Free web security learning from the makers of Burp Suite. Interactive labs, guided learning paths, and community solutions. The gold standard for web security practice.
Practice Resources
Free, intentionally vulnerable apps and interactive labs designed for safe, legal web security practice. Never test systems you don't own or have explicit permission to test.
All resources on this page are intentionally vulnerable apps and labs designed for safe practice. Do not use Burp Suite or any web security tool against systems you do not own or have explicit written permission to test. Testing systems without authorization is illegal and unethical.
Practice Labs
These platforms are specifically designed for web security training. They are safe, legal, and beginner-friendly.
OWASP Juice Shop: a modern, full-featured, intentionally vulnerable web application that you run locally via Docker or Node.js. It covers the OWASP Top 10 vulnerability classes and beyond.
OWASP WebGoat: a deliberately insecure application from OWASP with structured lessons for each vulnerability type. Good for learning with step-by-step guidance.
A hands-on cybersecurity training platform with web challenges, vulnerable machines, and guided learning paths. Free tier available.
Beginner-friendly cybersecurity training rooms with guided walkthroughs. Many rooms are free and cover web security concepts step by step.
Damn Vulnerable Web Application — a classic intentionally vulnerable PHP/MySQL app. Great for practicing with different difficulty levels in a local environment.
Reference Resources
Essential references for understanding the vulnerabilities you encounter while practicing.
OWASP Top 10: the standard awareness document for web application security risks. Essential reading for understanding the most common and impactful vulnerability classes.
The official NIST CVSS v3.1 calculator for scoring vulnerabilities by severity. Useful for understanding how severity ratings are determined.
In-depth written guides covering nearly every web vulnerability type. Each topic links to interactive labs for hands-on practice.
Always Practice Legally and Ethically
- Use only the intentionally vulnerable apps and platforms listed above for practice.
- Never scan, fuzz, exploit, or intercept traffic on systems you don't control or have written authorization to test.
- Unauthorized access to computer systems is illegal under the Computer Fraud and Abuse Act and similar laws worldwide.
- When in doubt, stick to local apps (Juice Shop, WebGoat, DVWA) running on your own machine.
Ready to start testing?
Follow the getting started guide to install Burp Suite and intercept your first request against an authorized lab.