Paid Advertising
web application security lab

Hacking Without All the Jailtime

There’s been more and more legislation put in place to try to discourage hacking in general, and even tool development. Not that I think it’ll lead to many prosecutions anywhere, but nevertheless, it’s always nice to have a place to test. I got an email from one of my readers asking about the hackme series:

Hello and thank you for an awesome blog, and a daily read.

I while back you mentioned some “ready-made” websites that were used in the web app sec sphere to test scanners and specific tools. More specifically you mentioned 2, one of which that was somewhat depreciated, but still had some educational value. I’ve been looking though your posts, but I have had no success finding this entry.

I’ll do one better - here’s a short list I compiled that includes a lot of the more popular tools for ethical testing, without all the muss and fuss of prison time. If you want to hone your skills or just have some fun at work, try these out (in no particular order):

If there are others that should be added to this list, please drop me a line and I’ll add them. I hope everyone had a good April 1st and that insurance covers whatever was damaged. ;)

25 Responses to “Hacking Without All the Jailtime”

  1. Ensey Says:


  2. Just Someone Says:

  3. Andre Gironda Says:

    I thought it was more fun to load WebGoat into the Fortify SCA 4 demo that came with the book, “Secure Programming with Static Analysis”. I didn’t call it hacking though. YMMV.

  4. ha.ckers.phan Says:

    1. kinda like hackthissite dot org has some leet missions…
    2. these are like teh sexiest wargames I’ve ever played :)
    3. check it out yourself ;)
    4. Since you mentioned OWASP’s WEBGOAT, add they have these own-the-box-running-a-vunlerable-live-cd livecds

  5. mubix Says:

    IronGeek has also developed one based on OWASPs Top 10 vulns called Mutillidae:

  6. ChosenOne Says:

    thanks, that’ll keep me busy during the semester break ;)

  7. Kyo Says:

    Not quite the same, but my XSS sandbox ( ) is supposed to help you recreate conditions on a site and test injections without actually injecting the site. I guess that’s semi-relevant

  8. Kyo Says:

    Argh, wrong url, I meant to write

  9. Eric Says:

    Watchfire created a live site to test AppScan that you can use.

  10. RSnake Says:

    Thanks everyone, I added all your recommendations in. And if you have any others, just let me know and I’ll throw them in over time.

  11. Brian Says:

    They help get people started, teaching the basics and whatnot.

  12. Jordan Says:

    Only has a few web-appsec specific ones (mostly PHP), but lots of random challenges. Fairly fun.

  13. Stacy Says:

    How about badstore?
    It’s a 10MB bootable ISO image so you can study in an isolated environment.

    Registration required to download

  14. Milen Rangelov Says:

  15. thornmaker Says: is it ‘later’ yet? :)

  16. Rhonda Says:

    All courtesy of IronGeek!


  17. Spyware Says:

    Note to all people who might visit Hellboundhackers (HBH): When posting an introduction thread, it might be a wise idea to tell HBH you were referenced there by this blog. Otherwise someone, or more likely, I, might end up putting two bullets in your end before I come to the conclusion you aren’t ‘just a noob’. HBH has some… audience issues.

  18. rki Says: - RootContest has been reborn from the ashes and is back with a new team, a new set of challenges, a new philosophy and a goal to provide the best hacker war games the interwebs has ever seen. RootContest is a free, legal, hacker war-game web site. The challenges hosted here involve exploiting security vulnerabilities on *nix based servers. Hackers may work individually or as a team in order to capture and control remote servers. The RootContest application is a distributed, multi-user challenge driven web application. Technology and security challenges are made available to web clients and progress is tracked through a point system. Challenges include network based attacks, operating system attacks, application attacks, logic challenges, and other security focused scenarios. RootContest is unique in the respect that participants have the opportunity to completely take over and root a remote system, retain control of the system, and defend the system against external threats.

  19. Toaster Says:
    It’s a Linux Distribution developed to be “damn vulnerable”

  20. Jabra Says:


    provided the following additional resources:

    Cenzic (live) -
    Acunetix (live) -
    Updated HackmeBank -
    Stanford SecuriBench -
    SecuriBench Micro -
    OWASP SiteGenerator -

  21. anonymous Says:

    here is another one:

  22. anonymous Says:

  23. mattjay Says:

    Thanks for this list! it’s proving helpful for me. I’m working my way through WebGoat.

  24. Jeremiah Blatz Says:

    I cut my teeth on back in the day.

  25. Anonymous Coward Says:

    I’m a little surprised to see has not been mentioned.