Best Free Web CTF Labs (2026): Learn XSS, SQLi, Auth and Sessions

If you want job-relevant cybersecurity skills, web security is one of the best places to invest your time. Nearly every company relies on web apps, APIs, dashboards, portals, and login systems meaning web vulnerabilities remain a top risk year after year.

But beginners often learn web security the wrong way: they watch random videos, memorize tool names, and then freeze when they see a real lab. Web CTF labs fix that by giving you structured practice in a safe environment.

This guide covers the best free web CTF labs in 2026, organized from beginner to advanced. You’ll also get a simple roadmap, a clean workflow to solve labs without guessing, and practical tips to build skill fast—without turning your browser into a mess of tabs and confusion.

What “Web CTF labs” actually teach

Web CTF labs are not about “hacking websites.” They are controlled training exercises designed to teach:

how web requests work (URLs, parameters, headers)
how logins and sessions behave (cookies, tokens)
how web apps fail (bad input validation, broken access control)
how attackers think (but within legal practice platforms)

The goal is learning. Your best outcome is not “solving fast”—it’s understanding why the vulnerability exists and what proof confirms it.

f you’re completely new to CTF, start with this free CTF starter kit to set up your tools, safety rules, and beginner workflow before you begin web labs.

The best free Web CTF labs in 2026

Below are the top free options that beginners can actually use. Each one has a different strength, so choose based on your goal.

1) PortSwigger Web Security Academy (Free)

This is one of the most structured and beginner-friendly web security platforms. It teaches web vulnerabilities with guided explanations and hands-on labs, so you’re not guessing in the dark.

Best for learning:

Authentication & session handling
SQL injection (SQLi)
XSS (reflected/stored/DOM)
Access control & IDOR
CSRF and modern web risks

Why it’s great:
You learn concept → try lab → verify result. That loop builds real understanding.

2) OWASP Juice Shop (Free, intentionally vulnerable)

OWASP Juice Shop is a famous intentionally vulnerable web app. It’s like a “web security playground” where you practice common issues.

Best for practicing:

Injection patterns
Broken access control
Sensitive data exposure concepts
Basic web logic flaws

Why it’s great:
It feels closer to a real web app than puzzle-style CTFs, and it encourages structured exploration.

3) DVWA (Damn Vulnerable Web Application) (Free)

DVWA is a classic beginner lab environment that teaches common web vulnerabilities in a simplified interface.

Best for practicing:

SQL injection
XSS
Command injection (in controlled form)
File inclusion basics

Why it’s great:
It’s “slow and simple” perfect for beginners who need repetition.

4) bWAPP (Free)

bWAPP provides a wide range of web vulnerabilities and is useful once you’ve done the basics.

Best for practicing:

Many vulnerability types in one place
Gradually increasing complexity

Why it’s great:
It expands your exposure beyond the “top 3” vulnerabilities.

5) picoCTF Web Challenges (Free)

picoCTF is beginner-friendly and includes many web puzzles that teach inspection skills and common patterns.

Best for beginners practicing:

View source and hidden fields
Cookie logic puzzles
Intro web exploitation concepts (safe)

Why it’s great:
Fast wins + confidence, without heavy setup.

6) OverTheWire (Free)

Not purely web, but excellent for foundational skills that support web security (Linux, logic, reading files).

Best for:

command line comfort (helps with many web tasks later)
investigation discipline

which platform should you start with?

If you’re a total beginner and want the fastest improvement:

Start with PortSwigger Web Security Academy (structured learning)
Add picoCTF web challenges for quick wins and confidence
Use Juice Shop / DVWA once you want a “real app feel”

This combo covers both education and hands-on practice.

A beginner-friendly Web CTF roadmap

Web security gets easy when you learn in the right order. Here is the sequence that reduces confusion.

Phase 1: Web basics (Days 1–3)

Before vulnerabilities, learn how a web app behaves.

Focus on:

requests and responses (what your browser sends/receives)
query parameters (what changes in a URL)
cookies (how “logged in” state is stored)

Practice tasks:

inspect page source
find hidden fields
observe cookie changes after login/logout

Phase 2: Authentication + sessions (Days 4–7)

This is one of the most important real-world topics. Many web breaches happen because auth logic and sessions are broken.

Focus on:

authentication vs authorization (not the same)
session cookies and tokens
common mistakes (weak access control, predictable IDs)

Practice tasks:

lab exercises on login flow weaknesses
session behavior testing in safe labs
access control checks (can user A see user B’s data?)

Phase 3: SQL injection + input handling (Week 2)

SQL injection is still a common training topic because it teaches critical thinking about input and backend behavior.

Focus on:

input reflection and backend queries (concept)
error-based vs blind SQLi (intro)
safe proof methods (in lab only)

Practice tasks:

simple SQLi labs
understanding what “parameter is injectable” means
extracting a flag in a controlled environment

Phase 4: XSS + modern web behavior (Week 3)

XSS is essential because it teaches client-side execution and the consequences of unsafe input in HTML/JS contexts.

Focus on:

reflected vs stored vs DOM-based XSS
context matters (HTML, attribute, JS)
basic prevention concepts (escaping, sanitization, CSP)

Practice tasks:

easy XSS labs
verifying execution safely
learning “why this input runs as code”

If you want a simple explanation of XSS (types, impact, and prevention), this beginner-friendly guide breaks it down clearly.

Phase 5: Access control (IDOR) + CSRF + “real app thinking” (Week 4)

This is where web security starts to feel like real work.

Focus on:

IDOR and broken access control
CSRF concepts
business logic mistakes (beginner-friendly examples)

Practice tasks:

IDOR labs
CSRF labs
multi-step challenges where the bug is “logic,” not “tools”

Want a daily schedule instead of a learning order? Use this 30-day CTF roadmap to practice consistently across web, Linux, crypto, and forensics.

The Web CTF workflow

When beginners get stuck, it’s usually because they don’t have a repeatable process. Use this workflow:

Step 1: Understand the goal

Write in one line:

“I need to access ____ / trigger ____ / extract ____ as proof.”

Step 2: Map inputs and outputs

Look for:

URL parameters
form fields
cookies
headers (if the lab shows them)

Step 3: Start with safe inspection

Before “attacking,” check:

page source
hidden fields
obvious endpoints
session state changes

Step 4: Test one variable at a time

Beginners change 10 things at once and learn nothing. Change one input and observe the effect.

Step 5: Capture proof

For every solved lab:

what changed
what confirmed the vulnerability
what the lesson is

This turns practice into skill.

Common beginner mistakes

Many web CTF learners lose months to predictable mistakes. Avoid these early:

Tool-first learning: installing tools before understanding the request/response model
No notes: solving a lab and forgetting it next week
Skipping auth fundamentals: jumping to SQLi/XSS without understanding sessions
Platform hopping: switching labs every day instead of building depth
Copying payloads blindly: using payloads without understanding context

A clean method beats “more tools.”

To improve faster, write a short writeup after each lab. Use this free CTF writeup template to document your goal, steps, proof, and lessons learned.

FAQs

What are the best free web CTF labs for beginners?

PortSwigger Web Security Academy is one of the best starting points because it explains the concept and gives guided labs. picoCTF web challenges are also great for beginner-friendly puzzles.

Do I need Kali Linux for web CTF labs?

No. A browser, a notes app, and basic inspection skills are enough to start. Advanced setups can come later.

What should I learn first: XSS or SQL injection?

Learn authentication and sessions first, then SQL injection, then XSS. That order reduces confusion because you understand how web apps store state.