# Vulnerable Apps, Servers, and Websites The following is a collection of vulnerable servers (VMs) or websites that you can use to practice your skills (sorted alphabetically). - [bWAPP ](https://sourceforge.net/projects/bwapp/files/bWAPP) - [CloudGoat](https://github.com/RhinoSecurityLabs/cloudgoat) - [Damn Small Vulnerable Web](https://github.com/stamparm/DSVW) - [Damn Vulnerable ARM Router (DVAR)](http://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html) - [Damn Vulnerable iOS Application (DVIA)](http://damnvulnerableiosapp.com) - [Damn Vulnerable Web App (DVWA)](https://github.com/ethicalhack3r/DVWA) - [Damn Vulnerable Web Services](https://github.com/snoopysecurity/dvws-node) - [Damn Vulnerable WordPress](https://github.com/vavkamil/dvwp) - [DOMXSS](http://www.domxss.com/domxss/) - [Extreme Vulnerable Node Application(XVNA)](https://github.com/vegabird/xvna) - [Game of Hacks](http://www.gameofhacks.com) - [Gruyere](https://google-gruyere.appspot.com) - [Hack This Site](https://www.hackthissite.org) - [Hack This](https://www.hackthis.co.uk) - [Hack Yourself first](https://hack-yourself-first.com/) - [Hackazon ](https://github.com/rapid7/hackazon) - [HellBound Hackers](https://www.hellboundhackers.org) - [Kubernetes Goat](https://github.com/madhuakula/kubernetes-goat) - [Metasploitable2 ](https://community.rapid7.com/docs/DOC-1875) - [Metasploitable3 ](https://blog.rapid7.com/2016/11/15/test-your-might-with-the-shiny-new-metasploitable3/) - [NodeGoat](https://github.com/owasp/nodegoat) - [Over The Wire Wargames](http://overthewire.org/wargames) - [OWASP Juice Shop ](https://www.owasp.org/index.php/OWASP_Juice_Shop_Project) - [OWASP Mutillidae II](https://sourceforge.net/projects/mutillidae) - [Peruggia](https://sourceforge.net/projects/peruggia) - [PortSwigger Web Security Academy](https://portswigger.net/web-security) - [RailsGoat](https://github.com/OWASP/railsgoat) - [RootMe](https://www.root-me.org) - [Server-Side Request Forgery (SSRF) vulnerable Lab](https://github.com/incredibleindishell/SSRF_Vulnerable_Lab) - [Snyk exploit-workshop](https://github.com/snyk/exploit-workshop) - [Try2Hack](http://www.try2hack.nl) - [VAmPI - vulnerable API](https://github.com/erev0s/VAmPI) - [Vicnum](http://vicnum.ciphertechs.com) - [Vulnerable Single Sign-On (SSO)](https://github.com/dogangcr/vulnerable-sso) - [WebGoat](https://github.com/WebGoat/WebGoat) - [XXE Lab](https://github.com/jbarone/xxelab) - [Pentest-Ground](https://pentest-ground.com) ## WebSploit Labs - [WebSploit Labs (created and maintained by Omar Ωr Santos)](https://websploit.org) - [Mayhem - vulnerable container created by Omar Ωr for Mayhem 2020](https://websploit.org) - [RTOV-Hackme - vulnerable container created by Omar Ωr for DEF CON 27](https://websploit.org) - [RTV-Safemode - vulnerable container created by Omar Ωr for DEF CON Safemode](https://websploit.org) ## Learning Platforms and VMs - [VulnHub](https://www.vulnhub.com) ### Commercial (with free tiers) - [Hack the Box](https://www.hackthebox.eu/) - [TryHackMe](https://tryhackme.com/) - [PentesterLab](https://pentesterlab.com/) ## Commercial Learning Providers (require registration) - [O'Reilly](https://www.oreilly.com/) - access to thousands of books, learning paths, video courses, labs, and live training. - [CyberPython](https://pythoncyber.go.ro/) - [eLearn Security](https://www.elearnsecurity.com/)