This repository contains a collection of precompiled, ready-to-go vulnerable apps. All you need is to run docker compose up and you have a vulnerable environment ready to be exploited.
Just specify the file under apps/ you want to run and execute the following command:
```bash
# Syntax:
docker compose -f <docker-compose-file> up -d
```

Examples:

```bash
docker compose -f apps/docker-compose-crapi.yml up
docker compose -f apps/docker-compose-crawlmaze.yml up
docker compose -f apps/docker-compose-dvcsharp-api.yml up
docker compose -f apps/docker-compose-dvna.yml up
docker compose -f apps/docker-compose-dvpwa.yml up
docker compose -f apps/docker-compose-dvwa.yml up
docker compose -f apps/docker-compose-dvws-node.yml up
docker compose -f apps/docker-compose-govwa.yml up
docker compose -f apps/docker-compose-javaspringvulny.yml up
docker compose -f apps/docker-compose-juice-shop.yml up
docker compose -f apps/docker-compose-log4shell.yml up
docker compose -f apps/docker-compose-nodejs-goof.yml up
docker compose -f apps/docker-compose-railsgoat.yml up
docker compose -f apps/docker-compose-simple-ssrf.yml up
docker compose -f apps/docker-compose-ssti.yml up
docker compose -f apps/docker-compose-tiredful-api.yml up
docker compose -f apps/docker-compose-vampi.yml up
docker compose -f apps/docker-compose-vuln-django-play.yml up
docker compose -f apps/docker-compose-vuln-node-express.yml up
docker compose -f apps/docker-compose-vulnerable-flask-app.yml up
docker compose -f apps/docker-compose-vulnerableapp.yml up
docker compose -f apps/docker-compose-vulnlab.yml up
docker compose -f apps/docker-compose-webgoat.yml up
docker compose -f apps/docker-compose-xxelab.yml up
```

| Application | Languages/Frameworks | Command | URL | Credentials | Note |
|---|---|---|---|---|---|
| Crawl Maze by Google Security | Python (Flask) | docker compose -f apps/docker-compose-crawl-maze.yml up | http://localhost:80 | None | Not vulnerable |
| log4shell-vulnerable-app | Java (Spring) | docker compose -f apps/docker-compose-log4shell.yml up | http://localhost:8080 | None | |
| nodejs-goof | JavaScript (Express) | docker compose -f apps/docker-compose-nodejs-goof.yml up | http://localhost:3001 | None | |
| simple-ssrf | Python (Flask) | docker compose -f apps/docker-compose-simple-ssrf.yml up | http://localhost:8000 | None | |
| SSTI websites | Go (net/http); Java (Spring); JavaScript (Express, Vue); PHP; Python (Flask, Tornado, Django) | docker compose -f apps/docker-compose-ssti.yml up | http://localhost:4000 | None | |
| Tiredful-API | Python (Django REST Framework) | docker compose -f apps/docker-compose-tiredful-api.yml up | http://localhost:8000 | None | |
| Vulnerable Polls App | Python (Django) | docker compose -f apps/docker-compose-vuln-django-play.yml up | http://localhost:8020 | None | |
| vuln_node_express | JavaScript (Express) | docker compose -f apps/docker-compose-vuln-node-express.yml up | http://localhost:3000 | None | XSS |
| VulnerableCoreApp | C# (.NET) | docker compose -f apps/docker-compose-vulnerable-core-app.yml up | http://localhost:5000 | None | |
| VulnerableApp | Java (Spring) | docker compose -f apps/docker-compose-vulnerableapp.yml up | http://localhost:80 | None | |
| VulnLab | PHP | docker compose -f apps/docker-compose-vulnlab.yml up | http://localhost:1337 | None | |

| Application | Languages/Frameworks | Command | URL | Credentials |
|---|---|---|---|---|
| crAPI | Go (net/http); Java (Spring); JavaScript (React); Python (Django REST Framework) | docker compose -f apps/docker-compose-crapi.yml up | http://localhost:8888 | admin@mail.com: adminA1! |
| DVWA - Damn Vulnerable Web App | PHP | docker compose -f apps/docker-compose-dvwa.yml up | http://localhost:4280 | superadmin: superadmin |
| DVPWA - Damn Vulnerable Python Web App | Python (aiohttp) | docker compose -f apps/docker-compose-dvpwa.yml up | http://localhost:8080 | admin: letmein |
| Javaspringvulny | Java (Spring) | docker compose -f apps/docker-compose-javaspringvulny.yml up | https://localhost:9000 | username: password |
| juice-shop by OWASP | JavaScript (Express, Angular) | docker compose -f apps/docker-compose-juice-shop.yml up | http://localhost:3000 | admin@juice-sh.op: admin123 |
| Pixi by OWASP DevSlop | JavaScript (Express) | docker compose -f apps/docker-compose-pixi.yml up | http://localhost:8000 (web); http://localhost:8888 (API) | pixiadmin: adminpixi |
| railsgoat | Ruby (Rails) | docker compose -f apps/docker-compose-railsgoat.yml up | http://localhost:3000 | admin@metacorp.com: admin1234 |

| Application | Languages/Frameworks | Command | URL | Credentials |
|---|---|---|---|---|
| brokencrystals | JavaScript | docker compose -f apps/docker-compose-brokencrystals.yml up | http://localhost:3000 | walter100: Heisenberg123 |
| dvcsharp-api | C# (ASP.NET Core) | docker compose -f apps/docker-compose-dvcsharp-api.yml up | http://localhost:5000 | Requires API registration |
| DVNA - Damn Vulnerable NodeJS | JavaScript (Express) | docker compose -f apps/docker-compose-dvna.yml up | http://localhost:9090 | Requires registration |
| DVWS Node | JavaScript (Express, GraphQL) | docker compose -f apps/docker-compose-dvws-node.yml up | http://localhost:80 (web); http://localhost:4000 (GraphQL) | Requires registration |
| GoVWA - Go Vulnerable Web App | Go (gin) | docker compose -f apps/docker-compose-govwa.yml up | http://localhost:8888 | admin: govwaadmin; user1: govwauser1. Requires DB initialization |
| VAmPI - Vulnerable REST API | Python (Flask) | docker compose -f apps/docker-compose-vampi.yml up | http://localhost:5002 | Requires API registration |
| Vulnerable-Flask-App | Python (Flask) | docker compose -f apps/docker-compose-vulnerable-flask-app.yml up | http://localhost:5050 | Requires API registration |
| xxelab | PHP | docker compose -f apps/docker-compose-xxelab.yml up | http://localhost:5000 | Requires registration |
| WebGoat | Java (Spring) | docker compose -f apps/docker-compose-webgoat.yml up | http://localhost:8080/WebGoat | Requires registration |