Category:OWASP WebGoat Project

Welcome to the WebGoat Project 

Web application security is difficult to learn and practice. Very few people have full blown web applications like online book stores or online banks that can be used to search for vulnerabilities. In addition, security professionals frequently need to test tools against a known vulnerable platform to ensure they perform as advertised. All of this needs to happen in a safe and legal environment; we believe you should never attempt to find vulnerabilities without permission, even if your intentions are good.

WebGoat is a full J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local system. The system is even clever enough to provide hints and show the user cookies, parameters and the underlying Java code if they choose. Examples of lessons include SQL injection to a fake credit card database, where the user creates the attack and steals the credit card numbers.



Goals
The WebGoat project goals are simply to create the de-facto interactive teaching environment for web security. Eventually the project may consider extending WebGoat to become an assessment tools benchmarking platform and a Java based Web site HoneyPot.

Why the name WebGoat? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, get it? Just blame it on the Goat!

Download
You can download WebGoat from the OWASP download page. Choose the version with or without Java, unzip, and run.

For your convenience, you can also download the WebGoat.war file and drop it into application server.

Overview
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are automated installers for Linux, OS X Tiger and Windows. Current lessons include:
 * Cross Site Scripting
 * SQL Injection
 * Thread Safety
 * Hidden Form Field Manipulation
 * Parameter Manipulation
 * Weak Session Cookies
 * Fail Open Authentication
 * Dangers of HTML Comments
 * Web services lessons
 * Blind SQL lesson
 * Weak session identifier lesson
 * Split SQL lesson into numeric and string SQL lessons
 * Added parameterized query stage to SQL lessons
 * Additional stage for basic authentication lesson
 * Summary report card for multi-user environment
 * and many more...

Click here to view the screenshots!

News and Status
WebGoat 3.7 Released! Tue Sep 06 16:43:54 EDT 2005 OWASP is pleased to announce the new release of WebGoat 3.7. OWASP would like to thank Laurence Casey, Jeremy Ferragamo, Alex Smolen, Rogan Dawes, Chuck Willis and the many people who have sent comments and suggestions.

New key features include:

 * Runs on Linux and OSX 10.4
 * WebGoat is now current in CVS.
 * Improved ant build process and added Unix support
 * Infrastructure changes to support multi-stage lessons
 * Eclipse development release
 * Minor screen improvements
 * Web services lessons
 * Blind SQL lesson
 * Weak session identifier lesson
 * Split SQL lesson into numeric and string SQL lessons
 * Added parameterized query stage to SQL lessons
 * Additional stage for basic authentication lesson
 * Summary report card for multi-user environment

Project Contributors
The WebGoat project was conceived by Jeff Williams, who developed the initial version. Bruce Mayhew now leads the project. The WebGoat framework is extremely easy to extend with additional lessons. We are actively seeking developers to add new lessons. Please contact Bruce or send a message to the owasp-webgoat mailing list. Thanks!

Project Sponsors
The WebGoat project is sponsored by Aspect Security.

Feedback and Participation
We hope you find WebGoat useful. Please contribute back to the project by sending your comments, questions, and suggestions to the WebGoat mailing list. Thanks!