Why do we want to use docker to learn Web App Hacking?
Learning to hack Web Applications is an important step to becoming a penetration tester. Web Apps are becoming more and more important to companies around the world so learning how to hack them will become more and more important.
For those of you studying the various penetration testers certifications like the EC-Council CEH or the CompTIA PenTest+ or even the INE eJPT, all of these courses will make use of the various vulnerable web apps to help with their course.
Now you could just download the various virtual machines, add them to VirtualBox or VMware but it is more efficient to use docker and install them within your Kali Linux installation.
What is a Docker image?
A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.
How do you install docker?
Open up a terminal in Kali and then run the following command:
sudo apt install docker.io docker-compose
This will install the latest Community Edition of Docker .
Next run the command:
sudo usermod -aG docker kali
Then log out of your kali machine and then back in
This command adds the kali user to the docker group so you do not need to use sudo to run docker commands. This will only work once you have logged out and back in or you have restarted your Kali machine.
Installing the various Web App Docker Images
bWAPP – an extremely buggy web app!
The first docker image to download and install is bWAPP. This is one of the oldest buggy web apps.
To download the app onto your machine, run the command:
docker pull hackersploit/bwapp-docker
Now run the following to start the bwapp docker container
docker run -d -p 80:80 --name bwapp hackersploit/bwapp-docker
The command is broken down as follows:
- docker run – runs the docker image
- -d runs it in detached mode so you con continue to use the terminal
- -p 80:80 tells the machine to use port 80 both inside the docker container and outside the docker container
- –name names the image bwapp, otherwise it will get a random two word name
- hackersploit/bwapp-docker – is the actual image
Now open up your favorite web browser and go to http://127.0.0.1:80 – This will let you access the docker. The first time you run the image, you will get the error message: Connection failed: Unknown database ‘bWAPP’ – This is to be expected as some configuration is needed.
Change the url to http://127.0.0.1/install.php – Then simply click on the here button to finish the bWAPP configuration.
Then go to http://127.0.0.1/login.php and use the login and password with bee/bug
Starting the bwapp image
Now whenever you want to use the bWAPP docker image, simply run the command:
docker start bwapp
This will work after you reboot or shutdown your kali machine.