Apps To Test – Hacking Vulnerable Web Applications

Want to go further with your testing skills and test for application vulnerabilities?

Want to know how hackers do it?

The best approach is to have test applications prepared for the purpose.

Here’s a list of applications that anyone is welcome to hack as much as they like.

Go and test for vulnerabilities and exploit these web applications.

1. Gruyere


This codelab is built around Gruyere /ɡruːˈjɛər/ – a small, cheesy web application that allows its users to publish snippets of text and store assorted files. “Unfortunately,” Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.

2. | | is a FREE, community based project powered by eLearnSecurity.
The community can build, host and share vulnerable web application code for educational and research purposes.
It aims to be the largest collection of “runnable” vulnerable web applications, code samples and CMS’s online.

The platform is available without any restriction to any party interested in Web Application Security:

  • students
  • universities
  • researchers
  • penetration testers
  • web developers

3. Altoro Mutual

The Altoro Mutual website is published by IBM Corporation for the sole purpose of demonstrating the effectiveness of AppScan in detecting web application vulnerabilities and website defects. IBM offers a free trial of AppScan that you can download and use to scan this website. This site is not a real banking site.

Similarities, if any, to third party products and/or websites are purely coincidental. This site is provided “as is” without warranty of any kind, either express or implied. IBM does not assume any risk in relation to your use of this website.

For additional Terms of Use, please go to Terms of Use on

4. OWASP – |


The Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities for those interested in:

  • learning about web application security
  • testing manual assessment techniques
  • testing automated tools
  • testing source code analysis tools
  • observing web attacks
  • testing WAFs and similar code technologies

All the while saving people interested in doing either learning or testing the pain of having to compile, configure, and catalog all of the things normally involved in doing this process from scratch.

5. LAYAKK | @layakk


Layakk is a company that is dedicated to providing the most advanced security services and products to customers.

Founded in 2013 by Jose Pico and David Perez, the company’s strategy is based on two pillars: research and engineering.

6. DinoSec | @dinosec

DinoSec is an independent information security company established in Spain in 2008, with a worldwide service scope, focused on improving its customers’ information security stance by discovering and eliminating or mitigating the real risks that threaten their information technology infrastructures, applications, devices, systems and networks.

To achieve this goal, DinoSec’s portfolio includes specialized information security services, requiring an in-depth technical knowledge and broad understanding of the information technology market, as well as advanced research services and training services, focused on providing customers with self-defence skills.

DinoSec remains at the forefront of the security market through continuous research and education activities.

The company’s core values, the foundation for all its services, are based on the following main tenets: excellence, quality, honesty, knowledge sharing, independence, and innovation.

7. Raúl Siles | @raulsiles

Raul Siles is a senior Independent Security Consultant specializing in advanced security solutions and prevention, detection and response services in various industries (government, defense, telecom, manufacturing, financial, healthcare…).

Raul’s expertise and service offerings include security architecture design and review, penetration tests, incident handling, forensic and malware analysis, network, system, database and application security assessments and hardening, code security reviews, wireless security, honeynet solutions, intrusion detection/prevention, expert witness, information security management and security awareness and training (through The SANS Institute).

Rogerio da Silva

Test Analyst (ISTQB-ISEB Certified Tester) | Test Lead | Business Test Analyst | Entrepreneur | Investor Share, Stocks, Forex and Cryptocurrency | Social Media Marketing | Social Media Management | Website Consulting & Revision | Email Consulting (Funnel Setup) Rogerio da Silva is a Consultant as a day job and big fan of personal development and entrepreneurship. Feel free to follow him on LinkedIn, Twitter, Facebook Page, Tumblr, Google+ to talk about ideas, investments, business opportunities in UK and Brazil.
