Labs Overview
CommonHuman-Lab edited this page Jun 13, 2026 · 5 revisions
All labs run as named Docker containers with the `octorig-` prefix. Each lab is self-contained and can be started and stopped independently of the others.
Warning: All labs contain intentionally vulnerable software. Run them in an isolated environment and do not expose them on a public network.
| ID | Name | Description | IP |
|---|---|---|---|
| 1 | Rewind | Retro gaming and media storefront featuring SQL injection, XSS, IDOR, and insecure legacy functionality | 172.28.1.2 |
| 2 | TradeFloor | Vulnerable trading platform with XXE, CSRF, mass assignment, SQLi, IDOR, and stored XSS | 172.28.2.2 |
| 3 | GoldenAce | Online casino environment containing SQLi, JWT flaws, IDOR, stored XSS, CSRF, and business logic vulnerabilities | 172.28.3.2 |
| 4 | HumanBank | Vulnerable online banking application with authentication flaws, SQLi, XSS, insecure uploads, and business logic abuse | 172.28.4.2 |
| 5 | MediHuman | Healthcare patient portal exposing SQLi, IDOR, XSS, insecure file handling, and weak SSH/FTP configurations | 172.28.5.2 |
| 6 | NetPulse | 90s-inspired ISP management portal vulnerable to SSRF, SSTI, command injection, open redirects, SQLi, IDOR, and XSS | 172.28.6.2 |
| 7 | Limelight | Vulnerable cinema booking platform with SQLi, XSS, IDOR, SSTI, CSRF, business logic abuse, and mass assignment | 172.28.7.2 |
| 8 | SubVerse | Reddit-like community forum with SQLi, XSS, IDOR, CSRF, SSTI, command injection, mass assignment, and file upload | 172.28.18.2 |
| 9 | BreachSQL | Tiered SQL injection challenges (T1-T5) for SQLi practice | 172.28.8.2 |
| 10 | StingXSS | Tiered XSS challenges (T1-T8) for XSS injection practice | 172.28.9.2 |
| 11 | VaultGate | IDOR challenges for benchmarking | 172.28.10.2 |
| 12 | VaultRip | SSH credential-rich target for VaultRip passive and remote harvesting | 172.28.11.2 |
| 13 | Juice Shop | OWASP Juice Shop — OWASP Top 10 web vulnerabilities | 172.28.12.2 |
| 14 | DVWA | Damn Vulnerable Web App — PHP/MySQL classic | 172.28.13.2 |
| 15 | Metasploitable2 | Linux VM with intentionally vulnerable services | 172.28.14.2 |
| 16 | WebGoat | OWASP WebGoat — lesson-based Java security training | 172.28.15.2 |
| 17 | VulnAD | Vulnerable Active Directory — Samba4 AD with AD attack paths | 172.28.17.2 |