This is a fork of the original "Vulnerable" Web Application developed by Cyber Security and Privacy Foundation (www.cysecurity.org). We have updated and fixed it to work seamlessly in 2026 environments.
Original Repository: CSPF-Founder/JavaVulnerableLab
- Containerization: Fully fixed `Dockerfile` and `docker-compose.yml` to support modern Docker environments.
  - Switched to `maven:3-jdk-8` for building.
  - Switched to `tomcat:9.0-jdk8` for runtime stability.
- XSS Challenges:
  - Reto 2 (Fixed): Implemented missing "Label Filters" challenge (`xss2.jsp`), allowing bypass techniques.
  - Reto 3 (Fixed): Implemented missing "Non-recursive Filters" challenge (`xss3.jsp`), testing nested tag payloads.
- Footer: Updated copyright information.
- Install Docker and Docker Compose.
- Clone this repository:
  ```bash
  git clone https://github.com/TiiZss/JavaVulnerableLab.git
  cd JavaVulnerableLab
  ```
- Run the container:
  ```bash
  docker-compose up -d --build
  ```
- Access the lab at: http://localhost:8080/JavaVulnerableLab
Navigate to http://localhost:8080/JavaVulnerableLab/vulnerability/xss/ to access the challenges.
- Reto 2: Try to evade the filter using `<SCRIPT>` or `<img onerror>`.
- Reto 3: Try "nested" payloads like `<scr<script>ipt>`.
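
Why both filter styles fail and what the fix looks like, as an added example (not code from this repository or the original lab). `labelFilter` and `singlePassFilter` are hypothetical stand-ins for a case-sensitive tag blacklist and a one-pass tag stripper; they are run on the hint strings above and compared with output encoding.

```java
public class XssFilterDemo {

    // Hypothetical "label filter": a case-sensitive blacklist of one tag name.
    // Any other casing or any other tag passes through untouched.
    static String labelFilter(String in) {
        return in.replace("<script>", "").replace("</script>", "");
    }

    // Hypothetical "non-recursive filter": case-insensitive, but applied once.
    // Deleting a match can splice the surrounding characters into a new tag,
    // and that new tag is never re-examined.
    static String singlePassFilter(String in) {
        return in.replaceAll("(?i)</?script>", "");
    }

    // Fix: encode for the HTML output context instead of deleting substrings.
    // Every markup character becomes inert text, whatever the tag or casing.
    static String escapeHtml(String in) {
        StringBuilder out = new StringBuilder(in.length() + 16);
        for (char c : in.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Inputs are exactly the strings given in the challenge hints.
        String[] inputs = {"<SCRIPT>", "<img onerror>", "<scr<script>ipt>"};
        for (String s : inputs) {
            System.out.printf("%-18s label=%-16s single=%-16s escaped=%s%n",
                    s, labelFilter(s), singlePassFilter(s), escapeHtml(s));
        }
    }
}
```

In a JSP, the same encoding is available through JSTL's `<c:out>` tag or the `fn:escapeXml` function, so pages do not need a hand-written escaper.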
This app is intended for Java Programmers and other people who wish to learn about Web application vulnerabilities and write secure code.
Warning: Don't run this app on your main machine or on an online server. Install it in a virtual machine or container.
