irvinlim/vulnerability-testbeds

vulnerability-testbeds

Bootstrap various intentionally vulnerable web applications using Docker Compose.

Useful for building vulnerability environments for trying out pentesting and security tools.

Apps included

This repository simply curates and compiles various Docker images from the Docker Hub into a Docker Compose file (docker-compose.yml), so that one can easily deploy all of them at once.

Deployment

vulnerability-testbeds is meant to be deployed on a single server. The applications can be served through either of the following methods.

Method 1: Separate virtual hosts

In order to run all of the applications on a single server, you need a frontend proxy to serve each virtual host. This method depends on jwilder/nginx-proxy to do just that.

Configuration

Make sure that you have copied .env-example to .env in the root directory and added the relevant values for the following environment variables:

  • NGINX_PROXY_HOSTNAME: The domain suffix for each virtual host. For example, if the value is vulns.example.com, DVWA will be served on dvwa.vulns.example.com.
  • NGINX_PROXY_NETWORK_NAME: The Docker network that each application container should be added to. jwilder/nginx-proxy should also be added to the same network.

Setup instructions

To set up the proxy, create a Docker network called nginx-proxy, start the container and add it to the network.

# Run the container.
docker run -d \
        --name nginx-proxy \
        -p 80:80 \
        --restart always \
        -v /var/run/docker.sock:/tmp/docker.sock:ro \
        jwilder/nginx-proxy

# Create the network to add the container to.
docker network create nginx-proxy
docker network connect nginx-proxy nginx-proxy

All other containers must belong to the same nginx-proxy network as well. This is configured in an additional Compose file, docker-compose.nginx-proxy.yml. To combine multiple Compose files, run:

docker-compose -f docker-compose.yml -f docker-compose.nginx-proxy.yml up -d

This will apply the settings to set up each application container in the nginx-proxy network.

Note that jwilder/nginx-proxy is not provided in the Compose file because multiple instances of the container running on the same host will conflict with each other. Hence, you will have to set it up separately as a non-Composed service.

Method 2: Separate ports

An alternative, more typical deployment method is to use a separate port for each application server. This is useful if you don't wish to set up a frontend proxy, or just need a quick local setup.

The default ports are as follows:

Application          Port
app-dvwa             8000
app-juiceshop        8001
app-nowasp           8002
app-securityninjas   8003
app-webgoat          8004
app-xvwa             8005

You can override the port that each service listens on via environment variables in .env, named in the format PORTS_${SERVICE_NAME}, e.g. PORTS_DVWA.

You can then use a frontend NGINX reverse proxy to map them onto port 80 using separate virtual hosts, if you wish.
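Because every application here is intentionally vulnerable, it helps to check after a Method 2 deployment which ports are published on all interfaces rather than on loopback only. The script below is an added example, not part of this repository: the function name audit_published_ports is hypothetical, and the container names and container-side ports in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the repository): list published ports that are
# reachable from other hosts, i.e. not bound to a loopback address.
# Input: lines of "<name><TAB><ports>" as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

audit_published_ports() {
    # Prints "<container> <host_ip>:<host_port>" for each non-loopback binding.
    awk -F '\t' '
    {
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            # Published ports look like "ip:port->port/proto";
            # ports that are only exposed have no "->" and are skipped.
            if (index(maps[i], "->") == 0) continue
            split(maps[i], parts, "->")
            host = parts[1]
            # Skip bindings to IPv4 or IPv6 loopback.
            if (index(host, "127.") == 1) continue
            if (index(host, "[::1]:") == 1) continue
            print $1, host
        }
    }'
}

# Constructed sample of docker ps output (names and inner ports are made up).
SAMPLE_PS=$(printf '%s\t%s\n' \
    'testbeds_app-dvwa_1' '0.0.0.0:8000->80/tcp, :::8000->80/tcp' \
    'testbeds_app-juiceshop_1' '127.0.0.1:8001->3000/tcp' \
    'testbeds_app-webgoat_1' '8080/tcp')

# Pass --live to audit running containers; otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then
    docker ps --format '{{.Names}}\t{{.Ports}}' | audit_published_ports
else
    printf '%s\n' "$SAMPLE_PS" | audit_published_ports
fi
```

Any line it prints is a testbed port that other machines on the network can reach.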

License

MIT
