Setting up bWAPP with Docker: quick local security testing

Learn how to set up bWAPP, a deliberately vulnerable web application, using Docker for quick and easy security testing on your local machine.

Introduction

When working with web application security testing, having access to vulnerable applications is essential for practice and skill development. While a dedicated Kali Linux environment offers comprehensive pentesting tools, sometimes we just need a quick environment to practice specific security concepts without the overhead of a full virtual machine.

This guide demonstrates how to deploy bWAPP (buggy web application) using Docker, providing a lightweight alternative that uses fewer system resources than a virtualised environment. This approach is perfect for quick security practice sessions when you have limited time or system resources.

Note

bWAPP is an intentionally vulnerable web application designed for security training. Never expose it to the internet or untrusted networks.

Prerequisites

  • Docker installed on your system
  • Basic familiarity with command-line operations
  • Understanding of web application security concepts

Getting started with bWAPP on Docker

Understanding the Docker image

Before we begin, let's examine what we'll be using:

  • bWAPP: A deliberately vulnerable PHP application designed for security testing
  • Docker image: We'll use the hackersploit/bwapp-docker image, which packages bWAPP with all its dependencies
  • Container ports: The application will run on port 80 inside the container, which we'll map to our local machine

Setting up the environment

The setup process is straightforward and requires just two commands to get a working bWAPP instance.

  1. Pull the Docker image:

    docker pull hackersploit/bwapp-docker
    
  2. Run the container with port mapping:

    docker run -d -p 80:80 hackersploit/bwapp-docker
    

    This command:

    • Creates a detached container (-d flag)
    • Maps port 80 from the container to port 80 on your host machine
    • Uses the hackersploit/bwapp-docker image
  3. Access the installation page in your browser:

    http://127.0.0.1/install.php
    
  4. Complete the installation by clicking the "Install" button on the page

  5. Log in with the default credentials:

    • Username: bee
    • Password: bug

Tip

If port 80 is already in use on your system, you can map to a different port by changing the first number:

    docker run -d -p 8080:80 hackersploit/bwapp-docker

Then access bWAPP at http://127.0.0.1:8080/install.php

Managing your bWAPP container

Viewing running containers

To see your running container:

docker ps

Stopping the container

When you're finished with your testing session, stop the container:

docker stop <container_id>

Replace <container_id> with the ID shown in the docker ps output.

Restarting for future sessions

To restart an existing container:

docker start <container_id>

Common issues and troubleshooting

Database connection errors

If you encounter database connectivity issues, the most common solution is to restart the container:

docker restart <container_id>

Container port conflicts

If you receive an error about port 80 being already in use, choose a different port mapping as shown in the tip above.

Security considerations

Warning

bWAPP is intentionally vulnerable. Always follow these security practices:

  • Never expose the container to the internet
  • Use only for educational purposes
  • Don't use production credentials for testing
  • Consider running in an isolated network
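An added example, not part of the original post: `-p 80:80` names no host address, so Docker publishes the port on all host interfaces, while `-p 127.0.0.1:80:80` restricts it to loopback. The script below checks `docker ps` output for bindings reachable from other hosts; the container names and sample lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit published container ports.
#
# Weak:     docker run -d -p 80:80 hackersploit/bwapp-docker
#           (no host IP given, so Docker publishes on all interfaces)
# Hardened: docker run -d -p 127.0.0.1:80:80 hackersploit/bwapp-docker
#           (published on loopback only)

# Reads "name<TAB>ports" lines, the format produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and prints "name<TAB>binding" for every binding that is not loopback-only.
find_exposed_bindings() {
  awk -F'\t' '
    {
      n = split($2, bindings, ", ")
      for (i = 1; i <= n; i++) {
        # Entries without "->" are exposed inside Docker but not published.
        if (index(bindings[i], "->") == 0) continue
        split(bindings[i], side, "->")
        host = side[1]
        # 127.x.x.x and ::1 are only reachable from this machine.
        if (host ~ /^127\./ || host ~ /^\[::1\]:/ || host ~ /^::1:/) continue
        print $1 "\t" bindings[i]
      }
    }'
}

# Constructed sample input: hypothetical container names and port columns.
SAMPLE_PS_OUTPUT=$(printf '%s\t%s\n' \
  'bwapp_open'  '0.0.0.0:80->80/tcp, :::80->80/tcp' \
  'bwapp_local' '127.0.0.1:8080->80/tcp' \
  'db_internal' '3306/tcp')

# Stand-alone run on the sample; on a real host, pipe docker ps instead:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | find_exposed_bindings
printf '%s\n' "$SAMPLE_PS_OUTPUT" | find_exposed_bindings
```

Any line the function prints is a container reachable from other machines on the network; an empty result means every published port is bound to loopback.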

Alternative vulnerable applications

While bWAPP is an excellent learning tool, you might also consider these alternatives:

  • DVWA (Damn Vulnerable Web Application)
  • OWASP Juice Shop
  • WebGoat

Each offers different vulnerabilities and learning opportunities for security practitioners.

Conclusion

Setting up bWAPP with Docker provides a quick and resource-efficient way to practice web application security testing. This approach allows you to spin up a vulnerable environment in seconds, practice specific techniques, and tear it down when you're done—all without the overhead of a full virtual machine.

Whether you're preparing for a security certification, developing your pentesting skills, or just exploring web vulnerabilities, this containerised approach offers flexibility and convenience for your security testing needs.

title: Quick access to bWAPP on Docker
date: 2022-02-19 22:18
category: code
tags: [bwapp,infosec,pentesting]
slug: bwapp-docker
status: published

Introduction

While we may do most of our tinkering in our dedicated Kali setup, we may just want to access bWAPP on our workstation for a quick refresher when we have a few minutes to kill. For such instances we can just run a quick container that won't demand as many cycles from our CPU as a virtualised Kali environment.

We'll use the image published by the AlexisAhmed/bWAPP-Docker project for this.

Pulling and running the Docker image

  1. Run docker pull hackersploit/bwapp-docker
  2. Run docker run -d -p 80:80 hackersploit/bwapp-docker
  3. Open http://127.0.0.1/install.php in your browser
  4. Happy hacking!
