Home Security WebGoat Teaches You To Fix Web Application Flaws In Real-time

WebGoat Teaches You To Fix Web Application Flaws In Real-time

Learn web application security lessons with WebGoat

By sk
Published: Last Updated on 1.3K views

Good day, web developers! Today, we are going to discuss about a super useful application that teaches you web application security lessons. Say hello to WebGoat, a deliberately insecure web application developed by OWASP, with the intention of teaching how to fix common web application flaws in real-time with hands-on exercises. This application can be quite useful for those who wants to learn about application security and penetration testing techniques.

A word of caution: WebGoat is PURELY FOR EDUCATIONAL PURPOSE. It turns your system extremely vulnerable to attackers. So, I insist you to use it in a virtual machine in your local area network. Don't connect your testing machine to Internet. You have been warned!

How to deploy WebGoat

WebGoat can be deployed either using Docker or as a standalone application. Since, it is purely for learning and educational purpose, I prefer to use it in Docker.

Install Webgoat using Docker

Refer the following links to install Docker if you haven't installed it already.

After installing Docker, run the following command to deploy WebGoat.

$ docker run -it -p -p -p -e TZ=Asia/Kolkata webgoat/goatandwolf:v8.2.2

Replace the timezone with your own in the above command.

This command will pull the latest WebGoat docker image and start the WebGoat and webwolf instances in few minutes. Once it has started, you will see an output something like below.

2017-12-05 11:22:50,132 INFO - FrameworkServlet 'mvc-dispatcher': initialization completed in 533 ms
2017-12-05 11:22:50,171 INFO - Initializing main webgoat servlet
2017-12-05 11:22:50,173 INFO - Browse to http://localhost:8080/WebGoat and happy hacking!
Dec 05, 2017 11:22:50 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]

After docker image is launched, you can access landing page, WebGolf and WebWolf interfaces at the following URLs.

  • The landing page - http://localhost
  • WebGoat dashboard - http://localhost:8080/WebGoat
  • WebWolf interface - http://localhost:9090/WebWolf

Install Webgoat as a standalone application

Make sure you have installed Java. Then, download the latest WebGoat version from the releases page.

Finally, start WebGoat as shown below.

$ java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.2.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001]
$ java -Dfile.encoding=UTF-8 -jar webwolf-8.2.2.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001]

Now it is time to fix the vulnerabilities. As I mentioned earlier, disconnect the Internet before start using it.

How To Fix Web Application Flaws In Real-time Using WebGoat

Open up your web browse and navigate to http://localhost:8080/WebGoat or http://IP-address:8080/WebGoat. You will see with the following screen.

Log in with: webgoat/webgoat. This is the administrative login. You can also use normal user account: guest/guest.

Login to WebGoat web interface
Login to WebGoat web interface

Now, you will be landed in the overview section of WebGoat where you various instructions on how to work with WebGoat to fix common flaws and vulnerabilities of a web application.

How to work with WebGoat
How to work with WebGoat

As you can see, there are many lesson categories at the left pane. Click on a category to view the included lessons.

For example, let me choose Injection Flaws -> Command Injection lesson plan.

Command Injection section
Command Injection section

As you can see, there are 5 tabs for the selected lesson.

  1. Show Source - This will show the underlying Java source code.
  2. Show Solution - This will show the complete solution of the selected lesson.
  3. Show Plan - This will show goals and objectives of the lesson.
  4. Show Hints - This will show technical hints to solve the lesson.
  5. Restart Lesson - If you want to restart a lesson you can use this link.

Click on each lesson and try to solve the lesson and if necessary, use the hints. If you cannot solve the lesson using the hints, view the solution for complete details.


You May Also Like


bassem November 15, 2021 - 4:43 am

hello can you tell me how to find the part for insecure storage on webgoat
thanks for advance!

sk November 15, 2021 - 11:56 am

WebGoat is for learning to secure web applications. I don’t think it will help you to find insecure storages.


Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More