Listen to this Post

Introduction:
Docker revolutionizes web application penetration testing by enabling security professionals to spin up isolated, vulnerable environments in seconds without cluttering their host systems. This guide walks you through deploying a comprehensive pentesting laboratory featuring 15+ deliberately flawed applications—from SQLi-Labs to OWASP Juice Shop—all containerized for safe, repeatable exploitation practice.
Learning Objectives:
- Set up Docker and Docker-Compose on Linux/Windows to host multiple vulnerable web apps
- Deploy and interact with DVWA, bWAPP, Mutillidae II, and GraphQL/REST API targets
- Practice attack techniques including SQL injection, SSRF, broken authentication, and cryptographic flaws
1. Installing Docker & Docker-Compose: The Foundation
Begin by installing the container runtime that will isolate your attack lab from your production environment.
Linux (Ubuntu/Debian):
sudo apt update sudo apt install docker.io docker-compose -y sudo systemctl enable docker --now sudo usermod -aG docker $USER Log out and back in to apply
Windows (PowerShell as Admin):
Install Chocolatey first, then: choco install docker-desktop -y Or download from https://docker.com/products/docker-desktop
Verify installation:
docker --version docker-compose --version
Step-by-step explanation:
Docker runs each vulnerable app in its own lightweight container, preventing cross-contamination and system compromise. The `docker-compose` tool lets you define and run multi-container setups using a single YAML file—ideal for spinning up entire lab environments with one command.
- Deploying DVWA and SQLi-Labs – Classic Attack Surfaces
DVWA (Damn Vulnerable Web Application) teaches brute-force, command injection, and file inclusion. SQLi-Labs provides 75+ SQL injection challenges.
Pull and run DVWA:
docker pull vulnerables/web-dvwa docker run -d -p 8080:80 vulnerables/web-dvwa Access http://localhost:8080 (login: admin/password)
Run SQLi-Labs (MySQL + PHP):
docker pull acgpiano/sqli-labs docker run -d -p 8081:80 acgpiano/sqli-labs Navigate to http://localhost:8081 and click "Setup/reset Database"
Practice SQL injection manually:
Target: `http://localhost:8081/Less-1/?id=1’`
Test for error-based injection: `1′ AND 1=1 — -`
Extract database version: `1′ UNION SELECT 1,version(),3 — -`
Windows alternative: Use same Docker commands; Docker Desktop manages port bindings.
- Setting Up OWASP Juice Shop & WebGoat – Modern Web & API Testing
Juice Shop mimics an e-commerce site with 100+ challenges (JWT tampering, XSS, NoSQL injection). WebGoat teaches server-side attacks.
Juice Shop:
docker pull bkimminich/juice-shop docker run -d -p 3000:3000 bkimminich/juice-shop Browse http://localhost:3000
WebGoat (includes WebWolf for file uploads):
docker pull webgoat/goatandwolf docker run -d -p 8080:8080 -p 9090:9090 webgoat/goatandwolf WebGoat: http://localhost:8080/WebGoat (guest/guest)
Hands-on: Broken JWT attack
Use `https://jwt.io` or `hashcat` to crack weak secrets. Extract token from Juice Shop’s login response, then modify payload to escalate privilege to admin.
- API Security: Damn Vulnerable GraphQL & REST API
Modern apps rely heavily on APIs; misconfigurations can leak sensitive data. Damn Vulnerable GraphQL App (DVGA) exposes introspection queries; Damn Vulnerable REST API (DVRA) covers rate limiting, IDOR, and mass assignment.
Run DVGA:
docker pull dolevf/damn-vulnerable-graphql-application docker run -d -p 5013:5013 dolevf/damn-vulnerable-graphql-application GraphQL playground at http://localhost:5013/graphql
Exploit introspection:
Send query:
{ __schema { types { name fields { name } } } }
This dumps all available queries and mutations, including a hidden `debug` field that returns database credentials.
Run DVRA:
git clone https://github.com/OWASP/DVR-API cd DVR-API docker build -t dvra . docker run -d -p 8082:80 dvra
API security hardening tip: Disable introspection in production, implement strict rate limiting, and validate content-type headers to prevent CSRF-like API attacks.
5. SSRF Lab and Cloud Hardening Concepts
Server-Side Request Forgery (SSRF) allows attackers to make the vulnerable server request internal resources. The SSRF Lab container simulates AWS metadata endpoints.
Deploy SSRF Lab:
docker pull inmyshow/ssrf-lab docker run -d -p 8083:80 inmyshow/ssrf-lab Access http://localhost:8083
Exploit sequence:
The lab has a “fetch URL” feature. Enter `http://169.254.169.254/latest/meta-data/` to retrieve cloud instance metadata (IAM roles, user-data).
Mitigation: Block metadata endpoints via network policies, validate URL schemas, and use allowlists for external domains.
Linux command to test for open redirect (often paired with SSRF):
curl -v "http://localhost:8083/fetch?url=http://169.254.169.254/latest/meta-data/"
Windows (PowerShell):
Invoke-WebRequest -Uri "http://localhost:8083/fetch?url=http://169.254.169.254/latest/meta-data/"
6. Docker-Compose Orchestration – Run 10+ Apps Simultaneously
Create a `docker-compose.yml` to launch multiple targets at once. Save this file:
version: '3.8' services: dvwa: image: vulnerables/web-dvwa ports: ["8080:80"] sqli-labs: image: acgpiano/sqli-labs ports: ["8081:80"] juice-shop: image: bkimminich/juice-shop ports: ["3000:3000"] webgoat: image: webgoat/goatandwolf ports: ["8082:8080", "9090:9090"] bWAPP: image: raesene/bwapp ports: ["8084:80"] mutillidae: image: citizenstig/nowasp ports: ["8085:80"] wrongsecrets: image: owasp/wrongsecrets ports: ["8086:8080"]
Start the entire lab:
docker-compose up -d docker-compose ps Check running containers docker-compose logs -f Stream logs
Stop and clean:
docker-compose down docker system prune -a Remove unused images
7. Security Considerations & Mitigation Playbook
While practicing, also learn how to defend. Here are critical hardening commands and checks for real-world Docker deployments.
Docker security audit (Linux):
Check for privileged containers
docker ps --quiet | xargs docker inspect --format '{{.Name}}: Privileged={{.HostConfig.Privileged}}'
List exposed ports
docker ps --format "table {{.Names}}\t{{.Ports}}"
Run a vulnerability scanner on your host (Clair, Trivy)
trivy image bkimminich/juice-shop
Windows PowerShell equivalent:
docker ps -q | ForEach-Object { docker inspect $_ --format '{{.Name}}: Privileged={{.HostConfig.Privileged}}' }
Mitigation checklist:
- Use `–cap-drop=ALL` and `–cap-add=NET_ADMIN` only when needed
- Never run containers as root (use `–user` flag)
- Set resource limits: `–memory=”512m” –cpus=”0.5″`
– Scan images before deployment with `docker scan` (Snyk integration)
Example of a secure run command:
docker run -d --cap-drop=ALL --read-only --tmpfs /tmp:rw,noexec,nosuid -p 3000:3000 bkimminich/juice-shop
What Undercode Say:
- Docker eliminates environment drift – what you break in a container won’t touch your host OS, making post-engagement cleanup trivial.
- Modern pentesting demands API coverage – GraphQL and REST containers expose risks like introspection leaks and mass assignment that traditional web scanners miss.
- SSRF is the cloud’s blind spot – practicing on metadata endpoints (like the 169.254.169.254 lab) reveals how a single misconfigured fetch can compromise entire AWS accounts.
- Orchestration saves time – a single `docker-compose up` replaces hours of manual VM setup, letting red teams focus on exploitation rather than installation.
- Defenders must think in containers too – the same commands that launch labs can audit production environments for privilege escalation and exposed secrets.
Analysis: The shift to containerized labs mirrors real-world DevOps. Attackers now target misconfigured Docker sockets, exposed APIs, and SSRF vectors. By building this lab, you’re not just learning web app flaws—you’re rehearsing cloud-native attack paths. Every command shown here (from `docker inspect` to GraphQL introspection) is a valid red-team technique. Conversely, the mitigation steps (cap-drop, read-only filesystems) are blue-team essentials. This bidirectional knowledge is what separates junior testers from senior security engineers.
Prediction:
By 2028, over 70% of web application pentesting will be performed inside ephemeral containers, with AI-assisted attack orchestration running on top of Docker-based labs. API-specific vulnerabilities (GraphQL introspection, REST mass assignment) will overtake traditional SQL injection as the top finding in bug bounties. Red teams that fail to containerize their toolchains will lag behind as cloud-native architectures make legacy VM-based testing obsolete. Expect automated pipelines that spin up a vulnerable app, launch an LLM-driven exploit sequence, and tear down everything—all within minutes.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Web Application – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


