Web Security


WebGoat is a deliberately vulnerable web application, meant for trying out how such vulnerabilities can be exploited. It runs as a web application on the Apache Tomcat web server; Apache Tomcat is included when you download and install WebGoat. It uses Java, so if you don't have Java, install it first.

To install WebGoat on your own laptop

Simply follow the Standalone instructions at Running Webgoat - Standalone instructions
NB: it is better to start WebGoat from the command line than by double-clicking the jar, because on the command line you can see if WebGoat fails to start or crashes for some reason.

(Local copy of webgoat-container-7.1-war-exec.jar, in case the website above is slow.)

There is a bug in WebGoat 7.0.1; the jar above has been updated to 7.1. If you used 7.0.1 earlier you have to clear your browser cache and remove cookies before it works.

WebGoat has a Java Source tab, where you can see the Java source of the web application, but you can ignore that, as we won't be looking at the code behind the website.

More info about WebGoat is available on the OWASP WebGoat site.