Current stable version and instructions can be found at: WebGoat-Legacy
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.
- Home Page
- OWASP Project Home Page
- Source Code
- Easy-Run Download TBD
- Wiki
- FAQ (old info):
- Project Leader - Direct to Bruce Mayhew
- Mailing List - WebGoat Community - For most questions
WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should to disconnect from the Internet while using this program. WebGoat's default configuration binds to localhost to minimize the exposure.
WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.
Note - Use WebGoat-Legacy for a stable build
Follow these instructions if you simply wish to run WebGoat
- Java VM >= 1.6 installed ( JDK 1.7 recommended)
- Download the executable jar file which contains all the lessons:
https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0-SNAPSHOT-war-exec.jar
- Run it using java:
java -jar webgoat-container-7.0-SNAPSHOT-war-exec.jar
- Then navigate in your browser to: (http://localhost:8080/WebGoat)
4.(Optional) If you would like to change the port or other options, use:
java -jar webgoat-container-7.0-SNAPSHOT-war-exec.jar --help
Follow these instructions if you wish to run Webgoat and modify the source code as well.
- Java >= 1.6 ( JDK 1.7 recommended )
- Maven > 2.0.9
- Your favorite IDE, with Maven awareness: Netbeans/IntelliJ/Eclipse with m2e installed.
- Git, or Git support in your IDE
The webgoat_developer_bootstrap.sh script will clone the necessary repositories, call the maven goals in order launch Tomcat listening on localhost:8080
mkdir WebGoat-Workspace
cd WebGoat-Workspace
curl -o webgoat_developer_bootstrap.sh https://raw.githubusercontent.com/WebGoat/WebGoat/master/webgoat_developer_bootstrap.sh
sh webgoat_developer_bootstrap.sh
Open a command shell/window, navigate to where you wish to download the source and type:
git clone https://github.com/WebGoat/WebGoat.git
git clone https://github.com/WebGoat/WebGoat-Lessons.git
cd WebGoat
mvn clean compile install
cd ..
** If you don't run this step, you will not have any Lessons to work with!**
cd WebGoat-Lessons
mvn package
cp target/plugins/*.jar ../WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
cd ..
Then you can run the project with one of the steps below (From the WebGoat folder not WebGoat-Lessons):
The maven tomcat7:run-war goal runs the project in an embedded tomcat:
cd WebGoat
mvn -pl webgoat-container tomcat7:run-war
Browse to http://localhost:8080/WebGoat and happy hacking !
The maven package goal generates an executable .jar file:
cd WebGoat
mvn package
cd webgoat-container/target
java -jar webgoat-container-7.0-SNAPSHOT-war-exec.jar http://localhost:8080/WebGoat
Browse to http://localhost:8080/WebGoat and happy hacking !
The maven package goal generates a .war file that can deployed into an Application Server, such as Tomcat
cd WebGoat
mvn package
cp webgoat-container/target/webgoat-container-7.0-SNAPSHOT-war-exec.jar <your_tomcat_directory>/webapps/
Browse to http://localhost:8080/WebGoat and happy hacking !
If you want to reload all the plugin visit the following url: http://localhost:8080/WebGoat/service/reloadplugins.mvc
in a new browser tab. After reloading a message will appear and you can refresh the WebGoat browser tab.