
Create Your Own Web Penetration Testing Lab in Kali Linux

Today we’re going to create your own web penetration testing lab in Kali Linux. Web applications have become a common target for attackers. Attackers can exploit relatively basic vulnerabilities to gain access to private data, which often contains personally identifiable information.

While conventional firewalls and other network security controls are an essential layer of any information security program, they cannot protect against many of the attack vectors specific to web applications. It is essential for an organization to ensure that its web applications are not vulnerable to common types of attack.

Best practice suggests that organizations should perform a web application test as part of their regular security assessments in order to ensure the security of their web applications.


For today’s post, I decided to share my own list of common vulnerable web applications for building a web penetration testing lab.

OWASP Mantra

Mantra – Free and Open Source Browser based Security Framework – is a collection of free and open-source tools integrated into a web browser.

OWASP Mantra is a security-dedicated build of Firefox that integrates an arsenal of tools to carry out a complete audit and investigation of your web applications.

Mantra is a security framework that can be very helpful in performing all five phases of an attack, including reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks.

Apart from this, it also contains a set of tools aimed at web developers and code debuggers, which makes it very handy for both offensive and defensive security tasks.

DVWA (Damn Vulnerable Web Application)

This vulnerable PHP/MySQL web application is one of the best-known applications for testing your skills in web penetration testing and your knowledge of manual SQL injection, XSS, blind SQL injection, and so on.

DVWA is developed by Ryan Dewhurst, a.k.a. ethicalhack3r, and is part of the RandomStorm OpenSource project.

Use the command below to download DVWA:

wget -c http://kaz.dl.sourceforge.net/project/dvwa/DVWA-1.0.7.zip

Unzip the downloaded file and copy the dvwa folder into /var/www (Computer → File system → var → www in the file manager).

Set the permissions of DVWA to 755. To do this, open a terminal and type:

chmod -R 755 /var/www/dvwa

Start Apache. To do this, go to Application → Kali Linux → System Service → HTTP → apache2 start, or run:

/etc/init.d/apache2 restart

Start MySQL. To do this, go to Application → Kali Linux → System Service → MySQL → mysql start, or run:

/etc/init.d/mysql start

Now create the database for DVWA. Open a terminal and type:

mysql -u root -p
create database dvwa;
exit

Configuration is done by opening /var/www/dvwa/config/config.inc.php and adding your MySQL password.

Now open your browser and go to http://127.0.0.1/dvwa or http://localhost/dvwa. Enter your username and password (by default the username is admin and the password is password) and click Login.


Mutillidae

Mutillidae is a free and open-source web application for website penetration testing and hacking, developed by Adrian “Irongeek” Crenshaw and Jeremy “webpwnized” Druin.

It is designed to be exploitable and vulnerable, and is ideal for practising your web-fu skills such as SQL injection, cross-site scripting, HTML injection, JavaScript injection, clickjacking, local file inclusion, authentication bypass methods, remote code execution, and many more, based on the OWASP (Open Web Application Security Project) Top 10 web vulnerabilities.

Download the latest version of Mutillidae:

# wget -c http://ncu.dl.sourceforge.net/project/mutillidae/mutillidae-project/LATEST-mutillidae-2.6.10.zip

Unzip the latest version (the only folder in the ZIP file is the “mutillidae” folder):

unzip -q LATEST-mutillidae-2.6.10.zip

Copy the latest version to /var/www:

cp -R mutillidae /var/www/

Now create the database for Mutillidae. Open a terminal and type:

mysql -u root -p
create database mutillidae;
exit

Configuration is done by opening /var/www/mutillidae/classes/MySQLHandler.php and adding your MySQL root password.

Start the project by browsing to http://localhost/mutillidae and clicking the Reset DB button on the menu bar.
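The DVWA and Mutillidae steps above are the same procedure twice: unzip, copy into /var/www, set 755 permissions, create a database. The shell script below is an added example, not part of either project or of the original post. It wraps those steps in reusable functions and adds one check a lab builder wants: that Apache’s ports.conf binds only to the loopback interface, since both applications are intentionally exploitable and must not be reachable from other hosts. The archive names, web root and database names come from the post; the function names, the IF NOT EXISTS clause and the ports.conf check are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or either project): helper
# functions that automate the DVWA and Mutillidae steps. Archive names, the
# /var/www web root, the 755 permission and the database names come from the
# post; function names, IF NOT EXISTS and the loopback check are assumptions.
set -eu

WEBROOT="${WEBROOT:-/var/www}"

# Accept only [A-Za-z0-9_] so the name is safe to embed in SQL and shell.
valid_db_name() {
    case "$1" in
        "")               return 1 ;;
        *[!A-Za-z0-9_]*)  return 1 ;;
        *)                return 0 ;;
    esac
}

# Build the CREATE DATABASE statement for an application. Kept as a pure
# function so it can be checked without a MySQL server running.
db_create_sql() {
    printf 'CREATE DATABASE IF NOT EXISTS `%s`;\n' "$1"
}

# Feed the statement to the mysql client; prompts for the root password just
# like the post's "mysql -u root -p".
create_db() {
    valid_db_name "$1" || { echo "bad database name: $1" >&2; return 1; }
    db_create_sql "$1" | mysql -u root -p
}

# Unpack an archive and copy its top-level folder into the web root with the
# 755 permissions the post uses. $1 = zip file, $2 = folder inside the zip.
install_app() {
    unzip -q "$1"
    cp -R "$2" "$WEBROOT/"
    chmod -R 755 "$WEBROOT/$2"
}

# These applications are deliberately vulnerable, so the lab's Apache should
# only listen on the loopback interface. $1 = path to Apache's ports.conf.
# Returns 0 when every Listen directive is bound to 127.0.0.1, [::1] or
# localhost, 1 when any directive (e.g. a bare "Listen 80") would expose the
# lab to the network. Commented-out directives are ignored.
listens_on_loopback_only() {
    bad=$(awk '$1 == "Listen" && $2 !~ /^(127\.0\.0\.1|\[::1\]|localhost):[0-9]+$/ { print $2 }' "$1")
    [ -z "$bad" ]
}

# Usage: sh lab.sh dvwa   or   sh lab.sh mutillidae   (run in the directory
# holding the downloaded zip). With no argument the script only defines the
# helpers. The config files (config.inc.php / MySQLHandler.php) still need
# the MySQL password added by hand as described in the post.
case "${1:-}" in
    dvwa)       install_app DVWA-1.0.7.zip dvwa
                create_db dvwa ;;
    mutillidae) install_app LATEST-mutillidae-2.6.10.zip mutillidae
                create_db mutillidae ;;
    "")         : ;;
    *)          echo "usage: $0 {dvwa|mutillidae}" >&2 ;;
esac
```

Run it as root from the directory holding the zip file. Because the script does nothing without an argument, you can also source it and call listens_on_loopback_only /etc/apache2/ports.conf on its own before exposing the lab machine to a shared network.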

WebGoat

WebGoat is an OWASP project and a deliberately insecure J2EE web application designed to teach web application security lessons and concepts. What’s cool about this web application is that it lets users demonstrate their understanding of a security issue by exploiting a real vulnerability in the application in each lesson.

# wget -c https://webgoat.googlecode.com/files/WebGoat-OWASP_Standard-5.3_RC1.7z

WebGoat is a platform-independent environment. It uses Apache Tomcat and the Java runtime environment.

To install Java, run the command below:

# apt-get install openjdk-6-jre

Extract the WebGoat archive into your working directory:

# p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z

# cd WebGoat-5.3_RC1

Set JAVA_HOME to point to your JDK installation.

# export JRE_HOME=/usr/lib/jvm/java-6-openjdk-amd64/bin/../

# export CATALINA_BASE=./tomcat

# export CATALINA_HOME=./tomcat

# export JAVA_HOME=/usr/lib/jvm/java-6-openjdk-amd64/bin/../

# chmod +x webgoat.sh

Since the latest version runs on a privileged port, you will need to start/stop WebGoat as root.

# sh webgoat.sh start

# sh webgoat.sh stop

Start your browser and browse to http://localhost/webgoat/attack

Log in as: user = guest, password = guest

That’s it. Make use of the vulnerable systems and understand their vulnerabilities.
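The exports above hard-code /usr/lib/jvm/java-6-openjdk-amd64, which only fits a 64-bit Kali with OpenJDK 6 installed. The script below is an added example, not part of WebGoat or of the original post. It derives JRE_HOME and JAVA_HOME from the installed java binary and checks two things before calling webgoat.sh: that it runs as root (the privileged port mentioned above) and that port 80 is free, because the Apache started for DVWA and Mutillidae earlier in this post also listens on port 80 and Tomcat cannot bind it while Apache holds it. The helper names, and the use of ss from iproute2 to list listening ports, are this example’s assumptions.

```shell
#!/bin/sh
# Added example (not part of WebGoat or the original post): work out
# JAVA_HOME/JRE_HOME from the installed java binary instead of hard-coding
# /usr/lib/jvm/java-6-openjdk-amd64, and check the prerequisites (root, a
# free port 80) before running webgoat.sh. Function names are assumptions.
set -eu

# /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java -> /usr/lib/jvm/java-6-openjdk-amd64/jre
# Returns 1 when the path does not end in /bin/java.
java_home_from_binary() {
    case "$1" in
        */bin/java) printf '%s\n' "${1%/bin/java}" ;;
        *)          return 1 ;;
    esac
}

# A JRE shipped inside a JDK lives in <jdk>/jre; the JDK root is its parent.
# A path without a /jre suffix (plain JDK or stand-alone JRE) is returned as is.
jdk_root() {
    printf '%s\n' "${1%/jre}"
}

# Locate the real java binary behind the "java" command, following the
# symlink chain that Debian's update-alternatives installs.
detect_jre_home() {
    bin=$(command -v java 2>/dev/null) || return 1
    java_home_from_binary "$(readlink -f "$bin")"
}

# True when some process already listens on TCP port $1.
# Assumes the ss tool from iproute2; the header line is skipped and the
# local address column ("*:80", "0.0.0.0:80", "[::]:80") is matched on its port.
port_in_use() {
    ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -qE "[:.]$1\$"
}

# WebGoat 5.3 binds port 80 (the post's URL has no port), so it needs root and
# a free port. Apache from the DVWA/Mutillidae steps also uses port 80, so
# stop it (or move it) before starting WebGoat.
start_webgoat() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: WebGoat uses a privileged port" >&2; return 1; }
    JRE_HOME=$(detect_jre_home) || { echo "java not found; apt-get install openjdk-6-jre" >&2; return 1; }
    JAVA_HOME=$(jdk_root "$JRE_HOME")
    CATALINA_BASE=./tomcat
    CATALINA_HOME=./tomcat
    export JAVA_HOME JRE_HOME CATALINA_BASE CATALINA_HOME
    if port_in_use 80; then
        echo "port 80 is busy (apache2 still running?); stop it first" >&2
        return 1
    fi
    chmod +x webgoat.sh
    sh webgoat.sh start
}

# Usage: cd WebGoat-5.3_RC1 && sh start-webgoat.sh start
# With no argument the script only defines the helpers.
if [ "${1:-}" = "start" ]; then start_webgoat; fi
```

Save it next to webgoat.sh inside the extracted WebGoat-5.3_RC1 directory. If the port check fires, /etc/init.d/apache2 stop releases port 80; start Apache again when you go back to DVWA or Mutillidae.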

Noor Qureshi

Experienced Founder with a demonstrated history of working in the computer software industry. Skilled in Network Security and Information Security.
