training resources

I have come across numerous useful training resources over the years and will continue to list them here as I uncover more.

I. Free training

Web application

Damn Vulnerable Web App (DVWA) – Purposely vulnerable PHP/MySQL web application:

LAMP Security project:

Damn Vulnerable Node Application (DVNA) – purposely vulnerable node.js application:

Hackazon – simulated online store with an AJAX interface using RESTful APIs:

OWASP Broken Web Applications Project 1.2 – a variety of vulnerable web applications to test:

OWASP Appsec Tutorial Series:

bWAPP – Buggy PHP app with over 100 issues, to self-configure in a LAMP or WAMP environment:

Pre-installed in Linux VM:

Damn Vulnerable Thick Client (DVTA) – purposely vulnerable thick client application developed in C# .NET:

Lessons for DVTA:

OWASP Juice Shop – purposely vulnerable Node.js and Angular application:


Testing environment setup:

Damn Vulnerable iOS App (DVIA):

Lessons for DVIA:

OWASP iGOAT Project:

OWASP GoatDroid Project:

OWASP WebGoat Project:

OWASP Mobile Top Ten:

Damn Vulnerable Android App:

Setup –

Base application –

Building a basic mobile app:


Binary/Reverse Engineering


II. Paid Training

Web Application

eLearn Security Web Application Penetration Testing:

eLearn Security Web Application Penetration Testing eXtreme:

eLearn Security Practice Web Defense:

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws (book):

The Tangled Web: A Guide to Securing Modern Web Applications (book):

OWASP Top 10 Web Application Security Risks for ASP.NET (PluralSight):


eLearn Security Mobile Application Security and Penetration Testing:

Android Hacker’s Handbook (book):

Android Security Internals: An In-depth Guide to Android’s Security Architecture (book):

iOS Hacker’s Handbook (book):

Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It (book):


Binary/Reverse Engineering