█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Application Security/Hands-on: OWASP Top 10 in DVWA and WebGoat
75 minIntermediate

Hands-on: OWASP Top 10 in DVWA and WebGoat

After this lesson, you will be able to: Stand up DVWA or WebGoat in Docker and exploit at least four OWASP Top 10 categories yourself, then patch the code that allowed each.

Reading about the OWASP Top 10 only sticks once you've broken something with your own hands. This lab uses Damn Vulnerable Web Application (DVWA) and OWASP WebGoat, both intentionally vulnerable, in Docker, so you can attack and remediate in a safe environment.

Prerequisites:Web Application Firewalls and Security Testing

Why hands-on the OWASP Top 10 is non-negotiable

Every AppSec interview includes a 'have you actually exploited X' question. Reading explanations is not enough. DVWA and WebGoat are the canonical learning targets. Both ship with multiple difficulty levels (Low / Medium / High) so you can graduate from copy-paste to real bypass thinking. Working through both gives you the talking points for every interview question on injection, broken access control, XSS, IDOR, and SSRF.

Spin up the lab in Docker

Two containers, two URLs, two completely different teaching styles.

  1. 1

    Install Docker Desktop and ensure it's running

  2. 2

    Run DVWA: docker run --rm -it -p 8080:80 vulnerables/web-dvwa

  3. 3

    Open http://localhost:8080, log in admin/password, click Create / Reset Database, switch security level to Low

  4. 4

    In a second terminal, run WebGoat: docker run --rm -p 8081:8080 -p 9090:9090 -e TZ=UTC webgoat/webgoat

  5. 5

    Open http://localhost:8081/WebGoat, register an account, start the Introduction lessons

  6. 6

    Fire up Burp Suite Community Edition; set browser proxy to 127.0.0.1:8080 (Burp default)

Exploit and remediate, four OWASP categories

Don't skim. Do each attack, then read the source-code fix in the Medium and High security levels of DVWA.

  1. 1

    A03 Injection (SQL): DVWA > SQL Injection > submit '1' UNION SELECT user,password FROM users-- '. Read the Low-level PHP source, then read the Medium / High versions to see prepared statements + bind parameters.

  2. 2

    A03 Injection (Command): DVWA > Command Execution > submit '127.0.0.1; cat /etc/passwd'. Compare the Low source (raw concatenation) to High (allowlist + shell escape).

  3. 3

    A01 Broken Access Control (IDOR): WebGoat > Access Control Flaws > complete the IDOR challenges. Note how URL parameter tampering reveals other users' data.

  4. 4

    A07 XSS (Reflected): DVWA > XSS Reflected > submit '<script>alert(1)</script>'. Read Low source vs High (htmlspecialchars on input).

  5. 5

    For each, write 2-3 sentences in your notes: what was the bug, what was the fix, why does the fix work.

💡 The fix is the lesson

Anyone can find SQLi in DVWA-Low. The skill is being able to look at code and say 'this fix is correct because of X' or 'this fix is incomplete because of Y'. Spend more time on the High-level source code than on the exploit itself. The fix is the deliverable, not the breach.

Going further with intentionally vulnerable apps

OWASP Juice Shop, modern JavaScript stack (Node.js + Angular), 100+ challenges. Run: docker run --rm -p 3000:3000 bkimminich/juice-shop. PortSwigger Web Security Academy, free, browser-only, the most realistic lab environment outside of bug bounty. VulnHub, downloadable VMs covering AD, kubernetes, and full enterprise topologies. HackTheBox 'Starting Point', free guided machines with web vectors.

Common mistakes only experienced AppSec engineers catch

Treating one fix as the whole defence. A SQL prepared statement still allows logic flaws if the query joins user-controlled data into the wrong column. Defaulting to a WAF instead of fixing the code. WAFs catch obvious payloads; logic bugs (IDOR, business-logic) sail through. Confusing input validation with output encoding. Both are needed; they solve different problems. Believing 'we don't write our own SQL, we use an ORM, so we're safe'. ORMs prevent injection only when you don't write raw queries; most teams write raw queries somewhere.

Quick Check

Why is htmlspecialchars($input) on output a stronger fix than a regex on input?

Pick the strongest reason.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Web Application Firewalls and Security Testing
Back to Application Security
OWASP A01: Broken Access Control→