27

Do you know of any good free platform in which we can practice different attack vectors and vulnerabilities such as XSS, SQL injection, low-level hacking, reverse engineering, etc.?

For example, I liked Smash The Stack back then. (Note: it's not recommended to get into the Tags section; just SSH to the server and start to play.)

0x90
  • It's still a very valid and useful tool. I myself still recommend it regardless of it not being actively updated. – schroeder Jul 29 '15 at 22:03
  • https://www.hackthissite.org/ – Petah Jul 29 '15 at 23:26
  • http://overthewire.org/wargames/ http://security.stackexchange.com/questions/3592/what-hacking-competitions-challenges-exist – YoMismo Jul 30 '15 at 14:08
  • Check out: https://security.stackexchange.com/questions/64884/replacement-for-dvl-damn-vulnerable-linux – 0x90 May 10 '20 at 00:06

5 Answers

22

Depending on what you call "online", a simple Google search on "damn vulnerable" will reveal the existence of freely downloadable applications or even full OS, meant for, indeed, learning all the ways software can be horribly vulnerable. One of them is Damn Vulnerable Web App, which is, you guessed it, a damn vulnerable Web app. There also used to be a full OS called Damn Vulnerable Linux; it is apparently discontinued (though of course lack of security patches was the point of it) but this question discusses replacements.

These are not "online machines" for you to hack, but you can download them and install them on a virtual machine on your own computer, which can be done for free (there are good free VM solutions, e.g. VirtualBox) and is a lot more flexible than an online target; it will teach you more since you can modify it and reset it at will.

All these resources are subject to obsolescence, modification and replacement, so the important point of this answer is to give the correct keywords for searching. And these keywords are "damn vulnerable".

Thomas Pornin
16

These are all that I recommend.

Web Vulnerability
1. WebGoat (Recommend) - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
2. EnigmaGroup (WarGame) - http://www.enigmagroup.org
3. Mutillidae (Good) - http://sourceforge.net/projects/mutillidae/
4. DVWA (not so good) - http://www.dvwa.co.uk/

OS Vulnerability
5. Metasploitable (Recommend) - http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
6. Exploit Exercises (Very good) - https://exploit-exercises.com/
7. HowToForge (Specific)

PypeRanger
7

I've been trying to maintain a list of useful resources for Security Enthusiasts on my personal website. Here's a part of it:

Web Application Security

  • Browser Security Handbook - By Michal Zalewski
  • Google Gruyere - Web Application Exploits and Defenses - a small, cheesy web application that allows its users to publish snippets of text and store assorted files.
  • Google's XSS game - In this training program, you will learn to find and exploit XSS bugs
  • Damn Vulnerable Web Application (DVWA) - an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment

Memory Exploits

Books

  • The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws - Amazon Link
Rahil Arora
3

You can find platforms that provide so-called wargames, such as OverTheWire.

In such games, you have SSH access to a public machine with custom vulnerable software that you must exploit in order to progress further.

yoann
1

There is a Polish platform: rozwal.to.

The name in English means "destroy.it". There are about 50 tasks which vary with needed skill level and the subject (XSS, Injections, SQLi, Steganography, bitcoins etc.).

The big advantage is that you don't need to install anything, you just simply open pages and hack them.

It also has a ranking so you can compare your skills with others.

boleslaw.smialy