Setting Up WebGoat for Pen-testing
Posted on September 21, 2016.

As I have been preparing to teach my security course, I wanted to incorporate a variety of tools into the course so that students gain a more technical understanding regarding security topics such as general DOS commands, cryptography, stegonography, secure networks, access controls, application security, database security, incident disaster and response, etc. Anyway, I searched for effective tools to examine application and database insecurities with a way to track individual student progress. Enters WebGoat. WebGoat allows you test a bunch of insecurities to gain an understanding of possible weaknesses when building a web application and database. You could run the standalone jar file per the instructions; however, I wanted each user to have access to their own account so these were the steps I followed to make this possible:

  1. Download Maven binary zip file, extract it, and save the directory where you want.
  2. Download and install the latest Java JDK.
  3. Add JAVA_HOME to the environment variables by opening System Properties and then clicking Environment Variables on the Advanced tab
  4. Add the path to the JDK you installed in
  5. Enter JAVA_HOME as the Variable name and the directory to your JDK as the Variable value
  6. Click OK twice.
  7. Click edit while selecting Path under the System variables
  8. Add two new path variables %JAVA_HOME%in and the bin folder in the Maven folder you saved in
  9. Click OK twice.
  10. Check to see if Maven is running by running the following in command prompt:
    mvn -v
  11. Install Git.
  12. Open command prompt, navigate to where you want to download WebGoat, and run the following:
    git clone
    git clone
    cd WebGoat
    git checkout develop
    mvn clean compile install
    cd ..
    cd WebGoat-Lessons
    git checkout develop
    mvn package
    xcopy "targetplugins*.jar" "..WebGoatwebgoat-containersrcmainwebappplugin_lessons"
    cd ..
  13. If you want to add more users to track individual logins, follow these instructions before continuing. Note: The spring-security.xml file is located at WebGoatwebgoat-containersrcmainwebappWEB-INF. If you skip this step you can still login with the guest, webgoat, and server default accounts. If you remove the guest, webgoat, and server account, make sure you delete the following from the login.jsp file located at WebGoatwebgoat-containersrcmainwebappWEB-INFpages:
      <h4>The following accounts are built into Webgoat</h4>
      <table class="table table-bordered" style="width:400px;">
          <tr class="warning"><th>Account</th><th>User</th><th>Password</th></tr>
          <tr><td>Webgoat User</td><td>guest</td><td>guest</td></tr>
          <tr><td>Webgoat Admin</td><td>webgoat</td><td>webgoat</td></tr>
  14. The Show Source, Show Solution, Show Plan, Show Hints, and Restart Lesson links will duplicate unless you hide (style=”display:none) the following lines of code in the main.jsp file located at WebGoatwebgoat-containersrcmainwebappWEB-INFpages.
      <button class="btn btn-primary btn-xs help-button" id="show-source-button">Show Source</button>
      <button class="btn btn-primary btn-xs help-button" id="show-solution-button">Show Solution</button>
      <button class="btn btn-primary btn-xs help-button" id="show-plan-button">Show Plan</button>
      <button class="btn btn-primary btn-xs help-button" id="show-hints-button">Show Hints</button>
      <button class="btn btn-xs help-button" id="restart-lesson-button">Restart Lesson</button>
  15. Run the standalone jar file:
    cd WebGoat
    mvn package
    cd webgoat-container/target
    java -jar webgoat-container-7.1-SNAPSHOT-war-exec.jar

    Note: you can specify the port or address to run WebGoat by adding the following after the previous line:

    --p <port> --address <address>
    -p <port> -a <address>
  16. Open WebGoat in your browser by visiting: