The following is a collection of vulnerable servers (VMs) or websites that you can use to practice your skills (sorted alphabetically).
- bWAPP
- CloudGoat
- Damn Small Vulnerable Web
- Damn Vulnerable ARM Router (DVAR)
- Damn Vulnerable iOS Application (DVIA)
- Damn Vulnerable Web App (DVWA)
- Damn Vulnerable Web Services
- Damn Vulnerable WordPress
- DOMXSS
- Extreme Vulnerable Node Application(XVNA)
- Game of Hacks
- Gruyere
- Hack This Site
- Hack This
- Hack Yourself first
- Hackazon
- HellBound Hackers
- Kubernetes Goat
- Metasploitable2
- Metasploitable3
- NodeGoat
- Over The Wire Wargames
- OWASP Juice Shop
- OWASP Mutillidae II
- Peruggia
- PortSwigger Web Security Academy
- RailsGoat
- RootMe
- Samurai Web Testing Framework
- Server-Side Request Forgery (SSRF) vulnerable Lab
- Snyk exploit-workshop
- Try2Hack
- Vicnum
- Vulnerable Single Sign-On (SSO)
- Web Security Dojo
- WebGoat
- XXE Lab
WebSploit Labs
- WebSploit Labs (created and maintained by Omar Ωr Santos)
- Mayhem – vulnerable container created by Omar Ωr for Mayhem 2020
- RTOV-Hackme – vulnerable container created by Omar Ωr for DEF CON 27
- RTV-Safemode – vulnerable container created by Omar Ωr for DEF CON Safemode
