Web Hacking Playground – Hands-On Web Security Lab
Description
Web Hacking Playground is a controlled and vulnerable web application designed for practicing real-world web penetration testing and ethical hacking techniques. It includes vulnerabilities commonly found in real pentests and Bug Bounty programs, allowing learners to safely practice detection and exploitation.
You will also explore advanced topics such as bypassing security filters with custom payloads, chaining multiple vulnerabilities in complex attacks, and developing proof-of-concept (PoC) exploit scripts.
Important
The application source code is visible. However, this lab follows a black-box testing approach. You should not review the source code to solve the challenges.
Fuzzing (parameters or directories) and brute-force attacks do not provide any advantage in this lab environment.
Setup
It is recommended to use Kali Linux. If using a virtual machine, we recommend VMware Workstation Player.
This environment is based on Docker and Docker Compose, so both must be installed.
Install Docker on Kali Linux:
sudo apt update -y
sudo apt install -y docker.io
sudo systemctl enable docker --now
sudo usermod -aG docker $USER
Install Docker on Debian-based systems:
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo systemctl enable docker --now
sudo usermod -aG docker $USER
Log out and log back in so your user is recognized as part of the docker group.
Install Docker Compose:
sudo apt install -y docker-compose
Note (Apple M1): export the default platform before building the images:
export DOCKER_DEFAULT_PLATFORM=linux/amd64
Clone and build the lab:
git clone https://github.com/takito1812/web-hacking-playground.git
cd web-hacking-playground
docker-compose build
Install FoxyProxy and Burp Suite Community Edition, then create a FoxyProxy profile that points at Burp's listener:
- Proxy Type: HTTP
- IP Address: 127.0.0.1
- Port: 8080
Deployment
docker-compose up -d
This starts two containers:
- whp-socially: Vulnerable social network application (the target)
- whp-exploitserver: Simulated victim server (do NOT attack)
Important: add the container IP addresses to /etc/hosts so the lab is reachable by hostname (the sed line first removes any stale whp- entries):
sudo sed -i '/whp-/d' /etc/hosts
echo "$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' whp-socially) whp-socially" | sudo tee -a /etc/hosts
echo "$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' whp-exploitserver) whp-exploitserver" | sudo tee -a /etc/hosts
Access: http://whp-socially | http://whp-exploitserver
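The two echo lines above append whatever docker inspect prints, even when a container is not running (empty output) or is attached to more than one network (that Go template concatenates the addresses with no separator). The script below is an added example and not part of the Web Hacking Playground project: it refreshes the lab entries in one idempotent step and refuses to write anything unless each value is a single well-formed IPv4 address. The container names come from this README; the hosts-file path is a parameter so the logic can be tried on a scratch file before touching /etc/hosts.

```shell
#!/bin/sh
# Added example (not project code): refresh the lab hostnames in a hosts file.
# Assumptions: container names whp-socially / whp-exploitserver as in the README;
# the target hosts file is passed in so the logic can be exercised on a scratch copy.
set -u

# Same docker inspect template as the README; prints nothing if the container is absent.
container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1" 2>/dev/null
}

# Succeed only for one dotted-quad IPv4 address (four numeric octets, each 0-255).
# Empty output and run-together addresses from several networks both fail here.
is_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*..*|*.) return 1 ;;   # non-digit chars, leading/trailing/double dots
    esac
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1               # exactly four octets
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rewrite hosts_file: drop every existing whp- line (the README's sed '/whp-/d'),
# then append one "IP NAME" line per NAME=IP argument. Nothing is written if any IP is bad.
update_hosts() {
    hosts_file="$1"; shift
    [ -r "$hosts_file" ] || return 1
    tmp="$(mktemp)" || return 1
    grep -v 'whp-' "$hosts_file" > "$tmp" || :   # grep exits 1 when every line matched
    for pair in "$@"; do
        name="${pair%%=*}"
        ip="${pair#*=}"
        if ! is_ipv4 "$ip"; then
            echo "refusing to map $name: '$ip' is not one IPv4 address (container not running, or on several networks?)" >&2
            rm -f "$tmp"
            return 1
        fi
        printf '%s %s\n' "$ip" "$name" >> "$tmp"
    done
    cat "$tmp" > "$hosts_file"   # cat, not mv, so /etc/hosts keeps its owner and mode
    rm -f "$tmp"
}

# Map both lab containers in the real /etc/hosts (needs root).
refresh_lab_hosts() {
    update_hosts /etc/hosts \
        "whp-socially=$(container_ip whp-socially)" \
        "whp-exploitserver=$(container_ip whp-exploitserver)"
}

# Only touch /etc/hosts when explicitly asked: sudo sh refresh_hosts.sh apply
if [ "${1:-}" = apply ]; then
    refresh_lab_hosts
fi
```

Run it as `sudo sh refresh_hosts.sh apply` after `docker-compose up -d`; without the `apply` argument it only defines the functions. If a container is stopped, the script reports the empty address and leaves the hosts file untouched instead of writing a line with no IP.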
Simulate attacker server:
sudo python3 -m http.server 80
Stages
- Stage 1: Access with any user
- Stage 2: Access as admin
- Stage 3: Read the /flag file
Solutions
Find detailed solutions here: Solutions Folder
Resources
Collaboration
Pull requests are welcome. If you find bugs, open an issue on GitHub.