If you don't have explicit written authorization from the owner of such assets, scanning, testing, or exploiting vulnerabilities in servers and applications on the internet is illegal in most countries. Therefore, you need to have a laboratory that you own and control, where you can practice and develop your testing skills.
In this section, we will review some of the options that you have when learning about web application penetration testing.
The Broken Web Applications (BWA) Project from OWASP is a collection of vulnerable web applications, which are distributed as a virtual machine with the purpose of providing students, security enthusiasts, and penetration testing professionals a platform for learning and developing web application testing skills, testing automated tools, and testing Web Application Firewalls (WAFs) and other defensive measures:
The latest version of BWA at the time of this writing is 1.2...