WebGoat 8: An intentionally Insecure Web Application for WebApp Testing

As an instructor, from time to time to teach a concept, I need to perform an actual test to get my point across to the students.  Testing or hacking a live site may have some repercussions that I rather not have to deal with, so using an insecure application locally works great for me.  I recently using OWASP’s WebGoat to show a bunch of students how to test and location security issues in Web Applications.

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat’s default configuration binds to localhost to minimize the exposure.

WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.


  1. Download
  1. Install
    • java -jar webgoat-server-<<version>>.jar [–server.port=8080] [–server.address=localhost]
      • By default WebGoat starts on port 8080 with –server.port you can specify a different port. With address you can bind it to a different address (default localhost)
  1. Access
    • http://localhost:8080/WebGoat

Let me know your experience with WebGoat.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.