How to Practice Your Hacking Skills


As with most things in life, practice makes perfect. If you are a hacker looking for practice or are new to hacking and want to know where it is legal to practice hacking, this guide will give you a huge range of sites and apps to practice hacking, without having to worry about the legalities.

So, whether you work in information security, are a developer, or are a pen tester, this guide will help you find the best sites to get some ethical hacking practice under your belt, free from worry and safe in the knowledge that these are legal sites where you can practice hacking to your heart's content.

What Is White Hat Hacking?

If you have heard the term ‘White Hat Hacker’ or ‘Ethical Hacker’, then you will understand the importance of this role and the integral duties performed using pen testing techniques in order to fully test organizational security capabilities and expose any potential threats or vulnerabilities.

The techniques used are exceptionally close to those used by illegal hackers who know how to hack a website. The results of the testing performed by an ethical hacker are then used to make organizational security more robust and to enable the organization to remediate any identified vulnerabilities.


Ethical Hacking Certification

Regardless of whether you want to perform ethical hacking practice techniques as a hobby or if you are looking to pursue a career in hacking, there are a number of certifications that you can attain which will help to solidify your knowledge. Of course, it goes without saying that there is no real substitute for hands-on practice, which is why learning how to practice hacking legally is paramount for those looking to learn how to hack a site, app or network.

There are lots of security-related IT certifications, along with Ethical Hacking certifications, that can really help you to get a handle on the systematic processes and problem-solving techniques that ethical hackers practice and use.

The Certified Ethical Hacker accreditation is also typically referred to as the CEH certification and is offered by the EC-Council. It is not specific to any particular vendor, and there is a great demand for CEH certified professionals. In terms of salary propositions for those with a CEH certification, the average salary is approximately $75,000 per annum. For many who work as an ethical hacker, their pay is handled on a ‘per-project’ basis, and this is estimated by the EC-Council to be anything between $15,000-$45,000 per project or assignment.

The Intermediate Certified Ethical Hacker accreditation specifically drills down on social engineering, trojans, enumeration, worms, SQL Injections, DoS, viruses, and other forms of common attack techniques. Another requirement that is expected from anyone who practices ethical hacking and wants this advanced certification is to have a demonstrable understanding and know-how about pen testing, cryptography, honeypots, firewalls, and more.

If you have no previous experience working as an ethical hacker, then the EC-Council suggests a week-long training class should be sufficient. To give yourself the best chance of achieving the ethical hacking practice you desire, along with gaining the Ethical Hacker Certification, a solid grounding in both Linux and Windows administration, along with a working understanding of virtualization platforms and TCP/IP, is also beneficial.

If you have experience working in an IT Security role, then you can take the self-study option in order to pass the Certified Ethical Hacker training course.

If you become a certified ethical hacker, this also means that you must only perform legal hacking activities, and upon completion of the accreditation you will be asked to sign and agree to the EC-Council's code of ethics and conduct.

SANS GIAC also offers a range of courses for those who are interested in practicing hacking skills and getting a certification to verify their ability to hack a site, app or network.

The GIAC Pen Tester Certification (GPEN) and the GIAC Exploit Researcher and Advanced Penetration Tester Certification (GXPN) are two notable qualifications for those looking to enter the world of employment as an Ethical Hacker.

Finally, Mile2 offers a range of Ethical Hacker Certifications. There is an entire series of Penetration Testing Hacking accreditations. These include the Certified Vulnerability Assessor Certification (CVA), the Certified Professional Ethical Hacker (CPEN), the Certified Penetration Testing Engineer (CPTE), and the advanced level accreditation known as the Certified Penetration Testing Consultant (CPTC).


How Can You Practice Hacking Legally?

There are many ways you can get practice hacking. Lots of people who are getting started with hacking will search for easy websites to DDoS, small websites to hack, SQL injection vulnerable sites, sites to hack, and other routes to help them understand how to hack into websites and what websites are best to test hacking skills.

For the majority of new white hats, practicing hacking skills is top of the list of things to do. After all, practice, practice, and more practice is one of the best ways to learn how to hack into a website. As many of you who are reading this will know all too well, there is a range of laws and rules that dictate exactly what actions you can take when you try to break a network, website or application.

In the next couple of sections, we will explain what White Hat basics you need to learn, along with giving you a comprehensive list of websites and applications you can use to legally practice your hacking skills. 


Which Websites Are Best to Test Hacking Skills in 2018?

This list will outline different sites and apps you can legally use to practice your hacking skills.


Damn Vulnerable iOS App (DVIA)

As the name suggests, this is an iOS application that has been deliberately built to be vulnerable. The primary purpose of the app is to provide security specialists, hackers, and students with a place where they can legally practice hacking in an iOS environment.

This particular app has been updated and works up to iOS 11 at the present date. The Damn Vulnerable iOS App is open-source, completely free of charge, and available in both Swift and Objective-C versions. Some of the primary challenges and vulnerabilities include:

  • Excessive Permission
  • Localized Data Storage
  • Anti-Hooking and Debugging
  • Jailbreak Detection
  • Binary Protection
  • Run-time Manipulation
  • Web View Challenges
  • Phishing
  • IPC Issues
  • Face ID Bypass
  • Side-Channel Data Leaks
  • Network Layer Security
  • Disrupted Cryptography
  • Application Patching
  • Third-Party Data Leaks
  • Personal and Sensitive Data in Memory
  • Touch ID Bypass

If you are a mobile application developer or plan to become one, then DVIA is an ideal platform to practice hacking legally as there are not many mobile apps out there which allow you to legally hack them.


Buggy Web Application

This is another free website to practice hacking skills legally. It is a deliberately insecure, open-source web application. The Buggy Web Application contains over one hundred problems, all of which are based on the OWASP Top Ten.

The Buggy Web Application has been purposely created to help individuals practice hacking skills and was created in PHP, using MySQL.


Google Gruyere

This site is filled with flaws and makes the perfect playground for those looking for places online to practice hacking legally. If you are new to hacking or just beginning to understand the topic of application security, it is a great place to start out!

The labs have three clear objectives.

  1. Understand how hackers can exploit applications on the web
  2. Learn about how hackers locate vulnerabilities
  3. Understand how you can prevent hackers from locating and exploiting vulnerabilities and security holes

Google Gruyere has a range of security concerns, some of which make it an ideal XSS vulnerable site for testing. These specific security bugs include cross-site request forgery, cross-site scripting, denial of service (DoS), data disclosure, and remote code execution.

The overall purpose of the ‘code lab’ is to serve as a guide to the discovery of security bugs and to help those looking to practice hacking legally find ways to learn how to fix such issues.

Gruyere is written in Python and provides opportunities for both white-box and black-box testing. It is a legal way to easily practice problem-solving and, of course, to practice those hacking skills.


HackThis!!

HackThis!! was originally created to help people learn how dumps, hacks, and defacement are handled. More importantly, it offers real and practical advice about how to secure a website from the advances of hackers.

This site is viewed as a playground and delivers more than fifty different levels, each offering varying levels of complexity. It also has a very active online community, which gives those who are interested in practicing their hacking skills somewhere to chat, learn, and get lots of useful updates and information along the way.


This is another popular place to practice hacking skills legally. This is a hub that provides a centralized location for hacking news, hacking forums, hacking tutorials and articles. Its primary goals are to help users of the site to learn about ethical hacking and provide a safe place for them to be able to practice hacking a site by completing a range of challenges.


Game of Hacks

Game of Hacks is a little bit different to some of the sites mentioned above that specifically help you to practice hacking legally. However, it has made the list because it is a highly engaging way to learn how to detect application security vulnerabilities. It is a great way to test your application security skills, and the format is quite nice too. For each question, a piece of code is presented, which may or may not contain a vulnerability. There is a timer, and it is your task to work out the issue before your time runs out. There is also a leaderboard, which adds a little element of competition and fun to the whole theme of practicing hacking.


Vicnum

If you are looking to find out how to hack online legally, then Vicnum offers a sequence of basic to advanced web applications that are founded on games. Due to the simplicity of the framework, these applications can be customized to cover a range of needs. So, for those looking for websites to hack, Vicnum is a superb choice for learning about application security in an enjoyable and fun way.

The main objective of the site, and the way it can help those looking to find sites to hack legally, is that it educates differing levels of users, developers, security managers, students, pen testers, and auditors. It teaches them what can go wrong within a web application, and it provides a fun way to help understand what can be done to rectify such issues.


McAfee HacMe Series

This is a group of sites that were launched by a division of McAfee’s professional services named Foundstone. The series was launched around ten years ago, in 2006, in a bid to help security professionals and penetration testers boost their knowledge of IT Security.

Every one of the simulated apps provides a true-to-life experience by exposing users to real vulnerabilities. Everything from reservations apps to mobile banking is covered. If you want to know how to practice hacking, then there is a range of sites that will help you to do that within the McAfee HacMe Series. The HacMe sites are listed below:

  • HacMe Casino
  • HacMe Bank
  • HacMe Shipping
  • HacMe Books
  • HacMe Travel
  • HacMe Bank – Android


Try2Hack

Try2Hack is probably one of the most long-standing hacking challenge sites still operating successfully to date. It provides an entire suite of security challenges that present those looking for sites to hack with a range of vulnerabilities to tackle.

Delivered in a game style, there is a range of layers and levels that can be selected based on their individual difficulty ratings. The purpose of the different levels in the Try2Hack site is to educate and entertain. There is a specific channel for those who are new and looking to learn how to hack. There is also a highly-active user community along with a forum for open discussion between members.


OverTheWire

This is another wargame-themed way to practice your hacking skills legally. It is perfect for all levels, from those who are new to hacking to security professionals and developers alike. OverTheWire allows users to practice a range of different security concepts. The Bandit level is where beginners should start; it is followed by higher levels of varying complexity that provide comprehensive exploits and bugs to patch as you progress through the different challenges.


This is a valid website to hack legally as it was created to be intentionally vulnerable. It is built for both Windows and Linux and is formulated with a range of PHP scripts that contain all of the top OWASP vulnerabilities and many others. It provides hints and tips along the way to help progression.


Root Me

If you want to test your hacking skills online, Root Me is a comprehensive way to practice hacking legally and offers more than two hundred different hacking challenges in more than fifty separate virtualized environments.


This is a safe place to learn hacking online and provides the ideal place for developers, ethical hackers, and other security professionals to test out common web application attacks. The layout is very intuitive and is set out as a gallery of images. You can simply select and download your chosen projects to help you learn about hacking and how to identify and limit prospective threats and issues. It is a little more serious than some of the other options on the list as it is not set up like a game.

It provides a comprehensive set of vulnerabilities to solve in a sensible manner and avoids downloading a hacking game.


WebGoat

WebGoat is considered to be one of the best OWASP projects to date. This is an intentionally insecure app that is very realistic. For practicing ethical hacking legally, this is a superb choice. Not only does it have an extremely realistic look and feel, but it also delivers structured lessons that help ethical hackers and security professionals learn about comprehensive application security issues.

You can get installs for Linux, Windows, and OSX Tiger.