WebGoat is a deliberately insecure Java web application built to train and test your web penetration testing skills. It is developed and maintained by the Open Web Application Security Project (OWASP), which publishes a lot of useful material for learning web application security. Besides being a platform to practise web application hacking, it also gives you a first taste of the challenges you will face in real engagements. To use WebGoat you need to install it on your own machine or on a dedicated server.
The WebGoat application embeds a web server that runs on your local machine and listens on port 8080 by default. You just need to download the application and launch it. Because WebGoat is intentionally vulnerable, run it only on a machine or VM that is not reachable from an untrusted network, and keep it bound to localhost rather than to all interfaces.
You can get the latest release of WebGoat from the releases page of the GitHub repository: https://github.com/WebGoat/WebGoat/releases
Select the webgoat-server-***.jar
You can then start the WebGoat application with the following command:
java -jar webgoat-server-8.0.0.M24.jar
Set your browser
You can now connect to the WebGoat application by opening Firefox and going to the following URL
You will see a login form. Register a user there, log in, and then start attacking the application.
What you need to attack WebGoat
Some of the attacks require WebWolf to be set up. WebWolf is a companion application that simulates the attacker's machine: it lets you host files, receive e-mail, and serve landing pages for incoming requests (for example the callback of a payload you injected into WebGoat).
You can download WebWolf from the same releases page as WebGoat:
Select the WebWolf version that matches the WebGoat version you downloaded, since the two are released together.
Open a terminal and launch WebWolf:
java -jar webwolf-8.0.0.M24.jar
WebWolf listens on port 9090 by default.
Using an intercepting proxy
An intercepting proxy is also required for some attacks; Burp Suite is a good choice. Pay attention to one pitfall: Burp's proxy listener is bound to port 8080 by default, which is the same port WebGoat listens on. If both start on 8080, whichever comes second fails to bind. Either move Burp's listener to another port (Proxy > Options > Proxy Listeners, for example 8082) and point Firefox's proxy settings at that port, or start WebGoat on a different port and leave Burp on 8080. Either way, check with a quick request through the proxy that Burp actually shows WebGoat's traffic before starting a lesson.
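The whole procedure above (start WebGoat, start WebWolf, keep Burp on its default listener) as a single start script. This is an added example and not a script from the WebGoat project or from this page; the jar names, the /WebGoat and /WebWolf context paths, the choice of 8081 as WebGoat's port and the Spring Boot --server.port and --server.address options are assumptions about WebGoat 8's command line, not statements taken from the text above.

```shell
#!/bin/sh
# Added example (not WebGoat project code): start WebGoat and WebWolf bound to
# localhost on ports that do not collide with Burp's default listener on 8080.
# Assumptions: the jar names below, the /WebGoat and /WebWolf context paths, and
# the Spring Boot --server.port / --server.address options WebGoat 8 accepts.

WEBGOAT_JAR="${WEBGOAT_JAR:-webgoat-server-8.0.0.M24.jar}"
WEBWOLF_JAR="${WEBWOLF_JAR:-webwolf-8.0.0.M24.jar}"
WEBGOAT_PORT="${WEBGOAT_PORT:-8081}"   # leave 8080 free for Burp's listener
WEBWOLF_PORT="${WEBWOLF_PORT:-9090}"
BIND_ADDR="${BIND_ADDR:-127.0.0.1}"    # never expose a deliberately vulnerable app on the LAN

# listening_ports: print every TCP port currently in LISTEN state, one per line.
# Prefers ss, falls back to netstat.
listening_ports() {
  if command -v ss >/dev/null 2>&1; then
    ss -Hltn 2>/dev/null | awk '{print $4}' | sed 's/.*://'
  else
    netstat -ltn 2>/dev/null | awk '$NF == "LISTEN" {print $4}' | sed 's/.*://'
  fi
}

# port_in_use PORT [PORT...]: succeed if PORT is among the remaining arguments.
port_in_use() {
  want="$1"; shift
  for p in "$@"; do
    [ "$p" = "$want" ] && return 0
  done
  return 1
}

# next_free_port START [PORT...]: print the first port >= START not in the used list.
next_free_port() {
  cand="$1"; shift
  while port_in_use "$cand" "$@"; do
    cand=$((cand + 1))
  done
  echo "$cand"
}

# wait_for_http URL TRIES: poll every 2 s until URL returns any HTTP response.
wait_for_http() {
  url="$1"; tries="$2"
  while [ "$tries" -gt 0 ]; do
    if curl -s -o /dev/null "$url"; then
      return 0
    fi
    tries=$((tries - 1)); sleep 2
  done
  return 1
}

main() {
  used=$(listening_ports)
  # $used is intentionally unquoted: one port per word
  goat=$(next_free_port "$WEBGOAT_PORT" $used)
  [ "$goat" = "$WEBGOAT_PORT" ] || echo "port $WEBGOAT_PORT busy, starting WebGoat on $goat instead"
  if port_in_use "$WEBWOLF_PORT" $used "$goat"; then
    echo "port $WEBWOLF_PORT is busy; free it or set WEBWOLF_PORT" >&2
    exit 1
  fi

  java -jar "$WEBGOAT_JAR" --server.port="$goat" --server.address="$BIND_ADDR" \
       > webgoat.log 2>&1 &
  java -jar "$WEBWOLF_JAR" --server.port="$WEBWOLF_PORT" --server.address="$BIND_ADDR" \
       > webwolf.log 2>&1 &

  wait_for_http "http://$BIND_ADDR:$goat/WebGoat/" 60 \
    || { echo "WebGoat did not come up, see webgoat.log" >&2; exit 1; }
  wait_for_http "http://$BIND_ADDR:$WEBWOLF_PORT/WebWolf/" 60 \
    || { echo "WebWolf did not come up, see webwolf.log" >&2; exit 1; }
  echo "WebGoat: http://$BIND_ADDR:$goat/WebGoat/   WebWolf: http://$BIND_ADDR:$WEBWOLF_PORT/WebWolf/"
  echo "Burp can stay on its default listener 8080; point Firefox's proxy setting at it."
}

# Only launch when invoked as: sh start-webgoat.sh start
if [ "${1:-}" = "start" ]; then
  main
fi
```

Run it with `sh start-webgoat.sh start`. WebGoat is moved to the next free port automatically because nothing else depends on where it listens; WebWolf is deliberately not moved, since the script has no way to tell WebGoat where WebWolf ended up, so a busy 9090 is reported as an error instead.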