Threat Intelligence 101

What are Vulnerable Websites? Top 12 Sites for Legal Penetration Testing Training

Posted: 9th April 2024
By: Esteban Borges
What are vulnerable websites? Top 12 Legal Sites for Penetration Testing Training

The infamous cybersecurity skills gap is rising year by year. According to HelpnetSecurity, 71% of organizations report that the cybersecurity skills shortage has impacted them. And more than ever, companies are in need of security professionals to protect their networks and systems. So whether you're just starting out in cybersecurity or you're established as an expert, you constantly need to work on practicing and sharpening your cybersecurity skills.

Just as the gap grows, so does the number of vulnerabilities, attack vectors and attack techniques. Companies need to ensure their computer systems and networks are secured, and devoid of any holes for attackers to leverage for access to, and possession of, sensitive data.

Ethical hackers (or “white hats”) and bug bounty hunters play a tremendously valuable role in safeguarding systems and networks from vulnerability to malicious actors.

They represent some of the most attractive professions in the modern landscape. And because cybercriminals are constantly finding new ways to break into systems and networks and developing new tools and techniques, ethical hackers—whether merely starting out in cybersecurity or established as experts—are in constant need of practicing and sharpening their skills.

Remember that in order to investigate cyber crime, you must learn how they operate. Understanding the mindset and methodologies of cybercriminals allows you to anticipate their moves, strengthen system defenses, and effectively neutralize potential threats

There are many ways to learn ethical hacking and penetration testing, whether it's through online tutorials, YouTube videos, courses, books, podcasts, etc., but we all know that nothing beats a practical approach. Truth is, it can be hard to test their skills legally so having websites that are designed to be vulnerable and provide a safe environment to test cybersecurity skills is a great way to continue challenging yourself.

What are vulnerable websites?

Vulnerable websites are intentionally designed with security flaws to provide a safe and legal environment for cybersecurity training and practice. Websites and web applications that are vulnerable by design and offer a safe hacking space are fertile ground for learning.

By using them, people can get comfortable with finding vulnerabilities, security researchers and bug bounty hunters can expand their knowledge and find new vulnerabilities, and seasoned professionals, developers and pen testers can keep their own skills sharp and current.

List of Top Vulnerable Websites for Legally Testing Your Skills

Today we're exploring a list of the top 12 deliberately vulnerable websites for penetration testing and ethical hacking training. There are fun, game-oriented platforms here, with both web and mobile applications and more, so you can find the one to suit your skills:

1. Hack The Box

Hack the Box

Hack The Box has taken the community by storm. It counts more than 500,000 new hackers, students, security professionals and gamers from all over the world. An online pentesting platform, Hack The Box (HTB) allows you to test your cybersecurity (and pentesting) skills as well as exchange ideas and experiences with this amazing community.

HTB contains vulnerable machines that you are invited to hack—it even goes so far as to require you to hack your way to the invitation code that allows you to begin practicing on it. Several of its challenges are constantly being updated, with some that simulate real-world scenarios and some that lean more towards CTFs.

HTB also organizes CTFs on their platform that are very popular throughout the hacker community, as are the dedicated labs available to rent for your college or business. Over 1,000 organizations are already using this feature.

While HTB is only a few years old, its multitude of options and vast community establish its standing as a go-to for both new and experienced hackers.

2. CTFlearn

Learn Cybersecurity

CTFlearn is another highly popular ethical hacking platform. Offered as “The most beginner-friendly way to get into hacking”, CTF learn boasts a worldwide following of over 70,000 individuals who are there to learn, practice and compete.

The platform’s name derives from Capture The Flag (CTF), which is popular in the hacking community for its contents and reputation as a favorite cybersecurity challenge for beginners as well as professional hackers. CTFlearn also features challenges and competitions that give the users the ability to act as both attacker and defender.

Different labs involve numerous cybersecurity topics that users can create themselves. Challenges are grouped into categories and organized by level of difficulty. These include:

  1. Web
  2. Reverse engineering
  3. Forensics
  4. Programming
  5. Binary
  6. Crypto
  7. Miscellaneous

3. bWAPP


Created by Malik Messelem, bWAPP (short for "buggy web application") is a free and open source application that is, just as the name implies, deliberately vulnerable. It's one of the best—if not the best—buggy websites available for practicing and sharpening your hacking skills.

Whether you're a security enthusiast, hobbyist, student, developer or even a professional merely looking to have some fun, this website will help you conduct ethical hacking and pen testing in a legal environment.

What makes bWAPP unique is that it offers more than 100 web application vulnerabilities and bugs derived from OWASP's Top 10 Project. Some of the vulnerabilities are:

  • Cross-site scripting (XSS), cross-site tracing (XST) and cross-site request forgery (CSRF)
  • Man-in-the-middle attacks
  • Server-side request forgery (SSRF)
  • DoS attacks
  • SQL, HTML, iFrame, SSI, OS Command, PHP, XML, XPath, LDAP, Host Header and SMTP injections

But it doesn't end there. Beside the 100 bugs, you can use a so-called "bee-box," a custom pre-installed Linux VM.

bWAPP Is built on PHP and uses a MySQL database. It can be hosted on both Windows and Linux OS: on Windows you can host it on xampp and wamp server; on Linux, Apache, and it's also great to use on Kali Linux.

You can easily download bWAPP here.

4. HackThisSite

Hack This

One of our favorites, HackThisSite, or HTS, is a great hacking website that was founded by Jeremy Hammond but has been maintained by the community. It offers numerous different challenges that contain beginner as well as advanced hacking skills.

The challenges are fun and engaging, with real-life scenarios and different characters. Each challenge has a thread on a forum where you can discuss it with other members of the community and offer resources to solve the puzzle more quickly. You even get a chance to hack a voting system!

Some other challenges on HackThisSite are:

  • Realistic missions
  • Application missions
  • Phone phreaking missions
  • Forensic missions
  • Programming missions

And don't forget their CTFs. They also encourage people to exploit this site literally, and reward those who disclose them by adding them to their hall of fame. HTS is an enjoyable place with a vibrant community and no matter your skill level, you'll find a mission that will both challenge and entertain you.

5. Google Gruyere

Google Gruyere

It's not often we see the pairing of cheese and hacking, but this website is a lot like good cheese—full of holes. It also uses "cheesy" code and the entire design is cheese-based. Gruyere is a great option for beginners who want to dive into finding and exploiting vulnerabilities, but also learn how to play on the other side and defend against exploits.

Gruyere is written in Python, with bugs that aren't specific to Python, and offers a substantial number of security vulnerabilities chosen to suit beginners. Some of the vulnerabilities are:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (XRF)
  • Remote code execution
  • DoS attacks
  • Information disclosure

Gruyere codelab has divided vulnerabilities into different sections, and in each section you will have a task to find that vulnerability. Using both black and white box hacking, you'll need to find and exploit bugs. Some previous knowledge is necessary, but we think this is the best choice for beginners.

6. Damn Vulnerable iOS App - DVIA

DVIA Damn Vulnerable IOS App

DVIA is an iOS mobile application meant to help mobile security hobbyists, professionals and mobile developers practice penetration testing. It was recently re-released and is available for free on GitHub.

DVIA contains common iOS app vulnerabilities following the OWASP Top 10 mobile risks. It's written in Swift, with all vulnerabilities tested up to iOS 11, and you do need to have Xcode installed (the best way to install it is by using Cydia Impactor).

Some of the vulnerabilities you can play with are:

  • Phishing
  • Jailbreak detection
  • Debugging
  • Touch/Face ID bypass
  • Side channel data leakage
  • Broken cryptography
  • Network layer security
  • Application patching

Although DVIA is open source, if you're unable to solve a challenge you can buy the solutions and donate to support the DVIA project, allowing you to contribute to the open source community. It's a great place for beginners as well as anyone else who wants to practice hacking mobile apps. In that sense, it's fairly unique.

7. Hellbound Hackers


Hellbound Hackers is an all-around computer security platform, as it not only offers hands-on challenges, articles, forums and a wide array of hacking tutorials, but also has one of the biggest hacking communities around, with over 100,000 registered members.

On Hellbound Hackers, you'll have the chance to participate in timed challenges requiring you to find a vulnerability and a way to patch it.

Learning how malicious actors break into systems will also teach you how to defend against them. It's great for beginners as it offers some simpler challenges, but it can also be enjoyed by professionals. Note: Before diving into Hellbound Hackers, you should be familiar with HTML, JS and PHP.

The many different challenges in Hellbound Hackers include:

  • Application hacking
  • Basic web hacking
  • Javascript hacking
  • Rooting challenges
  • Pen-testing challenges

8. OWASP Mutillidae II

OWASP Multidae II

Another OWASP project to consider here is the OWASP Mutillidae II, better known simply as Mutillidae.

Written in PHP, this is an open source vulnerable web application that can be used on Linux and Windows using lamp, wamp and xampp servers. It also comes pre-installed on Rapid7 Metasploitable 2, Samurai WTF and OWASP BWA. For easier installation, they offer tutorials for each step.

It features over 40 vulnerabilities and contains a large number of the OWASP Top 10 vulnerabilities. Mutillidae is a safe and legal environment where security enthusiasts, professionals, students and CTFs can practice web hacking.

9. Defend the Web

Defend the web

Defend the Web, originally known as HackThis!!, is an interactive cybersecurity platform designed to offer challenges for all skill levels. It features over 60 hacking levels and articles that cover all areas of security including those specifically contained on the level.

There are different categories, such as some featuring fictional "real world" scenarios that have you working as a security professional who's challenged to secure the website against hackers. It even holds CTF competitions from time to time and engages a lively community of over 600 thousand members where you can exchange knowledge and discuss security news and articles.

10. WebGoat


Yet another OWASP entry on this list, and one of the more beloved. WebGoat is a highly insecure app that provides a learning environment for common server-side application flaws. It's designed to help people learn about application security and practice pen testing skills.

Each lesson gives you a chance to learn about a certain security issue and exploit it in the app. WebGoat is available for Windows, OSX Tiger and Linux and downloads for J2EE and .NET environments.

Some of the vulnerabilities and attacks explored in WebGoat are:

  • Cache poisoning
  • SQL injection
  • Trojan horse attacks
  • Spyware
  • Unicode encoding

11. Root Me


A multilanguage security training platform, Root Me is a great place for testing and advancing your hacking skills. It features over 300 challenges which are updated regularly and more than 50 virtual environments, all to provide a realistic environment. Root Me also has a passionate community of over 200,0000 members, all of whom are encouraged to participate in the development of the project and earn recognitions.

Different subjects covered on Root Me include:

  • Digital investigation
  • Automation
  • Breaking encryption
  • Cracking
  • Network challenges
  • SQL injection

It's a solid platform and a great way to practice your hacking skills, although it's not as beginner-friendly as some of the other entries on this list.

12. OverTheWire

Over The Wire

Another terrific place for fun and learning, OverTheWire offers wargames and warzones for different skill levels, although it does lean toward more advanced hacking concepts. Each level features specific scenarios; you start as a Bandit and work your way up to the more complex exploits.

First you'll be challenged by wargames that cover basic concepts and skills, then continue to different scenarios and more involved stories. OverTheWire also has a competitive side, the warzone, an isolated network simulating the IPv4 Internet. All connected devices are targets to be hacked, placing you in competition with other hackers.

Expand your cybersecurity skills with Recorded Future University

Diving into penetration testing and ethical hacking is a thrilling part of learning cybersecurity, but there’s so much more to the story. It’s important to remember that truly comprehensive cybersecurity expertise goes beyond just understanding web applications. Central to the success of both blue and red teams' success is a deep knowledge of threat intelligence. It’s this foundational insight that often makes the difference in staying a step ahead of cyber adversaries.

Recorded Future University's Threat Intelligence Training can take your defensive capabilities to the next level, by offering specialized insights into the latest cyber threat landscape. This program can significantly enhance your team's skills in detecting, averting, and addressing cybercrime, providing them with an in-depth understanding of the evolving cyber threat environment.


Whether you're a developer, security professional, student, or enthusiast, websites designed to be vulnerable for ethical hacking purposes offer a fantastic way to learn while putting your skills to the test. With a plethora of options available—most of them free—we're confident you'll find something that will provide, at the very least, a fun and engaging experience.

At Recorded Future, we're always on the lookout for talented security professionals. Take a moment to explore our Careers page and apply for any open positions if you're interested in expanding your cybersecurity knowledge with the leading intelligence company.

Esteban Borges Blog Author
Esteban Borges

Esteban is a seasoned security researcher and IT professional with over 20 years of experience, specializing in hardening systems and networks, leading blue team operations, and conducting thorough attack surface analysis to bolster cybersecurity defenses. He's also a skilled marketing expert, specializing in content strategy, technical SEO, and conversion rate optimization. His career includes roles as Security Researcher and Head of Marketing at SecurityTrails, before joining the team at Recorded Future.