My favorites | Sign in
Project Logo
Project Home
  
Downloads
  
Wiki
  
Issues
  
Source
    
Summary | Updates | People
Code license: GNU General Public License v2
Labels: Security, Java, J2EE, Authentication, CrossSiteScripting, SessionManagement, WebServices, InputValidation, AccessControl, SQLInjection, Training
Links:
Feeds:
People details
Project owners:
  mayhew64
Project committers:
sherif.fathy, esheri3, planetlevel, rogan.dawes, Romain.Brechet, ast126, wirth.marcel, brandon.devries, stephencraig.evans, soylentmean, borlovan, ch...@securityfoundry.com, ch.ko123, mjawurek, cam.morris

Overview

WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name 'WebGoat'? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

Goals

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.

The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.

Questions

If you have questions or suggestions regarding WebGoat, send email to Bruce Mayhew at "webgoat AT owasp DOT org"

Releases

WebGoat installation instructions

WebGoat 5.3 Standard:

The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.

WebGoat 5.3 Developer :

Version 5.3 now uses maven. See the readme file for instructions on how to build and setup an eclipse environment.

How did I do that

References to interesting articles on WebGoat. Contact Bruce Mayhew at webgoat AT owasp DOT org" if you have a detailed post.

External Documentation

References to WebGoat documentation or solutions.









Hosted by Google Code