Mock Demo
For educational purposes only. All data, products, and interactions shown here are entirely fictional mock examples — this is not a real product and nothing is for sale.

Web Security Labs

Three intentionally vulnerable web applications for practising OWASP Top 10 attack techniques. PHP, Node.js (Express), and ASP.NET Core variants — each covering SQL injection, XSS, broken auth, IDOR, path traversal, and more.

FOR LOCAL / ISOLATED TESTING ONLY. These applications are intentionally vulnerable by design. Never expose them to the internet or a shared network. Run only in a controlled environment.
Vulnerabilities
SQL Injection (A03)
Stored / Reflected XSS (A03)
Command Injection (A03)
LFI / Path Traversal (A01)
Broken Authentication (A07)
IDOR (A01)
File Upload Abuse (A04)
Insecure Deserialisation (A08)
Security Misconfiguration (A05)
PHP 8 | SQLite3 | :7771
Start Command
php-lab — PowerShell
PS> cd web-labs\php-lab
PS> .\start.ps1
[+] PHP found: php 8.x
[+] Starting PHP built-in server...
[+] Lab ready → http://127.0.0.1:7771
Or Directly
PS> php -S 127.0.0.1:7771 index.php
Vulnerabilities
SQL Injection (A03)
Command Injection (A03)
Stored / Reflected XSS (A03)
JWT alg:none Bypass (A02)
IDOR (A01)
Path Traversal (A01)
Broken Authentication (A07)
Prototype Pollution (A08)
Mass Assignment (A04)
Node.js | Express | better-sqlite3 | :7772
Start Command
nodejs-lab — PowerShell
PS> cd web-labs\nodejs-lab
PS> .\start.ps1
[+] Node.js found: v20.x
[+] npm install complete
[+] SQLite database ready
[+] Lab ready → http://127.0.0.1:7772
Or Directly
PS> npm install && node app.js
Vulnerabilities
SQL Injection (A03)
Stored / Reflected XSS (A03)
SSRF (A10)
IDOR (A01)
Path Traversal (A01)
Broken Authentication (A07)
Open Redirect (A01)
Insecure Deserialisation (A08)
Missing Security Headers (A05)
ASP.NET Core | Newtonsoft.Json | SQLite | :7773
Start Command
aspnet-lab — PowerShell
PS> cd web-labs\aspnet-lab
PS> .\start.ps1
[+] .NET 8 SDK found
[!] Building VulnerableLab...
[+] SQLite database ready
[+] Lab ready → http://127.0.0.1:7773
Or Directly
PS> dotnet run
OWASP Top 10 — 2021 Coverage
A01:2021  Broken Access Control
A02:2021  Cryptographic Failures
A03:2021  Injection
A04:2021  Insecure Design
A05:2021  Security Misconfiguration
A06:2021  Vulnerable & Outdated Components
A07:2021  Identification & Auth Failures
A08:2021  Software & Data Integrity Failures
A09:2021  Security Logging & Monitoring Failures
A10:2021  Server-Side Request Forgery