobile vulnerabilities too.
Setup: XAMPP or Docker (bee-box available)
4. WebGoat (OWASP Project) 🐐
What it is: A deliberately insecure app with lesson-based walkthroughs.
Covers: Authentication flaws, insecure deserialization, XXE, logic bugs.
Includes: Secure coding exercises too.
Run via: Docker, JAR
5. Mutillidae II (OWASP) 🐞
What it is: A vulnerable web app built on PHP/MySQL.
Covers: OWASP Top 10, insecure headers, cookie manipulation, browser exploitation.
Includes: Bonus labs and tips.
Setup: Prebuilt VMs (OWASP Broken Web Apps), Docker
6. Hackazon
What it is: A mock e-commerce site with real-world tech and API endpoints.
Built for: Realistic black-box testing of web and APIs.
Still useful, though no longer actively maintained.
GitHub (archive): https://github.com/rapid7/hackazon
7. DVNA (Damn Vulnerable .NET App)
What it is: A .NET-based web app for .NET-specific security learning.
Great for: ASP.NET vulnerabilities, SSRF, XXE, CORS misconfigurations.
GitHub: https://github.com/appsecco/dvna
🧰 Tools to Use While Practicing
Burp Suite
Intercept & manipulate web traffic
OWASP ZAP
Free alternative to Burp, with automated scanning
Postman
API testing
Firefox + DevTools
Great for manual testing and CSP/XSS checks
SQLMap
Automated SQL injection tool
wfuzz / ffuf
Fuzzing directories and parameters
🗺️ Bonus: Online Platforms with Pre-built Labs
🔹 PortSwigger Web Security Academy
Browser-based labs, including beginner to advanced XSS, SQLi, SSRF, etc.
Requires only Burp Suite.
🔹 TryHackMe — “OWASP Top 10” Room
Beginner friendly, guided learning.
Includes web attack theory + hands-on.
🔹 HackTheBox — Web Challenges
Realistic and CTF-style web exploitation.
You got it — here’s a deep dive with more vulnerable web applications and platforms (beyond the common ones) for hands-on web application penetration testing. These include both self-hosted labs, online playgrounds, and platforms with guided exercises.
🧨 Additional Vulnerable Web Applications for Pentesting
8. NodeGoat
What it is: A vulnerable Node.js application maintained by OWASP.
Focuses on: OWASP Top 10 and secure coding in JavaScript/Node.
Educational approach: Each vulnerability comes with an explanation and fix guide.
9. Vulnerable Docker Containers by CyberRange
What it is: A curated collection of intentionally vulnerable containers.
Includes apps like: DVWA, Juice Shop, WebGoat, and more in one place.
Quick setup: Ideal if you want multiple apps running in Docker Compose.
10. AltoroMutual
What it is: A fake banking site from IBM Security with known vulnerabilities.
Covers: SQL injection, XSS, weak session handling, broken auth.
Hosted demo: Can be accessed via IBM AppScan tools.
Great for: Demonstrating secure vs insecure functionality.
11. Gruyere (Google)
What it is: A Python-based vulnerable app created by Google for training.
Focus on: Client- and server-side issues — XSS, XSRF, access control, etc.
Simple to run: Lightweight and easy for beginners.
12. SecTalks Badstore
What it is: An old-school vulnerable web app with e-commerce features.
Covers: Input validation, session flaws, XSS, insecure cookies.
Good for: Low-resource environments or older systems.
Download: http://badstore.net/
13. XVWA (Xtreme Vulnerable Web Application)
What it is: A modernized vulnerable app with extreme versions of common bugs.
Great for: XSS, CSRF, clickjacking, SQLi, command injection, and more.
PHP/MySQL based
GitHub: https://github.com/s4n7h0/xvwa
14. OWASP Security Shepherd
What it is: A gamified web and mobile app security training platform.
Focus: Practical challenges, CTF style, and walkthroughs.
Ideal for: Training individuals or teams.
15. RailsGoat
What it is: A vulnerable Ruby on Rails application.
Focus: Common Rails-specific flaws like mass assignment, CSRF, unsafe redirects.
Great for: Web devs and pentesters working in Ruby ecosystems.
🎯 Realistic Online Web Hacking Platforms
🔹 PentesterLab
Self-paced lessons and vulnerable apps.
Covers real-world CVEs, OWASP Top 10, web auth, APIs.
Some content is free; full access is paid.
🔹 Root-Me (Web Challenges Section)
Huge collection of web-based CTFs (realistic + exploit dev).
Multiple difficulty levels.
🔹 OverTheWire: Natas
Series of web-based levels (basic to advanced).
Good for HTTP basics, directory traversal, insecure logic.
🔹 HackTheBox Academy
Learning platform with interactive web app security labs.
Includes labs, theory, and guided exploitation.
Last updated