Top 10 Vulnerable Websites for Penetration Testers

August 6, 2021

A penetration tester needs a good understanding of how web applications work before looking for vulnerabilities in them, along with solid knowledge of Linux operating systems.

To practise web application penetration testing, here are some deliberately vulnerable websites and applications where you can test legally instead of attacking live websites.

1. bWAPP:

bWAPP ("buggy web application") was created by Malik Mesellem. It is an open-source web application intended to help students, developers and anyone interested in IT security discover and prevent web vulnerabilities.

The application has more than 70 vulnerabilities, for example SQL injection, Cross-Site Scripting (XSS) and Denial of Service (DoS).

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL, and it can also be installed with LAMP, WAMP or XAMPP.



2. DVWA:

Damn Vulnerable Web Application (DVWA) is written in PHP/MySQL. Its main goals are to help security professionals test their skills and tools in a legal environment, and to help web developers better understand the process of securing web applications in a classroom environment.

There are four difficulty levels in DVWA:

  • Impossible
  • High
  • Medium
  • Low


Vulnerability modules include Brute Force, Command Injection, CSRF, File Upload, Insecure CAPTCHA, SQL Injection, Weak Session IDs and XSS.



3. Hack This Site:

Hack This Site, commonly referred to as HTS and founded by Jeremy Hammond, is an online hacking and security website. It aims to give users a way to learn and practise basic and advanced "hacking" skills through a series of challenges in a safe and legal environment.

Hack This Site also has an IRC network that serves as a social gathering place for like-minded people to discuss anything.

Challenges on Hack This Site include:

  • Basic and Realistic Challenges
  • Programming Missions
  • Application Missions
  • Steganography Missions
  • Forensic Missions

View Hack This Site.


4. Google Gruyere:

Gruyere is written in Python and is a great option for beginners learning web application penetration testing.

Gruyere divides its vulnerabilities into different sections, and in each section you are given a task to find the vulnerability.

Some of the vulnerabilities covered are:

  • Cross-site Scripting
  • Cross-site request forgery
  • Remote code execution
  • Information disclosure
  • Denial of service (DoS)


5. Mutillidae II:

Mutillidae is a free, open-source web application written in PHP. It runs on both Windows and Linux and has more than 40 vulnerabilities, including the OWASP Top 10.

View Mutillidae.


6. Defend The Web:

Defend The Web is also known as HackThis. It has 60+ hacking levels and articles that cover all areas of security, including the topics specifically exercised by the levels. It also has a community of hackers, developers and security experts who share their knowledge there.

View Defend The Web.


7. OverTheWire:

OverTheWire offers wargames and warzones for different skill levels, and it has an IRC channel where players discuss security issues.

The warzone is an isolated network simulating the entire IPv4 Internet, on which all connected devices are targets to be hacked. The warzone allows players to connect their own hackable servers or devices running any software they like, as long as it speaks IP.

View OverTheWire.


8. WebGoat:

WebGoat is a deliberately insecure web application created by OWASP as a guide to secure programming practices. Once downloaded, the application comes with a tutorial and a set of lessons that show students how vulnerabilities are exploited in order to teach them how to write code securely.

View WebGoat.


9. Try2Hack:

Try2Hack provides several security-oriented challenges and is one of the oldest challenge sites still around.

They also have an IRC channel for communication.

View Try2Hack.


10. Root Me:

Root Me has 371 challenges and 134 virtual environments. Challenge categories include:

  • Cracking
  • Cryptanalysis
  • Forensic
  • Programming
  • Steganography
  • Web-client

View Root Me.
