\__/ \__/ \__/
(oo) (o-) (@@)
//||\\ //||\\ //||\\
bug bug bug
winking hangover
|
く__,.ヘヽ. / ,ー、 〉
\ ', !-─‐-i / /´
/`ー' L//`ヽ、
/ /, /| , , ',
イ / /-‐/ i L_ ハ ヽ! i
レ ヘ 7イ`ト レ'ァ-ト、!ハ| |
!,/7 '0' ´0iソ| |
|.从" _ ,,,, / |./ |
レ'| i>.、,,__ _,.イ / .i |
レ'| | / k_7_/レ'ヽ, ハ. |
| |/i 〈|/ i ,.ヘ | i |
.|/ / i: ヘ! \ |
kヽ>、ハ _,.ヘ、 /、!
!'〈//`T´', \ `'7'ーr'
レ'ヽL__|___i,___,ンレ|ノ
ト-,/ |___./
'ー' !_,.:
|
A simple bash toolkit to deploy a Web Vulnerability Lab on Ubuntu Server. Perfect for beginners and teachers.
Developed by iMoon (infosec-world.id) · Inspired by Taro Lay
[June 24, 2026] - v1.1 Core Rebuild
- Dynamic Custom Domain: Enter your preferred domain (e.g.,
lab.lokalorowasp.hacking) during installation. The scripts will intelligently bind it to/etc/hostsand Nginx. - Web App Directory: A simple HTML index page at your root domain to easily list and access all installed applications.
- Nginx Reverse Proxy: All traffic routes via port
80&443, securely proxying internal apps (like Tomcat or Node.js) from backend ports (127.0.0.1:8081, etc). - Safe Uninstaller: Safely cleans up the lab without aggressively wiping your existing
/var/www/htmlfolder.
11 vulnerable and management applications built-in, accessible via subdomains (e.g., http://dvwa.your-custom-domain.com).
Important: To access these custom local domains from your Host OS (Attacker Machine) for a realistic feel, you MUST map the domains to your server's IP address in your local hosts file:
- Linux/Mac:
/etc/hosts- Windows:
C:\Windows\System32\drivers\etc\hosts
| Application | Stack Engine | Local Domain Example |
|---|---|---|
| Mutillidae II | PHP 8.3 | mutillidae.owasp.hacking |
| DVWA | PHP 8.3 | dvwa.owasp.hacking |
| bWAPP | PHP 8.3 | bwapp.owasp.hacking |
| XVWA | PHP 8.3 | xvwa.owasp.hacking |
| VWA | PHP 8.3 | vwa.owasp.hacking |
| Adminer | PHP 8.3 | adminer.owasp.hacking |
| phpMyAdmin | PHP 8.3 | phpmyadmin.owasp.hacking |
| Juice Shop | Node.js | juiceshop.owasp.hacking |
| WebGoat | Java 21 | webgoat.owasp.hacking |
| WebWolf | Java 21 | webwolf.owasp.hacking |
| Apache Tomcat | Java 21 | tomcat.owasp.hacking |
(Note: owasp.hacking is the default. If you entered a custom domain like lab.lokal, your URLs will be dvwa.lab.lokal, bwapp.lab.lokal, etc.)
The toolkit automatically provisions the following stacks and helper utilities on your OS:
| Component | Version | Role |
|---|---|---|
| Nginx | latest |
Front-door Router & SSL Proxy (Ports 80/443) |
| Apache2 | latest |
Backend Server for PHP Apps (Port 8081) |
| PHP | 8.3 |
Execution Engine (Ondrej PPA) |
| MySQL / MariaDB | 11.4 |
Primary Database (Official Repo) |
| Node.js | 20.x LTS |
JavaScript Engine (NodeSource) |
| Java | Temurin JDK 21 |
Java Environment (Adoptium) |
- Networking & Fetching:
curl,wget,git - Archives & Compression:
tar,unzip,dpkg-dev - Security & Firewalls:
ufw,iptables,gnupg2,ca-certificates - System Utils:
python3,python3-pip,software-properties-common,apt-transport-https
| Script | Description |
|---|---|
install-owasp-lab.sh |
Full installer — Builds the OS stack & deploys all targets. Prompts for custom domain. |
check-owasp-lab.sh |
Health checker — HTTP check, credentials list, and service monitor. |
uninstall-owasp-lab.sh |
Uninstaller — Safely wipes the lab and restores the OS without touching your other web root files. |
Requires a fresh Ubuntu Server OS (22.04 / 24.04 LTS).
- Clone the repository:
git clone https://github.com/iMoon07/OWASP-Lab-Toolkit.git
cd OWASP-Lab-Toolkit
chmod +x *.sh- Run the core installer and follow the prompts:
sudo ./install-owasp-lab.sh- Verify installation:
sudo ./check-owasp-lab.shOr open the Web App Directory in your browser at the domain you configured.
install-owasp-lab.sh: Installs OS stacks (Nginx, Apache, PHP, MariaDB, Node, Java), sets up a 4GB swap, configures apps natively in/var/www/hack&/opt, and automates DB provisioning and proxy routing.check-owasp-lab.sh: A CLI tool to check HTTP endpoints, print database credentials, display required/etc/hostsconfig, and monitor background services.uninstall-owasp-lab.sh: Safely wipes the lab by purging APT packages, killing daemons, and deleting cloned repos without destroying your existing/var/www/htmlroot.
This toolkit provisions severely vulnerable applications and intentionally lowers system security limits (allow_url_include = On).
- DO NOT deploy this on a public-facing VPS or a production environment.
- It is designed strictly for isolated, local Virtual Machines (VMs) for educational purposes.
