Navigating the Digital Realm with Code and Security – Where Programming Insights Meet Cyber Vigilance. | The end is the beginning
IHA089
Toolkit / Simulation & Learning Labs / Vulnerable Web Apps
DVWA

DVWA is the timeless playground for web hacking newbies, a PHP app packed with adjustable security levels to practice SQL injections, XSS, and CSRF without real-world risks. Fire it up via Docker or XAMPP on your local machine, ramp up the difficulty as you master payloads, and watch your skills sharpen through hands-on labs. Open-source and endlessly tweakable, it's the cozy sandbox where aspiring pentesters cut their teeth on classic vulns.

OWASP Juice Shop

Juice Shop is the slick, modern e-commerce facade hiding a trove of OWASP Top 10 vulns, from broken auth to server-side injections, all wrapped in a Node.js app that's a joy to deploy and dissect. Spin it locally with npm or Docker, chase challenges via its built-in scoreboard, and learn by breaking—and fixing—realistic scenarios. Open-source from OWASP, it's the engaging lab that turns vuln hunting into an addictive game.

WebGoat

WebGoat is OWASP's Java-based bootcamp, serving up guided lessons on everything from session hijacking to access control flaws through interactive, story-driven challenges. Deploy it as a WAR file in Tomcat for a self-paced curriculum that explains concepts before you exploit them, making it ideal for structured learning. Open-source and evolving, it's the patient teacher that builds confidence one vuln at a time.

Mutillidae II

OWASP Mutillidae II is the forgiving PHP lab mirroring the OWASP Top 10, with hints and source code views to demystify attacks like command injection and file inclusions for beginners. Run it on a LAMP stack or Docker, toggle security levels to match your progress, and track your conquests with its scoring system. Open-source and hint-heavy, it's the supportive tutor that encourages experimentation without frustration.

bWAPP

bWAPP is the bee's knees of buggy web apps, a PHP/MySQL beast with over 100 vulns from A1 to A10, letting you buzz through SQLi, XSS, and more in a single, easy-to-install package. Set it up via XAMPP and dive into categorized exercises, complete with explanations to solidify your takeaways. Open-source and vuln-dense, it's the exhaustive gym for web warriors honing diverse skills.

SQLi Labs

SQLi Labs is the laser-focused dojo for mastering SQL injection flavors, from blind to time-based, across 50+ progressively tricky challenges in a clean PHP setup. Clone the repo, spin up with Apache, and work through error-based exploits to union queries at your own pace. Open-source and methodical, it's the drill sergeant that turns SQL noobs into injection ninjas.

XSS Game

Google's XSS Game is the interactive arcade of cross-site scripting, with six escalating levels teaching DOM-based and reflected attacks through clever puzzles and code snippets. Play it straight in your browser—no setup needed—and unlock hints or solutions as you go, blending fun with fundamentals. Free and gamified, it's the bite-sized brain-teaser for anyone leveling up client-side exploits.

VulnHub VMs

VulnHub is the treasure trove of downloadable VMs loaded with web vulns, from DVWA-integrated boxes to custom CTFs, challenging you to enumerate and pwn in full-stack sims. Grab a VM, boot in VirtualBox, and hunt for flags across realistic networks at your leisure. Community-curated and free, it's the immersive adventure park for self-taught hackers.

PortSwigger Web Security Academy

PortSwigger's Academy is the free, browser-based dojo with 200+ labs on Burp Suite-integrated vulns, from prototype pollution to JWT attacks, complete with walkthroughs. Dive in without installs, solve hands-on challenges, and earn certs to validate your progress. Expert-curated and practical, it's the structured path from novice to pro in web app pentesting.

TryHackMe Web Rooms

TryHackMe's web-focused rooms are guided, gamified labs deploying vulnerable apps like Juice Shop clones in the cloud, teaching enumeration to exploitation step-by-step. Join via browser or VPN, follow interactive paths, and collaborate on Discord for tips. Subscription-based but affordable, it's the social classroom for solo learners building real-world web hacking muscle.
