License:	GNU General Public License v2
Labels:	Security, Java, J2EE, Authentication, CrossSiteScripting, SessionManagement, WebServices, InputValidation, AccessControl, SQLInjection, Training

Links:	OWASP WebGoat Project WebGoat User Guide How to Build WebGoat WebGoat Mail List WebGoat Distributions (5.1) FAQ

Join project

Project owners:
	mayhew64
Project members:
	sherif.fathy, esheri3, planetlevel, rogan.dawes, Romain.Brechet, ast126, wirth.marcel, brandon.devries

Overview

WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name 'WebGoat'? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

Goals

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.

The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.

Questions

If you have questions or suggestions regarding WebGoat, send mail to "webgoat AT owasp DOT org"

Releases

WebGoat 5.2 For Beta Testers:

This is a release for beta testing. If you are not on the beta test list, please enter bugs using Google Issues for WebGoat.

WebGoat installation instructions

WebGoat 5.1 Standard:

The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.

WebGoat 5.1 Developer (at SourceForge):

Note: This release is NOT intended for developers to build and create new lessons. This release provides an environment to work on the labs.

Note: This release is at SourceForge.

The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the HOW TO create the WebGoat workspace.txt file.

Linux Note

The webgoat.sh file for the Linux can be found at http://webgoat.googlecode.com/svn/tags/webgoat-5.1/main/webgoat.sh