Lab

1. https://www.vulnhub.com/

2. https://pentesterlab.com/exercises/web_for_pentester/course

3. https://portswigger.net/users?returnurl=%2fusers%2fyouraccount

4. https://application.security/free/owasp-top-10 - OWASP TOP 10

5. https://thexssrat.podia.com/ratatatata

6. https://github.com/Ignitetechnologies/Web-Application-Cheatsheet?s=08#nano CMS

7. https://brutelogic.com.br/blog/xss101/ -XSS

8. https://pentesterlab.com/exercises

9. https://hacklido.com/d/8-web-app-pentesting/4

10. https://xss.pwnfunction.com/

11. https://www.deepfryd.com/burp-academy-apprentice/

12. https://domgo.at/cxss/intro -XSS

13. https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application - GraphQL

Online Hacking Demonstration Sites

• http://testasp.vulnweb.com/ - Acunetix ASP test and demonstration site

• http://testaspnet.vulnweb.com/ - Acunetix ASP.Net test and demonstration site

• http://testphp.vulnweb.com/ - Acunetix PHP test and demonstration site

• http://crackme.cenzic.com/kelev/view/home.php - Crack Me Bank

• http://zero.webappsecurity.com/ - Zero Bank

• http://demo.testfire.net/ - Altoro Mutual

• https://github.com/Kajmer/Pentest-Resources

Practice

• https://lab.pentestit.ru/ - PentestIT labs (2 free labs per year)

• https://pentesterlab.com/exercises/ - Free Basic Excersices (also Premium)

• https://www.hackthebox.eu/ - Hack The Box is an online platform allowing you to test and advance your skills in cyber security (You need to hack a test resource to get an invitation :))

• https://www.vulnhub.com/ - Virtual Machines for Localhost Penetration Testing

• https://github.com/jerryhoff/WebGoat.NET - This web application is a learning platform about common web security flaws

• http://www.dvwa.co.uk/ - Damn Vulnerable Web Application (DVWA)

• https://github.com/s4n7h0/xvwa - Similar to DVWA, but with some added attacks

• http://sourceforge.net/projects/lampsecurity/ - LAMPSecurity Training

• https://github.com/Audi-1/sqli-labs - SQLI labs to test error based, Blind boolean based, Time based.

• https://github.com/paralax/lfi-labs - small set of PHP scripts to practice exploiting LFI, RFI and CMD injection vulns

• https://hack.me/ - Build, host and share vulnerable web apps in a sandboxed environment for free

• http://azcwr.org/az-cyber-warfare-ranges - Free live fire Capture the Flag, blue team, red team Cyber Warfare Range for beginners through advanced users. Must use a cell phone to send a text message requesting access to the range.

• https://github.com/adamdoupe/WackoPicko - WackoPicko is a vulnerable web application used to test web application vulnerability scanners.

• https://github.com/rapid7/hackazon - Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications.

• https://www.hackthissite.org/ - Hack This Site is a free training ground for users to test and expand their hacking skills.

Best websites to test your hacking skills

https://pwnable.kr/
https://hack.me/
https://ctflearn.com/
https://google-gruyere.appspot.com/ 
https://www.root-me.org/en/
https://www.hackthebox.eu/
https://www.hacking-lab.com/
http://www.gameofhacks.com/
https://overthewire.org/
https://microcorruption.com/
https://xss-game.appspot.com/?utm_source...dium=email
https://www.hackthissite.org/pages/index/index.php
https://crackmes.one/
https://pentest.training/
https://www.hellboundhackers.org/
http://hax.tor.hu/
https://thisislegal.com/
https://tryhackme.com/

Perfect — if you're shifting focus to web application penetration testing, there’s a wide variety of intentionally vulnerable web apps you can use for safe and legal practice.

Here’s a curated list of the most up-to-date and widely used vulnerable web applications for learning web app pentesting, including OWASP Top 10 issues, real-world simulations, and even CTF-style challenges.

---

🧨 Best Vulnerable Web Apps for Learning Web Application Pentesting

1. OWASP Juice Shop 🍹

• What it is: A modern, full-stack web app with tons of vulnerabilities.

• Covers: OWASP Top 10, CSRF, XSS, SQLi, JWT, insecure APIs, etc.

• Features: Built-in scoreboard, hints, tutorials.

• Tech Stack: Angular + Node.js

• Run via: Docker, Heroku, or local Node

• GitHub: https://github.com/juice-shop/juice-shop

---

2. Damn Vulnerable Web Application (DVWA) 🐛

• What it is: A PHP/MySQL-based web app designed for beginners.

• Covers: XSS, SQLi, CSRF, command injection, file inclusion.

• Difficulty levels: Low, Medium, High, Impossible

• Setup: XAMPP, MAMP, Docker

• GitHub: https://github.com/digininja/DVWA

---

3. bWAPP (Buggy Web App) 🐝

• What it is: One of the most comprehensive vulnerable apps (~100+ bugs).

• Covers: OWASP Top 10, honeypots, insecure HTML5, clickjacking, etc.

• Supports APIs & mobile vulnerabilities too.

• Setup: XAMPP or Docker (bee-box available)

• GitHub: https://github.com/raffaeleflorio/bwapp-docker

---

4. WebGoat (OWASP Project) 🐐

• What it is: A deliberately insecure app with lesson-based walkthroughs.

• Covers: Authentication flaws, insecure deserialization, XXE, logic bugs.

• Includes: Secure coding exercises too.

• Run via: Docker, JAR

• GitHub: https://github.com/WebGoat/WebGoat

---

5. Mutillidae II (OWASP) 🐞

• What it is: A vulnerable web app built on PHP/MySQL.

• Covers: OWASP Top 10, insecure headers, cookie manipulation, browser exploitation.

• Includes: Bonus labs and tips.

• Setup: Prebuilt VMs (OWASP Broken Web Apps), Docker

• GitHub: https://github.com/webpwnized/mutillidae

---

6. Hackazon

• What it is: A mock e-commerce site with real-world tech and API endpoints.

• Built for: Realistic black-box testing of web and APIs.

• Still useful, though no longer actively maintained.

• GitHub (archive): https://github.com/rapid7/hackazon

---

7. DVNA (Damn Vulnerable .NET App)

• What it is: A .NET-based web app for .NET-specific security learning.

• Great for: ASP.NET vulnerabilities, SSRF, XXE, CORS misconfigurations.

• GitHub: https://github.com/appsecco/dvna

---

🧰 Tools to Use While Practicing

Tool	Purpose
Burp Suite	Intercept & manipulate web traffic
OWASP ZAP	Free alternative to Burp, with automated scanning
Postman	API testing
Firefox + DevTools	Great for manual testing and CSP/XSS checks
SQLMap	Automated SQL injection tool
wfuzz / ffuf	Fuzzing directories and parameters

---

🗺️ Bonus: Online Platforms with Pre-built Labs

🔹 PortSwigger Web Security Academy

• Browser-based labs, including beginner to advanced XSS, SQLi, SSRF, etc.

• Requires only Burp Suite.

• https://portswigger.net/web-security

🔹 TryHackMe — “OWASP Top 10” Room

• Beginner friendly, guided learning.

• Includes web attack theory + hands-on.

• https://tryhackme.com/room/owasptop10

🔹 HackTheBox — Web Challenges

• Realistic and CTF-style web exploitation.

• https://hackthebox.com

You got it — here’s a deep dive with more vulnerable web applications and platforms (beyond the common ones) for hands-on web application penetration testing. These include both self-hosted labs, online playgrounds, and platforms with guided exercises.

---

🧨 Additional Vulnerable Web Applications for Pentesting

8. NodeGoat

• What it is: A vulnerable Node.js application maintained by OWASP.

• Focuses on: OWASP Top 10 and secure coding in JavaScript/Node.

• Educational approach: Each vulnerability comes with an explanation and fix guide.

• GitHub: https://github.com/OWASP/NodeGoat

---

9. Vulnerable Docker Containers by CyberRange

• What it is: A curated collection of intentionally vulnerable containers.

• Includes apps like: DVWA, Juice Shop, WebGoat, and more in one place.

• Quick setup: Ideal if you want multiple apps running in Docker Compose.

• GitHub: https://github.com/Brave-Cybersecurity/Vulnerable-Apps

---

10. AltoroMutual

• What it is: A fake banking site from IBM Security with known vulnerabilities.

• Covers: SQL injection, XSS, weak session handling, broken auth.

• Hosted demo: Can be accessed via IBM AppScan tools.

• Great for: Demonstrating secure vs insecure functionality.

---

11. Gruyere (Google)

• What it is: A Python-based vulnerable app created by Google for training.

• Focus on: Client- and server-side issues — XSS, XSRF, access control, etc.

• Simple to run: Lightweight and easy for beginners.

• Guide: https://google-gruyere.appspot.com/

---

12. SecTalks Badstore

• What it is: An old-school vulnerable web app with e-commerce features.

• Covers: Input validation, session flaws, XSS, insecure cookies.

• Good for: Low-resource environments or older systems.

• Download: http://badstore.net/

---

13. XVWA (Xtreme Vulnerable Web Application)

• What it is: A modernized vulnerable app with extreme versions of common bugs.

• Great for: XSS, CSRF, clickjacking, SQLi, command injection, and more.

• PHP/MySQL based

• GitHub: https://github.com/s4n7h0/xvwa

---

14. OWASP Security Shepherd

• What it is: A gamified web and mobile app security training platform.

• Focus: Practical challenges, CTF style, and walkthroughs.

• Ideal for: Training individuals or teams.

• GitHub: https://github.com/OWASP/SecurityShepherd

---

15. RailsGoat

• What it is: A vulnerable Ruby on Rails application.

• Focus: Common Rails-specific flaws like mass assignment, CSRF, unsafe redirects.

• Great for: Web devs and pentesters working in Ruby ecosystems.

• GitHub: https://github.com/OWASP/railsgoat

---

🎯 Realistic Online Web Hacking Platforms

🔹 PentesterLab

• Self-paced lessons and vulnerable apps.

• Covers real-world CVEs, OWASP Top 10, web auth, APIs.

• Some content is free; full access is paid.

• https://pentesterlab.com

---

🔹 Root-Me (Web Challenges Section)

• Huge collection of web-based CTFs (realistic + exploit dev).

• Multiple difficulty levels.

• https://www.root-me.org/en/Challenges/Web-Server

---

🔹 OverTheWire: Natas

• Series of web-based levels (basic to advanced).

• Good for HTTP basics, directory traversal, insecure logic.

• https://overthewire.org/wargames/natas/

---

🔹 HackTheBox Academy

• Learning platform with interactive web app security labs.

• Includes labs, theory, and guided exploitation.

• https://academy.hackthebox.com

---