WarGames–platforms to practice and improve hacking skills

Question

Do you know of any good free platform in which we can practice different attack vectors and vulnerabilities such as XSS, SQL injection, low-level hacking, reverse engineering, etc.?

For example, I liked Smash The Stack back then. (Note: it's not recommended to get into the Tags section, Just SSH to the server and start to play).

Answer 1

Depending on what you call "online", a simple Google search on "damn vulnerable" will reveal the existence of freely downloadable applications of even full OS, meant for, indeed, learning all the ways software can be horribly vulnerable. One of them is Damn Vulnerable Web App, which is, you guessed it, a damn vulnerable Web app. There also used to be a full OS called Damn Vulnerable Linux; it is apparently discontinued (though of course lack of security patches was the point of it) but this question discusses replacements.

These are not "online machines" for you to hack, but you can download them and install them on a virtual machine on your own computer, which can be done for free (there are good free VM solutions, e.g. VirtualBox) and is a lot more flexible than an online target; it will teach you more since you can modify it and reset it at will.

All these resources are subject to obsolescence, modification and replacement, so the important point of this answer is to give the correct keywords for searching. And these keywords are "damn vulnerable".

Answer 2

These are all that i recommend.

Web Vulnerability
1. Webgoat(Recommend) - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
2. EnigmaGroup(WarGame) - http://www.enigmagroup.org
3. Mutillidae(Good) http://sourceforge.net/projects/mutillidae/
4. DVWA (not so good) http://www.dvwa.co.uk/

OS Vulnerability
5. Metasploitable(Recommend) - http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
6. Exploit Exercises(Very good) https://exploit-exercises.com/
7. HowToForge (Specific)

Answer 3

I've been trying to maintain a list of useful resources for Security Enthusiasts on my personal website. Here's a part of it:

Web Application Security

• Browser Security Handbook - By Michal Zalewski
• Google Gruyere - Web Application Exploits and Defenses - a small, cheesy web application that allows its users to publish snippets of text and store assorted files.
• Google's XSS game - In this training program, you will learn to find and exploit XSS bugs
• Damn Vulnerable Web Application (DVWA) - an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment

Memory Exploits

• David Brumley's lecture notes on Exploits and Control Flow Hijack Defenses
• University of Maryland's Software Security course on Coursera - explores the foundations of software security and covers important (and common) software vulnerabilities such as buffer overflows, SQL injection, and session hijacking
• Embedded Security CTF - You've been given access to a device that controls a lock. Your job: defeat the lock by exploiting bugs in the device's code.

Books

• The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws - Amazon Link

Answer 4

You can find platforms that provide so-called wargames, such as OverTheWire.

In such games, you have an SSH access to a public machine with custom vulnerable software that you must exploit in order to progress further.

Answer 5

There is a polish platform: rozwal.to.

The name in english means "destroy.it". There is about 50 tasks which vary with needed skill level and the subject (XSS, Injections, SQLi, Steganogrpahy, bitcoins etc.).

The big advantage is that you don't need to install anything, you just simply open pages and hack them.

It has also a ranking so you can compare your skills with others.