Vulnerable Containers
Setting up a full lab to attack
Here is a curated list of vulnerable Docker containers to hone your skills.
- Web Application Vulnerable Containers
  - DVWA – Damn Vulnerable Web App (PHP/MySQL).
  - bWAPP – Buggy Web Application, covers 100+ web vulnerabilities.
  - Mutillidae II – OWASP Top 10 training target, lots of exercises.
  - OWASP Juice Shop – Modern vulnerable app built on Node.js/Angular; includes gamified challenges.
  - WebGoat (OWASP) – Java-based app with lessons for OWASP Top 10.
  - Vulnerable WordPress / WPScan Test Environment – Broken/outdated WordPress installs with plugins/themes to exploit.
  - AltoroJ – Insecure banking site demo app.
- API and Microservices Targets
  - VAPI (Vulnerable API) – REST API vulnerabilities.
  - DVGA (Damn Vulnerable GraphQL Application) – Learn GraphQL exploitation.
  - OWASP crAPI – Completely Ridiculous API, simulates a real-world API-driven environment.
- OS / Full Stack Environments
  - Vulhub – Pre-built Docker Compose vulnerable services (Apache Struts, Drupal, Redis, etc.).
- Cloud & Containers
  - DVGA + k8s Goat – For container/Kubernetes security practice.
- Specialized Labs
  - XVWA (Xtreme Vulnerable Web App) – For advanced web attacks.
  - Hackazon (this project is archived) – Simulated online store vulnerable to SQLi, XSS, etc.
  - Vulnerable Joomla – Old Joomla installs with known CVEs.
This post is licensed under CC BY 4.0 by the author.