A deliberately insecure PHP application running in Docker with Apache, MySQL, Redis, and phpMyAdmin. Perfect for testing your favorite vulnerability detection plugins, security scanners, and penetration testing tools. Because sometimes you need a punching bag that punches back!
For VS Code users (Recommended for beginners):
- See SETUP_GUIDE.md for a complete step-by-step guide to setting up your development environment using VS Code Dev Containers
- Includes detailed prerequisites, troubleshooting, and everything a new user needs
- Docker & Docker Compose (obviously)
- Git (for version control, because YOLO deployments are so last year)
- Optional: VS Code with Dev Containers extension (see SETUP_GUIDE.md)
See SETUP_GUIDE.md for detailed instructions.
Quick version:
- Install Docker Desktop, VS Code, and Dev Containers extension
- Open project folder in VS Code
- Click "Reopen in Container" when prompted
- Wait for setup to complete (5-15 minutes first time)
- Access at http://localhost:8080
-
Clone and setup the project:
git clone <your-repo-url> cd vulsearch
-
Build and run the application:
docker-compose up -d --build
-
Install PHP dependencies:
docker-compose exec app composer install -
Access your application:
- Main App: http://localhost:8080
- phpMyAdmin: http://localhost:8081
- MySQL: localhost:3306
βββ public/ # Web root directory
β βββ index.php # Application entry point
βββ src/ # PHP source code
β βββ Models/ # Data models
β βββ Services/ # Service classes (TemplateService, etc.)
β βββ Database.php # Database connection class
β βββ helpers.php # Helper functions
βββ views/ # Smarty templates
β βββ layouts/ # Layout templates
β βββ pages/ # Page templates
β βββ cache/ # Template cache (auto-generated)
β βββ templates_c/ # Compiled templates (auto-generated)
βββ docker/ # Docker configuration
β βββ apache/ # Apache configuration
β βββ php/ # PHP configuration
β βββ mysql/ # MySQL initialization
βββ config/ # Application configuration
βββ Dockerfile # PHP-Apache container definition
βββ docker-compose.yml # Multi-container orchestration
This application contains the following intentional vulnerabilities for testing:
- β Basic SQL Injection - Classic injection vulnerabilities (GET, POST, search, ORDER BY, LIMIT)
- β
Production-Style Vulnerabilities - Real-world patterns based on actual enterprise codebases:
- Array implode SQL injection (extremely common in production)
- Integer casting bypass vulnerabilities
- Date parameter injection (reporting systems)
- Dynamic table/column name injection (admin systems)
- Locale function injection (enterprise applications)
- Filter condition building vulnerabilities (search systems)
- π΄ SQL Injection - Multiple injection points (GET, POST, cookie-based)
- π΄ Cross-Site Scripting (XSS) - Reflected, Stored, and DOM-based
- π΄ Cross-Site Request Forgery (CSRF) - Unprotected state-changing operations
- π΄ Local File Inclusion (LFI) - Directory traversal and file reading
- π΄ Remote File Inclusion (RFI) - Remote code execution via includes
- π΄ Command Injection - OS command execution vulnerabilities
- π΄ Path/Directory Traversal - Access to restricted files
- π΄ Insecure File Upload - Malicious file upload capabilities
- π΄ Authentication Bypass - Weak authentication mechanisms
- π΄ Session Management Issues - Session fixation and hijacking
- π΄ Information Disclosure - Sensitive data exposure
- π΄ Weak Cryptography - Poor encryption implementations
Use this application to test:
- SAST Tools (Static Analysis) - CodeQL, SonarQube, Semgrep, etc.
- DAST Tools (Dynamic Analysis) - OWASP ZAP, Burp Suite, Netsparker
- Vulnerability Scanners - Nessus, OpenVAS, Nikto
- Web Application Firewalls - ModSecurity rules testing
- Penetration Testing Tools - Manual exploitation practice
Currently Available:
/vulnerable/- Main vulnerability showcase/vulnerable/sqli/- SQL injection examples/vulnerable/sqli/basic- Basic GET parameter injection/vulnerable/sqli/login- Login form injection/vulnerable/sqli/search- Search function injection/vulnerable/sqli/orderby- ORDER BY clause injection/vulnerable/sqli/limit- LIMIT clause injection
/vulnerable/realistic/- Production-style vulnerabilities/vulnerable/realistic/implode- Array implode injection/vulnerable/realistic/casting- Integer casting bypass/vulnerable/realistic/dates- Date parameter injection/vulnerable/realistic/dynamic- Dynamic table/column names/vulnerable/realistic/locale- Locale function injection/vulnerable/realistic/filters- Filter condition building
Coming Soon:
/vulnerable/xss/- XSS demonstrations/vulnerable/lfi/- File inclusion vulnerabilities/vulnerable/upload/- Insecure file uploads
# Start all services
docker-compose up -d
# Stop all services
docker-compose down
# View logs
docker-compose logs -f
# Access PHP container shell
docker-compose exec app bash
# Run Composer commands
docker-compose exec app composer install
docker-compose exec app composer require package-name
# Database access
docker-compose exec mysql mysql -u app_user -p app_dbThe application provides a simple REST API:
- GET
/api/status- Application status - GET
/api/users- List all users - GET
/api/posts- List all posts - POST
/api/users- Create new user - POST
/api/posts- Create new post
# Get all users
curl http://localhost:8080/api/users
# Create a new user
curl -X POST http://localhost:8080/api/users \\
-H "Content-Type: application/json" \\
-d '{"username":"newuser","email":"[email protected]","password":"password123"}'
# Create a new post
curl -X POST http://localhost:8080/api/posts \\
-H "Content-Type: application/json" \\
-d '{"user_id":1,"title":"Hello Docker","content":"This is my first post!"}'The application uses MySQL 8.0 with the following default configuration:
- Database:
app_db - Username:
app_user - Password:
secret_password - Root Password:
root_secret
The database is initialized with sample users and posts for testing purposes.
Copy .env.example to .env and adjust as needed:
APP_NAME="PHP Docker Application"
APP_ENV=development
DB_HOST=mysql
DB_DATABASE=app_db
DB_USERNAME=app_user
DB_PASSWORD=secret_password
REDIS_HOST=redisCustom PHP settings can be modified in docker/php/php.ini.
Apache virtual host settings are in docker/apache/vhost.conf.
The application uses Smarty 5.x for templating to separate logic from presentation.
- Layouts:
views/layouts/- Base templates with common structure - Pages:
views/pages/- Specific page templates - Cache:
views/cache/- Template cache (auto-generated) - Compiled:
views/templates_c/- Compiled templates (auto-generated)
// In your controllers
use App\Services\TemplateService;
// Render and display template
TemplateService::display('pages/home.tpl', [
'users' => $users,
'posts' => $posts
]);
// Or get rendered content as string
$html = TemplateService::render('pages/404.tpl');- Template inheritance with
{extends}and{block} - Global variables (app config, request info, server info)
- Security policies enabled by default
- Automatic caching in production
- Debug mode for development
# Access container and clear cache
docker-compose exec app php -r "App\Services\TemplateService::clearCache();"- PHP 8.2 with Apache
- Smarty 5.x templating engine
- Composer for dependency management
- Custom PHP configuration
- Volume mounted for live reload
- MySQL 8.0
- Persistent data storage
- Initialization scripts
- Direct access available
- Web interface for MySQL
- Pre-configured connection
- Development convenience
- Session storage
- Caching layer
- Persistent data
- Port already in use: Change ports in docker-compose.yml
- Permission issues: Check file permissions and Docker daemon
- Database connection failed: Ensure MySQL container is running
- Composer autoload issues: Run
composer dump-autoload
# Check container status
docker-compose ps
# Rebuild specific service
docker-compose up -d --build app
# Clear all Docker data (nuclear option)
docker system prune -aThis application is INTENTIONALLY VULNERABLE and contains serious security flaws. It is designed exclusively for:
- β Security research and education
- β Testing vulnerability scanners and security tools
- β Penetration testing practice in controlled environments
- β Security awareness training
- β Production environments
- β Public-facing deployments
- β Any real-world applications
- β Malicious activities
Users are responsible for complying with applicable laws and regulations. This tool should only be used in authorized environments where you have explicit permission to test. The authors are not responsible for any misuse or damage caused by this application.
- Only run in isolated/controlled networks
- Use for authorized penetration testing only
- Consider using VPN or isolated lab environments
- Monitor network traffic during testing
The original application setup notes (now superseded by intentional vulnerabilities):
Change all default passwords(Now using weak passwords for testing)Use proper SSL certificates(Deliberately using HTTP for vulnerability testing)Implement proper authentication(Implementing weak auth for bypass testing)Review security headers(Removing security headers for testing)Use environment-specific configurations(Using insecure configs for testing)
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
This project is open source and available under the MIT License.
Built with β€οΈ and a healthy dose of sarcasm by developers, for developers.