OWASP WebGoat Download – Deliberately Insecure Web Application


WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

OWASP WebGoat Download - Deliberately Insecure Web Application


What does OWASP WebGoat Do?

In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name “WebGoat”? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the ‘Goat!

Once deployed, the user can go through the lessons and track their progress with the scorecard.

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised.

All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security.

We’ve written about various Vulnerable Web Apps before including those such as:

Mutillidae – Vulnerable Web-Application To Learn Web Hacking
OWASP Bricks – Modular Deliberately Vulnerable Web Application
WackoPicko – Vulnerable Website For Learning & Security Tool Evaluation
Jarlsberg – Learn Web Application Exploits and Defenses
Damn Vulnerable Web App – Learn & Practise Web Hacking

What can you learn from OWASP WebGoat?


  • Cross-site Scripting (XSS)
  • Access Control
  • Thread Safety
  • Hidden Form Field Manipulation
  • Parameter Manipulation
  • Weak Session Cookies
  • Blind SQL Injection
  • Numeric SQL Injection
  • String SQL Injection
  • Web Services
  • Fail Open Authentication
  • Dangers of HTML Comments
  • … and many more!

How to use OWASP WebGoat & Tutorials

The easiest way to start WebGoat is to use Docker.

Run it Docker:

Browse to http://localhost:8080/WebGoat and Happy Hacking!

You find tutorials, installation details and everything else you need to get going here:

https://github.com/WebGoat/WebGoat/wiki

WebGoat Download

The WebGoat download for 7.1 is here:

webgoat-container-7.1-exec.jar

Or read more here.

Posted in: Web Hacking

, , , ,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


Comments are closed.