Apr 13, 2025 - 22:44
Step-by-Step Installation and Usage Guide for Web Security Testing Applications Using Docker

The article that follows is a step-by-step installation and usage guide for some of the most commonly used deliberately vulnerable web applications, run inside Docker containers. They are well suited to penetration testing, security testing, and training in web application security. They are designed to emulate real-world vulnerabilities so that security flaws can be tested for under safe and controlled conditions.

Applications covered in this guide

  • bWAPP
  • WebGoat 7.1
  • WebGoat 8.0
  • Damn Vulnerable Web Application (DVWA)
  • Mutillidae II
  • OWASP Juice Shop
  • WPScan Vulnerable WordPress
  • OpenDNS Security Ninjas

Prerequisites

Before you begin the installation, ensure you have the following:

  1. Docker - Install Docker on your system using the instructions on the official Docker website.

  2. Docker Compose - If you need to run more than one container or a more complex setup, install Docker Compose as well (see the official Docker documentation).

1. bWAPP (Buggy Web Application)

Step 1: Pull the bWAPP Docker image

docker pull raesene/bwapp

Step 2: Run the bWAPP container

docker run -d -p 80:80 raesene/bwapp

Step 3: Access bWAPP

Access http://localhost in your web browser. Use the following default credentials:

  • Username: bee
  • Password: bug

Application Workflow

  • User interacts with bWAPP interface via a browser.
  • The Docker container publishes port 80, forwarding traffic to the web application.
  • bWAPP backend mimics vulnerabilities in various web application components.

2. WebGoat 7.1

Step 1: Pull the WebGoat 7.1 Docker image

docker pull webgoat/webgoat-7.1

Step 2: Run the WebGoat 7.1 container

docker run -d -p 8080:8080 webgoat/webgoat-7.1

Step 3: Access WebGoat 7.1

Open http://localhost:8080/WebGoat/ in your browser. Default credentials are:

  • Username: guest
  • Password: guest

Application Workflow

  • User accesses the WebGoat interface at localhost:8080.
  • The Docker container hosts WebGoat's internal services.
  • WebGoat simulates vulnerabilities such as SQL injection, insecure deserialization, and cross-site scripting.

3. WebGoat 8.0

Step 1: Pull the WebGoat 8.0 Docker image

docker pull webgoat/webgoat-8.0

Step 2: Run the WebGoat 8.0 container

docker run -d -p 8081:8080 webgoat/webgoat-8.0

Step 3: Access WebGoat 8.0

Navigate to http://localhost:8081/WebGoat/ and use the default credentials:

  • Username: guest
  • Password: guest

Application Workflow

  • User connects to WebGoat 8.0 on the exposed port 8081.
  • The Docker container runs the application together with its simulated security weaknesses.
  • WebGoat 8.0 helps discover common vulnerabilities like insecure deserialization and cross-site request forgery.

4. Damn Vulnerable Web Application (DVWA)

Step 1: Pull the DVWA Docker image

docker pull vulnerables/web-dvwa

Step 2: Run the DVWA container

docker run -d -p 80:80 vulnerables/web-dvwa

Step 3: Access DVWA

Open http://localhost in your browser. Default login:

  • Username: admin
  • Password: password

Application Workflow

  • User tests vulnerabilities like SQL injection and XSS.
  • Docker container directs traffic from the outside port to the internal DVWA instance.
  • DVWA offers multiple security levels to control vulnerability severity.

5. Mutillidae II

Step 1: Pull the Mutillidae II Docker image

docker pull r00t-3xp10it/mutillidae

Step 2: Run the Mutillidae II container

docker run -d -p 80:80 r00t-3xp10it/mutillidae

Step 3: Access Mutillidae II

In your web browser, navigate to http://localhost. Default login:

  • Username: admin
  • Password: password

Application Workflow

  • User exploits vulnerabilities such as session-management flaws and privilege escalation.
  • The Docker container holds Mutillidae II's internal configuration, providing an isolated environment in which to test.
  • Mutillidae II simulates real security vulnerabilities.

6. OWASP Juice Shop

Step 1: Pull the OWASP Juice Shop Docker image

docker pull bkimminich/juice-shop

Step 2: Run the Juice Shop container

docker run -d -p 3000:3000 bkimminich/juice-shop

Step 3: Access OWASP Juice Shop

Visit http://localhost:3000. Juice Shop offers challenges on different vulnerabilities.

Application Workflow

  • User interacts with the Juice Shop UI through a browser.
  • Docker container exposes and isolates Juice Shop services, facilitating easier penetration testing.
  • OWASP Juice Shop offers challenges like Cross-Site Scripting (XSS), SQL injection, etc.

7. WPScan Vulnerable WordPress

Step 1: Pull the WPScan Docker image

docker pull wpscanteam/wpscan

Step 2: Run the WPScan container

docker run -d -p 80:80 wpscanteam/wpscan

Step 3: Access vulnerable WordPress

Test WordPress security vulnerabilities such as outdated plugins by visiting http://localhost.

Application Workflow

  • User tests WordPress vulnerabilities on plugins and configurations.
  • Docker container hosts the vulnerable WordPress site and separates it from other environments.
  • WPScan runs tests against potential security vulnerabilities in WordPress installations.

8. OpenDNS Security Ninjas

Step 1: Pull the OpenDNS Security Ninjas Docker image

docker pull opendns/securityninjas

Step 2: Run the OpenDNS Security Ninjas container

docker run -d -p 8080:8080 opendns/securityninjas

Step 3: Access OpenDNS Security Ninjas

Access http://localhost:8080 to research DNS security threats.

Application Workflow

  • User examines DNS vulnerabilities such as cache poisoning and amplification attacks.
  • The Docker container hosts the OpenDNS services, providing an isolated testing environment.
  • OpenDNS provides educational content and tools to test DNS security.

Docker Workflow for Web Security Applications

Docker Container Workflow

  1. Pull Docker Image - You pull the vulnerable app image.

  2. Run the Docker Container - Run the container in the background, publishing the ports needed for web traffic.

  3. Access the Application - Access the web application within the container via a browser.

  4. Conduct Penetration Testing - Test against typical vulnerabilities such as SQL injection, XSS, and more.

  5. Analyze Results - Collect the findings, review the security exposures, and identify the gaps to close.
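The per-application commands above publish each app with -p 80:80 or -p 8080:8080. That binds the port on every interface of the host, and the same host port cannot be published by a second container while the first one is running, so four of the guide's apps cannot run at once as written. The script below is an added example, not part of the original guide: it carries steps 1 to 3 of the workflow out for all of the guide's images with distinct host ports bound to 127.0.0.1 only, refuses to start if the port list has a duplicate, and waits for each app to answer HTTP before moving on. The image names and container ports are the guide's; the container names and host ports 8001-8007 are my choice. wpscanteam/wpscan is left out because it is the WPScan scanner's command-line image rather than a long-running web service, so it exits immediately when started without a target.

```shell
#!/bin/sh
# Added example, not from the guide: start the guide's lab images on distinct
# host ports bound to loopback only. Image names and container ports are the
# guide's; container names and the host ports 8001-8007 are my choice.
# wpscanteam/wpscan is omitted: it is the scanner's CLI image, not a service.

# name        image                    host_port container_port
LAB_APPS='bwapp       raesene/bwapp            8001 80
webgoat71   webgoat/webgoat-7.1      8002 8080
webgoat80   webgoat/webgoat-8.0      8003 8080
dvwa        vulnerables/web-dvwa     8004 80
mutillidae  r00t-3xp10it/mutillidae  8005 80
juiceshop   bkimminich/juice-shop    8006 3000
ninjas      opendns/securityninjas   8007 8080'

# Build the docker run command for one app. Publishing on 127.0.0.1 rather
# than the default 0.0.0.0 keeps an exploitable-by-design app off the LAN;
# --rm removes the container on stop so no vulnerable state lingers.
lab_run_cmd() {   # args: name image host_port container_port
  printf 'docker run -d --rm --name %s -p 127.0.0.1:%s:%s %s\n' "$1" "$3" "$4" "$2"
}

# Host ports from LAB_APPS as one space-separated line.
lab_host_ports() {
  printf '%s\n' "$LAB_APPS" | awk '{ printf "%s%s", sep, $3; sep = " " }'
}

# Succeed only if no host port appears twice: two containers cannot bind the
# same host port, which is what the guide's repeated -p 80:80 would attempt.
ports_unique() {
  dup=$(printf '%s\n' $1 | sort | uniq -d)   # $1 unquoted on purpose: split on whitespace
  [ -z "$dup" ]
}

# Poll loopback port $1 for up to $2 seconds until something answers HTTP
# (any status code counts; we only want to know the app is serving).
wait_for_http() {
  i=0
  while [ "$i" -lt "$2" ]; do
    curl -s -o /dev/null "http://127.0.0.1:$1/" && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}

# Dry run by default (prints the commands); --launch executes them and needs
# a running Docker daemon with the images pulled.
main() {
  ports=$(lab_host_ports)
  if ! ports_unique "$ports"; then
    echo "duplicate host port in LAB_APPS: $ports" >&2
    return 1
  fi
  printf '%s\n' "$LAB_APPS" | while read -r name image host ctr; do
    cmd=$(lab_run_cmd "$name" "$image" "$host" "$ctr")
    echo "$cmd"
    if [ "${1:-}" = "--launch" ]; then
      eval "$cmd" >/dev/null
      if wait_for_http "$host" 90; then
        echo "  http://127.0.0.1:$host/ is up"
      else
        echo "  $name not answering after 90s; inspect with: docker logs $name"
      fi
    fi
  done
}

main "$@"
```

Run it with no arguments to review the commands, and with --launch to start the containers. The WebGoat images still expect the /WebGoat/ path from the guide, so after launch they are at http://127.0.0.1:8002/WebGoat/ and http://127.0.0.1:8003/WebGoat/. The loopback binding is the point of the exercise: these applications are exploitable by design, and published on 0.0.0.0 as -p 80:80 does, anyone on the same network segment can reach them.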

Docker Workflow Diagram

                +------------------------+
                |  Pull Docker Image     |
                +------------------------+
                            |
                            v
                +------------------------+
                |  Run Docker Container  |
                +------------------------+
                            |
                            v
                +------------------------+
                |  Expose Web Ports      |
                +------------------------+
                            |
                            v
                +------------------------+
                |  Access Application    |
                +------------------------+
                            |
                            v
                +------------------------+
                |  Perform Pen Testing   |
                +------------------------+
                            |
                            v
                +------------------------+
                |  Analyze Results       |
                +------------------------+

Interface Management Workflow

  1. User Interface - Use a browser as the user interface to interact with the web applications and simulate attack scenarios.

  2. Docker Container - The backend provides a sandbox environment where security testing can be conducted.

  3. Application Services - Docker containers provide services like databases and web servers, which can be tested for security vulnerabilities.

  4. Logging and Reports - Application logs and security alerts are recorded for analysis.

  5. Security Feedback Loop - A review of the vulnerabilities that were found during testing is conducted, and remediation is suggested or done.
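As an added example of what the "Logging and Reports" and "Analyze Results" steps look like in practice (this is not part of the original guide), the script below performs a first-pass triage of a lab container's web access log: it decodes percent-encoding, tags each request whose target carries a SQL injection or cross-site scripting marker, and counts hits per client address. The log lines are a constructed sample in Apache common log format; the addresses, paths and timestamps are made up. Against a real container, the input would be `docker logs <name>` when the image sends its access log to stdout, or the server's log file read out of the container otherwise.

```shell
#!/bin/sh
# Added example, not from the guide: first-pass triage of a lab container's
# web access log. Input is one request per line in Apache common log format
# (e.g. `docker logs <name>` when the image sends its access log to stdout).

# Constructed sample: addresses, paths and timestamps are made up.
SAMPLE_LOG='172.17.0.1 - - [13/Apr/2025:22:44:01 +0000] "GET /search.php?q=apples HTTP/1.1" 200 4123
172.17.0.1 - - [13/Apr/2025:22:44:05 +0000] "GET /search.php?q=1%27+OR+%271%27%3D%271 HTTP/1.1" 200 5210
172.17.0.1 - - [13/Apr/2025:22:44:09 +0000] "GET /search.php?q=1%27+UNION+SELECT+1%2C2%23 HTTP/1.1" 200 6001
172.17.0.1 - - [13/Apr/2025:22:44:15 +0000] "GET /comment.php?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 3990
172.17.0.1 - - [13/Apr/2025:22:44:20 +0000] "GET /css/main.css HTTP/1.1" 200 5134
172.17.0.2 - - [13/Apr/2025:22:45:02 +0000] "POST /login.php HTTP/1.1" 302 0'

# Tag each request whose target carries an injection marker. Percent-encoding
# and '+' are decoded first so encoded and plain payloads hit the same rules.
# Output: "<tag> <client> <request target>", then one "summary <tag>=<n>" per tag.
triage_log() {
  awk -v sq="'" '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    function urldecode(s,    out, code) {
      out = ""
      while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
        code = hexval(substr(s, RSTART + 1, 1)) * 16 + hexval(substr(s, RSTART + 2, 1))
        out = out substr(s, 1, RSTART - 1) sprintf("%c", code)
        s = substr(s, RSTART + 3)
      }
      return out s
    }
    BEGIN {
      # a quote followed by a boolean clause, or a UNION SELECT
      sqli_re = "(" sq "|\")[ ]*(or|and)[ ]+[^ ]+[ ]*=|union[ ]+select"
      # an inline script tag, a javascript: URL, or an event-handler attribute
      xss_re  = "<script|javascript:|on(error|load|mouseover)[ ]*="
    }
    {
      target = $7                        # request target is field 7 of common log format
      q = tolower(urldecode(target)); gsub(/\+/, " ", q)
      tag = ""
      if (q ~ sqli_re) tag = "sqli"
      else if (q ~ xss_re) tag = "xss"
      if (tag != "") { hits[tag]++; print tag, $1, target }
    }
    END { for (t in hits) printf "summary %s=%d\n", t, hits[t] }
  '
}

# Tagged requests per client address: the figure a report or an alert
# threshold would be built on.
hits_per_client() {
  triage_log | awk '$1 != "summary" { n[$2]++ } END { for (c in n) print c, n[c] }' | sort
}

# Stand-alone run: triage the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage_log
```

The two rule sets are deliberately narrow: in a lab every tagged line should correspond to a test the tester remembers running, which makes this a good way to check that the exercises actually reached the application and that nobody else was hitting it at the same time. The same pipeline works on any container whose web server logs in common or combined format, since only the client and request-target fields are used.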

This tutorial has provided detailed, step-by-step installation and usage instructions for a number of vulnerable web applications running in Docker containers. These applications are intended for teaching and testing web application security, allowing security professionals, developers, and beginners to practice identifying vulnerabilities and to learn the appropriate mitigation techniques.

By isolating each application in its own Docker container, you can test and analyze its security vulnerabilities without compromising your local machine or network. Use this guide to hone your web security and penetration testing skills hands-on.

Author: MR Gh0st (CifSec)