Skip to content

iMoon07/OWASP-Lab-Toolkit

Repository files navigation

  \__/         \__/         \__/
  (oo)         (o-)         (@@)
 //||\\       //||\\       //||\\
  bug          bug          bug
             winking      hangover

_/ _/ __/ (xx) (--) (OO) //||\ //||\ //||\ dead bug bug bug sleep female

     く__,.ヘヽ.        /  ,ー、 〉
          \ ', !-─‐-i  /  /´
          /`ー'     L//`ヽ、
        /   /,  /|  ,  ,       ',
       イ   / /-‐/  i  L_ ハ ヽ!   i
        レ ヘ 7イ`ト  レ'ァ-ト、!ハ|    |
         !,/7 '0'    ´0iソ|         |
         |.从"    _    ,,,, / |./    |
         レ'| i>.、,,__  _,.イ /   .i   |
          レ'| | / k_7_/レ'ヽ,  ハ.  |
            | |/i 〈|/  i  ,.ヘ |  i  |
           .|/ /  i:   ヘ!    \  |
          kヽ>、ハ   _,.ヘ、   /、!
           !'〈//`T´', \ `'7'ーr'
           レ'ヽL__|___i,___,ンレ|ノ
              ト-,/  |___./
              'ー'    !_,.:

OWASP LAB TOOLKIT v1.1

A simple bash toolkit to deploy a Web Vulnerability Lab on Ubuntu Server. Perfect for beginners and teachers.

OWASP Lab Toolkit Cover

Platform Targets

Developed by iMoon (infosec-world.id) · Inspired by Taro Lay


Changelog & Recent Updates

[June 24, 2026] - v1.1 Core Rebuild

  • Dynamic Custom Domain: Enter your preferred domain (e.g., lab.lokal or owasp.hacking) during installation. The scripts will intelligently bind it to /etc/hosts and Nginx.
  • Web App Directory: A simple HTML index page at your root domain to easily list and access all installed applications.
  • Nginx Reverse Proxy: All traffic routes via port 80 & 443, securely proxying internal apps (like Tomcat or Node.js) from backend ports (127.0.0.1:8081, etc).
  • Safe Uninstaller: Safely cleans up the lab without aggressively wiping your existing /var/www/html folder.

Included Applications

11 vulnerable and management applications built-in, accessible via subdomains (e.g., http://dvwa.your-custom-domain.com).

Important: To access these custom local domains from your Host OS (Attacker Machine) for a realistic feel, you MUST map the domains to your server's IP address in your local hosts file:

  • Linux/Mac: /etc/hosts
  • Windows: C:\Windows\System32\drivers\etc\hosts
Application Stack Engine Local Domain Example
Mutillidae II PHP 8.3 mutillidae.owasp.hacking
DVWA PHP 8.3 dvwa.owasp.hacking
bWAPP PHP 8.3 bwapp.owasp.hacking
XVWA PHP 8.3 xvwa.owasp.hacking
VWA PHP 8.3 vwa.owasp.hacking
Adminer PHP 8.3 adminer.owasp.hacking
phpMyAdmin PHP 8.3 phpmyadmin.owasp.hacking
Juice Shop Node.js juiceshop.owasp.hacking
WebGoat Java 21 webgoat.owasp.hacking
WebWolf Java 21 webwolf.owasp.hacking
Apache Tomcat Java 21 tomcat.owasp.hacking

(Note: owasp.hacking is the default. If you entered a custom domain like lab.lokal, your URLs will be dvwa.lab.lokal, bwapp.lab.lokal, etc.)


Core Infrastructure & Tools Stack

The toolkit automatically provisions the following stacks and helper utilities on your OS:

Main Server Engines

Component Version Role
Nginx latest Front-door Router & SSL Proxy (Ports 80/443)
Apache2 latest Backend Server for PHP Apps (Port 8081)
PHP 8.3 Execution Engine (Ondrej PPA)
MySQL / MariaDB 11.4 Primary Database (Official Repo)
Node.js 20.x LTS JavaScript Engine (NodeSource)
Java Temurin JDK 21 Java Environment (Adoptium)

Essential Ubuntu Packages & Helpers Used

  • Networking & Fetching: curl, wget, git
  • Archives & Compression: tar, unzip, dpkg-dev
  • Security & Firewalls: ufw, iptables, gnupg2, ca-certificates
  • System Utils: python3, python3-pip, software-properties-common, apt-transport-https

Scripts Overview

Script Description
install-owasp-lab.sh Full installer — Builds the OS stack & deploys all targets. Prompts for custom domain.
check-owasp-lab.sh Health checker — HTTP check, credentials list, and service monitor.
uninstall-owasp-lab.sh Uninstaller — Safely wipes the lab and restores the OS without touching your other web root files.

Installation

Requires a fresh Ubuntu Server OS (22.04 / 24.04 LTS).

  1. Clone the repository:
git clone https://github.com/iMoon07/OWASP-Lab-Toolkit.git
cd OWASP-Lab-Toolkit
chmod +x *.sh
  1. Run the core installer and follow the prompts:
sudo ./install-owasp-lab.sh
  1. Verify installation:
sudo ./check-owasp-lab.sh

Or open the Web App Directory in your browser at the domain you configured.


Script Details

  • install-owasp-lab.sh: Installs OS stacks (Nginx, Apache, PHP, MariaDB, Node, Java), sets up a 4GB swap, configures apps natively in /var/www/hack & /opt, and automates DB provisioning and proxy routing.
  • check-owasp-lab.sh: A CLI tool to check HTTP endpoints, print database credentials, display required /etc/hosts config, and monitor background services.
  • uninstall-owasp-lab.sh: Safely wipes the lab by purging APT packages, killing daemons, and deleting cloned repos without destroying your existing /var/www/html root.

WARNING

This toolkit provisions severely vulnerable applications and intentionally lowers system security limits (allow_url_include = On).

  • DO NOT deploy this on a public-facing VPS or a production environment.
  • It is designed strictly for isolated, local Virtual Machines (VMs) for educational purposes.

About

A simple bash toolkit to deploy a Web Vulnerability Lab on Ubuntu Server. Automatically installs 9 vulnerable apps (OWASP Juice Shop, WebGoat, DVWA, bWAPP, Mutillidae II, XVWA, VWA, WebWolf, Tomcat) containing exactly 401 vulnerabilities for safe hacking practice.

Topics

Resources

License

Stars

8 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages