Vulnerable Online Web Applications to Practice Security Testing

In a previous post we had a variety of offline webapps for you to practice your skills. In this post we have a collection of online web applications written in various programming languages.


Google Gruyere

This webapp has several deliberate flaws to help you find security vulnerabilities:

Learn how hackers find security vulnerabilities
Learn how hackers exploit web applications
Learn how to stop them

Gruyere has many security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this webapp is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.


Hackthis is a site that shows you how hacks, dumps and defacements are performed and also shows how to secure your website. There are 50+ hacking levels of varying difficulty. On top of this there is a very active forum with thousands of members. There is also a section with a large number of interesting articles.


Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. There are a variety of missions for you to try out, split into several categories. There are news and articles for you to read. You need to create an account to gain access to the resources.


Another website which offers a wide array of challenges to get you to learn how to identify potential vulnerabilities and it also suggests ways to patch them. Hellbound Hackers has a large collection of tutorials and a bustling community of registered members.


The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.


A tremendous site which currently has 338 Challenges and 76 Virtual Environments and a total of 3277 Solutions for the challenges when I wrote this article. The site has over 240000 members and is used by many companies. You need to create an account, but this is free. As mentioned, there are 338 challenges available to train yourself in different and not simulated environments, offering you a way to learn a variety of hacking techniques.

Definitely one to add to your list of bookmarks.


A very retro-looking site which provides several security-oriented challenges for your entertainment. It is actually one of the oldest challenge sites still around.
The challenges are diverse and get progressively harder.


An OWASP project consisting of vulnerable web applications based on games commonly used to kill time. The ultimate goal of the project is to strengthen the security of web applications by educating different groups as to what might go wrong in a web app. Each webapp has common security problems such as cross-site scripting, SQL injections and session management issues.


is a FREE, community based project powered by eLearnSecurity. It has a slightly different approach in that the community can build, host and share vulnerable web application code for educational and research purposes. This means there are a large number of fairly unique examples for research purposes.


Enigma Group is a legal and safe security resource where you can develop your pen-testing skills on various challenges. It has over 300 challenges and many PDF documents and articles.


This web site will teach you to find and exploit XSS bugs. Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in Web applications.


W3Challs is a penetration testing training platform, which offers various computer challenges, in categories related to security: Hacking, Cracking, Wargame, Forensic, Cryptography, Steganography and Programming. The purpose of this site is to offer realistic challenges, without simulation, and without guessing. You have to register to access the challenges.

Acunetix (Forum ASP)

This forum is deliberately vulnerable to SQL Injections, directory traversal, and other web-based attacks. It is built using ASP and it is here to help you test Acunetix. The entire content of the forum is erased daily. All the posts are real-life examples of how attackers are trying to break into insecure web applications.

Acunetix (Blog .NET)

This is a test site for Acunetix. It is vulnerable to SQL Injections, Cross-site Scripting (XSS), and more. It was built using ASP.NET and it shows how bad programming leads to vulnerabilities.

Acunetix (PHP)

This is an example PHP application, which is intentionally vulnerable to web attacks. It is intended to help you test Acunetix. It also helps you understand how developer errors and bad configuration may let someone break into your website. You can use it to test other tools and your manual hacking skills as well. Tip: Look for potential SQL Injections, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), and more.

Free Online Bank Web site

The Free Online Bank Web site is published by Micro Focus Fortify for the sole purpose of demonstrating the functionality and effectiveness of Micro Focus Fortify’s WebInspect products in detecting and reporting Web application vulnerabilities. This site is not a real banking site and any similarities to third party products and/or Web sites are purely coincidental.


The AltoroJ website is published by IBM Corporation for the sole purpose of demonstrating the effectiveness of IBM products in detecting web application vulnerabilities and website defects.