Launching Visual Studio

If nothing happens, download the extension for Visual Studio and try again.

Đang xem: Webgoat là gì về bảo mật? cài Đặt webgoat Để học security testing

Go back


IntroductionWebGoat is a deliberately insecure web application maintained by OWASP designed to teach webapplication security lessons.

This program is a demonstration of common server-side application flaws. Theexercises are intended to be used by people to learn about application security andpenetration testing techniques.

WARNING 1: While running this program your machine will be extremelyvulnerable to attack. You should disconnect from the Internet while usingthis program. WebGoat”s default configuration binds to localhost to minimizethe exposure.

WARNING 2: This program is for educational purposes only. If you attemptthese techniques without authorization, you are very likely to get caught. Ifyou are caught engaging in unauthorized hacking, most companies will fire you.Claiming that you were doing security research will not work as that is thefirst thing that all hackers claim.

Installation Instructions:

1. Run using Docker

Every release is also published on DockerHub.

Xem thêm: Tuyệt Chủng Là Gì – 15 Loài Nguy Cấp Nhất Hành Tinh

Using docker run

The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.

docker run -p -p -e TZ=Europe/Amsterdam webgoat/goatandwolf
WebGoat will be located at: will be located at:

Important: Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.

2. Standalone

Download the latest WebGoat and WebWolf release from

java -jar webgoat-server-8.1.0.jar <--server.port=8080> <--server.address=localhost>java -jar webwolf-8.1.0.jar <--server.port=9090> <--server.address=localhost>
The latest version of WebGoat needs Java 15 or above. By default, WebGoat and Webwolf start on port 8080, 9000 and 9090 with the environment variable WEBGOAT_PORT, WEBGOAT_HSQLPORT and WEBWOLF_PORT you can set different values.

export WEBGOAT_PORT=18080export WEBGOAT_HSQLPORT=19001export WEBWOLF_PORT=19090java -jar webgoat-server-8.1.0.jarjava -jar webwolf-8.1.0.jar
Use set instead of export if you”re using Windows cmd.

3. Run from the sources


Java 15Maven > 3.2.1Your favorite IDEGit, or Git support in your IDEOpen a command shell/window:

git clone git
Now let”s start by compiling the project.

cd WebGoatgit checkout branch_name>>mvn clean install
Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.

Xem thêm: ” Sole Trader Là Gì ? Nghĩa Của Từ Sole Proprietorship Trong Tiếng Việt

mvn -pl webgoat-server spring-boot:run
… you should be running webgoat on localhost:8080/WebGoat momentarily

To change the IP address add the following variable to the WebGoat/webgoat-container/src/main/resources/ file:


4. Run with custom menu

For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting certain environment variables.

For instance running as a jar on a Linux/macOS it will look like this:

export EXCLUDE_CATEGORIES=”CLIENT_SIDE,GENERAL,CHALLENGE”export EXCLUDE_LESSONS=”SqlInjectionAdvanced,SqlInjectionMitigations”java -jar webgoat-server/target/webgoat-server-v8.2.0-SNAPSHOT.jar
Or in a docker run it would (once this version is pushed into docker hub) look like this:

Leave a Reply

Your email address will not be published. Required fields are marked *