gitmyhub

VulApps

Shell ★ 3.8k updated 5y ago ▣ archived

Quickly build various vulnerability environments (Various vulnerability environment)

A collection of intentionally vulnerable app environments packaged as Docker images. Spin one up with a single command to practice finding and exploiting real CVE security bugs in a safe, local setting.

Shell · Docker · setup: moderate · complexity 2/5

VulApps is a collection of intentionally vulnerable application environments that security researchers and students can spin up on their own computers to practice finding and exploiting known software flaws. Each environment comes packaged as a Docker image, which means you can start a realistic broken version of a real product with a single command and tear it down just as quickly when you are done.

The project covers a wide range of well-known software: web servers like Nginx and Tomcat, content management systems like WordPress and Joomla, frameworks like Spring and Struts2, databases like Redis and Memcached, and tools like Jenkins and JBoss. Most entries correspond to specific publicly documented security bugs, often referenced by their CVE identifier, so you can look up what the flaw is and then try to reproduce it in a safe, isolated setting.

Using a specific environment follows a short two-step process. You look up the Docker image tag listed in the README for the vulnerability you want to study, pull the image from Docker Hub, and then run a container from it. Within seconds you have a live web application running locally with that vulnerability present and ready to test against.
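A sketch of the pull-and-run steps with the published port bound to loopback, plus a check that no running container is reachable from other hosts (a plain `-p 8080:80` publishes on all interfaces). This is an added example, not code from VulApps or from this page; the function names and the sample `docker ps` lines are assumptions, and the image argument is whatever tag the README lists.

```shell
#!/bin/sh
# Added example: keep an intentionally vulnerable container local to this host.

# run_lab IMAGE HOST_PORT CONTAINER_PORT
# Pull the image, then publish the port on 127.0.0.1 only; --rm discards the
# container when it stops.
run_lab() {
  docker pull "$1" &&
  docker run -d --rm -p "127.0.0.1:$2:$3" "$1"
}

# exposed_bindings: reads "name<TAB>ports" lines on stdin and prints
# "name binding" for every published port whose host address is not loopback.
exposed_bindings() {
  awk -F '\t' '
    {
      n = split($2, parts, /, */)
      for (i = 1; i <= n; i++) {
        p = parts[i]
        if (p !~ /->/) continue              # exposed only, not published
        addr = p
        sub(/->.*/, "", addr)                # keep the host side: addr:port
        sub(/:[0-9-]+$/, "", addr)           # drop the port or port range
        if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") continue
        print $1 " " p
      }
    }'
}

# audit_lab: run the check against the containers currently running.
audit_lab() {
  docker ps --format "$(printf '{{.Names}}\t{{.Ports}}')" | exposed_bindings
}

# Constructed sample of the name/ports lines audit_lab feeds to the parser.
sample_ps_output() {
  printf 'lab-a\t127.0.0.1:8080->80/tcp\n'
  printf 'lab-b\t0.0.0.0:8081->8080/tcp, :::8081->8080/tcp\n'
  printf 'lab-c\t6379/tcp\n'
}
```

`audit_lab` prints nothing when every published port is loopback-only; any line it prints names a container that other machines on the network can reach.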

The project consists mainly of Shell scripts and the Dockerfiles that define each image. It is aimed at people learning offensive security techniques, running capture-the-flag challenges, or building and testing detection tools. The README is in Chinese, though the technical commands are standard Docker syntax that any user familiar with containers can follow. A companion project called vulhub covers similar ground and is linked from the repository.

Where it fits