If you’re an ethical hacker, it can be hard to put your skills to the test without harming anyone. Fortunately, plenty of websites teach you how to hack legally and give you a sandbox to try your skills in.
Here are some websites that teach you how to hack legally without getting into trouble.
1. Google Gruyere
Google Gruyere is a hackable website developed by the internet giant itself. The website is full of holes and uses “cheesy” code, a joke carried through in its cheese-themed name and website design.
Once you’re ready to start, Google Gruyere will give you a few challenges to perform. Google Gruyere features deliberately weak and vulnerable code for you to exploit.
The problems highlight these weak areas and give you a task to perform. For example, one challenge has you inject HTML alert boxes into the website’s snippets feature; the alerts fire when a user loads the page.
If you get stuck on how to complete a challenge, don’t worry. Each mission comes with some hints to help prod you in the right direction. If these don’t help, you can view the solution and implement it yourself to feel how the exploit works.
2. HackThis
Not many websites actively invite you to hack them in their title, but HackThis is one exception. Of course, you’re not hacking the actual website, but it does give you challenges to try.
HackThis has a wide variety of challenges in different categories, so you’re bound to find something to test you. There are fundamental challenges and difficult challenges to try depending on your skill level. If you want to try busting simple CAPTCHA codes, there’s an entire segment for that.
There’s even a “Real” category that includes fun fictional scenarios where you hack a website for a client.
The best part about HackThis is the hints. Each puzzle has a dedicated hints page where you can talk to members of the forum and discuss where you’re going wrong. The members will never give you the solution so that you can figure it out yourself without spoilers.
3. bWAPP
While hacking websites are useful, there are some bugs and exploits that they can’t cover. For example, these websites can’t host challenges that involve taking down a website; if they did, nobody else would get a turn afterward!
As such, you’re best off performing more devastating attacks on a self-hosted server so you don’t damage other people’s websites. If you’re interested in this area of hacking, try the buggy web app (bWAPP).
The main strength of bWAPP is its sheer number of bugs. It has over 100 of them, ranging from Distributed Denial of Service (DDoS) weaknesses to Heartbleed vulnerabilities to HTML5 ClickJacking. If you want to learn about a specific vulnerability, there’s a good chance bWAPP has it implemented.
When you want to give it a shot, download it and run it on your target system. Once running, you can learn how to hack legally without worrying about annoying a webmaster.
Download: bWAPP (Free)
4. OverTheWire
OverTheWire features wargames and warzones for more advanced hacking sessions. Wargames are unique hacking scenarios, usually with a little bit of story to spice things up. Wargames can be a competitive event between hackers, either as a race or by attacking each other’s servers.
While this may sound complicated and scary, don’t worry. The website still features lessons ranging from the basics to more advanced tricks. It does require a Secure Shell (SSH) connection to use, so be sure to learn SSH if you want to try OverTheWire. Thankfully, there are easy ways to set up SSH in Windows, so it shouldn’t be too big a hurdle.
OverTheWire has three primary uses. First, you can play through small games with increasing difficulty to learn how to hack. Once you’ve gained some skill, you can download wargames with unique backstories for a more immersive experience.
There’s also the warzone, an exclusive network designed to work just like an IPv4 internet. People can put vulnerable, hackable devices onto this network, and others can use them to practice their hacking skills.
At the time of writing, one exercise replicates Kevin Mitnick’s 1995 hack of computer expert Tsutomu Shimomura. Now you can put yourself in Mitnick’s shoes and see if you can crack the security yourself!
5. Hack This Site
Another website that’s cordially inviting you to hack it, Hack This Site is a fantastic learning resource. It stretches from beginner-oriented lessons to hosting a dedicated phone line for phone phreak attacks.
Some of the missions have a little story to keep you engaged with the lessons. For example, people on the Basic course will go toe-to-toe with Network Security Sam. He’s a forgetful man who’s adamant about storing his password on the website, so he never forgets it. Every time you crack his security and discover his password, he adds more security to his website.
The “realistic” exercises are also enjoyable. These are fake websites set up for you to hack with a specific goal in mind. You may be rigging a voting system to get a band to the top spot or undoing the work of spiteful people who hacked into a peace poem site.
Each puzzle comes with a dedicated thread on the forums where you can get help. The problems and discussions have been around for a long time, and users have posted many helpful resources.
Again, nobody will outright tell you the solution to each challenge, so you don’t have to worry about spoilers. If you’re willing to do some research, however, you’ll find their hints and tips more than enough to solve your puzzle.
Do These Websites Promote Illegal Hacking?
As you browse these websites, you may realize that malicious people can use these same skills for evil. Some of the “realistic” missions have you breaking into a library system or a band rating website, for example. It’s easy to assume these websites are training people to be evil agents.
The truth is, if these websites didn’t exist, nefarious hackers would still get their resources on the dark web. Meanwhile, website developers—the people who need to learn hacking techniques the most—wouldn’t have anywhere legal to learn and test these hacking techniques.
Developers would make the same errors repeatedly, while hackers would take advantage of them using the dark web to spread resources and tutorials.
As such, making this information public gives web developers the practice they need to secure their websites. In an ideal world, all web designers will learn how to protect their websites this way, thus preventing malicious agents from using this knowledge for evil.
Learning How to Hack
If you want to learn how to hack, there’s no better way than to do some hacking yourself. Fortunately, you don’t need to target your local hairdresser’s website; give these legal hacking websites a try instead.
If you want to take your skills further, why not try an ethical hacking online class? They can be a great way to learn from a teacher instead of going at it alone.