WebVuln-Runner

Docker-based launcher for 15+ vulnerable web app labs (Juice Shop, DVWA, WebGoat, more) with instant start.

Get Started View on GitHub

Key Features

Why use WebVuln-Runner?

TUI Interface

Easy to use Text User Interface (Whiptail) for managing containers directly from your terminal.

Docker Powered

Leverages Docker to spin up isolated vulnerable environments instantly without messing up your host system.

Security Training

Perfect for CTF preparation, security training, and learning about OWASP Top 10 vulnerabilities.

Supported Applications

One-click installation for these vulnerable environments

OWASP Juice Shop
bkimminich/juice-shop

The most modern and sophisticated insecure web application! Covers the entire OWASP Top 10.

Node.js Top 10
DVWA
vulnerables/web-dvwa

Damn Vulnerable Web Application. A PHP/MySQL web application that is damn vulnerable.

PHP Classic
OWASP WebGoat
webgoat/webgoat

A deliberately insecure application that allows interested developers just to test vulnerabilities.

Java Education
bWAPP
raesene/bwapp

A buggy web application. Free and open source. It helps security enthusiasts, researchers and students.

PHP 100+ Vulns
OWASP Mutillidae II
citizenstig/nowasp

A free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.

PHP
VulnLab
yavuzlar/vulnlab

A web vulnerability lab project developed by Yavuzlar. Great for local practice.

Local
XVWA
s4n7h0/xvwa

Xtreme Vulnerable Web Application. A badly coded web application written in PHP/MySQL.

PHP
VAmPI
erev0s/vampi

Vulnerable API. An API with vulnerabilities to learn about API security (OWASP API Top 10).

Python/Flask API
DVNA
appsecco/dvna

Damn Vulnerable NodeJS Application. A simple NodeJS application to demonstrate vulnerabilities.

Node.js
DVGA
dolevf/dvga

Damn Vulnerable GraphQL Application. Learn GraphQL security with this vulnerable app.

Python GraphQL
Hackazon
rapid7/hackazon

A modern vulnerable e-commerce application. Rich with features and vulnerabilities.

PHP E-commerce
Security Shepherd
owasp/security-shepherd

A web and mobile application security training platform by OWASP.

Java Training
OWASP Benchmark
owasp/benchmark

A test suite designed to verify the speed and accuracy of vulnerability detection tools.

Java Tooling
DVWS
snoopysecurity/dvws

Damn Vulnerable Web Services. Practice exploiting web services and APIs.

PHP API
DSVPWA
sgabe/dsvpwa

Damn Simple Vulnerable Python Web Application. Simple and educational.

Python

Installation & Usage

Get up and running in seconds on any Linux system with Docker installed.

Note: You must run these commands as root.
Debian / Ubuntu / Kali
sudo su
wget -O - https://raw.githubusercontent.com/yusufarbc/webvuln-runner/main/installers/debian/install.sh | bash;
WebVuln-Runner
RedHat / Fedora
sudo su
wget -O - https://raw.githubusercontent.com/yusufarbc/webvuln-runner/main/installers/redhat/install.sh | bash;
WebVuln-Runner
Arch Linux
sudo su
wget -O - https://raw.githubusercontent.com/yusufarbc/webvuln-runner/main/installers/arch/install.sh | bash;
WebVuln-Runner
WebVuln-Runner Interface