If you are a developer looking for insight into web security, or a security professional looking to practice a bit, deliberately vulnerable web applications are a great way to practice and educate yourself on web application security.
There are quite a few to choose from, and they all have their pros and cons.
Installing them, on the other hand, could be a bit of a time waster. Before Docker was widely adopted, making sure all dependencies were met and running all of them alongside each other did require some time and effort.
With Docker it’s now really easy. But I like to automate stuff as much as possible, so I put together a quick bash script to make it even simpler (and faster).
Note! All scripts are tested on 64-bit only (not x86). Tested on installed systems running Kali Linux 2020.1b. Other distros seem to work fine too.
Currently the script supports these applications:
- bWAPP
- WebGoat 7.1
- WebGoat 8.0
- Damn Vulnerable Web App
- Mutillidae II
- OWASP Juice Shop
- WPScan Vulnerable WordPress
- OpenDNS Security Ninjas
- Altoro Mutual
- Vulnerable GraphQL API
So let’s get started. First fetch the script. If you have git installed, just clone the repo from GitHub. If you do not have git installed, go to https://github.com/eystsen/pentestlab and download the zip file there.
git clone https://github.com/eystsen/pentestlab
If you get a question about username/password, then you probably typed something wrong. After cloning completes (it takes a few seconds), enter the new folder that contains the script with the cd command.
cd pentestlab
If you haven’t installed Docker, then you need to do so. Previously this required some custom steps, but lately you can just install Docker using apt.
Just run the following command.
sudo apt install docker.io
The included Docker install script (in the git repo) was needed for older Kali Linux releases. It’s no longer needed.
Now you are ready to run webapps.
You can start bWAPP just by running this command:
./pentestlab.sh start bwapp
The script will pull the Docker image for bWAPP and run it with localhost network mapping. It will let you know where it is available and list any actions or info you need the first time you use the app, like the default username/password.
Most of these applications require you to click a link or a button to kick-start the database initialization. bWAPP needs you to do this, but it is as easy as clicking the link.
Next time you start bWAPP it will not be necessary.
# The other apps can be started with one (or all) of these commands
./pentestlab.sh start webgoat7
./pentestlab.sh start webgoat8
./pentestlab.sh start dvwa
./pentestlab.sh start mutillidae
./pentestlab.sh start vulnerablewordpress
./pentestlab.sh start juiceshop
./pentestlab.sh start securityninjas
./pentestlab.sh start altoro
./pentestlab.sh start graphql
You can get the updated list (new applications are added from time to time) by running
./pentestlab.sh list
If you would like to expose the application to others on your network, you can use the startpublic command.
./pentestlab.sh startpublic bwapp
WARNING! This will allow anyone with network access to hack your machine. Only do this in a trusted lab environment.
It will prompt for the detected IP. If you have multiple interfaces and/or IPs, you need to specify the IP together with the port. Also remember that only one application can listen on a given port.
./pentestlab.sh startpublic bwapp 192.168.1.105 8080
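To make the difference between start and startpublic concrete, here is an added example (my own code, not part of the pentestlab repo) showing the three things the script does under the hood: building a docker run command that binds the app either to 127.0.0.1 or to a LAN address, adding a hosts alias so the app answers at a name like http://bwapp, and auditing docker ps output for lab containers that are reachable from the network. The image name lab/bwapp:example, the port numbers and the docker ps sample are constructed placeholders; the real script's image names and port choices are its own.

```shell
#!/bin/sh
# Added example, not the pentestlab script. Image names and the docker ps
# sample below are constructed for illustration.

# Emit the docker run command for a lab app. The bind address decides who can
# reach the deliberately vulnerable app: 127.0.0.1 keeps it on this machine
# (what "start" does), a LAN address exposes it (what "startpublic" does).
# $1 container name, $2 image, $3 container port, $4 host port,
# $5 bind address (defaults to loopback)
lab_run_cmd() {
  name=$1; image=$2; cport=$3; hport=$4; bind=${5:-127.0.0.1}
  printf 'docker run -d --name %s -p %s:%s:%s %s\n' \
    "$name" "$bind" "$hport" "$cport" "$image"
}

# Add "ip name" to a hosts file unless an entry for that name already exists.
# The file path is a parameter so it can be exercised on a copy; the real
# script edits /etc/hosts to give you names such as http://bwapp.
ensure_hosts_alias() {
  file=$1; ip=$2; name=$3
  if grep -qE '^[^#]*[[:space:]]'"$name"'([[:space:]]|$)' "$file"; then
    return 0
  fi
  printf '%s\t%s\n' "$ip" "$name" >> "$file"
}

# Constructed sample of: docker ps --format '{{.Names}}|{{.Ports}}'
# bwapp was started on loopback, dvwa with a plain -p 8081:80 (all interfaces,
# IPv4 and IPv6), juiceshop on a LAN address, mutillidae with no published port.
SAMPLE_PS='bwapp|127.0.0.1:8080->80/tcp
dvwa|0.0.0.0:8081->80/tcp, :::8081->80/tcp
juiceshop|192.168.1.105:3000->3000/tcp
mutillidae|'

# Print the names of containers with at least one published port that is not
# bound to loopback, i.e. lab apps that others on the network can reach.
# Run against live output with: exposed_containers "$(docker ps --format '{{.Names}}|{{.Ports}}')"
exposed_containers() {
  printf '%s\n' "$1" | awk -F'|' '{
    n = split($2, b, /, /)
    for (i = 1; i <= n; i++)
      if (b[i] != "" && b[i] !~ /^127\.0\.0\.1:/ && b[i] !~ /^\[::1\]:/) {
        print $1
        break
      }
  }'
}
```

Running exposed_containers on the constructed sample reports dvwa and juiceshop but not bwapp or mutillidae, which is the check worth doing before leaving a lab box on a shared network: anything listed there is in the same situation as an app started with startpublic.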
The script can also show you the status of all locally running applications.
./pentestlab.sh status
It will show you status like this:
bWaPP running at http://bwapp
WebGoat 7.1 not running
WebGoat 8.0 not running
DVWA running at http://dvwa
Mutillidae II not running
OWASP Juice Shop not running
WPScan Vulnerable WordPress not running
OpenDNS Security Ninjas not running
Altoro Mutual not running
Vulnerable GraphQL API not running
Remember to stop the app when you are done. You can continue any time by just running the start command again.
./pentestlab.sh stop bwapp
Just running the script without parameters will give you a help screen.
./pentestlab.sh
Like this one:
Local PentestLab Management Script (Docker based)
Usage: ./pentestlab.sh {list|status|info|start|startpublic|stop} [projectname]
This scripts uses docker and hosts alias to make web apps available on localhost
Ex.
./pentestlab.sh list
List all available projects
./pentestlab.sh status
Show status for all projects
./pentestlab.sh start bwapp
Start project and make it available on localhost
./pentestlab.sh startpublic bwapp
Start project and make it available on localhost
./pentestlab.sh stop bwapp
Stop the docker container
./pentestlab.sh info bwapp
Show information about bwapp proejct
…
…
So, that is it. I created this script for myself, but hopefully it can be useful for others too.
Have fun! And happy hacking! 🙂