As of February 1st 2016, the version "7.0.1" is considered the first STABLE version of a major architecture and UI changes.
Older/Legacy version of WebGoat an be found at: WebGoat-Legacy
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.
- Home Page
- OWASP Project Home Page
- Source Code
- Easy-Run Download
- Wiki
- FAQ (old info):
- Project Leader - Direct to Bruce Mayhew
- Mailing List - WebGoat Community - For most questions
- Artifacts generated from Continuous Integration
- Output from our Travis.CI Build server
WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should to disconnect from the Internet while using this program. WebGoat's default configuration binds to localhost to minimize the exposure.
WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.
Every successful build of the WebGoat Lessons Container and the WebGoat Lessons in our Continuous Integration Server creates an "Easy Run" Executable JAR file, which contains the WebGoat Lessons Server, the lessons and a embedded Tomcat server.
You can check for the "Last Modified" date of our "Easy Run" jar file HERE
The "Easy Run" JAR file offers a no hassle approach to testing and running WebGoat. Follow these instructions if you wish to simply try/test/run the current development version of WebGoat
- Java VM 1.8
1. Download the easy run executable jar file which contains all the lessons and a embedded Tomcat server:
https://s3.amazonaws.com/webgoat-war/webgoat-standalone-7.1-SNAPSHOT-exec.jar
Open a command shell/window, browse to where you downloaded the easy run jar and type:
java -jar webgoat-standalone-7.0.1-exec.jar [-p | --p <port>] [-a | --address <address>]
Using the --help
option will show the allowed command line arguments.
To run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
$ cd WebGoat/webgoat-images/vagrant-users
$ vagrant up
Once you see the message 'Browse to http://localhost:9999/WebGoat and happy hacking! you can open a browser.
For an easy development experience you can use Vagrant. Note you should have Vagrant and Virtualbox installed on your system.
$ cd WebGoat/webgoat-images/vagrant-developers
$ vagrant up
Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant. The source code will be available in the home directory.
Follow these instructions if you wish to run Webgoat and modify the source code as well.
- Java 1.8
- Maven > 2.0.9
- Your favorite IDE, with Maven awareness: Netbeans/IntelliJ/Eclipse with m2e installed.
- Git, or Git support in your IDE
The webgoat_developer_bootstrap.sh script will clone the necessary repositories, call the maven goals in order launch Tomcat listening on localhost:8080
mkdir WebGoat-Workspace
cd WebGoat-Workspace
curl -o webgoat_developer_bootstrap.sh https://raw.githubusercontent.com/WebGoat/WebGoat/master/webgoat_developer_bootstrap.sh
./webgoat_developer_bootstrap.sh
Open a command shell/window, navigate to where you wish to download the source and type:
git clone https://github.com/WebGoat/WebGoat.git
git clone https://github.com/WebGoat/WebGoat-Lessons.git
cd WebGoat
git checkout develop
mvn clean compile install
cd ..
If you don't run this step, you will not have any Lessons to work with!
cd WebGoat-Lessons
git checkout develop
mvn package
(linux) cp target/plugins/*.jar ../WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
(windows) xcopy "target\plugins\*.jar" "..\WebGoat\webgoat-container\src\main\webapp\plugin_lessons\"
cd ..
Then you can run the project with one of the steps below (From the WebGoat folder not WebGoat-Lessons):
The maven tomcat7:run-war goal runs the project in an embedded tomcat:
cd WebGoat
mvn -pl webgoat-container tomcat7:run-war
Browse to http://localhost:8080/WebGoat and happy hacking !
The maven package goal generates an executable .jar file:
cd WebGoat
mvn package
cd webgoat-standalone/target
java -jar webgoat-standalone-7.1-SNAPSHOT-exec.jar [-p | --p <port>] [-a | --address <address>]
Browse to url shown in the console and happy hacking !
The maven package goal generates a .war file that can deployed into an Application Server, such as Tomcat
cd WebGoat
mvn package
cp webgoat-container/target/webgoat-container-7.1-SNAPSHOT.war <your_tomcat_directory>/webapps/
Browse to http://localhost:8080/WebGoat and happy hacking !
If you want to reload all the plugin and lessons, open a new browser tab and visit the following url:
http://localhost:8080/WebGoat/service/reloadplugins.mvc
After the plugin reload is complete, reloading a message will appear and you can refresh the main WebGoat browser tab.
To be able to see which labels are loaded through a property file, open a new browser tab and visit the following url:
http://localhost:8080/WebGoat/service/debug/labels.mvc
Switch back to the main WebGoat broswer tab and reload the main WebGoat browser tab.
After the reload is complete, all labels which where loaded from a property file will be marked green.