WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.
WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat's default configuration binds to localhost to minimize the exposure.
WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.
Download the latest WebGoat release from https://github.com/WebGoat/WebGoat/releases
java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
By default WebGoat starts on port 8080 with --server.port
you can specify a different port. With server.address
you
can bind it to a different address (default localhost)
If you use Java 9 or higher you need to run WebGoat as follows:
java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar
Every release is also published on DockerHub.
The easiest way to start WebGoat as a Docker container is to use the docker-compose.yml
file
from our Github repository. This will start both containers and it also takes care of setting up the
connection between WebGoat and WebWolf.
curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up
Important: the current directory on your host will be mapped into the container for keeping state.
Using the docker-compose
file will simplify getting WebGoat and WebWolf up and running.
- Java 8
- Maven > 3.2.1
- Your favorite IDE
- Git, or Git support in your IDE
Open a command shell/window:
git clone [email protected]:WebGoat/WebGoat.git
Now let's start by compiling the project.
cd WebGoat
git checkout <<branch_name>>
mvn clean install
Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
mvn -pl webgoat-server spring-boot:run
... you should be running webgoat on localhost:8080/WebGoat momentarily
To change IP address add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file
server.address=x.x.x.x
We supply a complete development environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
$ cd WebGoat/webgoat-images/vagrant-training
$ vagrant up
Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant. The source code will be available in the home directory.
NOTE: Travis will create a new Docker image automatically when making a new release.
WebGoat now has Docker support for x86 and ARM (raspberry pi).
On x86 you can build a container with the following commands:
cd WebGoat/
mvn install
cd webgoat-server
docker build -t webgoat/webgoat-8.0 .
docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
docker login
docker push webgoat/webgoat-8.0
On a Raspberry Pi (it has yet been tested with a Raspberry Pi 3 and the hypriot Docker image) you need to build JFFI for ARM first. This is needed by the docker-maven-plugin (see here):
sudo apt-get install build-essential
git clone https://github.com/jnr/jffi.git
cd jffi
ant jar
cd build/jni
sudo cp libjffi-1.2.so /usr/lib
When you have done this you can build the Docker container using the following commands:
cd WebGoat/
mvn install
cd webgoat-server
mvn docker:build -Drpi=true
docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
docker login
docker push webgoat/webgoat-8.0