VaaS - Vulnerability as a Service

Using Docker to showcase vulnerabilities in a training environment

Posted by Emre Bastuz on July 11, 2015

For pentesting training, I mostly use virtual machines that have been created with multiple vulnerabilities to train exploitation techniques.

Examples of such virtual machines are the Kioptrix series of VMs and the extensive library of VMs available at VulnHub.

Those machines mostly include several vulnerabilities, so that penetrating a system through multiple exploitation techniques becomes a challenge to be solved.

However, sometimes a "smaller" approach is necessary:

  • if the goal is to see a specific vulnerability in action, or
  • if the goal is to see whether a certain defense mechanism does indeed protect against an exploit

This is why I came up with the idea of using Docker (which I wanted to learn about anyway) to publish systems that contain only a single exploitable vector.

I named this "Vulnerability as a Service" and created my first Docker container with a Shellshock-exploitable web application.

For those who are interested in the details, please see GitHub or simply install the container via Docker Hub.