Using Docker in Kali Linux to learn Web App Hacking

Why do we want to use Docker to learn Web App Hacking?

Learning to hack web applications is an important step towards becoming a penetration tester. Web apps are becoming more and more important to companies around the world, so learning how to hack them will become more and more important too.

For those of you studying for the various penetration testing certifications, like the EC-Council CEH, the CompTIA PenTest+ or even the INE eJPT, all of these courses make use of the various vulnerable web apps to help with their course.

Now, you could just download the various virtual machines and add them to VirtualBox or VMware, but it is more efficient to use Docker and install them within your Kali Linux installation.

What is a Docker image?

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.

How do you install Docker?

Open up a terminal in Kali and then run the following command:

sudo apt install docker-compose

This will install the latest Community Edition of Docker.

Next run the command:

sudo usermod -aG docker kali

Then log out of your Kali machine and log back in.

This command adds the kali user to the docker group so you do not need to use sudo to run docker commands. This will only work once you have logged out and back in or you have restarted your Kali machine.

Installing the various Web App Docker Images

bWAPP – an extremely buggy web app!


The first docker image to download and install is bWAPP. This is one of the oldest buggy web apps.

To download the app onto your machine, run the command:

docker pull hackersploit/bwapp-docker

Now run the following to start the bwapp Docker container:

docker run -d -p 80:80 --name bwapp hackersploit/bwapp-docker

The command is broken down as follows:

  • docker run – runs the Docker image
  • -d – runs it in detached mode so you can continue to use the terminal
  • -p 80:80 – tells the machine to use port 80 both inside the Docker container and outside the Docker container
  • --name – names the container bwapp, otherwise it will get a random two-word name
  • hackersploit/bwapp-docker – is the actual image

Now open up your favorite web browser and go to – This will let you access the docker. The first time you run the image, you will get the error message: Connection failed: Unknown database ‘bWAPP’ – This is to be expected as some configuration is needed.

Change the url to – Then simply click on the here button to finish the bWAPP configuration.

Then go to and use the login and password with bee/bug

Starting the bwapp image

Now, whenever you want to use the bWAPP Docker image, simply run the command:

docker start bwapp

This will work after you reboot or shut down your Kali machine.
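
The -p 80:80 mapping used above publishes the container's port on every host interface, so the deliberately vulnerable app is reachable from the rest of the network and not only from Kali itself. The script below is an added example (not part of the original post) that lists containers published that way; the sample input and the container names dvwa-local and db are constructed for illustration, and the loopback-only mapping 127.0.0.1:80:80 is shown as the alternative.

```shell
#!/bin/sh
# Added example (not from the original post): list containers whose ports are
# published on every host interface, as "-p 80:80" does by default.

# Constructed sample of: docker ps --format '{{.Names}}\t{{.Ports}}'
# "dvwa-local" and "db" are made-up container names for illustration.
sample_ps() {
  printf 'bwapp\t0.0.0.0:80->80/tcp, :::80->80/tcp\n'
  printf 'dvwa-local\t127.0.0.1:8081->80/tcp\n'
  printf 'db\t3306/tcp\n'
}

# Reads "name<TAB>ports" lines on stdin and prints "name hostaddr:port" for
# every mapping bound to all interfaces (0.0.0.0, :: or [::]).
exposed_mappings() {
  awk -F '\t' '
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        # Only published ports contain "->"; a bare "3306/tcp" is not published.
        if (maps[i] !~ /->/) continue
        host = maps[i]; sub(/->.*/, "", host)       # e.g. 0.0.0.0:80
        addr = host;    sub(/:[0-9-]+$/, "", addr)  # drop the host port
        if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
          print $1, host
      }
    }'
}

# Offline demo on the constructed sample.
sample_ps | exposed_mappings

# Live check on a host with Docker installed:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | exposed_mappings
# Loopback-only variant of the run command from this page:
#   docker run -d -p 127.0.0.1:80:80 --name bwapp hackersploit/bwapp-docker
```

If bwapp appears in the output, remove the container with docker rm -f bwapp and recreate it with the loopback-only mapping.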

Damn Vulnerable Web Application (DVWA)

