Where can you actually practice hacking without getting arrested? The complete answer — your own lab, browser-based platforms, bug bounty programmes, and CTF competitions.
The number one question beginners have, and often don't ask out loud because it seems obvious, is: where can I actually practise this? You can't hack random websites. You need somewhere to practise that won't get you arrested, banned, or cause collateral damage.
Here's the complete answer.
The law in most jurisdictions (US Computer Fraud and Abuse Act, UK Computer Misuse Act, and equivalents everywhere else) prohibits accessing computer systems without authorisation. That's it. Authorisation is the line.
Authorisation can come from:
If one of those four doesn't apply, don't test it. Not even "just to see." Not even if you find nothing. Not even if the company is a criminal organisation. Unauthorised access is unauthorised access regardless of your intent or the target's behaviour.
Setting up your own vulnerable machines gives you total freedom and zero legal risk. You can be as aggressive as you want, break things completely, and learn from the wreckage.
The easiest approach is Docker. Several deliberately vulnerable applications are available as Docker images you can run locally in minutes:
```bash
# DVWA — classic PHP vulnerable app
docker run -p 80:80 vulnerables/web-dvwa

# Juice Shop — OWASP's modern Node.js vulnerable app
docker run -p 3000:3000 bkimminich/juice-shop

# WebGoat — Java-based, OWASP maintained
docker run -p 8080:8080 webgoat/webgoat

# VulnHub — downloadable VM images, hundreds available
# https://www.vulnhub.com
```
Run these on a machine isolated from your main network, or in a VM whose network adapter is host-only. Note that Docker publishes a port on every interface by default, so a plain port mapping like the ones above makes the vulnerable app reachable from anything else on your LAN; bind published ports to the loopback address instead, and put the containers on a dedicated Docker network rather than the default bridge. Some intentionally vulnerable applications have features (file upload, command execution, outbound requests) that could be used as a pivot onto your real network if left exposed.
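A quick way to confirm the lab really is confined to your own machine is to read what `docker inspect` reports for each container's published ports and flag anything bound to a wildcard address. The script below is an added example, not code from the original page or from any of the projects it lists; the sample `docker inspect` output and the container names `dvwa` and `juice` are constructed for the demo, while the JSON layout (`NetworkSettings.Ports` mapping a container port to a list of `HostIp`/`HostPort` bindings) is Docker's real format. The helper that builds a loopback-only `docker run` command, and the network name `lab`, are likewise this example's own choices.

```python
"""Audit which lab containers are reachable from beyond the host.

Added example, not from the original page. It parses the JSON printed by
`docker inspect <container>...` and flags published ports whose host
address is a wildcard (0.0.0.0 or ::), i.e. reachable from the LAN.
"""
import json
import shutil
import subprocess

# Host addresses Docker uses when a port is published on every interface.
WILDCARD_HOST_IPS = {"", "0.0.0.0", "::"}

# Constructed sample: roughly what `docker inspect dvwa juice` returns after
#   docker run -d --name dvwa  -p 80:80             vulnerables/web-dvwa
#   docker run -d --name juice -p 127.0.0.1:3000:3000 bkimminich/juice-shop
# On a dual-stack host Docker records both an IPv4 and an IPv6 wildcard entry.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/dvwa", "NetworkSettings": {"Ports": {
        "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"},
                   {"HostIp": "::", "HostPort": "80"}]}}},
    {"Name": "/juice", "NetworkSettings": {"Ports": {
        "3000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "3000"}]}}},
])


def exposed_ports(inspect_json: str) -> list:
    """Return (container, container_port, host_ip, host_port) for every
    published binding that is not restricted to the loopback address."""
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        ports = container["NetworkSettings"].get("Ports") or {}
        for cport, bindings in ports.items():
            # bindings is None when a port is EXPOSEd but never published
            for binding in bindings or []:
                if binding["HostIp"] in WILDCARD_HOST_IPS:
                    findings.append((name, cport, binding["HostIp"], binding["HostPort"]))
    return findings


def loopback_run_args(image: str, port: int, name: str, network: str = "lab") -> list:
    """argv for a `docker run` that publishes the port only on 127.0.0.1 and
    joins a user-defined network (assumed to exist) instead of the default bridge."""
    return ["docker", "run", "-d", "--rm", "--name", name, "--network", network,
            "-p", f"127.0.0.1:{port}:{port}", image]


def audit_live(*containers: str) -> list:
    """Run the audit against real containers when the docker CLI is available."""
    if shutil.which("docker") is None or not containers:
        return []
    out = subprocess.run(["docker", "inspect", *containers],
                         capture_output=True, text=True, check=True).stdout
    return exposed_ports(out)


if __name__ == "__main__":
    for finding in exposed_ports(SAMPLE_INSPECT):
        print("exposed beyond localhost:", finding)
    print("safer start:", " ".join(loopback_run_args("vulnerables/web-dvwa", 80, "dvwa")))
```

Create the dedicated network once with `docker network create lab`, start each image with the loopback-only arguments, then run `audit_live("dvwa", "juice", "webgoat")` and expect an empty list; a non-empty result means one of the lab apps is answering on your LAN.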
If you don't want to manage a local lab environment (and you shouldn't have to), browser-based platforms spin up isolated machines for you:
Bug bounty is where you hack real production systems legally, because the company has published a policy inviting researchers to test within a defined scope.
The key rules that keep you legal:
CTF (Capture the Flag) competitions are organised events where all infrastructure is deliberately built to be compromised. There is no "real" data, no real victims, and participation is explicitly invited. Everything is in scope. This makes CTFs the most legally clean practice environment that exists.
CTFtime.org lists hundreds of competitions per year. PicoCTF runs year-round and is specifically designed for beginners. HackTheBox has CTF-style challenges alongside its machines.
You can test for vulnerabilities against your own accounts on a site you are authorised to test, for example changing the ID in a profile URL to your own user ID to confirm the endpoint looks records up by ID at all. What you can't do is attempt to access other users' data, even if you find a way to do so.
Many bug bounty hunters create two test accounts on target platforms — Account A and Account B — and test whether actions by Account A can access or affect Account B's data. This is the safest way to demonstrate IDOR and access control bugs without touching real user data.
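The Account A / Account B test, written out as an added example that is not code from the original page or from any bug bounty platform. Because no real target can be used here, the script embeds a constructed toy API (`/api/profile/<id>`, session tokens `tok-a` and `tok-b`, user IDs `1001` and `1002`) that can be started either with the IDOR bug or with the ownership check in place; everything about that server is invented for the demo. The checking logic is the part that carries over to a real programme: establish a baseline with A's own record first, then request B's record with A's session, and record only the status code and whether B's ID came back.

```python
"""Two-account IDOR check against a constructed toy API (added example)."""
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data: two accounts you created yourself on the target.
USERS = {
    "1001": {"id": "1001", "email": "account-a@example.test"},
    "1002": {"id": "1002", "email": "account-b@example.test"},
}
SESSIONS = {"tok-a": "1001", "tok-b": "1002"}  # session token -> owning user


def make_handler(enforce_ownership: bool):
    """Build the toy API; enforce_ownership=False reproduces the IDOR bug."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            prefix = "/api/profile/"
            caller = SESSIONS.get(self.headers.get("X-Session", ""))
            if caller is None:
                return self._send(401, {"error": "unauthenticated"})
            if not self.path.startswith(prefix):
                return self._send(404, {"error": "not found"})
            target = self.path[len(prefix):]
            # Hardened variant: the record must belong to the caller.
            if enforce_ownership and target != caller:
                return self._send(403, {"error": "forbidden"})
            record = USERS.get(target)
            if record is None:
                return self._send(404, {"error": "not found"})
            self._send(200, record)

        def _send(self, status, body):
            payload = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

    return Handler


def start_server(enforce_ownership: bool) -> str:
    """Start the toy API on a free loopback port and return its base URL."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(enforce_ownership))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


def fetch(base_url: str, session: str, user_id: str):
    """GET one profile as the given session; return (status, parsed JSON body)."""
    req = Request(f"{base_url}/api/profile/{user_id}", headers={"X-Session": session})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def idor_check(base_url: str, session_a: str, id_a: str, id_b: str) -> dict:
    """Account-A-vs-Account-B test.

    1. Baseline: A reads its own record, so a later 403 means the access
       control works rather than the endpoint being broken.
    2. Cross-account: request B's record with A's session. Only the status
       and whether the returned id is B's are kept; the record body itself
       is never stored or printed, the same discipline you'd keep on a real target.
    """
    base_status, base_body = fetch(base_url, session_a, id_a)
    cross_status, cross_body = fetch(base_url, session_a, id_b)
    return {
        "baseline_ok": base_status == 200 and base_body.get("id") == id_a,
        "cross_status": cross_status,
        "vulnerable": cross_status == 200 and cross_body.get("id") == id_b,
    }


if __name__ == "__main__":
    for label, enforce in (("vulnerable", False), ("hardened", True)):
        print(label, idor_check(start_server(enforce), "tok-a", "1001", "1002"))
```

Against the buggy server the result is `vulnerable: True` with a 200; against the hardened one it is a 403 with `baseline_ok` still true, which is exactly the pair of observations a report needs. On a real programme, the fix for the finding is the `enforce_ownership` branch: authorisation has to be checked against the session's identity on every object access, not just on login.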
This is not a narrow restriction. Between your own lab, available platforms, and the thousands of public bug bounty programmes, there is more legal hacking practice available right now than any individual could exhaust in a decade. There is no reason to cross the line.
Put this into practice on hackr.gg. Real vulnerable machines, real attack tools, right in your browser. No setup, no VPN — get your first flag in under 10 minutes.
Start hacking free →