Deliberately Insecure Web Application – WebGoat 8

CyberPunk Pentesting Playgrounds
Last Release: 09/05/2021     Last Commit: 08/30/2022
Deliberately Insecure Web Application – WebGoat 8

Introduction

WebGoat 8 is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. This program is a demonstration of common server-side application flaws. You can use WebGoat to learn about application security and penetration testing techniques.

WebGoat Logo

WebGoat 8: Intentionally Vulnerable Platform to Train Hacking & Pentesting

WebGoat 8 is an intentionally vulnerable application that allows hackers, pentesters and developers to test vulnerabilities commonly found in Java-based applications. Thanks to WebGoat 8 you can play around and test your security skills. In addition, you’ll probably learn some new things, even if you aren’t a beginner.

With WebGoat 8 you can practice different type of attacks, it will walk you trough how to preform specific attack and help you in testing and playing in order to build up your security/pentesting skills. Every category (type of attack) has specific number of lessons. In each lesson, you’ll need to demonstrate security issue understanding by exploiting a real vulnerability in the WebGoat applications. The lessons are arranged in the following areas:

  • Injection Flaws
    • SQL Injection (advanced)
    • SQL Injection (mitigation
    • XXE
  • Authentication flaws
    • Authentication Bypasses
    • JWT Tokens
    • Password reset
  • Cross-site Scripting (XSS)
  • Access Control Flaws
    • Insecure Direct Object References
    • Missing Function Level Access Control
  • Insecure Communication (Login)
  • Insecure Deserialization
  • Cross-Site Request Forgeries
  • Vulnerable Components – A9
  • Client side
    • Bypass front-end restrictions
    • Client side filtering
    • HTML tampering

Install

Standalone

Download the latest WebGoat release:

$ java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]

You may encounter the following error:

"org.hsqldb.HsqlException: Client driver version greater than '-1195.-72.-58.-56' is required. HSQLDB server version is '2.3.4'"

This error occurs due to the java version. If you are using Java 9+ you need to run WebGoat as follows:

$ java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar

From Source

Requirements:

  • Java 8
  • Maven > 3.2.1

Clone it from the WebGoat 8 Github page:

$ git clone https://github.com/WebGoat/WebGoat.git

Then compile:

$ cd WebGoat
$ git checkout <<branch_name>>
$ mvn clean install

Now you can run it (WebGoat 8.x is using Spring-Boot):

$ mvn -pl webgoat-server spring-boot:run

If you want to change IP address, you can do it by adding the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file:

$ server.address=x.x.x.x

Docker

The easiest way to run it form Docker container is to use the docker-compose.yml file from Github repository. Connection between WebGoat and WebWolf will be set up automatically.

$ curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up

Usage

When installed visit: http://localhost:8080/WebGoat

Webgoat 8 Login Screen

After registration and login, you’ll see WebGoat Interface.

WebGoat Client Interface

WebWolf

You can use WebWolf to solve assignments. WebWolf is able to host files, receive e-mails and serve as a landing page. After you successfully login (with same credentials as for WebGoat), you’ll learn more about it.

You should be running WebWolf on http://localhost:9090/WebWolf.

WebGoat 8 - WebWolf login

That’s it! Happy hacking and pentesting learning. For detailed guide, click the “documentation” link below.

Documentation Box
Download Box
JavaPentestingSQL InjectionVulnerabilitiesXSS