Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
In Career and Security Last updated: January 30, 2023
Share on:
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

There’s no better way to improve confidence in ethical hacking skills than to put them to the test.

It can be challenging for ethical hackers and penetration testers to test their capabilities legally, so having websites designed to be insecure and provide a safe environment to test hacking skills is a fantastic way to keep oneself challenged.

Websites and web apps designed to be insecure and provide a secure hacking environment are ideal grounds for learning. New hackers can learn how to find vulnerabilities with them, and security professionals and bug bounty hunters can increase their expertise and find some other new vulnerabilities.

Use of Vulnerable Web Apps

Leveraging these intentionally created vulnerable websites and web apps for testing gives you a safe environment to practice your testing legally while being on the right side of the law. In this manner, you can hack without entering dangerous territory that could lead to your arrest.

These applications are designed to assist security enthusiasts in learning and sharpening their information security and penetration testing abilities.

In this article, I have listed several types of apps that have been purposefully designed insecure, often known as “Damn Vulnerable.”

Buggy Web Application

The Buggy Web Application, often known as BWAPP, is a free and open-source tool. It’s a PHP application that uses a MySQL database as its back-end. This Bwapp has over 100 bugs for you to work on, whether you’re preparing for a task or just want to keep your ethical hacking abilities up to standard. This covers all of the major (and most prevalent) security flaws.


More than 100 online application vulnerabilities and defects are included in this tool, which was derived from the OWASP Top 10 Project. The following are some of the flaws:

  • Cross-site scripting (XSS) and cross-site request forgery (CSRF)
  • DoS (denial-of-service) attacks
  • Man-in-the-middle attacks
  • Server-side request forgery (SSRF)
  • SQL, OS Command, HTML, PHP, and SMTP injections, etc.

This web application will assist you in conducting lawful ethical hacking and pen testing.

You can easily download this bwapp by clicking here.

Damn Vulnerable Web Application

Damn Vulnerable Web Application, often known as DVWA, is developed in PHP and MySQL. It is intentionally left vulnerable so security professionals and ethical hackers can test their skills without legally compromising anyone’s system. To run, DVWA requires the installation of a web server, PHP, and MySQL. If you don’t already have a web server set up, the quickest approach to install DVWA is to download and install ‘XAMPP.’ XAMPP is available for download here.


This damn vulnerable web app provides some vulnerabilities to test on.

  • Brute-force
  • Command Execution
  • CSRF and File Inclusion
  • XSS and SQL injection
  • Insecure file upload

The main advantage of DVWA is that we can set the security levels to practice testing on each vulnerability. Each level of security needs a unique set of talent. Security researchers can examine what is going on at the back-end thanks to the developers’ decision to publish the source code. This is excellent for researchers to learn about these problems and to assist others in learning about them.

Google Gruyere

We don’t often see the words “cheese” and “hacking” used together, but this website is full of holes, just like delicious cheese. Gruyere is an excellent choice for beginners who want to learn how to locate and exploit vulnerabilities and how to fight against them. It also uses “cheesy” coding, and the entire design is based on cheese.

image source: Google gruyere

To make things easier, it’s written in Python and categorized by vulnerability kinds. They’ll provide you with a brief description of the vulnerability you’ll locate, exploit, and identify using black-box or white-box hacking (or a combination of both techniques) for each task. Some of them are :

  • Information disclosure
  • SQL injection
  • Cross-site request forgery
  • Denial-of-service attacks

Although some prior knowledge is required, this is the best option for beginners.


This list includes another OWASP item and one of the most popular. WebGoat is an unsafe program that can be used to learn about common server-side application issues. It’s intended to assist people in learning about application security and practicing pentesting techniques.

Each lesson allows you to learn about a specific security flaw and then attack it in the app.


Some of the vulnerabilities featured in Webgoat are :

  • Buffer overflows
  • Improper error handling
  • Injection flaws
  • Insecure communication and configuration
  • Session management flaws
  • Parameter tampering

Metasploitable 2

Among security researchers, Metasploitable 2 is the most commonly exploited online application. High-end tools like Metasploit and Nmap can be used to test this application by security enthusiasts.

The main purpose of this vulnerable application is network testing. It was modeled after the prominent Metasploit program, which security researchers use to discover security flaws. You might even be able to find a shell for this program. WebDAV, phpMyAdmin, and DVWA are all built-in features in this application.


You may not be able to find the application’s GUI, but you can still use numerous tools via the terminal or command line to exploit it. You can look at its ports, services, and version, among other things. This will assist you in assessing your ability to learn the Metasploit tool.

Damn Vulnerable iOS App

DVIA is an iOS program that allows mobile security enthusiasts, experts, and developers to practice penetration testing. It has recently been re-released and is now freely available on GitHub.


Following the OWASP Top 10 mobile risks, DVIA contains typical iOS app vulnerabilities. It’s developed in Swift, and all vulnerabilities have been tested up to iOS 11. You’ll need Xcode to use it.

Some of the features available in DVIA are:

  • Jail-break detection
  • Phishing
  • Broken cryptography
  • Runtime manipulation
  • Application patching
  • Binary patching

OWASP Mutillidae II

Mutillidae II is an open-source and free program developed by OWASP. Many security enthusiasts have utilized it since it provides an easy-to-use online hacking environment. It features a variety of vulnerabilities as well as recommendations to help the user to exploit them. This web application is for you to brush up on your abilities if penetration testing or hacking is your pastime.

It contains a variety of vulnerabilities to test, including click-jacking, authentication bypass, and more. Its vulnerabilities section, also includes subcategories that provide further alternatives.


You’ll need to install XAMPP on your system. However, Mutillidae includes XAMPP. Even switching between secure and insecure modes is possible. Mutillidae is a complete lab environment that includes everything you need.

Web Security Dojo

WSD is a virtual machine with various tools such as Burp Suite and ratproxy and target machines (such as WebGoat). It’s an open-source training environment based on the Ubuntu 12.04 operating system. For some objectives, it also contains training materials and user guides.

You don’t need to run any other tools to use it; all you need is this VM. You’ll need to install and run VirtualBox 5 (or later) initially, or you can use VMware instead. Then, import the ova file into VirtualBox/VMware, and you’re done. It will have the same feel as any other Ubuntu OS.

YouTube video

This VM is ideal for self-study and learning by beginners, professionals, and teachers who want to teach about vulnerabilities.

Conclusion 😎

You must have hands-on experience with insecure applications before entering the professional realm of information security. It aids in the development of your abilities.

It also assists you in identifying and practicing your weak areas. By practicing ethical hacking on purpose-built applications, you will better understand your hacking abilities and where you stand in the security realm. It is beneficial to share information. You can use these web applications to show others how to spot typical web application flaws.

  • Ashlin Jenifa
    Hey there, my name is Ashlin, and I’m a senior technical writer. I’ve been in the game for a while now, and I specialize in writing about all sorts of cool technology topics like Linux, Networking, Security, Dev Tools, Data Analytics, and Cloud… read more
Thanks to our Sponsors
More great readings on Career
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.
    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder