A professional, containerized web security training platform with 28+ hands-on labs managed through a single portal. Built for penetration testing students and security researchers.
| Category | Labs |
|---|---|
| SQL Injection | Union-based, Blind, Error-based |
| Cross-Site Scripting (XSS) | Reflected, Stored, DOM |
| CSRF | Token bypass, Method bypass |
| Local File Inclusion (LFI) | Path traversal, Encoding, Null bytes |
| Remote File Inclusion (RFI) | Basic RFI |
| Command Injection | Simple, Filter bypass, Blind |
| Server-Side Request Forgery (SSRF) | Basic SSRF |
| Shell Upload | Blacklist/Whitelist bypass, WAF, Path traversal |
| XXE Injection | Basic XXE |
| PHP Filters | Input filters, Source code disclosure |
| Docker Security | Socket escape, Exposed API, Privileged escape |
| Platform | Requirement |
|---|---|
| Linux | Docker Engine + Docker Compose |
| macOS | Docker Desktop |
| Windows | Docker Desktop + WSL 2 |
# Install Docker
sudo apt install -y docker.io docker-compose
sudo usermod -aG docker $USER && newgrp docker
# Install the lab
sudo dpkg -i defender-lab_1.0.0_amd64.debPortal starts automatically after install.
- Install Docker Desktop and start it
- Open the
.dmgfile - Double-click Install.command
- Enter your password when prompted
Then start the lab:
defender-lab start- Install Docker Desktop with WSL 2 backend
- Double-click defender-lab_1.0.0_windows.exe
- Follow the installation wizard
- Launch from Start Menu → Defender Lab → Start Lab
Linux / macOS:
git clone https://github.com/haltacademy/Lab.git
cd Lab
chmod +x start.sh
./start.shWindows PowerShell:
git clone https://github.com/haltacademy/Lab.git
cd Lab
.\start.ps1Windows CMD:
git clone https://github.com/haltacademy/Lab.git
cd Lab
start.batFirst launch builds Docker images and takes 5–10 minutes. Subsequent starts are instant.
Expected output:
============================================
Defender Lab is running!
Open: http://localhost:9000
Login: admin / admin
============================================
Open your browser: http://localhost:9000
| Field | Value |
|---|---|
| Username | admin |
| Password | admin |
- Go to Web Application Pentesting in the sidebar
- Browse the catalog by category
- Click Launch — the lab deploys and opens automatically in a new tab
- If the lab is already running, the button shows Open — opens instantly with one click
- Click Destroy to stop a lab and free memory
- Use Nuke on the Dashboard to stop all running labs at once
Linux / macOS:
./stop.shWindows PowerShell:
.\stop.ps1Windows CMD:
stop.batLinux (installed via .deb):
defender-lab stopLab/
├── Nebula Security Suite/ ← Management portal (port 9000)
├── CSRF Lab/ ← 2 CSRF environments
├── Command Injection Lab/ ← 4 injection labs
├── SQL Injection Lab/ ← SQLi environments
├── XSS Lab/ ← Cross-site scripting labs
├── LFI Basic Bypasses/ ← 5 LFI bypass techniques
├── RFI Lab/ ← Remote file inclusion
├── Shell Uploading Lab/ ← 6 file upload bypass labs
├── SSRF Lab/ ← Server-side request forgery
├── XXE Injection Lab/ ← XML external entity
├── PHP Filters/ ← PHP filter exploitation
├── Docker Security Lab/ ← Container escape labs
├── start.sh / stop.sh ← Linux & macOS launcher
├── start.bat / stop.bat ← Windows CMD launcher
├── start.ps1 / stop.ps1 ← Windows PowerShell launcher
├── defender-lab_1.0.0_amd64.deb ← Linux installer
├── defender-lab_1.0.0_macos.dmg ← macOS installer
└── defender-lab_1.0.0_windows.exe ← Windows installer
# Linux .deb (requires: brew install dpkg on macOS)
./build-deb.sh
# macOS .dmg (built-in hdiutil, no extra deps)
./build-dmg.sh
# Windows .exe (requires: brew install nsis on macOS)
./build-exe.shDocker not running: Start Docker Desktop and wait for the icon to stop animating before running the start script.
Port 9000 already in use:
# Linux/macOS
sudo lsof -i :9000 && sudo kill -9 <PID>
# Windows PowerShell
netstat -ano | findstr :9000
taskkill /PID <PID> /FPermission denied (Linux):
sudo usermod -aG docker $USER && newgrp dockerWindows PowerShell blocked:
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSignedDefender Lab is for educational and authorized security research only. Never test systems without explicit written permission.
Built by Defender Labs © 2026