Code license:	GNU General Public License v2
Labels:	Security, Java, J2EE, Authentication, CrossSiteScripting, SessionManagement, WebServices, InputValidation, AccessControl, SQLInjection, Training

Show all Featured downloads:
WebGoat-OWASP_Standard-5.2.zip

Links:	OWASP WebGoat Project WebGoat User Guide How to Build WebGoat WebGoat Mail List WebGoat Distributions at SourceForge (5.2) FAQ
Feeds:	Project feeds

People details

Project owners:
	mayhew64
Project committers:
	sherif.fathy, esheri3, planetlevel, rogan.dawes, Romain.Brechet, ast126, wirth.marcel, brandon.devries, stephencraig.evans, soylentmean, borlovan

Overview

WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name 'WebGoat'? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

Goals

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.

The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.

Questions

If you have questions or suggestions regarding WebGoat, send email to Bruce Mayhew at "webgoat AT owasp DOT org"

Releases

WebGoat installation instructions

WebGoat 5.2 Standard:

The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.

WebGoat 5.2 Developer (at SourceForge):

Note: This release is NOT intended for developers to build and create new lessons. This release provides an environment to work on the labs.

Note: This release is at SourceForge.

The developer release includes the standard release with the addition of a configured eclipse environment. The developer release is also a download, unzip, and click-to-run release. It works exactly the same as the standard release if you only wish to explore the lessons. However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment. Detailed instructions are include at the top of the HOW TO create the WebGoat workspace.txt file.

How did I do that

References to articles on WebGoat installations. Contact Bruce Mayhew at webgoat AT owasp DOT org" if you have a detailed post.