Difference between revisions of "Category:OWASP WebGoat Project"

From OWASP
Jump to: navigation, search
m (Initial change to add WebGoat.Net)
(Description)
 
(47 intermediate revisions by 10 users not shown)
Line 1: Line 1:
<webgoat/>
+
=Main=
{{OWASP Book|1416452}}
+
  
[[Image:WebGoat-Phishing-XSS-Lesson.JPG|thumb|300px|right|Detailed solution hints]][[Image:WebGoat-Bypass-Access-Control-Lesson.JPG|thumb|300px|right|WebGoat in action]]
+
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE (this page) or [[WebGoat.Net]] in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
+
  
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
  
'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''
+
==OWASP WebGoat Project==
  
==Goals==
+
[https://github.com/WebGoat/WebGoat/releases WebGoat 7.0]  is done.  The 6.0 release updated the UI and some infrastructure.  WebGoat 7 is the latest in a series of infrastructure improvements to move WebGoat into the modern era. With the new plugin architecture and separation of the server framework from the lessons, lessons now require just a few lines of code. Lessons can now be produced without having to understand the entirety of the WebGoat server.
  
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.
+
This release contains both the WebGoat container and 50+ lessons created by the WebGoat team.. Thank you to all the volunteers!!
  
The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
 
  
 +
===Help Needed:===
  
== Overview ==
+
* We have an immediate need for Lesson Solutions and Lesson Translations.  There may be a little work involved with creating new strings for the translations but it is fairly easy work.
[[Image:WebGoat-Session-Hijack-Lesson.JPG|thumb|300px|right|Performing session hijacking]]
+
 
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:
+
* We also need UI developers with experience in any/all parts of the Web stack.  Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.
 +
 
 +
* We'd love to update our content.  If you've run across a particularly interesting exploit in the field, create a lesson for it and contribute to the community.  Instructions for creating a lesson are under the General menu in WebGoat.
 +
 
 +
==Introduction==
 +
 
 +
'''WebGoat''' is a deliberately insecure web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as [http://owasp.org/index.php/WebGoatFor.Net WebGoat for .Net]. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.
 +
 
 +
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!
 +
 
 +
'''To get started:
 +
* For the Latest WebGoat (7.0, in development), go here: https://github.com/WebGoat/WebGoat
 +
 
 +
==Description==
 +
 
 +
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:
 
{|
 
{|
 
|valign="top"|
 
|valign="top"|
Line 37: Line 51:
 
|}
 
|}
  
For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].
+
==Licensing==
 +
OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)
  
== Future Development ==
+
==Project Sponsors==
 +
The WebGoat project is sponsored by
 +
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}
  
WebGoat has been fairly stable for a few years.  There are some issues on the WebGoat issues page that require fixing, any help there would be appreciated.
 
  
Going forward WebGoat should take advantage of the training material provided at OWASP and incorporate that material into the lesson plans. WebGoat has been useful in educating security folks in the type of attacks and how they could be exploited. WebGoat should start focusing on educating the security staff and developers on potential mitigation strategies.  I would also like to see an expansion of the report card feature and the enterprise architecture used for tracking the lessons completed.  WebGoat could be used in organizations as a introduction to secure coding practices.
+
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.
+
== What is WebGoat? ==
  
==Downloads==
+
OWASP WebGoat Project provides:
  
The WebGoat downloads are available at [http://code.google.com/p/webgoat/downloads/list WebGoat Google code downloads].
+
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.
 +
The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
  
You can synch to the current WebGoat source tree at [http://code.google.com/p/webgoat/ Google code].
 
  
==Releases==
+
== Project Leaders ==
  
You can download older versions of WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.
+
[mailto:webgoat@owasp.org Bruce Mayhew]<br/>
 +
[mailto:nanneb@gmail.com Nanne Baars]<br/>
 +
[mailto:jason.white@owasp.org Jason White]
  
===WebGoat 5.2 Standard:===
+
== Related Projects ==
The standard release is a download, unzip, and click-to-run release.  It comes with the Java Runtime Environment and a configured Tomcat 5.5 server.
+
    * Double-click on webgoat.bat - a Tomcat command window starts
+
    * Browse to http://localhost/WebGoat/attack
+
  
===WebGoat 5.2 Developer (At [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge]):===
 
  
'''Note:''' This release is intended to provide an environment for working on the WebGoat labs.  If you would like to develop lessons, synch to the baseline at Google code.
 
  
The developer release includes the standard release with the addition of a configured eclipse environment.  The developer release is also a download, unzip, and click-to-run release.  It works exactly the same as the standard release if you only wish to explore the lessons.  However, if you want to perform the labs or use WebGoat in the classroom, use the eclipse.bat to start up a preconfigured WebGoat environment.  Detailed instructions are include at the top of the _HOW TO create the WebGoat workspace.txt_ file.
+
== Quick Download ==
    * Extract the Eclipse-Workspace.zip file to the working directory
+
    * Double-click the eclipse.bat file
+
    * In the Eclipse package explorer (top right), right click the WebGoat project and refresh
+
    * In the Eclipse package explorer (top right), right click the Servers project and refresh
+
    * In the Eclipse servers view (bottom), right click LocalHost server and start
+
    * Browse to http://localhost/WebGoat/attack
+
    * Any changes made to the source will automatically compile and redeploy when saved
+
  
Please send all comments to Bruce Mayhew at '''webgoat AT owasp.org''' regarding this release.
+
*Latest Release @ [https://github.com/WebGoat/WebGoat/releasest WebGoat]
  
== Movie Demonstration Solutions ==
+
*Source Code @ [https://github.com/WebGoat WebGoat on Github]
  
Aung Khant (YGN Ethical Hacker Group) has created a series of movies showing possible solutions to the WebGoat lessons. These training movies can be viewed at
+
*Latest Info @ [https://github.com/WebGoat/WebGoat/wiki WebGoat Project Wiki]
  
http://yehg.net/lab/pr0js/training/webgoat.php
+
== Email List ==
  
Feel free to contact him for any help with WebGoat.
+
[https://lists.owasp.org/mailman/listinfo/owasp-webgoat Sign Up]
  
==== Movie Links ====
+
== News and Events ==
 +
*WebGoat 7 please February 1, 2016
 +
 
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Midlevel projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 +
  |}
  
{|
 
|valign="top"|
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#General General]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Code_Quality Code Quality]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Concurrency Concurrency ]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Unvalidated_Parameters Unvalidated Parameters]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Access_Control_Flaws Access Control Flaws]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Authentication_Flaws Authentication Flaws]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Session_Management_Flaws Session Management Flaws]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Cross-Site_Scripting_(XSS) Cross-Site Scripting (XSS)]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Buffer_Overflows Buffer Overflows]
 
|valign="top"| 
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Injection_Flaws Injection Flaws]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Storage Insecure Storage]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Denial_of_Service_(DOS) Denial of Service (DOS)]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Insecure_Configuration_Insecure Configuration]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Web_Services Web Services]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#AJAX_Security AJAX Security]
 
* [http://yehg.net/lab/pr0js/training/webgoat.php#Challenge Challenge]
 
 
|}
 
|}
  
== Project Contributors ==
+
=FAQs=
 +
'''Q:''' Are you aware that lesson X does not work? 
  
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''.  WebGoat distributions are currently maintained on [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 SourceForge] and [http://code.google.com/p/webgoat/downloads/list Google]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].
+
'''A:''' We may beHead over to https://github.com/WebGoat/WebGoat-Lessons and log an issue if there is a specific, you have encountered on a lesson. Give us as much information as you can.
 +
  
Thanks to [http://www.ouncelabs.com Ounce Labs] for allowing me time to work on and run the WebGoat project during my day job!
+
'''Q:''' When will WebGoat 7 be 'released'?
  
== Project Sponsors ==
+
'''A:''' As soon as we can get a critical mass of lessons we feel are necessary. Current target is late January to Early Feb. 2016
  
The WebGoat project is sponsored by
 
{{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}
 
  
[[Category:OWASP Project|WebGoat Project]]
+
The rest are questions we hope people ask, but maybe haven't really yet ...
[[Category:OWASP Download]]
+
 
[[Category:OWASP Tool]]
+
 
[[Category:OWASP Release Quality Tool]]
+
'''Q:''' Do you need help?
 +
 
 +
'''A:''' Of course we would always love help, especially with testing and feedback.  Experienced Java, UI and Design folk are welcome as well. Security professionals willing to develop content are also welcome, of course.
 +
 
 +
 
 +
'''Q:''' How do I get involved?
 +
 
 +
'''A:''' Fork the repo. (https://help.github.com/articles/fork-a-repo/) you want to work on and stay in sync with the mainstream development in master (https://help.github.com/articles/syncing-a-fork/)
 +
 
 +
 
 +
'''Q:''' What's the difference between the repo at https://github.com/WebGoat/WebGoat and the repo at https://github.com/WebGoat/WebGoat
 +
 
 +
'''A:''' As of WebGoat 7, the architecture is more modular and lessons can be loaded dynamically. The first repo is for the 'container' or main 'framework' for containing lessons.  The WebGoat-Lessons repo. is for lesson development
 +
 
 +
 
 +
'''Q:''' How do I author a lesson for WebGoat?
 +
 
 +
'''A:''' We are working on that.  For WebGoat 8, we plan to make that much simpler (read, no more ECS!). We still hope/plan to provide a stripped down lesson template for 7.x
 +
 
 +
= Acknowledgements =
 +
==Volunteers==
 +
The WebGoat project is run by Bruce Mayhew. He can be contacted at '''webgoat AT owasp.org'''.  WebGoat distributions are currently maintained on [https://github.com/WebGoat GitHub]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list].
 +
 
 +
= Road Map and Getting Involved =
 +
 
 +
== Road Map / Goals ==
 +
The project's overall goal is to...
 +
 
 +
  Be the defacto standard web application security training environment
 +
 
 +
In the near term, we are focused on the following tactical goals...
 +
 
 +
# Add educational support for secure coding practices
 +
# Enhance enterprise lesson tracking
 +
# Attract more contributions of lessons
 +
# Translate all lessons to other languages
 +
# Increase ease-of-use and expand user base
 +
 
 +
Here are the current tasks defined to help us achieve these goals
 +
 
 +
'''Architectural'''
 +
* Create a service layer (done)
 +
* Creater plugin architecture and port all lessons to plugins (done)
 +
* Remove dependencies on Tomcat (done)
 +
* Rewrite user administration to allow better user management (non-hackable)
 +
* Fix Logoff (done)
 +
* Defuse all lessons to disallow inadvertent harm to user's OS
 +
 
 +
'''General'''
 +
* General security cleanup. Remove exploits that are not lesson specific
 +
* Remove non working lessons
 +
 
 +
'''New Lessons'''
 +
* Server side forward allows access to WEB-INF resources
 +
* XML attacks - Entity recursion, ...
 +
 
 +
== Getting Involved ==
 +
For more information contact one of the project leads. Involvement in the development and promotion of WebGoat is actively encouraged!
 +
You do not have to be a security expert in order to contribute.
 +
 
 +
If you'd like to contribute coding-wise ...
 +
# Get on the WebGoat mailing list (http://lists.owasp.org/mailman/listinfo/owasp-webgoat)
 +
# Fork one of the repo's on github:
 +
## https://github.com/WebGoat/WebGoat << this is the WebGoat 'container'. Instructions on getting up and running are here as well.
 +
## https://github.com/WebGoat/WebGoat-Lessons << this is the Lesson repository
 +
# Keep you repo in sync (https://help.github.com/articles/syncing-a-fork/)
 +
# Issue pull requests as you fix bugs, add features etc.
 +
 
 +
'''Testers are always welcome/needed'''. Again, log issues and features requests at https://github.com/WebGoat/WebGoat. If you are a college or university and would like to use WebGoat for classes, we'd especially love to hear your feedback and what content/lessons you would like to see added to the project.
 +
 
 +
'''Adding content/lesssons''' We are working to make adding your own content easier and to integrate with other OWASP projects/content. We'd love to hear from you to move this forward.
 +
 
 +
=Project About=
 +
{{:Projects/OWASP_WebGoat_Project_Page}}
 +
 
 +
__NOTOC__ <headertabs />
  
__NOTOC__
+
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]][[Category:SAMM-EG-1]]

Latest revision as of 06:44, 5 February 2016

[edit]

Lab big.jpg

OWASP WebGoat Project

WebGoat 7.0 is done. The 6.0 release updated the UI and some infrastructure. WebGoat 7 is the latest in a series of infrastructure improvements to move WebGoat into the modern era. With the new plugin architecture and separation of the server framework from the lessons, lessons now require just a few lines of code. Lessons can now be produced without having to understand the entirety of the WebGoat server.

This release contains both the WebGoat container and 50+ lessons created by the WebGoat team.. Thank you to all the volunteers!!


Help Needed:

  • We have an immediate need for Lesson Solutions and Lesson Translations. There may be a little work involved with creating new strings for the translations but it is fairly easy work.
  • We also need UI developers with experience in any/all parts of the Web stack. Please send an email to Bruce Mayhew webgoat@owasp.org and/or jason.white@owasp.org if you are interested in helping.
  • We'd love to update our content. If you've run across a particularly interesting exploit in the field, create a lesson for it and contribute to the community. Instructions for creating a lesson are under the General menu in WebGoat.

Introduction

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

To get started:

Description

WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:

Licensing

OWASP WebGoat Project is free to use. It is licensed under the GNU General Public License version 2.0 (GPLv2)

Project Sponsors

The WebGoat project is sponsored by Aspect_logo_owasp.jpg       


What is WebGoat?

OWASP WebGoat Project provides:

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.


Project Leaders

Bruce Mayhew
Nanne Baars
Jason White

Related Projects

Quick Download

Email List

Sign Up

News and Events

  • WebGoat 7 please February 1, 2016


Classifications

Midlevel projects.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

Q: Are you aware that lesson X does not work?

A: We may be. Head over to https://github.com/WebGoat/WebGoat-Lessons and log an issue if there is a specific, you have encountered on a lesson. Give us as much information as you can.


Q: When will WebGoat 7 be 'released'?

A: As soon as we can get a critical mass of lessons we feel are necessary. Current target is late January to Early Feb. 2016


The rest are questions we hope people ask, but maybe haven't really yet ...


Q: Do you need help?

A: Of course we would always love help, especially with testing and feedback. Experienced Java, UI and Design folk are welcome as well. Security professionals willing to develop content are also welcome, of course.


Q: How do I get involved?

A: Fork the repo. (https://help.github.com/articles/fork-a-repo/) you want to work on and stay in sync with the mainstream development in master (https://help.github.com/articles/syncing-a-fork/)


Q: What's the difference between the repo at https://github.com/WebGoat/WebGoat and the repo at https://github.com/WebGoat/WebGoat

A: As of WebGoat 7, the architecture is more modular and lessons can be loaded dynamically. The first repo is for the 'container' or main 'framework' for containing lessons. The WebGoat-Lessons repo. is for lesson development


Q: How do I author a lesson for WebGoat?

A: We are working on that. For WebGoat 8, we plan to make that much simpler (read, no more ECS!). We still hope/plan to provide a stripped down lesson template for 7.x

Volunteers

The WebGoat project is run by Bruce Mayhew. He can be contacted at webgoat AT owasp.org. WebGoat distributions are currently maintained on GitHub. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat mailing list.

Road Map / Goals

The project's overall goal is to...

 Be the defacto standard web application security training environment

In the near term, we are focused on the following tactical goals...

  1. Add educational support for secure coding practices
  2. Enhance enterprise lesson tracking
  3. Attract more contributions of lessons
  4. Translate all lessons to other languages
  5. Increase ease-of-use and expand user base

Here are the current tasks defined to help us achieve these goals

Architectural

  • Create a service layer (done)
  • Creater plugin architecture and port all lessons to plugins (done)
  • Remove dependencies on Tomcat (done)
  • Rewrite user administration to allow better user management (non-hackable)
  • Fix Logoff (done)
  • Defuse all lessons to disallow inadvertent harm to user's OS

General

  • General security cleanup. Remove exploits that are not lesson specific
  • Remove non working lessons

New Lessons

  • Server side forward allows access to WEB-INF resources
  • XML attacks - Entity recursion, ...

Getting Involved

For more information contact one of the project leads. Involvement in the development and promotion of WebGoat is actively encouraged! You do not have to be a security expert in order to contribute.

If you'd like to contribute coding-wise ...

  1. Get on the WebGoat mailing list (http://lists.owasp.org/mailman/listinfo/owasp-webgoat)
  2. Fork one of the repo's on github:
    1. https://github.com/WebGoat/WebGoat << this is the WebGoat 'container'. Instructions on getting up and running are here as well.
    2. https://github.com/WebGoat/WebGoat-Lessons << this is the Lesson repository
  3. Keep you repo in sync (https://help.github.com/articles/syncing-a-fork/)
  4. Issue pull requests as you fix bugs, add features etc.

Testers are always welcome/needed. Again, log issues and features requests at https://github.com/WebGoat/WebGoat. If you are a college or university and would like to use WebGoat for classes, we'd especially love to hear your feedback and what content/lessons you would like to see added to the project.

Adding content/lesssons We are working to make adding your own content easier and to integrate with other OWASP projects/content. We'd love to hear from you to move this forward.

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP WebGoat Project
Purpose: WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard
License: GNU General Public License version 2.0 (GPLv2)
who is working on this project?
Project Leader(s):
  • Bruce Mayhew @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: Not Yet Created
Key Contacts
  • Contact Bruce Mayhew @ to contribute to this project
  • Contact Bruce Mayhew @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases