Vulnerable Lab Setup Guide

This guide explains how to deploy commonly used intentionally vulnerable applications for security testing and training. These applications can be used to practice vulnerability scanning, penetration testing, and security analysis.

The following labs are covered:

  • DVWA (Damn Vulnerable Web Application)
  • OWASP Juice Shop
  • VAmPI (Vulnerable API)
  • OWASP crAPI (Completely Ridiculous API)

Prerequisites

Before running the labs, ensure the following are installed:

  • Docker
  • Docker Compose (the docker compose plugin invoked by the commands below)

Verify installation:

docker --version
docker compose version

DVWA (Damn Vulnerable Web Application)

DVWA is a PHP/MySQL web application designed to be vulnerable. It is commonly used to practice web application security testing techniques.

Setup

Clone the repository:

git clone https://github.com/digininja/DVWA.git
cd DVWA

Start the application using Docker:

docker compose up -d

Access the Application

Open the application in your browser:

http://localhost:4280/login.php

Default credentials may vary depending on the deployment configuration.

OWASP Juice Shop

OWASP Juice Shop is a modern vulnerable web application built using Node.js. It contains a wide variety of security flaws and is widely used in security training and CTF challenges.

Run with Docker

Start the Juice Shop container:

docker run -d -p 3000:3000 bkimminich/juice-shop

Alternatively, if host port 3000 is already in use, map a different host port (here 3002) to the container's port 3000:

docker run -d -p 3002:3000 bkimminich/juice-shop
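A caveat for every docker run and docker compose command in this guide: a mapping such as -p 3000:3000 publishes the port on all network interfaces of the host, so the intentionally vulnerable lab becomes reachable from the whole LAN, not just from your browser. Binding to loopback with -p 127.0.0.1:3000:3000 keeps it local. The shell function below is an added example, not part of the original guide or of Juice Shop: it parses the Ports column of docker ps and lists every published port that is not bound to loopback. It assumes the listing format produced by docker ps --format '{{.Names}}\t{{.Ports}}'; the three-line listing embedded in the block is constructed sample data.

```shell
# Added example, not from the original guide: report lab containers whose
# published ports are bound to all interfaces instead of loopback.
# Assumed input format: one container per line, as produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

# Print "name<TAB>host-port" for every published port that is not bound to
# 127.0.0.1 or [::1]; duplicates (IPv4 and IPv6 wildcard) are collapsed.
exposed_ports() {
    # $1: the docker ps listing as a single string
    printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r name ports; do
        [ -n "$name" ] || continue
        # Ports column looks like "0.0.0.0:3000->3000/tcp, [::]:3000->3000/tcp"
        (
            IFS=','
            for mapping in $ports; do
                mapping=${mapping# }        # drop the space after the comma
                host=${mapping%%->*}        # "0.0.0.0:3000" or "[::]:3000"
                case "$host" in
                    127.0.0.1:*|"[::1]:"*) ;;            # loopback only: fine
                    *:*) printf '%s\t%s\n' "$name" "${host##*:}" ;;
                esac
            done
        )
    done | sort -u
}

# Run the check against the live Docker daemon, if one is available.
check_running_labs() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 1; }
    exposed_ports "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
}

# Constructed sample listing: juice-shop and vampi are exposed on all
# interfaces, dvwa is bound to loopback.
SAMPLE_PORTS=$(printf 'juice-shop\t0.0.0.0:3000->3000/tcp, [::]:3000->3000/tcp\ndvwa\t127.0.0.1:4280->4280/tcp\nvampi\t0.0.0.0:5000->5000/tcp')

exposed_ports "$SAMPLE_PORTS"
```

On a host with Docker, call check_running_labs after starting the labs; any line it prints names a container that should be restarted with a 127.0.0.1-prefixed port mapping (or, for the compose-based labs, with the host IP added to the ports entry in the compose file).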

Access the Application

http://localhost:3000

If you used the alternative port mapping above, substitute port 3002.

Default Credentials

Username: admin@juice-sh.op
Password: admin123

VAmPI (Vulnerable API)

VAmPI is an intentionally vulnerable API designed for practicing API security testing. It includes common API vulnerabilities such as authentication issues and improper access controls.

Option 1 – Run with Docker Image

Pull the Docker image:

sudo docker pull erev0s/vampi

Run the container (this command stays in the foreground; add -d, as in the other sections, to run it in the background):

sudo docker run -p 5000:5000 erev0s/vampi:latest

Option 2 – Run from Source

Clone the repository:

git clone https://github.com/erev0s/VAmPI

Navigate to the directory:

cd VAmPI

Start the application:

sudo docker compose up -d

Access the API

http://localhost:5000

OWASP crAPI (Completely Ridiculous API)

crAPI is a purposely vulnerable API platform designed to teach modern API security vulnerabilities such as broken object level authorization and improper authentication.

Setup

Download the project archive:

curl -L -o /tmp/crapi.zip https://github.com/OWASP/crAPI/archive/refs/heads/main.zip

Extract the archive:

unzip /tmp/crapi.zip

Navigate to the deployment directory:

cd crAPI-main/deploy/docker

Pull required Docker images:

docker compose pull

Start the environment:

docker compose -f docker-compose.yml --compatibility up -d

Access the Application

After startup, the application will be accessible through the ports configured in the Docker deployment. The main web interface is typically available at:

http://localhost

Stopping the Lab Environments

List the running containers and stop one by its ID:

docker ps
docker stop <container_id>

Or, for labs started with Docker Compose, stop and remove the services from the directory that holds the compose file:

docker compose down
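Stopping containers one ID at a time, or one compose project at a time, is easy to get wrong once several labs are running side by side. The following script is an added example, not part of the original guide or of any of the lab projects: it picks out every running container whose image name contains one of the lab names used in this guide and stops them in one go. It assumes the listing format produced by docker ps --format '{{.ID}}\t{{.Image}}' and that the lab images carry the names dvwa, juice-shop, vampi and crapi somewhere in their image reference (true for bkimminich/juice-shop and erev0s/vampi, which appear above; assumed for the DVWA and crAPI compose images). The five-line listing embedded in the block is constructed sample data.

```shell
# Added example, not from the original guide: stop every running container
# that was started from one of the lab images covered above.
# Assumed input format: one container per line, as produced by
#   docker ps --format '{{.ID}}\t{{.Image}}'

# Substrings that identify a lab image (assumption: the DVWA and crAPI
# compose images contain "dvwa" and "crapi" in their image reference).
LAB_IMAGES="dvwa juice-shop vampi crapi"

# Print the ID of every container whose image name matches a lab image,
# preserving the order of the listing.
lab_container_ids() {
    # $1: the docker ps listing as a single string
    printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r id image; do
        [ -n "$id" ] || continue
        lower=$(printf '%s' "$image" | tr 'A-Z' 'a-z')
        for lab in $LAB_IMAGES; do
            case "$lower" in
                *"$lab"*) printf '%s\n' "$id"; break ;;
            esac
        done
    done
}

# Stop all lab containers on the live Docker daemon, if one is available.
stop_labs() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 1; }
    ids=$(lab_container_ids "$(docker ps --format '{{.ID}}\t{{.Image}}')")
    [ -n "$ids" ] || { echo "no lab containers running"; return 0; }
    # $ids is deliberately unquoted so each ID becomes a separate argument
    docker stop $ids
}

# Constructed sample listing: four lab containers plus an unrelated nginx
# container that must be left alone.
SAMPLE_CONTAINERS=$(printf 'a1b2c3d4e5f6\tbkimminich/juice-shop\n0f1e2d3c4b5a\terev0s/vampi:latest\n9988776655aa\tnginx:latest\n1122334455cc\tghcr.io/digininja/dvwa:latest\nabcdef012345\tcrapi/crapi-web:latest')

lab_container_ids "$SAMPLE_CONTAINERS"
```

Run stop_labs on the host where the labs were started; containers created by docker compose are stopped as well, but their networks and volumes remain until docker compose down is run in the respective project directory.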