One can practice Vulnerability Assessment using these Free Labs:
Platform: HackXpert
Description: Free labs and training
Source: https://hackxpert.com/labs.php
Platform: TryHackMe
Description: Hands-on exercises and labs
Source: https://tryhackme.com/
Platform: CyberSecLabs
Description: High quality training labs
Source: https://www.cyberseclabs.co.uk
Platform: Cybrary
Description: Videos, labs, and practice exams
Source: https://www.cybrary.it/
Platform: Root Me
Description: Over 400 cybersecurity challenges
Source: https://www.root-me.org/
Platform: Vuln Machines
Description: Real world scenarios to practice
Source: https://vulnmachines.com
Platform: OverTheWire
Description: Learn security concepts through challenges
Source: https://overthewire.org
Platform: Try2Hack
Description: Play a game based on the real attacks
Source: https://try2hack.me/
Platform: Hack The Box
Description: Online cybersecurity training platform
Source: https://www.hackthebox.com/
Platform: VulnHub
Description: Material for practical hands-on experience
Source: https://www.vulnhub.com
Platform: PortSwigger Web Security Academy
Description: Extensive learning material with online labs
Platform: hacksplaining
Description: Security Training for Developers
Source: https://www.hacksplaining.com/
Open Source Tools:
Tool: Burp Suite Framework
Description: For Performing Security Testing Of Web Applications
Source: https://portswigger.net/burp
Tool: ZAP Proxy Framework
Description: Integrated Penetration Testing Tool
Tool: Dirsearch
Description: Find Hidden Web Directories
Tool: NMAP
Description: Discover Hosts And Services On A Network
Source: https://nmap.org/
Tool: Sublist3r
Description: Enumerate subdomains of websites
Tool: Amass
Description: Performs network mapping of attack surfaces and external asset discovery
Source: https://github.com/OWASP/Amass
Tool: SQLMap
Description: Automated detect and exploit SQL Injection flaws
Source: https://sqlmap.org/
Tool: Metasploit Framework
Description: Modular penetration testing platform that enables you to write, test, and execute exploit code
Source: https://www.metasploit.com/
Tool: WPscan
Description: Test the security of WordPress websites
Tool: Nikto
Description: Web server and CGI scanner written in Perl
Source: https://cirt.net/Nikto2
Tool: HTTPX
Description: Fast web application reconnaissance tool coded in go
Tool: Nuclei
Description: Send requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts
Tool: FFUF
Description: Fastest open-source fuzzing tool written in the Go
Source: https://github.com/ffuf/ffuf
Tool: Subfinder
Description: Subdomain discovery tool that returns valid subdomains for websites, using passive online sources
Tool: Masscan
Description: TCP port scanner which transmits SYN packets asynchronously and produces results similar to nmap
Tool: Lazy Recon
Description: Automate some tedious tasks of reconnaissance and information gathering, written in Bash
Tool: XSS Hunter
Description: Find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS
Source: https://xsshunter.com/
Tool: Aquatone
Description: Visual inspection of websites across a large amount of hosts
Tool: LinkFinder
Description: Python script written to discover endpoints and their parameters in JavaScript files
Tool: JS-Scan
Description: A tool designed to scrape a list of .js files and extract urls, as well as juicy information
Tool: GAU
Description: Fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain
Source: https://github.com/lc/gau
Tool: Parameth
Description: Brute discover GET and POST parameters
Source: https://github.com/maK-/parameth
Tool: truffleHog-
Description: Open source project tool for discovering keys leaked via JavaScript or too-permissive CORS settings in APIs
Tool: Katana
Description: Framework written in python for making penetration testing, based on a simple and comprehensive structure