There are several platforms and websites that allow legal hacking and penetration testing. These sites give cybersecurity professionals and enthusiasts an opportunity to test their skills in a controlled environment, without the risk of violating any laws. Below are some popular legal hacking platforms. (This list can change at regular intervals; please read each site's privacy policy and terms of service before testing.)
https://github.com/webpwnized/mutillidae
https://google-gruyere.appspot.com
https://www.root-me.org/?lang=en
https://overthewire.org/wargames
https://github.com/prateek147/DVIA-v2
https://github.com/WebGoat/WebGoat
Below are some more popular legal hacking platforms:
1. Bug Bounty Programs
- Many companies offer bug bounty programs where ethical hackers can legally test their systems for vulnerabilities. Examples include:
  - HackerOne: A platform connecting companies with ethical hackers. You can legally hack participating organizations' systems in exchange for rewards.
  - Bugcrowd: Similar to HackerOne, Bugcrowd allows you to find bugs and earn rewards from participating companies.
2. Vulnerable by Design Websites
These websites are created specifically to be vulnerable and are designed for training and practice purposes:
- DVWA (Damn Vulnerable Web Application): A PHP/MySQL web application vulnerable to common web attacks.
- bWAPP (Buggy Web Application): A free and open-source vulnerable web app for learning security testing techniques.
- WebGoat: A deliberately insecure web application maintained by OWASP for educational purposes.
  - Website: https://owasp.org/www-project-webgoat
3. Capture the Flag (CTF) Platforms
- Hack The Box: An online platform that offers CTF challenges and penetration testing environments. Users can legally attempt to hack into virtual machines and solve security-related puzzles.
- TryHackMe: An interactive platform offering hands-on training in cybersecurity. It includes various challenges, CTFs, and practical labs.
- OverTheWire: A collection of war games where users solve hacking challenges and puzzles to enhance their skills.
4. Vulnerable Cloud Platforms
- Google Cloud Platform (GCP) Vulnerability Reward Program: Google offers bug bounty programs for its cloud services where ethical hackers can legally test GCP infrastructure.
- Microsoft Bug Bounty Program: Offers rewards for finding vulnerabilities in Microsoft products and services, including Azure and Office 365.
5. Self-Hosted Vulnerable Environments
- Metasploitable: A vulnerable virtual machine maintained by Rapid7, designed for penetration testing practice with tools like Metasploit.
  - Website: https://sourceforge.net/projects/metasploitable
- VulnHub: A platform offering downloadable vulnerable VMs that you can run locally to practice penetration testing.
6. Open Bug Bounty
- A non-profit platform where ethical hackers can report web vulnerabilities to participating websites. It promotes responsible disclosure.
By participating in these platforms, ethical hackers can test their skills, gain experience, and even earn rewards or recognition, all while staying within the boundaries of the law.