WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.
What does OWASP WebGoat Do?
In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
Why the name “WebGoat”? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the ‘Goat!
Once deployed, the user can go through the lessons and track their progress with the scorecard.
Web application security is difficult to learn and practice. Not many people have full-blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised.
All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security.
We’ve written about various vulnerable web apps before, including:
– Mutillidae – Vulnerable Web-Application To Learn Web Hacking
– OWASP Bricks – Modular Deliberately Vulnerable Web Application
– WackoPicko – Vulnerable Website For Learning & Security Tool Evaluation
– Jarlsberg – Learn Web Application Exploits and Defenses
– Damn Vulnerable Web App – Learn & Practise Web Hacking
What can you learn from OWASP WebGoat?
- Cross-site Scripting (XSS)
- Access Control
- Thread Safety
- Hidden Form Field Manipulation
- Parameter Manipulation
- Weak Session Cookies
- Blind SQL Injection
- Numeric SQL Injection
- String SQL Injection
- Web Services
- Fail Open Authentication
- Dangers of HTML Comments
- … and many more!
How to use OWASP WebGoat & Tutorials
The easiest way to start WebGoat is to use Docker.
Run it with Docker:
docker run -p 8080:8080 webgoat/webgoat-7.1
Browse to http://localhost:8080/WebGoat and Happy Hacking!
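The start-up step above as a small wrapper script, added here as an example and not taken from the page or the WebGoat project: it runs the same image, but publishes the port on the loopback interface only (a deliberately vulnerable app should not be reachable from the rest of the network) and polls the lesson URL until the container is ready. It assumes docker and curl are installed; the container name `webgoat` and the `WEBGOAT_START` switch are my own choices.

```shell
#!/bin/sh
# Added example: start WebGoat 7.1 in Docker, bound to localhost, and wait for it.
# Assumes docker and curl are on PATH. Image and URL are the ones the page gives.

WEBGOAT_IMAGE="webgoat/webgoat-7.1"
WEBGOAT_URL="http://localhost:8080/WebGoat"

# Arguments for `docker`. Publishing the port as 127.0.0.1:8080:8080 keeps the
# vulnerable app reachable only from this machine; the page's plain -p 8080:8080
# would bind it on every interface.
webgoat_run_args() {
    printf '%s' "run -d --rm --name webgoat -p 127.0.0.1:8080:8080 $WEBGOAT_IMAGE"
}

# Poll the lesson URL once per second, up to $1 attempts (default 60).
# Returns 0 as soon as WebGoat answers an HTTP request, 1 on timeout.
wait_for_webgoat() {
    attempts=${1:-60}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if curl -s -o /dev/null "$WEBGOAT_URL"; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Only start the container when WEBGOAT_START=1, so the file can also be sourced.
if [ "${WEBGOAT_START:-0}" = "1" ]; then
    # shellcheck disable=SC2046  # word splitting of the argument string is intended
    docker $(webgoat_run_args)
    if wait_for_webgoat 120; then
        echo "WebGoat is up: $WEBGOAT_URL"
    else
        echo "WebGoat did not answer within 120 seconds" >&2
        docker logs webgoat >&2
        exit 1
    fi
fi
```

Run it with `WEBGOAT_START=1 sh webgoat.sh`; stop the lesson container afterwards with `docker stop webgoat`.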
You can find tutorials, installation details and everything else you need to get going here:
https://github.com/WebGoat/WebGoat/wiki
WebGoat Download
The WebGoat download for 7.1 is here:
webgoat-container-7.1-exec.jar
Or read more here.