WebGoat is a deliberately insecure web application maintained by OWASP and designed to teach web application security lessons. The program demonstrates common server-side application flaws, and the exercises are intended to help people learn about application security and penetration testing techniques.
In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
Why the name “WebGoat”? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the ‘Goat!
We’ve written about various vulnerable web apps before, including:
– Mutillidae – Vulnerable Web-Application To Learn Web Hacking
– OWASP Bricks – Modular Deliberately Vulnerable Web Application
– WackoPicko – Vulnerable Website For Learning & Security Tool Evaluation
– Jarlsberg – Learn Web Application Exploits and Defenses
– Damn Vulnerable Web App – Learn & Practise Web Hacking
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard.
Web application security is difficult to learn and practice. Not many people have full-blown web applications such as online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised.
All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de facto interactive teaching environment for web application security.
What can you learn?
- Cross-site Scripting (XSS)
- Access Control
- Thread Safety
- Hidden Form Field Manipulation
- Parameter Manipulation
- Weak Session Cookies
- Blind SQL Injection
- Numeric SQL Injection
- String SQL Injection
- Web Services
- Fail Open Authentication
- Dangers of HTML Comments
- … and many more!
It’s easy to get started with WebGoat. The easiest way is to simply download the WebGoat-6.0.1-war.exec.jar binary and run it with:
java -jar WebGoat-6.0.1-war.exec.jar
Then browse to http://localhost:8080/WebGoat to access the app.