Docker-based runner providing a TUI and a static web dashboard to launch 15+ vulnerable web app labs (OWASP Juice Shop, DVWA, WebGoat, etc.) in seconds.
It offers both a fast terminal TUI and a modern static web dashboard for managing labs.
- Features
- Educational Concepts
- Quick Start
- Web Interface
- TUI Interface
- Prerequisites
- Installation
- Supported Applications
- Roadmap
- Contributing
- Disclaimer
- License
- Issues
- One-Click Labs: Spin up 15+ vulnerable environments instantly.
- Dual Interface: Whiptail-based TUI plus a static HTML5 dashboard.
- Host Isolation: Keeps your host clean while testing vulnerabilities.
- Extensible Index: Add new labs by editing
src/indexApp.lst. - Minimal Footprint: Only Docker and Whiptail (newt) are required.
- Multi-Distro Support: Debian/Ubuntu/Kali, RedHat/Fedora, Arch.
Use WebVuln-Runner to explore common web security weaknesses (OWASP Top 10, injections, auth flaws, insecure deserialization, API risks) with contained, disposable targets for safe practice.
# Become root (required for installer scripts)
sudo su
# Debian / Ubuntu / Kali
wget -O - https://raw.githubusercontent.com/yusufarbc/webvuln-runner/main/installers/debian/install.sh | bash;
# Run after install
WebVuln-RunnerOpen index.html locally or visit GitHub Pages for the static dashboard.
Launching WebVuln-Runner presents a menu where you can install & start labs, remove containers, or exit. Use arrow keys to navigate; Tab switches buttons.
To exit, choose the Cancel button.
In the Add Container menu each indexed lab appears with a short description. Select any entry to pull and start its container.
The Remove Container menu lists installed labs; select one to stop and delete its container.
After a container starts a confirmation screen is shown. Open http://localhost in your browser to access the lab.
Press Enter and confirm "Yes" to stop the running container.
Requires a running docker daemon and whiptail (newt). Installer scripts detect and install missing dependencies on supported distributions.
Example (run as root):
sudo su
wget -O - https://raw.githubusercontent.com/yusufarbc/webvuln-runner/main/installers/debian/install.sh | bash;
WebVuln-RunnerRun as root:
sudo su
wget -O - https://raw.githubusercontent.com/yusufarbc/webvuln-runner/main/installers/redhat/install.sh | bash;
WebVuln-RunnerRun as root:
sudo su
wget -O - https://raw.githubusercontent.com/yusufarbc/webvuln-runner/main/installers/arch/install.sh | bash;
WebVuln-RunnerCurrently indexed (partial list):
- OWASP Juice Shop
- DVWA (Damn Vulnerable Web Application)
- OWASP WebGoat
- bWAPP
- OWASP Mutillidae II
- VulnLab
- XVWA
- VAmPI
- DVNA
- DVGA
- Hackazon
- Security Shepherd
- OWASP Benchmark
- DVWS
- DSVPWA
Add additional labs by editing src/indexApp.lst and submitting a PR.
- Container health/status indicators in the dashboard
- Optional docker-compose stack launcher
- Automated update checks for lab images
- Multi-port exposure configuration per lab
- Basic usage metrics (start count, last run timestamp)
Contributions are welcome:
- Create a branch:
git checkout -b feature/my-lab - Add a lab entry to
src/indexApp.lstfollowing the existing format - Test locally (installer or direct run)
- Open a Pull Request describing the change
These applications are intentionally vulnerable. Do not expose them to the public internet or run on production infrastructure. Use isolated networks / lab environments.
Released under the GNU General Public License v3.0 (GPL-3.0). See LICENSE for details. Third-party Docker images referenced by this tool maintain their own licenses.
Report bugs or request new labs here: https://github.com/yusufarbc/webvuln-runner/issues
Enjoy learning and practicing web application security!