Overview
WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
Why the name 'WebGoat'? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!
Goals
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
Questions
If you have questions or suggestions regarding WebGoat, send email to Bruce Mayhew at "webgoat AT owasp DOT org"
Releases
WebGoat installation instructions
WebGoat 5.3 Standard:
The standard release is a download, unzip, and click-to-run release. It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.
WebGoat 5.3 Developer :
Version 5.3 now uses maven. See the readme file for instructions on how to build and setup an eclipse environment.
How did I do that
References to interesting articles on WebGoat. Contact Bruce Mayhew at webgoat AT owasp DOT org" if you have a detailed post.
- Creating a OWASP WebGoat Ubuntu-based VM
- Developing Secure Applications
- Securing WebGoat using OWASP ModSecurity Project
- Black Hat - Securing WebGoat using OWASP ModSecurity
External Documentation
References to WebGoat documentation or solutions.