Pentest Tools

Published on October 23rd, 2015


OWASP WebGoat — Deliberately Insecure Web Application



WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. Two editions exist: WebGoat for J2EE (Java) and WebGoat for .NET (ASP.NET). In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.

WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. Once deployed, the user can go through the lessons and track their progress with the scorecard.


What can you learn?

  • Cross-site Scripting (XSS)
  • Access Control
  • Thread Safety
  • Hidden Form Field Manipulation
  • Parameter Manipulation
  • Weak Session Cookies
  • Blind SQL Injection
  • Numeric SQL Injection
  • String SQL Injection
  • Web Services
  • Fail Open Authentication
  • Dangers of HTML Comments
  • … and many more!

The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.


WebGoat contains 28 lessons, 4 labs, and 4 developer labs. Two distributions are available, depending on what you would like to do.


  1. Easy-run package

    The easiest version to play with. The easy-run package is a platform-independent executable jar file, so it has minimal muss and fuss. Since this distribution does not include source, you cannot complete the 4 developer labs. Prerequisites: Java JRE >= 1.6

  2. Source distribution

    Allows modifying the source code of WebGoat. WebGoat is a standard Maven project. This is the right choice if you wish to complete the developer labs, or you wish to contribute to WebGoat. Prerequisites: Java JDK >= 1.6, Maven >= 3


WebGoat is a platform independent environment. It runs on Apache Tomcat and a Java development environment. Installers are provided for Microsoft Windows and UN*X environments, together with notes for installation on other platforms.

Prerequisites

All you need to run WebGoat is a Java VM, but you’ll need the standard Java development tooling to use the source distribution.


Easy-run Prerequisites

A Java runtime (JRE >= 1.6) is all the easy-run package needs, since it is a self-contained executable jar. No application server or build tooling has to be installed.

Source Distribution Prerequisites

To run from source, you’ll need a standard Java development environment. If you are already a Java developer, you’ve likely got the tooling you need.

  1. Java JDK. A JRE distribution will not do.
  2. Maven. Maven is all that is required to compile, package, and run WebGoat.


Quick Start — Easy Run

  1. Install a Java runtime (JRE 1.6 or newer).
  2. Download WebGoat.
  3. Make sure Java is in your path. This should already be the case after you install Java; if it is not, add it to your path.
  4. Run WebGoat by executing this command in the same directory you downloaded WebGoat into:
        java -jar WebGoat-6.0.1-war-exec.jar
    
  5. Verify it worked by pointing your browser to http://localhost:8080/WebGoat (the easy-run package serves plain HTTP on port 8080 by default). You should see a sign-in screen. That's it! If you need to change the port or other options, you can use --help to display more options. For example, to run WebGoat on port 9090, you can run:
        java -jar WebGoat-6.0.1-war-exec.jar -httpPort 9090
    


Quick Start — Source Distribution

  1. Install the prerequisites. Minimally, this is a JDK and Maven, but it may include an IDE.
  2. Download the source from WebGoat-Legacy. You'll want to clone it if you intend to contribute; otherwise you can just download an archive.
  3. Run WebGoat with Maven. Change to the project location, and run:
        mvn clean tomcat7:run-war
    
  4. Verify it worked by pointing your browser to http://localhost:8080/WebGoat. You should see a sign-in screen.
  5. Open it with your IDE to modify the source. WebGoat is a standard Maven project, so you should be able to import it with almost any IDE.

Note: if the tomcat7 plugin goal is not used, some lessons will throw exceptions.
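The two quick starts above boil down to "check the tooling, start the server, confirm the sign-in page answers". The script below is an added example, not code from the WebGoat project or from the original post: it wraps both procedures in functions with the pre-flight checks a practitioner wants before starting a deliberately vulnerable application, and after start-up it shows which address the listener is bound to. The jar name and the -httpPort option come from the page; the assumptions are that the jar sits in the current directory, that curl and ss (or netstat) are installed, and that `java -version` prints its version string in double quotes as current JVMs do.

```shell
#!/usr/bin/env bash
# Added example: launcher with pre-flight checks for WebGoat 6.0.1.
# Assumptions (not from the page): jar in the current directory, curl and
# ss/netstat available, `java -version` prints the version in double quotes.
set -u

# Turn a JVM version string into its major number. Pre-9 JVMs report
# "1.8.0_66" (meaning Java 8); newer ones report "11.0.2" or "17".
java_major_version() {
    local v="$1"
    v="${v%%_*}"                       # drop the update suffix: 1.8.0_66 -> 1.8.0
    case "$v" in
        1.*) v="${v#1.}"; echo "${v%%.*}" ;;
        *)   echo "${v%%.*}" ;;
    esac
}

# Accept only a numeric TCP port in 1..65535 for -httpPort.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Sign-in page URL for a given port; the easy-run jar serves plain HTTP.
webgoat_url() {
    printf 'http://localhost:%s/WebGoat/' "$1"
}

# Read the installed JVM's major version. `java -version` writes to stderr.
installed_java_major() {
    command -v java >/dev/null 2>&1 || return 1
    local line
    line=$(java -version 2>&1 | head -n1)
    line=${line#*\"}; line=${line%%\"*}  # keep the text between the quotes
    java_major_version "$line"
}

# Poll the sign-in page until Tomcat has deployed the war, or give up.
wait_for_webgoat() {
    local url="$1" tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        curl -fsS -o /dev/null "$url" && return 0
        sleep 2; tries=$((tries - 1))
    done
    return 1
}

# Easy-run package: java -jar WebGoat-6.0.1-war-exec.jar [-httpPort N]
run_easy() {
    local port="${1:-8080}" jar="${2:-WebGoat-6.0.1-war-exec.jar}" major
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    [ -f "$jar" ] || { echo "missing $jar in $(pwd)" >&2; return 2; }
    major=$(installed_java_major) || { echo "java is not in PATH" >&2; return 2; }
    [ "$major" -ge 6 ] || { echo "need Java >= 1.6, found major $major" >&2; return 2; }
    java -jar "$jar" -httpPort "$port" &
    wait_for_webgoat "$(webgoat_url "$port")" || { echo "WebGoat did not come up" >&2; return 1; }
    echo "WebGoat is up at $(webgoat_url "$port")"
    # Show the bound address: anything other than 127.0.0.1/::1 is reachable
    # by other hosts on the network, which the warning below is about.
    ss -ltn "sport = :$port" 2>/dev/null || netstat -an | grep ":$port"
}

# Source distribution: needs Maven and must be run from the project root.
run_source() {
    command -v mvn >/dev/null 2>&1 || { echo "mvn is not in PATH" >&2; return 2; }
    [ -f pom.xml ] || { echo "run this from the WebGoat source root" >&2; return 2; }
    mvn clean tomcat7:run-war
}
```

Source the file and call `run_easy 9090` or `run_source`. The version check matters because the two quick starts state different minimums (a JRE for the jar, a JDK for Maven), and a JVM older than 1.6 fails only after Tomcat has started unpacking the war.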


While this program is running, your machine is extremely vulnerable to anyone who can reach the WebGoat port. Disconnect from the Internet (or run it inside an isolated VM) while using it.

This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work, as that is the first thing every attacker claims.
