Safeguard
Security

Vulnerable Websites List: Legal Sites to Practice Security Testing

A curated vulnerable websites list of intentionally insecure apps and labs built for legal, hands-on security practice — plus the rules that keep your training from becoming a crime.

Yukti Singhal
Security Analyst
5 min read

A vulnerable websites list is a set of intentionally insecure applications built specifically so you can practice finding and exploiting flaws legally, in an environment you control or that explicitly authorizes testing. The single most important thing to understand up front: you may only test systems you own or have written permission to test. These training targets exist precisely so you never have to point your tools at a real production site. Doing that without authorization is a crime in most jurisdictions, regardless of intent, and no amount of "I was just learning" changes that.

With that boundary stated clearly, here is where to practice — organized by how you run them, because the safest option is almost always the one running on your own machine.

Run-it-yourself deliberately vulnerable apps

These you download and host locally, ideally in an isolated virtual machine or container with no bridge to sensitive networks. Self-hosting is the gold standard: nothing you do can affect anyone else.

  • OWASP Juice Shop — a modern JavaScript single-page app riddled with realistic flaws mapped to the OWASP Top 10. It is actively maintained, has a built-in scoreboard and progressive hints, and is the best starting point for web app practice.
  • Damn Vulnerable Web Application (DVWA) — a PHP/MySQL app with adjustable difficulty for classic categories like SQL injection, XSS, and file inclusion. A long-standing teaching staple.
  • OWASP WebGoat — a Java teaching app organized as guided lessons, strong for understanding why a flaw works rather than just triggering it.
  • bWAPP and Mutillidae II — broad catalogs of vulnerability types, useful for breadth once you have the fundamentals.

Run these behind a host-only network. A deliberately vulnerable app is, by definition, something you do not want reachable from the internet.

Hosted labs and structured platforms

When you would rather not manage infrastructure, several platforms host the targets for you and explicitly authorize your testing within their walls:

  • PortSwigger Web Security Academy — free, browser-based labs from the makers of Burp Suite, with excellent written material. Probably the best free structured web-security curriculum available.
  • Hack The Box and TryHackMe — gamified machines and guided rooms spanning web, network, and privilege-escalation practice, from beginner to advanced.
  • VulnHub — downloadable vulnerable VM images you import and attack locally, closer to full-machine compromise scenarios than single web apps.

The authorization on these platforms extends only to the targets they provide. Their scope rules are part of the terms you agree to, and staying inside them is not optional.

The rules that keep it legal

Practicing safely comes down to a few non-negotiables:

  1. Written authorization or self-ownership, always. If you did not build it and no one gave you explicit permission in writing, it is off-limits. "Publicly reachable" is not permission.
  2. Isolate self-hosted targets. Host-only networking, snapshots you can roll back, no shared credentials. A vulnerable app on your LAN is a foothold for anything else that finds it.
  3. Respect scope precisely. On a bug-bounty program or a hosted lab, the scope document defines exactly what and how you may test. Out-of-scope testing forfeits legal protection.
  4. Keep your tooling isolated too. Run scanners and proxies from a dedicated VM so a misconfiguration cannot reach a network you did not intend.

From breaking to defending

Learning to find flaws is most valuable when it changes how you build. Every category you practice on Juice Shop — injection, broken access control, misconfiguration — maps to a defensive control you can put into a real pipeline. The natural next step after exploiting SQL injection by hand is understanding why parameterized queries close it, which our SQL injection guide walks through. The next step after finding a vulnerable library in a lab app is scanning for those flaws automatically; a tool such as Safeguard surfaces vulnerable dependencies before they ship, and our SCA overview explains that side. The Academy ties offensive practice to the defensive patterns that come out of it.

That loop — break it in a lab, understand the fix, automate the detection — is what turns practice into a security skill instead of a party trick.

FAQ

Is it legal to use these vulnerable websites?

The purpose-built practice apps and hosted labs listed here are legal to use as intended — you self-host them or they explicitly authorize testing within their platform. It is never legal to test a site you do not own or lack written permission for, and these targets exist so you never need to.

Which vulnerable app is best for beginners?

OWASP Juice Shop for hands-on web practice and PortSwigger's Web Security Academy for structured lessons. Juice Shop's scoreboard and hints keep you moving; the Academy explains the underlying mechanics of each flaw class clearly.

Should I run these on my main machine?

No. Run self-hosted vulnerable apps in an isolated VM or container on a host-only network, with snapshots you can restore. They are intentionally insecure, so you never want them reachable from the internet or sharing a network with anything sensitive.

How does practicing on these help me build securely?

Each vulnerability class you exploit maps to a concrete defense — parameterized queries for injection, access-control checks for broken authorization, dependency scanning for vulnerable libraries. Practicing the attack makes the reason for each control obvious, which is the point.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.