A Dockerized web application security training environment built with PHP and MySQL. This repository contains a collection of intentionally vulnerable labs designed for hands-on practice with common web application flaws such as SQL injection, cross-site scripting (XSS), command injection, file upload bypasses, authentication issues, XXE, IDOR, and a capstone challenge.
This project is intentionally vulnerable and is meant for educational and authorized security testing only.
- Do not expose it to the public internet.
- Use it only in isolated or private environments.
- Destroy the environment when it is no longer needed.
The lab environment is designed to help learners practice and understand:
- SQL Injection
- Cross-Site Scripting (XSS)
- Command Injection
- File Upload Vulnerabilities
- Authentication and Authorization weaknesses
- XXE and IDOR concepts
- A multi-step capstone challenge
- Fully containerized setup using Docker Compose
- PHP-based vulnerable web app
- MySQL database services for the labs and capstone
- Simple onboarding flow for initial database setup
- Instructor-friendly structure for walkthroughs and challenges
Before getting started, ensure you have the following installed:
- Docker Engine 24+
- Docker Compose v2
- At least 4 GB of RAM available
- Clone the repository:
git clone git@github.com:haltacademy/Web-Application-Lab-Docker-.git
cd Web-Application-Lab-Docker-- Build and start the containers:
docker compose up --build -d- Open the application in your browser:
http://localhost/
- Initialize the database if prompted:
http://localhost/init.php
After initialization, refresh the main page and begin the labs.
The Docker environment includes the following services:
| Service | Purpose | Access |
|---|---|---|
| Web App | Main PHP application and labs | http://localhost/ |
| MySQL Lab DB | Database for the training labs | localhost:3306 |
| MySQL Capstone DB | Database for the capstone challenge | localhost:3307 |
The repository includes the following categories of exercises:
- Injection 0x01 / 0x02 / 0x03
- XSS 0x01 / 0x02 / 0x03
- Command Injection 0x01 / 0x02 / 0x03
- File Upload 0x01 / 0x02 / 0x03
- Authentication 0x01 / 0x02 / 0x03
- XXE, IDOR, and Capstone modules
.
├── assets/ # Static assets and styling
├── capstone/ # Capstone challenge application
├── labs/ # Vulnerable lab pages and exercises
├── Dockerfile # PHP + Apache container definition
├── docker-compose.yml # Multi-container environment
├── init.php # Database initialization for labs
├── init_init.php # Additional initialization logic
├── db.php # Database connection configuration
└── checks.php # Basic app health checks
Start the environment:
docker compose up -dStop the environment:
docker compose downStop and remove volumes:
docker compose down -vRebuild after code changes:
docker compose up --build -dIf the application shows a database-related error on first launch, visit the initialization page once and then refresh the main dashboard.
Contributions and improvements are welcome. Please open an issue or submit a pull request with your proposed changes.