They say the best defense is a good offense, and it's no different in the cyber world. Whether you're a developer, security manager or pen-tester, you can use these 10 deliberately vulnerable sites to practice your hacking skills and become a better defender of your own systems. Practice makes perfect, and these sites let you practice legally.

10 Vulnerable Sites for Hacking Practice Legally

1. bWAPP

bWAPP, or a buggy web application, is a free and open source deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.
bWAPP prepares one to conduct successful penetration testing and ethical hacking projects.

What makes it unique is that it has over 100 web vulnerabilities.
It covers all major known web bugs, including all risks from the OWASP top 10 project.

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.


2. Damn Vulnerable iOS App (DVIA)

Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. Its main goal is to provide a platform for mobile security enthusiasts, professionals and students to test their iOS penetration testing skills in a legal environment. This application covers all the common vulnerabilities found in iOS applications (following the OWASP top 10 mobile risks) and contains several challenges that the user can try. It also contains a section where a user can read various articles on iOS application security. The vulnerabilities and solutions covered in this app are tested up to iOS 10. DVIA is free and open source and can be downloaded from here. You can also download the solutions.

3. Google Gruyere

This codelab is built around Gruyere /ɡruːˈjɛər/ – a small, cheesy web application that allows its users to publish snippets of text and store assorted files. “Unfortunately,” Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.

4. Game of Hacks

This game was designed to test your application hacking skills. You will be presented with vulnerable pieces of code, and your mission, if you choose to accept it, is to find which vulnerability exists in that code as quickly as possible. You can find it here.

5. Hack this Site

Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.

6. Hellbound Hackers

Hellbound Hackers provides the hands-on approach to computer security. Learn how hackers break in, and how to keep them out. Huge resource for computer security researchers.

7. Try2Hack

This site provides several security-oriented challenges for your entertainment. It is actually one of the oldest challenge sites still around 🙂

The challenges are diverse and get progressively harder.

8. Hack This

HackThis!! was designed to teach how hacks, dumps, and defacements are done, and how you can secure your website against hackers. It offers over 50 levels of varying difficulty, in addition to a lively and active online community, making it a great source of hacking and security news and articles.

9. Root Me

Root Me is a great way to challenge and improve your hacking skills and web security knowledge through over 200 hacking challenges and 50 virtual environments. Check out Root Me here.

10. McAfee HackMe Sites

McAfee's Professional Services launched a series of sites in 2006 aimed at pen testers and security professionals looking to increase their InfoSec chops. Each simulated app offers a "real-world" experience, built with "real-world" vulnerabilities. From mobile bank apps to apps designed to take reservations, these projects cover a wide array of security issues to help any security-minded professional stay ahead of the hackers.

The group of sites includes:

That's all 10 vulnerable sites for legal hacking practice. There may be more, and we will add others to this article as we find them.

Note: Use a virtual machine, and scan any program on VirusTotal before downloading it to your host machine, for your privacy.