A modular, dockerized vulnerable environment designed for hands-on learning, teaching, and demonstrating web & API security vulnerabilities — including SQL injection, authentication flaws, insecure file handling, and business-logic flaws.
Author: Ajani Taiwo Micheal (AlphaDevelopmental)
Repository: https://github.com/AlphaDevelopmental/security-lab
This repository provides an isolated lab composed of multiple intentionally vulnerable applications. It is intended for educational use, CTF practice, and defensive security training in a controlled environment.
Key goals:
- Safe, local practice environment for offensive & defensive exercises
- Reproducible deployment via Docker Compose
- Clear lab profiles to start specific subsets of services
- Minimal setup for instructors and students
Ports listed assume default docker-compose.yml bindings. Confirm in file.
- Juice Shop — Modern, full-featured OWASP Top 10 training app. (Port 3000)
- DVWA — Classic PHP-based vulnerable web app for SQLi, XSS, CSRF, file upload. (Port 8082)
- Mutillidae (NOWASP) — Web vulnerability suite. (Port 8083)
- WebGoat / WebWolf — Guided secure coding lessons. (Ports 8080 & 9090)
- VulnBank — Custom Flask banking app for business-logic and auth testing. (Port 5000)
- DVGA / Pixi / DVRA — API / GraphQL & REST vulnerability practice apps
- SSRF Vulnerable App — SSRF training app
- Portainer — Local Docker UI (bound to localhost for security)
Refer to docker-compose.yml for the complete list and optional services.
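Because every service here is intentionally vulnerable, the advice to confirm the port bindings is worth automating. The following is an added example, not code from the repository: it takes the JSON printed by `docker compose config --format json` and lists each published port that is not bound to a loopback address. The sample config is constructed for illustration (its bindings are not copied from the project's docker-compose.yml), and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample, shaped like `docker compose config --format json` output.
# Service names follow the list above; the bindings themselves are illustrative.
SAMPLE = json.loads("""
{"services": {
  "juice-shop": {"ports": [{"target": 3000, "published": "3000", "protocol": "tcp"}]},
  "vulnbank":   {"ports": ["5000:5000"]},
  "portainer":  {"ports": [{"host_ip": "127.0.0.1", "target": 9000, "published": "9000"}]},
  "dvwa":       {"ports": ["127.0.0.1:8082:80/tcp"]},
  "webgoat":    {"ports": ["0.0.0.0:8080:8080", "[::1]:9090:9090"]}
}}
""")


def host_ip_of(port):
    """Return the host address a port entry binds to ('' means all interfaces)."""
    if isinstance(port, dict):                      # long syntax
        return port.get("host_ip", "")
    parts = str(port).split("/")[0].rsplit(":", 2)  # short syntax, protocol stripped
    return parts[0].strip("[]") if len(parts) == 3 else ""


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                              # '' or a non-address value
        return False


def exposed_bindings(config):
    """List (service, port entry) pairs published on a non-loopback address."""
    findings = []
    for name, svc in sorted(config.get("services", {}).items()):
        for port in svc.get("ports", []):
            if not is_loopback(host_ip_of(port)):
                findings.append((name, port))
    return findings


if __name__ == "__main__":
    for service, port in exposed_bindings(SAMPLE):
        print(f"{service}: {port} is published on a non-loopback address")
```

To check a real checkout, replace `SAMPLE` with `json.load(sys.stdin)` and pipe in the output of `docker compose config --format json`.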
- Docker (Engine) — latest stable release
- Docker Compose (v2 recommended)
- Minimum ~4GB RAM available for the lab (more recommended when running all services)
- Clone:
  git clone https://github.com/AlphaDevelopmental/security-lab.git
  cd security-lab