
Web Pentesting From Scratch: Building a Safe Lab with DVWA, Juice Shop and Burp Suite

By the Basilisk Team

Hands-on guide to building an isolated web pentest lab with DVWA, Juice Shop and Burp Suite configured under clear legal and safety rules.

Some people fire up Burp Suite against the first site that pops up on Google and immediately call themselves pentesters. That is a felony in more than thirty countries, including the US under the Computer Fraud and Abuse Act. The only sane path is building your own lab, isolated and filled with intentionally vulnerable targets you are legally allowed to attack, before touching any real system. In this guide the Basilisk team builds a reproducible environment on a 16GB RAM box using DVWA, OWASP Juice Shop and Burp Suite Community as the starting trio. Everything runs on a VirtualBox host-only network, with zero bits leaking to the outside world.

Start with the isolation layer, because that is what separates research from incident. Create a Kali Linux 2026.1 VM with two adapters: a toggleable NAT adapter for pulling updates and a host-only adapter on the 192.168.56.0/24 range. Target machines (one Ubuntu 22.04 running DVWA in Docker and another Ubuntu running Juice Shop on port 3000) stay ONLY on the host-only adapter. Drop any default route inside them with `ip route del default` so they cannot reach anything beyond the lab range. The same principle shows up in more depth in Pivoting with Chisel and Ligolo-ng: Segmented Networks in a Pentest Lab once you start segmenting subnets. Take a snapshot before every session; it saves hours of reinstalling.

Spin up DVWA with `docker run --rm -it -p 80:80 vulnerables/web-dvwa` and set the security level to Low the first time you log in. The goal is not finishing every module on day one but understanding the cycle: watch the request in Burp, tweak a parameter, watch the response, craft a payload, repeat. The DVWA SQL Injection module is the classic mind-opener, but compare it with the deeper coverage in SQL Injection in Practice: Exploiting, Detecting and Mitigating in a Controlled Lab once your first `' OR 1=1-- -` lands. The same logic applies to XSS: tinker in DVWA, then go deeper with Modern XSS: DOM, Stored and Reflected With Real Examples in a Test Lab.

Juice Shop is a brutal realism upgrade. It is an Angular SPA with 100+ challenges, a hidden scoreboard, a poorly validated JWT and REST endpoints full of IDOR. Bring it up with `docker run --rm -p 3000:3000 bkimminich/juice-shop` and point the Kali browser at Burp Suite Community's proxy listener on 127.0.0.1:8080. Import Burp's CA certificate into the dedicated Kali Firefox profile (NEVER into your personal browser) so Burp can intercept TLS. To stretch into API testing, REST and GraphQL API Pentest: Technical Checklist for Legal Bug Bounty covers the GraphQL flow Juice Shop exposes at `/api`, and SSRF Demystified: Exploiting Cloud Metadata in a Local AWS Lab complements the SSRF challenges hidden in the higher levels.

Configure Burp with an aggressively tight scope. Under Target > Scope, add only `192.168.56.0/24` and tick the option to drop out-of-scope traffic. That single click prevents the classic intern nightmare of leaving Intruder running against a CDN. Create one Project File per target (`dvwa.burp`, `juiceshop.burp`) so findings stay clean. Enable Logger++ from the BApp Store for a full audit trail and install Param Miner to discover hidden headers. Anyone working in a team should read OPSEC for Security Researchers: Building a Personal Threat Model before pasting any screenshot into a public chat, no matter how innocent it looks.
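As an added example (not from the original post or the Basilisk team), a small POSIX shell pre-session check that ties the isolation and scope rules above together: no default route on the target VM, every target address inside 192.168.56.0/24, and containers published only on the host-only address. The addresses 192.168.56.10 and 192.168.56.11 and the detached `-d` form of the docker commands are assumptions for this example.

```shell
#!/bin/sh
# Pre-session isolation check for the host-only lab described above.
# Assumed layout (constructed for this example): host-only range 192.168.56.0/24,
# DVWA VM at 192.168.56.10, Juice Shop VM at 192.168.56.11.

# in_scope IP: succeeds only if IP is an address inside 192.168.56.0/24.
in_scope() {
  case "$1" in
    192.168.56.[0-9]|192.168.56.[0-9][0-9]|192.168.56.[0-9][0-9][0-9])
      [ "${1##*.}" -le 255 ] ;;
    *) return 1 ;;
  esac
}

# has_default_route: reads `ip route` output on stdin; succeeds if a default route is present.
# On a target VM this must FAIL, otherwise the box can still reach the internet.
has_default_route() {
  grep -q '^default '
}

# run_cmd NAME IP HOSTPORT CTRPORT IMAGE: prints a docker run line that publishes the
# service only on the host-only address, refusing any address outside the lab range.
run_cmd() {
  in_scope "$2" || { echo "refusing to publish $1 on out-of-scope address $2" >&2; return 1; }
  printf 'docker run --rm -d --name %s -p %s:%s:%s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# preflight TARGET...: reads the local routing table on stdin and checks that there is no
# default route and that every target is inside the lab range. Returns the number of failures.
preflight() {
  fails=0
  if has_default_route; then
    echo "FAIL: default route present, drop it with 'ip route del default'" >&2
    fails=$((fails + 1))
  fi
  for t in "$@"; do
    if in_scope "$t"; then
      echo "ok: $t is inside 192.168.56.0/24"
    else
      echo "FAIL: $t is outside the lab range" >&2
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}
```

On a target VM, run `ip route | preflight 192.168.56.10 192.168.56.11` before starting Burp; a non-zero exit means the lab is not isolated yet.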

Document every exploit with three artifacts: raw request, exact payload and expected vs observed behavior. Use a dedicated Obsidian vault for the lab, with tags following the OWASP Top 10. When you find that Juice Shop has a poorly filtered avatar upload, write the report before chasing the next challenge; that discipline is what separates a hobbyist from a professional, and the topic is covered head-on in Exploring File Upload Vulnerabilities Without Breaking the Law. Keep encrypted backups of the vault, because your exploit notebook is gold and a liability the moment it leaks.

Before closing the session, power off the VMs with `VBoxManage controlvm <vmname> poweroff` and disable the temporary NAT adapter. Revert to a clean snapshot if you installed anything experimental, especially third-party Burp extensions, which are rarely audited. Practical takeaway: treat your lab like a small nuclear reactor, with an operations log, segregated networks and mandatory snapshots. Once you are comfortable with DVWA and Juice Shop, graduate to HackTheBox, TryHackMe or bug bounty programs with a written scope. Practice without scope is not pentesting, it is a federal crime with prison time attached. Lab discipline is what keeps you on the right side of that line.
