WebGoat 8 is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. This program is a demonstration of common server-side application flaws. You can use WebGoat to learn about application security and penetration testing techniques.
WebGoat 8: Intentionally Vulnerable Platform to Train Hacking & Pentesting
WebGoat 8 is an intentionally vulnerable application that allows hackers, pentesters and developers to test vulnerabilities commonly found in Java-based applications. Thanks to WebGoat 8 you can play around and test your security skills. In addition, you’ll probably learn some new things, even if you aren’t a beginner.
With WebGoat 8 you can practice different type of attacks, it will walk you trough how to preform specific attack and help you in testing and playing in order to build up your security/pentesting skills. Every category (type of attack) has specific number of lessons. In each lesson, you’ll need to demonstrate security issue understanding by exploiting a real vulnerability in the WebGoat applications. The lessons are arranged in the following areas:
- Injection Flaws
- SQL Injection (advanced)
- SQL Injection (mitigation
- Authentication flaws
- Authentication Bypasses
- JWT Tokens
- Password reset
- Cross-site Scripting (XSS)
- Access Control Flaws
- Insecure Direct Object References
- Missing Function Level Access Control
- Insecure Communication (Login)
- Insecure Deserialization
- Cross-Site Request Forgeries
- Vulnerable Components – A9
- Client side
- Bypass front-end restrictions
- Client side filtering
- HTML tampering
Download the latest WebGoat release:
$ java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
You may encounter the following error:
"org.hsqldb.HsqlException: Client driver version greater than '-1195.-72.-58.-56' is required. HSQLDB server version is '2.3.4'"
This error occurs due to the java version. If you are using
Java 9+ you need to run WebGoat as follows:
$ java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar
- Java 8
- Maven > 3.2.1
Clone it from the WebGoat 8 Github page:
$ git clone https://github.com/WebGoat/WebGoat.git
$ cd WebGoat $ git checkout <<branch_name>> $ mvn clean install
Now you can run it (WebGoat 8.x is using Spring-Boot):
$ mvn -pl webgoat-server spring-boot:run
If you want to change IP address, you can do it by adding the following variable to
The easiest way to run it form Docker container is to use the
docker-compose.yml file from Github repository. Connection between WebGoat and WebWolf will be set up automatically.
$ curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up
When installed visit: http://localhost:8080/WebGoat
After registration and login, you’ll see WebGoat Interface.
You can use WebWolf to solve assignments. WebWolf is able to host files, receive e-mails and serve as a landing page. After you successfully login (with same credentials as for WebGoat), you’ll learn more about it.
You should be running WebWolf on http://localhost:9090/WebWolf.
That’s it! Happy hacking and pentesting learning. For detailed guide, click the “documentation” link below.