From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


This is a tutorial and info site on the OWASP's vulnerable web application WebGoat.


The OWASP WebGoat project provides an insecure web application that demonstrates the most common client-side application flaws and explains and tests the vulnerabilities from the OWASP Top 10. Lessons, exercises and challenges are provided to give interested developers hands-on experience to test and better understand the material. When starting each lesson, the user is provided with content and interactive questions about the already explained material or demonstrations of the explained functionality through a dialog from different pages. The learning of the content is thus brought to the user in a playful, hands-on experience. The lessons are structured strictly according to the OWASP Top 10 and can be tested and reviewed individually.


There are three possible ways to install the programm: Standalone, Docker Image and cloning the repository (open source) [1]


  • Operating system:
    • Windows 8 or higher
    • Ubuntu Linux 20.04 LTS or higher
    • macOS 10.14 or higher
    • Or any other OS which is supported by Java 17
  • Java 17 OR
  • Docker Desktop
  • Internet Browser of any type
  • GIT

Installation Instructions

Run with Docker

Need to insall Docker first, then you can install WebGoat as Docker Image.

sudo apt install docker.io
sudo docker run -it -p -p -p -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.2


Download .jar file (Java Archive file) from https://github.com/WebGoat/WebGoat/releases

java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-8.2.3.jar 

Run from the sources

Clone GitHub Repository (Open Source)

git clone git@github.com:WebGoat/WebGoat.git

Compile the Project using Java 17

cd WebGoat
git checkout <<branch_name>>
# On Linux/Mac:
./mvnw clean install 
# On Windows:
./mvnw.cmd clean install

When the priject is compiled successfully we are ready to run the project. WebGoat is using Spring Boot.

# On Linux/Mac:
./mvnw spring-boot:run
# On Windows:
./mvnw.cmd spring-boot:run


  • Web goat

To gain access to the lessons and challenges, you need to register.

WebGoat Lessons

The OWASP WebGoat Lessons are embedded in the WebGoat Tool. Here, various attack vectors are demonstrated using hands-on examples. In general, WebGoat contains lessons, exercises and challenges. These lessons are divided into different categories and contain several pages of information and exercises. The challenges are more demanding and do not contain any hints. The current version 8.2.2 contains 10 lessons:

  • Broken Access Control
  • Cryptographic Failures
  • Injection
  • Vuln & Outdated Components
  • Identity & Auth Failure
  • Security Logging Failures
  • Server-Side Request forgery

Each lesson contains further sub-chapters which each contain several pages. In the first steps, the material is explained, and in the further steps it is explained by means of exercises.

In the future additional lessons corresponding to the following topics will be added:

  • Lesson about cryptography (In Progress)
  • Lesson about path traversal (in progress)
  • Session Management
  • More password reset lessons



Since the lessons of WebGoat cover very extensive concepts of penetration testing and therefore build critical vulnerabilities into the local system to make lessons practically implementable as well, OWASP decided to provide its own local tool called WebWolf. WebWolf is automatically delivered with the installation of WebWolf. The tool acts as a locally hosted attacker machine. This is to highlight more clearly which operations need to be performed as the attacker and which need to be performed at the target in order to successfully execute an exploit. Some lessons use WebWolf, for example, to provide a file that must be loaded onto the target machine (e.g., for persistent XSS attacks, which will be discussed in more detail later in the thesis) or to provide a connection to the own environment (ReverseTCP). Since these services should not be provided in the open and connected Internet, WebWolf was developed.


WebWolf is an included tool that is directly in the repository (Git and DockerHub) and should already be on the machine after downloading WebGoat. If the tool has already been started via a Docker image, WebWolf is already running and should be accessible at http://localhost:9090/WebWolf. If the repository is cloned locally in standalone mode, the WebWolf Java Archive file still needs to be downloaded to start it locally. This can be done with the following command. If WebWolf has been started successfully, it will also be available under the above link.

java -jar webwolf<<version>>.jar [--server.port=9090][server.address=localhost]


WebWolf in the current version (8.2.2) provides the following functionalities:

  • File Hosting Service
  • Landing Page for incoming requests
  • Email Server with Client


  1. WebGoat Github, WebGoat, 2022, accessed on: 02.01.2023, [Online]. Available: https://github.com/WebGoat/WebGoat