WebGoat is a deliberately insecure J2EE web application designed to teach web application security concepts

WebGoat is java web application which can show you a lot of the web attacks that can be performed on your website. It is a must have for all web developers.

You can download it from sourceforge or from google

The package contains a tomcat server and you can run it from the distribution. But in my case there was only windows configuration files so I have to take the war file and put in the standalone tomcat installation. Also move the permissions for the roles/users to my tomcat installation.

After manage to run it you will need some sniffer/proxy to monitor the requests. I have tried it with WebScarab but there is another one here and this one here

  • Run WebGoat in tomcat
  • Run you proxy/sniffer/pluging or what ever monitoring tool.
  • Start your browser
  • Setup your browser to use the proxy in case you choose to use proxy
  • Redirect your browser to WebGoat application ( )

You are ready to pass all the tests. Here are the options extracted from the lates WebGoat version:

  • Admin Functions
  • General
  • Code Quality
  • Concurrency
  • Unvalidated Parameters
  • Access Control Flaws
  • Authentication Flaws
  • Session Management Flaws
  • Cross-Site Scripting (XSS)
    • Phishing with XSS
    • LAB: Cross Site Scripting
    • Stage 1: Stored XSS
    • Stage 2: Block Stored XSS using Input Validation
    • Stage 3: Stored XSS Revisited
    • Stage 4: Block Stored XSS using Output Encoding
    • Stage 5: Reflected XSS
    • Stage 6: Block Reflected XSS
    • Stored XSS Attacks
    • Cross Site Request Forgery (CSRF)
    • Reflected XSS Attacks
    • HTTPOnly Test
    • Cross Site Tracing (XST) Attacks
  • Buffer Overflows
  • Injection Flaws
    • Command Injection
    • Blind SQL Injection
    • Numeric SQL Injection
    • Log Spoofing
    • XPATH Injection
    • LAB: SQL Injection
    • Stage 1: String SQL Injection
    • Stage 2: Parameterized Query #1
    • Stage 3: Numeric SQL Injection
    • Stage 4: Parameterized Query #2
    • String SQL Injection
    • Database Backdoors
  • Improper Error Handling
  • Insecure Storage
  • Denial of Service
  • Insecure Configuration
  • Web Services
  • AJAX Security
  • Challenge