WebGoat Notes

WebGoat is a deliberately vulnerable Web application, now including helpful hints and videos to guide you into hacking it.

I am using Windows 7. I think the process is similar on other Windows versions.

Part 1: Getting WebGoat and WebScarab Running on Windows

Make Sure You Have Java Installed

Open a Web browser and go to java.com. Click the "Do I have Java?" link. On the next page, click the "Verify Java Version" button. If you don't have the recommended version, download and install it.

java (120K)

Downloading and Installing WebGoat

Open a Web browser and go to http://code.google.com/p/webgoat/downloads/list and download the latest version of WebGoat. When I did it, it was WebGoat-OWASP_Standard-5.3_RC1.7z. Also download the Solving the WebGoat Labs Draft V2.pdf file.

Extract the zip file. It's a 7-zip file, so you will need to download and install 7-zip if you don't already have it. A folder named WebGoat-OWASP_Standard-5.3_RC1 appears. Double-click the subfolder named WebGoat-5.3_RC1. Double-click the webgoat_8080.bat file. A Command Prompt opens and vanishes instantly, and another Command Prompt window opens titled "Tomcat". The Tomcat window fills with text and stays open, as shown below. This is the Apache Tomcat Web server listening on the localhost, port 8080. Leave that window open.

tomcat (58K)

In Firefox, go to http://localhost:8080/webgoat/attack. A box pops up asking for a name and password. Use guest for both the name and the password.

The main WebGoat page opens. Click the "Start WebGoat" button. The "How to work with WebGoat" page opens, as shown below.

webgoat-main (279K)

Installing WebScarab

You need WebScarab to complete the lessons. Open a Web browser and go to


On the left side, click the Download link. In the first sentence in the Download section, click the word "here". On the next page, in the "Snapshots" section, click the "the current development snapshot" link. When I did it, I got a file named webscarab-one-20100820-1632.jar.

Double-click the webscarab-one-20100820-1632.jar file. A "Webscarab Lite" window opens. This is the Lite Interface. From the menu bar, click Tools, Use Full-Featured Interface. Close WebScarab and restart it. Now you should see many more options, as shown below.

webscarab1 (37K)

Configuring Firefox to Use WebScarab as a Proxy

In Firefox, click Tools, Options. In the Options box, click the Advanced button. Click the Network tab. Click the Settings button. Click the "Manual proxy configuration" radio button. Enter a HTTP Proxy server of localhost and port 8008.

Near the bottom of the "Connection Settings" window, empty the "No Proxy for:" box. This is very important! If you don't clear that box, WebScarab won't intercept traffic to and from WebGoat!

The "Connections Settings" box should look like the image below. Click OK. In the Options box, click OK.

firefox-proxy (43K)

On the left side of the WebGoat page, click "Introduction". Click the "Tomcat Configuration" link. In the WebScarab window, on the "Summary" tab, you shoud see a list of each HTTP request and response, as shown below.

webscarab2 (64K)


WebGoat FAQ
Last modified: 2-2-11