Apps To Test – Hacking Vulnerable Web Applications

Want to go further with your test skills and test for applications vulnerabilities?

Want to know how hackers do?

The best thing is having test applications prepared to do so.

Here’s a list of applications that are happy for anyone to go and hack as much as you can.

Go and test for vulnerability and exploit these web applications.

1. Altoro Mutual

Altoro Mutual|

Altoro Mutual |

IBM Corporation published the Altoro Mutual website for the sole purpose of demonstrating the effectiveness of AppScan in detecting web application vulnerabilities and website defects. IBM offers a free trial of AppScan that you can download and use to scan this website. This site is not an accurate banking site.

Similarities, if any, to third party products and websites are purely coincidental. This site is provided “as is” without warranty of any kind, either express or implied. IBM does not assume any risk concerning your use of this website.

For additional Terms of Use, please go to Terms of Use on

2. Gruyere

Gruyere |

Gruyere |

This code lab is built around Gruyere /ɡruːˈjɛər/ – a small, cheesy web application that allows its users to publish snippets of text and store assorted files. “Unfortunately,” Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery to information disclosure, denial of service, and remote code execution. The goal of this code lab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.

3. | | is a FREE, community-based project powered by eLearnSecurity.
The community can build, host and share vulnerable web application code for educational and research purposes.
It aims to be the most extensive collection of “runnable” vulnerable web applications, code samples and CMS’s online.

The platform is available without any restriction to any party interested in Web Application Security:

  • students
  • universities
  • researchers
  • penetration testers
  • web developers





The Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities for those interested in:

  • learning about web application security
  • testing manual assessment techniques
  • testing automated tools
  • testing source code analysis tools
  • observing web attacks
  • testing WAFs and similar code technologies

All the while saving people interested in either learning or testing the pain of having to compile, configure, and catalogue all of the things typically involved in doing this process from scratch.


Twitter: @layakk

LAYAKK | ( @layakk

LAYAKK | ( @layakk


Layakk is a company that is dedicated to providing the most advanced security services and products to customers.

Founded in 2013 by Jose Pico and David Perez, the company’s strategy is based on two pillars: research and engineering.

6. DinoSec

Twitter: @dinosec

DinoSec | ( @dinosec

DinoSec | ( @dinosec

DinoSec is an independent information security company established in Spain in 2008, with a worldwide service scope, focused on improving its customer’s information security stance by discovering and eliminating or mitigating the real risks that threaten their information technology infrastructures, applications, devices, systems and networks.

DinoSec’s portfolio includes specialized information security services, requiring in-depth technical knowledge and broad understanding of the information technology market and advanced research and training services focused on providing customers with self-defence skills.

DinoSec remains at the forefront of the security market through continuous research and education activities.

The company core values, the foundation for all its services, are based on the following central tenets: excellence, quality, honesty, knowledge sharing, independence, and innovation.

7. Raúl Siles

Twitter: @raulsiles

Raúl Siles | @raulsiles

Raúl Siles | @raulsiles

Raul Siles is a senior Independent Security Consultant specializing in advanced security solutions and prevention, detection and response services in various industries (government, defence, telecom, manufacturing, financial, healthcare).

Raul’s expertise and service offerings include security architectures design and review, penetration tests, incident handling, forensic and malware analysis, network, system, database and application security assessments and hardening, code security reviews, wireless security, honeynets solutions, intrusion detection/prevention, expert witness, information security management and safety awareness and training (through The SANS Institute).


  • Rogerio da Silva

    Rogerio da Silva is a Brazilian who lives in the UK for a little over two decades. He is the owner of a test consulting and outsources services for software development. He likes to blog, write and create content that teaches others how to live a better life.  He loves reading biographies of successful authors and dream builders because they inspire him to keep creating!
    You can contact Rogerio for anything related to Business & Test Analyst | Microsoft Dynamics 365 CRM | QA | Agile | Manual | Integration & Automation | DevOps | API | Cloud | AI | IoT | CRM | Website Consulting | Email Consulting | Facebook Ads | Social Media Marketing Plan | Sales Funnel | Looking for Scalable Services? InShore, OffShore or Hybrid. Interested? Ask me how we can help. da Silva Rogerio

Leave a reply


Now available on amazon prime

eBook (Amazon)

The Testers Book - An Unconventional Way to Software Testing - Revised Edition

Paperback (