Easy script to install and run WebGoat, DVWA, Mutillidae II, bWAPP and more in Kali Linux (x64)

If you are a developer looking for insight into web security, or a security professional looking to practice a bit, deliberately vulnerable web applications are a great way to practice and educate yourself on web application security.

There are quite a few to choose from, and they all have their pros and cons.

Installing them, on the other hand, could be a bit of a time waster. Before Docker was widely adopted, making sure all dependencies were met and running all of them alongside each other would require some time and effort.

With Docker it’s now really easy. But I like to automate stuff as much as possible, so I put together a quick bash script to make it even simpler (and faster).

Note! All scripts are tested on x64 only (not x86). Tested on both live and installed systems running Kali Linux 2018.4 amd64.

Currently these applications are supported by the script.

  • bWAPP
  • WebGoat 7.1
  • WebGoat 8.0
  • Damn Vulnerable Web App
  • Mutillidae II
  • OWASP Juice Shop
  • WPScan Vulnerable WordPress
  • OpenDNS Security Ninjas

So let’s get started. First fetch the script. If you have git installed, just clone the repo on GitHub. If you do not have git installed, go to https://github.com/eystsen/pentestlab and download the files there.

git clone https://github.com/eystsen/pentestlab

If you get a question about username/password then you probably typed something wrong. After cloning is completed (takes a few seconds), enter the new folder that contains the script with the cd command.

cd pentestlab

If you haven’t installed Docker, then you can do so by running the Docker install script, or take a look at the Docker documentation for the up-to-date steps to install Docker.
The Docker installation script in this git repo is made for Kali 2018.4 x64 but should probably work for other x64 versions, and possibly also other distros (at least Debian-based ones). Just run the following command.


Press enter to accept (Y)es after apt-get shows you everything that will be updated. It runs an update first, so there might be quite a few packages. Then you are ready to start up the different webapps.
If you want to get started right away just run:

./pentestlab.sh start bwapp

The script will download the docker file for bWAPP and run it with localhost network mapping. It will let you know where it is available and list any actions or info you need the first time you use the app, like default username/password.

# The other apps can be started with one (or all) of these commands
./pentestlab.sh start webgoat7
./pentestlab.sh start webgoat8
./pentestlab.sh start dvwa
./pentestlab.sh start mutillidae
./pentestlab.sh start vulnerablewordpress
./pentestlab.sh start juiceshop
./pentestlab.sh start securityninjas

Most of these applications require you to click a link or a button to kickstart the database initialization. bWAPP needs you to do this, but it is as easy as clicking the link.
For bWAPP the script will output something like this:


Docker mapped to http://bwapp or

Remember to run install.php before using bwapp the first time.
at http://bwapp/install.php
Default username/password: bee/bug
bWAPP will then be available at http://bwapp

So go to http://bwapp/install.php and click on the “install database” link. This will only be required the first time you start bWAPP. Next time you start bWAPP it will not be necessary.

Similar output will be given for WebGoat 7.1, WebGoat 8.0, Damn Vulnerable Web App (DVWA) and Mutillidae II.

The script can also show you the status of all locally running applications.

./pentestlab.sh status

It will show you the status like this:

bWaPP                         running at http://bwapp
WebGoat 7.1                   not running
WebGoat 8.0                   not running
DVWA                          running at http://dvwa
Mutillidae II                 not running
OWASP Juice Shop              not running
WPScan Vulnerable WordPress   not running
OpenDNS Security Ninjas       not running

Remember to stop the app when you are done. You can continue any time by just running the start command again.

./pentestlab.sh stop bwapp

Just running the script without parameters will give you a help screen.


Like this one:

Local PentestLab Management Script (Docker based)

Usage: ./pentestlab.sh {list|status|info|start|stop} [projectname]

This scripts uses docker and hosts alias to make web apps available on localhost

./pentestlab.sh list
List all available projects
./pentestlab.sh status
Show status for all projects
./pentestlab.sh start bwapp
Start project and make it available on localhost
./pentestlab.sh stop bwapp
Stop the docker container
./pentestlab.sh info bwapp
Show information about bwapp proejct

Dockerfiles from:
dvwa – Ryan Dewhurst (vulnerables/web-dvwa)
mutillidae – Nikolay Golub (citizenstig/nowasp)
bwapp – Rory McCune (raesene/bwapp)
webgoat(s) – OWASP Project
Juice Shop – Bjoern Kimminich (bkimminich/juice-shop)
Vulnerable WordPress – WPScan Team (wpscanteam/vulnerablewordpress)
Security Ninjas – OpenDNS Security Ninjas AppSec Training

So, that is it. I created this script for myself, but hopefully it can be useful for others too.

Have fun! And happy hacking! 🙂



    1. Hi,

      I’ll see if I can add this feature to the script, but in the meantime you can use docker directly.
      Like this:
      docker run -d -p 80:80 --name dvwapublic vulnerables/web-dvwa

      That command will bind DVWA to port 80 on your machine and give the container a name (dvwapublic).
      After this command you can then start or stop dvwa using:
      docker start dvwapublic
      docker stop dvwapublic

      You can list running dockers like this:
      docker ps

      DVWA will be available on your IP address. (just an example, your machine's IP address will be different)

      If port 80 is already in use you can bind using a different port.
      Like this example for port 8888
      docker run -d -p 8888:80 --name dvwapublic vulnerables/web-dvwa

      If you use a different port than 80 you need to add the port number in the URL, like this:
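
Added example (not part of the original post or the reply above, and not code from the pentestlab project): `-p 80:80` and `-p 8888:80` publish the container on every interface of the host, so this check lists running containers whose published ports are not bound to a loopback address. The sample `docker ps` lines and every container name other than dvwapublic are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag containers reachable from outside the host.
#
# Input: "name;ports" lines, as produced on a real system by
#   docker ps --format '{{.Names}};{{.Ports}}'
# Output: "name binding" for every published port not bound to loopback.
audit_published_ports() {
  awk -F';' '
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        m = maps[i]
        if (index(m, "->") == 0) continue   # exposed only, not published
        host = m
        sub(/->.*/, "", host)               # keep "addr:port"
        addr = host
        sub(/:[0-9-]+$/, "", addr)          # drop the host port (or range)
        # 127.0.0.0/8 and ::1 are only reachable from the host itself
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") continue
        print $1, host
      }
    }'
}

# Constructed sample of `docker ps` output (not captured from a real host).
# dvwapublic matches the `-p 80:80` command in the reply above; dvwalocal
# shows a loopback-only binding (-p 127.0.0.1:8888:80); juiceshop exposes a
# port without publishing it; bwapp is published on IPv4 and IPv6.
sample_ps_output() {
  printf 'dvwapublic;0.0.0.0:80->80/tcp\n'
  printf 'dvwalocal;127.0.0.1:8888->80/tcp\n'
  printf 'juiceshop;3000/tcp\n'
  printf 'bwapp;0.0.0.0:8888->80/tcp, :::8888->80/tcp\n'
}

# Stand-alone run over the sample; swap in the docker ps command above
# to audit the containers actually running on the machine.
sample_ps_output | audit_published_ports
```

Any container listed by the check is reachable by other machines on the same network, so deliberately vulnerable apps published this way belong on an isolated lab network.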
