In the previous lesson, we explored how the web works at a fundamental level. Now it is time to get hands-on. You will set up an isolated security lab where you can safely practice attacking and defending web applications without risking real systems or breaking any laws.
⚠️ Never test security techniques against systems you do not own or have explicit written permission to test. Unauthorized access to computer systems is a criminal offense in virtually every jurisdiction. Always work within your own lab environment or authorized bug bounty programs.
A security lab provides a controlled environment where you can run intentionally vulnerable applications, intercept and modify traffic, and experiment with attack techniques. The key word is isolated: your lab should be completely separated from production systems and the public internet.
We will use Docker to containerize everything, making your lab portable, reproducible, and easy to reset. Docker ensures that even if something goes wrong, your host machine remains unaffected.
Docker is the foundation of our lab. It allows us to run vulnerable web applications in isolated containers. Install Docker Engine for your operating system before proceeding.
💡 On macOS and Windows, install Docker Desktop from docker.com. It includes Docker Engine, Docker Compose, and a graphical management interface.
DVWA is a deliberately vulnerable web application designed for learning. It covers all the major vulnerability categories we will study in this course, with adjustable difficulty levels so you can progress at your own pace.
Once the container is running, open your browser and navigate to http://localhost. Log in with the default credentials (admin / password), then click 'Create / Reset Database' to initialize the application.
Burp Suite is the industry-standard tool for web application security testing. It acts as an intercepting proxy between your browser and the target application, allowing you to inspect, modify, and replay HTTP requests and responses.
While DVWA is excellent, having multiple vulnerable applications gives you broader exposure. We will also deploy WebGoat and bWAPP for additional practice targets.
Your complete lab environment now consists of several components working together. Understanding this architecture will help you troubleshoot issues and expand your lab as you progress.
┌─────────────────────────────────────────────┐
│  YOUR HOST MACHINE                          │
│                                             │
│  ┌──────────┐      ┌──────────────────────┐ │
│  │ Browser  │─────▶│  Burp Suite Proxy    │ │
│  │(Firefox) │      │  (127.0.0.1:8080)    │ │
│  └──────────┘      └──────────┬───────────┘ │
│                               │             │
│                      ┌────────▼────────┐    │
│                      │   Docker Host   │    │
│                      ├─────────────────┤    │
│                      │ :80   │ DVWA    │    │
│                      │ :8081 │ WebGoat │    │
│                      │ :8082 │ bWAPP   │    │
│                      └─────────────────┘    │
└─────────────────────────────────────────────┘
💡 Take a snapshot or backup of your Docker containers once everything is configured. If you accidentally break something during testing, you can quickly restore to a clean state without reinstalling everything.
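As an added example (not part of the original lesson), here is a docker-compose.yml that brings up the three targets on the host ports shown in the diagram, with every published port bound to the loopback interface so the vulnerable applications are reachable only from your own machine. The image names and container-side ports are assumptions about the public Docker Hub images; check each image's documentation before relying on them.

```yaml
# Added example: lab compose file for this lesson (not from the course).
# Image names and container-side ports below are assumptions about the
# public Docker Hub images; verify them against each image's documentation.
services:
  dvwa:
    image: vulnerables/web-dvwa        # assumed image name, serves on port 80 inside the container
    container_name: lab-dvwa
    ports:
      # Weak: "80:80" binds to every interface, exposing the lab to your LAN.
      # Hardened: bind to loopback only, matching the diagram's :80.
      - "127.0.0.1:80:80"
    networks: [lab]

  webgoat:
    image: webgoat/webgoat             # assumed image name, serves on port 8080 inside the container
    container_name: lab-webgoat
    ports:
      - "127.0.0.1:8081:8080"          # host :8081 -> WebGoat, loopback only
    networks: [lab]

  bwapp:
    image: raesene/bwapp               # assumed image name, serves on port 80 inside the container
    container_name: lab-bwapp
    ports:
      - "127.0.0.1:8082:80"            # host :8082 -> bWAPP, loopback only
    networks: [lab]

networks:
  lab:
    driver: bridge                     # dedicated bridge so the targets share nothing with your other containers
```

Start the lab with `docker compose up -d`; because no volumes are declared, `docker compose down` followed by `docker compose up -d` returns every container to a clean state (DVWA then needs 'Create / Reset Database' again).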
Before moving on, verify that every component of your lab is working correctly. Run the following checks to ensure you are ready for the hands-on exercises ahead.
Your lab is now ready. Every vulnerability you learn in the coming lessons can be practiced safely in this environment. Remember: this lab is your playground. Experiment freely, break things, and learn from every mistake.