
- WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
- For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
Why the name ‘WebGoat’?
- Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the ‘Goat!
Runtime environment for OWASP WebGoat
The following picture shows the ideal local setup for running WebGoat and following the lessons. It also shows WebWolf and how OWASP Zap can be used between the browser and OWASP WebGoat.

Releases
- WebGoat consists of two applications that work together. One is called WebGoat and one is called WebWolf. WebWolf depends on WebGoat and requires that WebGoat is started first.
- Both WebGoat and WebWolf are runnable jar files. Make sure the following ports are available: 80, 8080, 9090, 9001 when running locally.
- There are several options to run WebGoat (and WebWolf):
- Fork/Clone the repository, checkout the develop branch, build the artifacts using Java 11 and Maven 3.6+, and run the archives.
mvn clean install
java -jar webgoat-server/target/webgoat-server-v8.0.0-SNAPSHOT.jar
# then in another shell
java -jar webwolf/target/webwolf-v8.0.0-SNAPSHOT.jar
- Download the released, pre-built jar files and run them using Java 11.
Standalone WebGoat 8.0
- Use the all-in-one Docker container, which contains a reverse proxy plus both WebGoat and WebWolf and starts them in the correct order.
Docker WebGoat 8.0
docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest
Installing Java
WebGoat requires installation of the Java Runtime Environment (JRE). If you already have Java installed, it is worth updating to the latest version to avoid any possible issues.
First, update the package index:
sudo apt-get update
Then install the JRE by running this command:
sudo apt-get install default-jre
To check the Java version after installing the package:
java -version
Installing WebGoat
Download and install the latest version of WebGoat Server to a suitable location, such as your Downloads folder.
All releases can be found here: https://github.com/WebGoat/WebGoat/releases
The latest version (at the time of writing) is: webgoat-server-8.0.0.M23.jar
wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M23/webgoat-server-8.0.0.M23.jar
To start the WebGoat Server:
java -jar webgoat-server-8.0.0.M23.jar
Note: if using Java 9 or higher you might need to start WebGoat as follows (update version number as required):
java --add-modules java.xml.bind -jar webgoat-server-8.0.0.M23.jar
You will see the following message when WebGoat has started successfully:

Note: if you wish to run WebGoat on an alternate port and address, you can do so with the following options:
java -jar webgoat-server-8.0.0.M23.jar [--server.port=8080] [--server.address=localhost]
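Because WebGoat is deliberately vulnerable, it is worth confirming which of its ports are already taken before start-up and, once it is running, that none of them listens beyond loopback. The script below is an added example, not part of WebGoat or of the original article; it parses `ss -ltn` output for the four ports named above. It assumes a Linux host with `ss` (iproute2), and the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: check WebGoat/WebWolf listeners before and after start-up.
WEBGOAT_PORTS="80 8080 9090 9001"   # ports named in this article

# Constructed `ss -ltn` output for the demo run (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:80         0.0.0.0:*
LISTEN 0      100    [::1]:9090         [::]:*
LISTEN 0      4096   *:9001             *:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# stdin: `ss -ltn` output. stdout: WebGoat ports that already have a listener,
# space-separated. Run before starting the jars to spot port conflicts.
ports_in_use() {
    awk -v ports="$WEBGOAT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" { port = $4; sub(/.*:/, "", port); if (port in want) print port }
    ' | sort -n -u | tr "\n" " " | sed "s/ $//"
}

# stdin: `ss -ltn` output. stdout: one "address:port" line per WebGoat port
# bound to a non-loopback address, i.e. reachable from other machines.
exposed_listeners() {
    awk -v ports="$WEBGOAT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            addr = $4; sub(/:[^:]*$/, "", addr)
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print addr ":" port
        }'
}

# Pass --live to inspect this machine; otherwise the constructed sample is used.
if [ "${1:-}" = "--live" ]; then listing=$(ss -ltn); else listing=$SAMPLE_SS; fi
echo "WebGoat ports in use: $(printf '%s\n' "$listing" | ports_in_use)"
exposed=$(printf '%s\n' "$listing" | exposed_listeners)
if [ -n "$exposed" ]; then
    printf 'Listening beyond localhost:\n%s\n' "$exposed"
else
    echo "All WebGoat listeners are loopback-only."
fi
```

Any line reported under "Listening beyond localhost" means that port accepts connections on a non-loopback address; restart with `--server.address=localhost` or an equivalent loopback-only binding before working through the lessons.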
Accessing the WebGoat Interface
To access the WebGoat interface, open your browser and navigate to:
You will then be presented with the WebGoat login screen:

To access the lessons and challenges you will need to select ‘Register new user’ and create a login.
Note the terms of use when creating a new user:
- While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat’s default configuration binds to localhost to minimize the exposure.
- This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.
Once you are logged in, then it’s time to get started:

Conclusion:
- Learning the basic techniques necessary to secure web applications is absolutely essential for professional web developers. The OWASP project, and especially WebGoat, are great resources for doing exactly that. Learning how to hack can be greatly beneficial for anyone aspiring to improve their web security skills.
- But you don’t have to take my word for it: Michael Coates, Chief Information Security Officer at Twitter, in his great talk Applications Through an Attacker’s Lens at InfoQ, mentioned WebGoat and OWASP’s Security Shepherd as some of the best ways to learn how to hack in a safe environment.
- So if you’re interested in improving your web security skills, I encourage you to start out by hacking the WebGoat! ~:)