If you’re an ethical hacker, it can be hard to put your skills to the test without harming anyone. Fortunately, there are resources that give you a sandbox to hack in, giving you a place to learn while also keeping it legal.
Here are some websites to test your mettle against without getting into trouble.
Google Gruyere is the web giant’s entry into the hacking world. The website is full of holes and uses “cheesy” code, hence its cheese-related name. Even the website is cheese-themed!
Once you’re ready to start, Google Gruyere will give you a few challenges to perform. Google Gruyere features deliberately weak and vulnerable code for you to exploit. The problems highlight these weak areas and give you a task to perform. For example, one challenge has you inject HTML alert boxes into the website’s snippets feature, which fire when the user loads the page.
If you get stuck on how to complete a challenge, don’t worry. Each mission comes with some hints to help prod you in the right direction. If these don’t help, you can view the solution and implement it yourself to get a feel of how the exploit works.
Not many websites actively invite you to hack them in their title, but HackThis is one exception. Of course, you’re not hacking the actual website, but it does give you challenges to try.
HackThis has a wide variety of challenges in different categories, so you’re bound to find something to test you. There are fundamental challenges and difficult challenges to try depending on your skill level. If you want to try busting simple CAPTCHA codes, there’s an entire segment for that.
There’s even a “Real” category which includes fun fictional scenarios where you hack a website for a client.
The best part about HackThis are the hints. Each puzzle has a dedicated hints page where you can talk to members of the forum and discuss where you’re going wrong. The members will never give you the solution so that you can figure it out yourself without spoilers.
While hacking websites are useful, there are some bugs and exploits that they can’t cover. For example, these websites can’t host challenges that involve taking down a website; if they did, nobody else would get a turn afterward!
As such, you’re best off performing more devastating attacks on a self-hosted server, so you don’t damage other people’s websites. If you’re interested in this area of hacking, try the buggy web app (bWAPP).
The main strength of bWAPP is its sheer number of bugs. It has over 100 of them, ranging from Direct Denial of Service (DDoS) weaknesses to Heartbleed vulnerabilities to HTML5 ClickJacking. If you want to learn about a specific vulnerability, there’s a good chance bWAPP has it implemented.
When you want to give it a shot, download it and run it on your target system. Once it’s running, you can launch attacks at it without worrying about annoying a webmaster.
Download: bWAPP (Free)
OverTheWire features wargames and warzones for more advanced hacking sessions. Wargames are unique hacking scenarios, usually with a little bit of story to spice things up. Wargames can be a competitive event between hackers, either as a race or by attacking each other’s servers.
While this may sound complicated and scary, don’t worry. The website still features lessons ranging from the basics to more advanced tricks. It does require a Secure Shell (SSH) connection to use, so be sure to learn SSH if you want to try OverTheWire. Thankfully, there are easy ways to set up SSH in Windows, so it shouldn’t be too big a hurdle.
OverTheWire has three primary uses. First, you can play through small games with increasing difficulty to learn how to hack. Once you’ve gained some skill, you can download wargames with unique backstories for a more immersive experience.
There’s also the warzone, which is an exclusive network designed to work just like an IPV4 internet. People can put vulnerable, hackable devices onto this network, and others can use them to practice their hacking skills.
At the time of writing, there is an exercise that replicates when Kevin Mitnick hacked computer expert Tsutomu Shimomura in 1995. Now you can put yourself in Mitnik’s shoes and see if you can crack the security yourself!
Another website that’s cordially inviting you to hack it, Hack This Site is a fantastic learning resource. It stretches from beginner-oriented lessons to hosting a dedicated phone line for phone phreak attacks.
Some of the missions have a little story to keep you engaged with the lessons. For example, people on the Basic course will go toe-to-toe with Network Security Sam. Sam is a forgetful man who’s adamant on storing his password on the website, so he never forgets it. Every time you crack his security and discover his password, he adds more security to his website.
The “realistic” exercises are also enjoyable. These are fake websites set up for you to hack with a specific goal in mind. You may be rigging a voting system to get a band to the top spot, or undoing the work of spiteful people who hacked into a peace poem site.
Each puzzle comes with a dedicated thread on the forums where you can get help. The problems and discussions have been around for a long time, and users have posted lots of helpful resources. Again, nobody will outright tell you the solution to each challenge, so you don’t have to worry about spoilers. If you’re willing to do some research, however, you’ll find their hints and tips more than enough to solve your puzzle.
Do These Websites Promote Illegal Hacking?
As you browse these websites, you may realize that malicious people can use these same skills for evil. Some of the “realistic” missions have you breaking into a library system or a band rating website, for example. It’s easy to assume these websites are training people to be evil agents.
The truth is, if these websites didn’t exist, nefarious hackers would still get their resources on the dark web. Meanwhile, website developers—the people who need to learn hacking techniques the most—wouldn’t have anywhere legal to learn and test these hacking techniques.
Developers would make the same errors over and over, while hackers would take advantage of them using the dark web to spread resources and tutorials.
As such, by making this information public, it gives web developers the practice they need to secure their websites. In an ideal world, all web designers will learn how to protect their websites this way, thus preventing malicious agents from using this knowledge for evil.
Learning How to Hack
If you want to learn how to hack, there’s no better way than to do some hacking yourself. Fortunately, you don’t need to target your local hairdresser’s website; give these legal hacking websites a try instead.
If you want to take your skills further, why not try an ethical hacking online class?