This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
WebGoat Getting Started
WebGoat User Guide Table of Contents
In order to start using WebGoat, Tomcat must be launched using the startup script/bat in the Tomcat bin directory. For WebGoat to operate it must have permission to run as a server and allow some uncommon web behavior. When WebGoat is running it will make the host machine vulnerable to attack.
If the machine is connected to the internet it should be disconnected.
Running a personal firewall may prevent WebGoat from operating correctly. Disable any personal firewall while running WebGoat.
From a browser, the Tomcat server can be accessed on localhost port 80, e.g. http://127.0.0.1:8080
WebGoat resides in the WebGoat directory, and the lessons can be found at: http://127.0.0.1:8080/WebGoat/attack
WebGoat resides in the WebGoat directory, and the lessons can be found at: http://127.0.0.1/WebGoat/attack.
The WebGoat application enforces role based security. A login dialog requests credentials. Login as userid=guest, password=guest.
After a successful login the Tomcat server will show the WebGoat welcome page.