They say the best defense is a good offense - and it's no different in the InfoSec world. Here's our updated list of 15 sites to practice your hacking skills so you can be the best defender you can - whether you're a developer, security manager, auditor or pen-tester. And remember - practice makes perfect! Are there any other sites you'd like to add to this list? Let us know below!
bWAPP, which stands for Buggy Web Application, is "a free and open source deliberately insecure web application" created by Malik Messelem, @MME_IT. Vulnerabilities to keep an eye out for include over 100 common issues derived from the OWASP Top 10.
bWAPP is built in PHP and uses MySQL. Download the project here. For more advanced users, bWAPP also offers what Malik calls a bee-box, a custom Linux VM that comes pre-installed with bWAPP.
Recently re-released as a free download by InfoSec Engineer @prateekg147, DVIA was built as an especially insecure mobile app for iOS 7 and above. For mobile app developers the platform is especially helpful, because while there are numerous sites to practice hacking web applications, mobile apps that can be legally hacked are much harder to come by!
Get going with DVIA by watching this YouTube video and reading the 'Getting Started' guide.
Alright, this one isn't exactly a vulnerable web app - but it's another engaging way of learning to spot application security vulnerabilities, so we thought we'd throw it in. Call it shameless self-promotion, but we've received amazing feedback from security pros and developers alike, so we're happy to share it with you, too! The game is designed to test your AppSec skills and each question offers a chunk of code which may or may not have a security vulnerability - it's up to you to figure it out before the clock runs out. A leaderboard makes Game of Hacks just that much more enticing.
This 'cheesy' vulnerable site is full of holes and aimed for those just starting to learn application security. The goal of the labs are threefold:
"'Unfortunately,' Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution," the website states. "The goal of this code lab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general."
Written in Python, Gruyere offers opportunities for both black box and white box testing so "hackers" have the chance to play on both sides of the fence.
Get started here: http://google-gruyere.appspot.com/
HackThis!! was designed to teach how hacks, dumps, and defacement are done, and how you can secure your website against hackers. HackThis!! offers over 50 levels with various difficulty levels, in addition to a lively and active online community making this a great source of hacking and security news and articles.
Get started with HackThis!! here.
Hellbound Hackers, the hands-on approach to computer security, offers a wide array of challenges with the aim to teach how to identify exploits and suggest the code to patch it. And Hellbound Hackers really is the ultimate site for hacking tutorials, covering a large range of topics from encryption and application cracking, to social engineering and rooting. With a community of nearly 100k registered members, it's also one of the biggest hacking communities out there.
Read more and get started here.
Foundstone, a practice within McAfee's Professional Services, launched a series of sites in 2006 aimed for pen testers and security professionals looking to increase their InfoSec chops. Each simulated app offers a "real-world" experience, built with "real-world" vulnerabilities. From mobile bank apps to apps designed to take reservations, these projects cover a wide array of security issues to help any security-minded professional stay ahead of the hackers.
The group of sites include:
Yet another OWASP project on our list, Mutillidae is another deliberately vulnerable web application built for Linux and Windows. This project is actually a set of PHP scripts containing all the OWASP Top Ten vulnerabilities and more and is armed with hints to help users get started.
OverTheWire is great for developers and security professionals of all experience levels to learn and practice security concepts. This pracrice comes in form of fun-filled wargames - beginners should start with "Bandit",. where the basics are taught, and will progress to higher levels and to advanced games all with more complex bugs and exploits to patch as you go.
Jump in the game here
Created by ra.phid.ae and considered one of the oldest challenge sites still around, Try2Hack offers multiple security challenges.
The game features diverse levels which are sorted by difficulty, all created to practice hacking for your entertainment. There is an IRC channel for beginners where you can join the community and ask for help, in addition to a full walkthrough based on GitHub.
Try2Hack is available here.
An OWASP project, Vicnum is a series of basic and obviously web apps based on games "commonly used to kill time." Because of their simple frameworks, the applications can be tailored for different needs, making Vicnum a great choice for security managers looking to help teach developers AppSec in a fun way.
The goal of Vicnum is "to strengthen the security of web applications by educating different groups (students, management, users, developers, auditors) as to what might go wrong in a web app, the site says. "And of course it's OK to have a little fun."
One of the most popular OWASP projects is WebGoat. This insecure app provides a realistic teaching and learning environment with lessons designed to teach users about complex application security issues. WebGoat is aimed for developers looking to learn more about web app security. The name WebGoat is a scapegoat reference: "Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!'"
Installs are available for Windows, OSX Tiger and Linux and has separate downloads for J2EE and .NET environments. There is an "easy-run" version as well as a "source distribution" version that allows users to modify the source code.
For help with the lessons, take a look at this series of videos available for download.