
Deploying Vulnerable Applications

Jason J. Boderebe

Once your lab is running, you need targets. Intentionally vulnerable applications let you practice real attacks without breaking laws or touching systems you do not own. I keep a handful of these running in my lab at all times.

The ones I actually use

DVWA (Damn Vulnerable Web Application)

DVWA is a PHP/MySQL app with adjustable difficulty levels. I use it to practice SQL injection, XSS, and CSRF. It is old-school, but the fundamentals still matter.

Easiest way to run it:

docker run --rm -it -p 80:80 vulnerables/web-dvwa

Default login: admin / password. Start on Low security and work your way up.

OWASP Juice Shop

This one is more modern — a full e-commerce site built with Node.js and Angular. It has over 100 challenges ranging from trivial to painful. I have spent hours on some of the harder ones.

docker run --rm -p 3000:3000 bkimminich/juice-shop

Browse to http://localhost:3000 and start poking around. The scoreboard is at http://localhost:3000/#/score-board.

Metasploitable 2

This is a full vulnerable Linux VM with a ton of old, broken services. SSH is wide open, there is a vulnerable FTP server, an unpatched Samba instance, and more. Good for practicing Metasploit and understanding how service exploitation works.

Download the VM from SourceForge, import it into your hypervisor, and boot it up on an isolated network. Default credentials: msfadmin / msfadmin.

Do not give this thing internet access. Seriously.

WebGoat (if you want structured lessons)

WebGoat is more of a guided tutorial than a playground. It walks you through specific vulnerabilities with lessons and challenges. I used it when I was starting out, but I find myself going back to DVWA and Juice Shop more often now.

docker run -p 8080:8080 webgoat/webgoat

Deployment strategies

Docker is the fastest way to spin things up and tear them down. One command, and you have a vulnerable app running. When you are done, kill the container and it is gone. No mess.

Full VMs are better if you want persistent storage, need to install additional tools, or want to practice post-exploitation techniques like privilege escalation and lateral movement. I keep a few Ubuntu VMs with DVWA and Juice Shop installed directly.

Snapshots matter. Before you start testing, snapshot your vulnerable VMs. If you break something or want a clean slate, roll back.

Keep your lab isolated

I run my vulnerable apps on an internal-only network with no internet access and no route to my home network. In VirtualBox, that is an “Internal Network.” In VMware, it is a custom virtual network with no NAT or bridging. In Proxmox, I use a dedicated bridge with no gateway.

If you mess up and accidentally expose one of these to the internet, it will get compromised in minutes. Do not ask me how I know.
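Docker's `-p 80:80` form publishes the port on every interface of the Docker host, so a container started that way is reachable from whatever network the host sits on. The check below is an added example, not part of the original tutorial: it reads `docker ps` output and lists every port published on a non-loopback address. The function name `find_exposed` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag lab containers whose ports are published beyond loopback.
# Input format (one container per line, tab-separated), as produced by:
#   docker ps --format '{{.Names}}\t{{.Image}}\t{{.Ports}}'

# find_exposed (illustrative name): print name, image and binding for every
# port published on an address other than 127.0.0.0/8 or ::1.
find_exposed() {
    awk -F '\t' '
    {
        n = split($3, parts, /, */)
        for (i = 1; i <= n; i++) {
            p = parts[i]
            if (p !~ /->/) continue          # exposed only, never published
            addr = p
            sub(/->.*/, "", addr)            # keep the host side: addr:port
            sub(/:[0-9-]+$/, "", addr)       # drop the host port or port range
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") continue
            printf "%s\t%s\t%s\n", $1, $2, p
        }
    }'
}

# Constructed sample of docker ps output (not captured from a real host).
SAMPLE=$(printf '%s\t%s\t%s\n' \
    dvwa    vulnerables/web-dvwa   '0.0.0.0:80->80/tcp, :::80->80/tcp, 3306/tcp' \
    juice   bkimminich/juice-shop  '127.0.0.1:3000->3000/tcp' \
    webgoat webgoat/webgoat        '0.0.0.0:8080->8080/tcp')

echo "Published on non-loopback addresses:"
printf '%s\n' "$SAMPLE" | find_exposed

# Live use:
#   docker ps --format '{{.Names}}\t{{.Image}}\t{{.Ports}}' | find_exposed
# Loopback-only publish for Juice Shop:
#   docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop
```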

What I test

  • SQL injection — DVWA and Juice Shop both have good examples
  • XSS (reflected and stored) — DVWA, Juice Shop, WebGoat
  • CSRF — DVWA has clean demos
  • Authentication bypass — Juice Shop has multiple methods
  • File upload exploits — DVWA and custom vulnerable apps I built
  • Command injection — Metasploitable and DVWA

I also use these apps to test new tools. When I pick up a new scanner or fuzzer, I run it against DVWA or Juice Shop first to see how it behaves.

Where to find more

  • VulnHub — downloadable vulnerable VMs
  • HackTheBox — online vulnerable machines (some require VPN)
  • TryHackMe — guided rooms and challenges
