This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP WebGoat Project Roadmap

Jump to: navigation, search

<webgoat/>The project's overall goal is to...

 Be the defacto standard web application security training environment

In the near term, we are focused on the following tactical goals...

  1. Demonstrate most common web application security vulnerabilities
  2. Add educational support for secure coding practices
  3. Enhance enterprise lesson tracking
  4. Attract more contributions of lessons
  5. Revisit existing lesson base to standardize lesson theme.
  6. Increase ease-of-use and expand user base

Here are the current tasks defined to help us achieve these goals


  • Replace basic authentication with forms based authentication
  • Rewrite all lessons to follow common theme using common database
  • Rewrite user administration to allow better user management (non-hackable)
  • Fix Logoff
  • Defuse all lessons to disallow inadvertent harm to user's OS


  • General security cleanup. Remove exploits that are not lesson specific
  • Remove non working lessons

New Lessons

  • Server side forward allows access to WEB-INF resources
  • Account enumeration using webscarab
  • SQLException lesson - could tie into overall error handling
  • XML attacks - Entity recursion, ...

For more information contact Bruce Mayhew at webgoat at owasp dot org