# Lab

1. <https://www.vulnhub.com/>
2. <https://pentesterlab.com/exercises/web_for_pentester/course>
3. <https://portswigger.net/users?returnurl=%2fusers%2fyouraccount>
4. <https://application.security/free/owasp-top-10> - OWASP TOP 10
5. <https://thexssrat.podia.com/ratatatata>
6. <https://github.com/Ignitetechnologies/Web-Application-Cheatsheet?s=08#nano> - CMS
7. <https://brutelogic.com.br/blog/xss101/> - XSS
8. <https://pentesterlab.com/exercises>
9. <https://hacklido.com/d/8-web-app-pentesting/4>
10. <https://xss.pwnfunction.com/>
11. <https://www.deepfryd.com/burp-academy-apprentice/>
12. <https://domgo.at/cxss/intro> - XSS
13. <https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application> - GraphQL

### Online Hacking Demonstration Sites

* <http://testasp.vulnweb.com/> - Acunetix ASP test and demonstration site
* <http://testaspnet.vulnweb.com/> - Acunetix ASP.Net test and demonstration site
* <http://testphp.vulnweb.com/> - Acunetix PHP test and demonstration site
* <http://crackme.cenzic.com/kelev/view/home.php> - Crack Me Bank
* <http://zero.webappsecurity.com/> - Zero Bank
* <http://demo.testfire.net/> - Altoro Mutual
* <https://github.com/Kajmer/Pentest-Resources>

### Practice

* <https://lab.pentestit.ru/> - PentestIT labs (2 free labs per year)
* <https://pentesterlab.com/exercises/> - Free basic exercises (premium content also available)
* <https://www.hackthebox.eu/> - Hack The Box is an online platform allowing you to test and advance your skills in cyber security (You need to hack a test resource to get an invitation :))
* <https://www.vulnhub.com/> - Virtual Machines for Localhost Penetration Testing
* <https://github.com/jerryhoff/WebGoat.NET> - This web application is a learning platform about common web security flaws
* <http://www.dvwa.co.uk/> - Damn Vulnerable Web Application (DVWA)
* <https://github.com/s4n7h0/xvwa> - Similar to DVWA, but with some added attacks
* <http://sourceforge.net/projects/lampsecurity/> - LAMPSecurity Training
* <https://github.com/Audi-1/sqli-labs> - SQLi labs for practising error-based, blind boolean-based and time-based injection.
* <https://github.com/paralax/lfi-labs> - Small set of PHP scripts to practice exploiting LFI, RFI and command injection vulns
* <https://hack.me/> - Build, host and share vulnerable web apps in a sandboxed environment for free
* <http://azcwr.org/az-cyber-warfare-ranges> - Free live fire Capture the Flag, blue team, red team Cyber Warfare Range for beginners through advanced users. Must use a cell phone to send a text message requesting access to the range.
* <https://github.com/adamdoupe/WackoPicko> - WackoPicko is a vulnerable web application used to test web application vulnerability scanners.
* <https://github.com/rapid7/hackazon> - Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications.
* <https://www.hackthissite.org/> - Hack This Site is a free training ground for users to test and expand their hacking skills.

### Best websites to test your hacking skills

* <https://pwnable.kr/>
* <https://hack.me/>
* <https://ctflearn.com/>
* <https://google-gruyere.appspot.com/>
* <https://www.root-me.org/en/>
* <https://www.hackthebox.eu/>
* <https://www.hacking-lab.com/>
* <http://www.gameofhacks.com/>
* <https://overthewire.org/>
* <https://microcorruption.com/>
* <https://xss-game.appspot.com/?utm_source...dium=email>
* <https://www.hackthissite.org/pages/index/index.php>
* <https://crackmes.one/>
* <https://pentest.training/>
* <https://www.hellboundhackers.org/>
* <http://hax.tor.hu/>
* <https://thisislegal.com/>
* <https://tryhackme.com/>

For **web application penetration testing** there is a wide variety of **intentionally vulnerable web apps** you can use for **safe and legal practice**.

Below is a curated list of the **most up-to-date and widely used vulnerable web applications** for learning **web app pentesting**, covering OWASP Top 10 issues, real-world simulations, and CTF-style challenges.

***

### 🧨 Best Vulnerable Web Apps for Learning Web Application Pentesting

#### 1. **OWASP Juice Shop** 🍹

* **What it is:** A modern, full-stack web app with tons of vulnerabilities.
* **Covers:** OWASP Top 10, CSRF, XSS, SQLi, JWT, insecure APIs, etc.
* **Features:** Built-in scoreboard, hints, tutorials.
* **Tech Stack:** Angular + Node.js
* **Run via:** Docker, Heroku, or local Node
* **GitHub:** <https://github.com/juice-shop/juice-shop>

***

#### 2. **Damn Vulnerable Web Application (DVWA)** 🐛

* **What it is:** A PHP/MySQL-based web app designed for beginners.
* **Covers:** XSS, SQLi, CSRF, command injection, file inclusion.
* **Difficulty levels:** Low, Medium, High, Impossible
* **Setup:** XAMPP, MAMP, Docker
* **GitHub:** <https://github.com/digininja/DVWA>

***

#### 3. **bWAPP (Buggy Web App)** 🐝

* **What it is:** One of the most comprehensive vulnerable apps (~100+ bugs).
* **Covers:** OWASP Top 10, honeypots, insecure HTML5, clickjacking, etc.
* **Supports APIs & mobile vulnerabilities too.**
* **Setup:** XAMPP or Docker (bee-box available)
* **GitHub:** <https://github.com/raffaeleflorio/bwapp-docker>

***

#### 4. **WebGoat (OWASP Project)** 🐐

* **What it is:** A deliberately insecure app with lesson-based walkthroughs.
* **Covers:** Authentication flaws, insecure deserialization, XXE, logic bugs.
* **Includes:** Secure coding exercises too.
* **Run via:** Docker, JAR
* **GitHub:** <https://github.com/WebGoat/WebGoat>

***

#### 5. **Mutillidae II (OWASP)** 🐞

* **What it is:** A vulnerable web app built on PHP/MySQL.
* **Covers:** OWASP Top 10, insecure headers, cookie manipulation, browser exploitation.
* **Includes:** Bonus labs and tips.
* **Setup:** Prebuilt VMs (OWASP Broken Web Apps), Docker
* **GitHub:** <https://github.com/webpwnized/mutillidae>

***

#### 6. **Hackazon**

* **What it is:** A mock e-commerce site with real-world tech and API endpoints.
* **Built for:** Realistic black-box testing of web and APIs.
* **Still useful, though no longer actively maintained.**
* **GitHub (archive):** <https://github.com/rapid7/hackazon>

***

#### 7. **DVNA (Damn Vulnerable .NET App)**

* **What it is:** A .NET-based web app for .NET-specific security learning.
* **Great for:** ASP.NET vulnerabilities, SSRF, XXE, CORS misconfigurations.
* **GitHub:** <https://github.com/appsecco/dvna>

***

### 🧰 Tools to Use While Practicing

| Tool                   | Purpose                                           |
| ---------------------- | ------------------------------------------------- |
| **Burp Suite**         | Intercept & manipulate web traffic                |
| **OWASP ZAP**          | Free alternative to Burp, with automated scanning |
| **Postman**            | API testing                                       |
| **Firefox + DevTools** | Great for manual testing and CSP/XSS checks       |
| **SQLMap**             | Automated SQL injection tool                      |
| **wfuzz / ffuf**       | Fuzzing directories and parameters                |

***

### 🗺️ Bonus: Online Platforms with Pre-built Labs

#### 🔹 **PortSwigger Web Security Academy**

* Browser-based labs, including beginner to advanced XSS, SQLi, SSRF, etc.
* Requires only Burp Suite.
* <https://portswigger.net/web-security>

#### 🔹 **TryHackMe — “OWASP Top 10” Room**

* Beginner friendly, guided learning.
* Includes web attack theory + hands-on.
* <https://tryhackme.com/room/owasptop10>

#### 🔹 **HackTheBox — Web Challenges**

* Realistic and CTF-style web exploitation.
* [https://hackthebox.com](https://hackthebox.com/)

The following is a **deeper list of vulnerable web applications and platforms** (beyond the common ones) for **hands-on web application penetration testing**. It includes **self-hosted labs**, **online playgrounds**, and **platforms with guided exercises**.

***

### 🧨 Additional Vulnerable Web Applications for Pentesting

#### 8. **NodeGoat**

* **What it is:** A vulnerable Node.js application maintained by OWASP.
* **Focuses on:** OWASP Top 10 and secure coding in JavaScript/Node.
* **Educational approach:** Each vulnerability comes with an explanation and fix guide.
* **GitHub:** <https://github.com/OWASP/NodeGoat>

***

#### 9. **Vulnerable Docker Containers by CyberRange**

* **What it is:** A curated collection of intentionally vulnerable containers.
* **Includes apps like:** DVWA, Juice Shop, WebGoat, and more in one place.
* **Quick setup:** Ideal if you want multiple apps running in Docker Compose.
* **GitHub:** <https://github.com/Brave-Cybersecurity/Vulnerable-Apps>

***

#### 10. **AltoroMutual**

* **What it is:** A fake banking site from IBM Security with known vulnerabilities.
* **Covers:** SQL injection, XSS, weak session handling, broken auth.
* **Hosted demo:** Can be accessed via IBM AppScan tools.
* **Great for:** Demonstrating secure vs insecure functionality.

***

#### 11. **Gruyere (Google)**

* **What it is:** A Python-based vulnerable app created by Google for training.
* **Focus on:** Client- and server-side issues — XSS, XSRF, access control, etc.
* **Simple to run:** Lightweight and easy for beginners.
* **Guide:** <https://google-gruyere.appspot.com/>

***

#### 12. **SecTalks Badstore**

* **What it is:** An old-school vulnerable web app with e-commerce features.
* **Covers:** Input validation, session flaws, XSS, insecure cookies.
* **Good for:** Low-resource environments or older systems.
* **Download:** <http://badstore.net/>

***

#### 13. **XVWA (Xtreme Vulnerable Web Application)**

* **What it is:** A modernized vulnerable app with extreme versions of common bugs.
* **Great for:** XSS, CSRF, clickjacking, SQLi, command injection, and more.
* **PHP/MySQL based**
* **GitHub:** <https://github.com/s4n7h0/xvwa>

***

#### 14. **OWASP Security Shepherd**

* **What it is:** A gamified web and mobile app security training platform.
* **Focus:** Practical challenges, CTF style, and walkthroughs.
* **Ideal for:** Training individuals or teams.
* **GitHub:** <https://github.com/OWASP/SecurityShepherd>

***

#### 15. **RailsGoat**

* **What it is:** A vulnerable Ruby on Rails application.
* **Focus:** Common Rails-specific flaws like mass assignment, CSRF, unsafe redirects.
* **Great for:** Web devs and pentesters working in Ruby ecosystems.
* **GitHub:** <https://github.com/OWASP/railsgoat>

***

### 🎯 Realistic Online Web Hacking Platforms

#### 🔹 **PentesterLab**

* **Self-paced lessons and vulnerable apps.**
* Covers real-world CVEs, OWASP Top 10, web auth, APIs.
* Some content is free; full access is paid.
* [https://pentesterlab.com](https://pentesterlab.com/)

***

#### 🔹 **Root-Me (Web Challenges Section)**

* Huge collection of web-based CTFs (realistic + exploit dev).
* Multiple difficulty levels.
* <https://www.root-me.org/en/Challenges/Web-Server>

***

#### 🔹 **OverTheWire: Natas**

* Series of web-based levels (basic to advanced).
* Good for HTTP basics, directory traversal, insecure logic.
* <https://overthewire.org/wargames/natas/>

***

#### 🔹 **HackTheBox Academy**

* Learning platform with interactive web app security labs.
* Includes labs, theory, and guided exploitation.
* [https://academy.hackthebox.com](https://academy.hackthebox.com/)

***

