Skip to content presents a 3-tier web app with security mistakes for training, evaluation, and testing.
Branch: master
Clone or download
jvhoof Merge pull request #6 from flogruber/upload-fix
SuppliersOnly: File upload fix
Latest commit 74580ae Apr 13, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.

Badstore docker presents a 3-tier web app with security mistakes for training, evaluation, and testing.

Introduction presents a typical three-tier web storefront application. This self-contained application was built from the ground up with typical security mistakes to serve as a platform for demonstration, security training, evaluation, and testing purposes.

Docker image

The application is delivered as a docker image. The image runs the Debian latest operating system, Apache web server, a CGI (Common Gateway Interface) application, and full MySQL interaction with multiple database tables. This architecture is commonly known as LAMP (Linux, Apache, MySQL, Perl), and presents a real application environment that uses real coding methods. Rather than being a simulation, operates in the same way as many commercial websites, albeit with a high concentration of application security vulnerabilities.

More details about the environment are found in subsequent sections. After boot, acts as a network-accessible server that clients may interact with using a Web browser. This educational playground exists for you to break. And, best of all, when you reboot, everything is back to where you started! There's no need to rebuild after successful "hacks" screw everything up. So get out your browser and start enjoying the world of web application security.



To run the application, simply pull or build the image into a docker host.

docker pull jvhoof/badstore-docker
docker run -d -p 80:80 jvhoof/badstore-docker

License is currently available in English and Japanese language versions and was released under the terms of the GNU General Public License.

You can’t perform that action at this time.