After this lesson, you will be able to: Stand up DVWA or WebGoat in Docker and exploit at least four OWASP Top 10 categories yourself, then patch the code that allowed each.
Reading about the OWASP Top 10 only sticks once you've broken something with your own hands. This lab uses Damn Vulnerable Web Application (DVWA) and OWASP WebGoat, both intentionally vulnerable, in Docker, so you can attack and remediate in a safe environment.
Every AppSec interview includes a 'have you actually exploited X' question. Reading explanations is not enough. DVWA and WebGoat are the canonical learning targets. Both ship with multiple difficulty levels (Low / Medium / High) so you can graduate from copy-paste to real bypass thinking. Working through both gives you the talking points for every interview question on injection, broken access control, XSS, IDOR, and SSRF.
Two containers, two URLs, two completely different teaching styles.
Install Docker Desktop and ensure it's running
Run DVWA: docker run --rm -it -p 8080:80 vulnerables/web-dvwa
Open http://localhost:8080, log in admin/password, click Create / Reset Database, switch security level to Low
In a second terminal, run WebGoat: docker run --rm -p 8081:8080 -p 9090:9090 -e TZ=UTC webgoat/webgoat
Open http://localhost:8081/WebGoat, register an account, start the Introduction lessons
Fire up Burp Suite Community Edition; set browser proxy to 127.0.0.1:8080 (Burp default)
Don't skim. Do each attack, then read the source-code fix in the Medium and High security levels of DVWA.
A03 Injection (SQL): DVWA > SQL Injection > submit '1' UNION SELECT user,password FROM users-- '. Read the Low-level PHP source, then read the Medium / High versions to see prepared statements + bind parameters.
A03 Injection (Command): DVWA > Command Execution > submit '127.0.0.1; cat /etc/passwd'. Compare the Low source (raw concatenation) to High (allowlist + shell escape).
A01 Broken Access Control (IDOR): WebGoat > Access Control Flaws > complete the IDOR challenges. Note how URL parameter tampering reveals other users' data.
A07 XSS (Reflected): DVWA > XSS Reflected > submit '<script>alert(1)</script>'. Read Low source vs High (htmlspecialchars on input).
For each, write 2-3 sentences in your notes: what was the bug, what was the fix, why does the fix work.
OWASP Juice Shop, modern JavaScript stack (Node.js + Angular), 100+ challenges. Run: docker run --rm -p 3000:3000 bkimminich/juice-shop. PortSwigger Web Security Academy, free, browser-only, the most realistic lab environment outside of bug bounty. VulnHub, downloadable VMs covering AD, kubernetes, and full enterprise topologies. HackTheBox 'Starting Point', free guided machines with web vectors.
Treating one fix as the whole defence. A SQL prepared statement still allows logic flaws if the query joins user-controlled data into the wrong column. Defaulting to a WAF instead of fixing the code. WAFs catch obvious payloads; logic bugs (IDOR, business-logic) sail through. Confusing input validation with output encoding. Both are needed; they solve different problems. Believing 'we don't write our own SQL, we use an ORM, so we're safe'. ORMs prevent injection only when you don't write raw queries; most teams write raw queries somewhere.
Pick the strongest reason.
Sign in and purchase access to unlock this lesson.