Deliberately Insecure Web Application – WebGoat 8

Last Release: 09/05/2021     Last Commit: 08/30/2022

Deliberately Insecure Web Application – WebGoat 8


WebGoat 8 is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. This program is a demonstration of common server-side application flaws. You can use WebGoat to learn about application security and penetration testing techniques.

WebGoat Logo

WebGoat 8: Intentionally Vulnerable Platform to Train Hacking & Pentesting

WebGoat 8 is an intentionally vulnerable application that allows hackers, pentesters and developers to test vulnerabilities commonly found in Java-based applications. Thanks to WebGoat 8 you can play around and test your security skills. In addition, you’ll probably learn some new things, even if you aren’t a beginner.

With WebGoat 8 you can practice different type of attacks, it will walk you trough how to preform specific attack and help you in testing and playing in order to build up your security/pentesting skills. Every category (type of attack) has specific number of lessons. In each lesson, you’ll need to demonstrate security issue understanding by exploiting a real vulnerability in the WebGoat applications. The lessons are arranged in the following areas:

  • Injection Flaws
    • SQL Injection (advanced)
    • SQL Injection (mitigation
    • XXE
  • Authentication flaws
    • Authentication Bypasses
    • JWT Tokens
    • Password reset
  • Cross-site Scripting (XSS)
  • Access Control Flaws
    • Insecure Direct Object References
    • Missing Function Level Access Control
  • Insecure Communication (Login)
  • Insecure Deserialization
  • Cross-Site Request Forgeries
  • Vulnerable Components – A9
  • Client side
    • Bypass front-end restrictions
    • Client side filtering
    • HTML tampering



Download the latest WebGoat release:

$ java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]

You may encounter the following error:

"org.hsqldb.HsqlException: Client driver version greater than '-1195.-72.-58.-56' is required. HSQLDB server version is '2.3.4'"

This error occurs due to the java version. If you are using Java 9+ you need to run WebGoat as follows:

$ java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar

From Source


  • Java 8
  • Maven > 3.2.1

Clone it from the WebGoat 8 Github page:

$ git clone

Then compile:

$ cd WebGoat
$ git checkout <<branch_name>>
$ mvn clean install

Now you can run it (WebGoat 8.x is using Spring-Boot):

$ mvn -pl webgoat-server spring-boot:run

If you want to change IP address, you can do it by adding the following variable to WebGoat/webgoat-container/src/main/resources/ file:

$ server.address=x.x.x.x


The easiest way to run it form Docker container is to use the docker-compose.yml file from Github repository. Connection between WebGoat and WebWolf will be set up automatically.

$ curl | docker-compose -f - up


When installed visit: http://localhost:8080/WebGoat

Webgoat 8 Login Screen

After registration and login, you’ll see WebGoat Interface.

WebGoat Client Interface


You can use WebWolf to solve assignments. WebWolf is able to host files, receive e-mails and serve as a landing page. After you successfully login (with same credentials as for WebGoat), you’ll learn more about it.

You should be running WebWolf on http://localhost:9090/WebWolf.

WebGoat 8 - WebWolf login

That’s it! Happy hacking and pentesting learning. For detailed guide, click the “documentation” link below.

Documentation Box
Download Box