WebGoat is a web application that is deliberately vulnerable, to
try out how such vulnerabilities can be exploited.
It runs as a web application on the Apache Tomcat web server;
Apache Tomcat is included when you download and install WebGoat.
It uses Java, so if you don't have that, install that first.
To install WebGoat on your own laptop
Standalone instructions on github.
NB it is better to start WebGoat from the command line, with
java -jar webgoat-server-8.0.0.M21.jar
and not by double-clicking the jar, because on the command line you can
then see if WebGoat fails to start or crashes for some reason.
More info about WebGoat on the OWASP WebGoat site.
There is also a
FAQ on github.