WarGames–platforms to practice and improve hacking skills
Depending on what you call "online", a simple Google search on "damn vulnerable" will reveal the existence of freely downloadable applications of even full OS, meant for, indeed, learning all the ways software can be horribly vulnerable. One of them is Damn Vulnerable Web App, which is, you guessed it, a damn vulnerable Web app. There also used to be a full OS called Damn Vulnerable Linux; it is apparently discontinued (though of course lack of security patches was the point of it) but this question discusses replacements.
These are not "online machines" for you to hack, but you can download them and install them on a virtual machine on your own computer, which can be done for free (there are good free VM solutions, e.g. VirtualBox) and is a lot more flexible than an online target; it will teach you more since you can modify it and reset it at will.
All these resources are subject to obsolescence, modification and replacement, so the important point of this answer is to give the correct keywords for searching. And these keywords are "damn vulnerable".
These are all that i recommend.
Web Vulnerability
1. Webgoat(Recommend) - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
2. EnigmaGroup(WarGame) - http://www.enigmagroup.org
3. Mutillidae(Good) http://sourceforge.net/projects/mutillidae/
4. DVWA (not so good) http://www.dvwa.co.uk/
OS Vulnerability
5. Metasploitable(Recommend) - http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
6. Exploit Exercises(Very good) https://exploit-exercises.com/
7. HowToForge (Specific)
I've been trying to maintain a list of useful resources for Security Enthusiasts on my personal website. Here's a part of it:
Web Application Security
- Browser Security Handbook - By Michal Zalewski
- Google Gruyere - Web Application Exploits and Defenses - a small, cheesy web application that allows its users to publish snippets of text and store assorted files.
- Google's XSS game - In this training program, you will learn to find and exploit XSS bugs
- Damn Vulnerable Web Application (DVWA) - an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment
Memory Exploits
- David Brumley's lecture notes on Exploits and Control Flow Hijack Defenses
- University of Maryland's Software Security course on Coursera - explores the foundations of software security and covers important (and common) software vulnerabilities such as buffer overflows, SQL injection, and session hijacking
- Embedded Security CTF - You've been given access to a device that controls a lock. Your job: defeat the lock by exploiting bugs in the device's code.
Books
- The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws - Amazon Link