CNIT 120 Project 11: WebGoat Setup (10 pts.)

WebGoat is a deliberately vulnerable Web application, now including helpful hints and videos to guide you into hacking it.

I am using Windows 7. I think the process is similar on other Windows versions.

Make Sure You Have Java Installed

Open a Web browser and go to Click the "Do I have Java?" link. On the next page, click the "Verify Java Version" button. If you don't have the recommended version, download and install it.


Downloading and Installing WebGoat

Open a Web browser and go to and download the latest version of WebGoat. When I did it, it was

Right-click the ZIP file and click "Extract All...", then click Extract.

A folder named WebGoat-5.4-OWASP_Standard_Win32 appears. Double-click the subfolder named WebGoat-5.4. Double-click the webgoat_8080.bat file. A Command Prompt opens and vanishes instantly, and another Command Prompt window opens titled "Tomcat". The Tomcat window fills with text and stays open, as shown below.

If a "Windows Firewall" box pops up, allow the program to use the network.

This is the Apache Tomcat Web server listening on the localhost, port 8080. Leave that window open.
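Because WebGoat is deliberately vulnerable, it is worth confirming that port 8080 is bound to the loopback address only, especially after allowing the program through Windows Firewall. The following is an added example, not part of the original project instructions: it parses `netstat -ano` output and classifies the listener. The function names and the sample output are constructed for illustration.

```python
import subprocess
import sys

LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3412
  TCP    127.0.0.1:49203        127.0.0.1:8080         ESTABLISHED     2960
  UDP    0.0.0.0:5355           *:*                                    1180
"""


def listeners(netstat_text, port):
    """Return [(local_address, pid)] for TCP sockets LISTENING on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; UDP rows have no State column and are skipped.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        addr, _, local_port = fields[1].rpartition(":")
        if local_port == str(port):
            found.append((addr, int(fields[4])))
    return found


def exposure(netstat_text, port=8080):
    """Classify `port` as 'not listening', 'loopback only' or 'exposed'."""
    socks = listeners(netstat_text, port)
    if not socks:
        return "not listening"
    if all(addr in LOOPBACK for addr, _ in socks):
        return "loopback only"
    return "exposed"  # bound to 0.0.0.0, [::] or a LAN address


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.check_output(["netstat", "-ano"], universal_newlines=True)
    else:
        text = SAMPLE  # fall back to the constructed sample off Windows
    print("Port 8080:", exposure(text), listeners(text, 8080))
```

If the result is "exposed", other machines on the network can reach the vulnerable application; close the Tomcat window when you are not working on the project.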


If the window closes immediately, you are probably trying to run WebGoat from inside the Zip archive. You need to extract the files first and run the program from the decompressed folder.

[Image: tomcat]

In Firefox, go to

A box pops up asking for a name and password. Use guest for both the name and the password.

The main WebGoat page opens. Click the "Start WebGoat" button. The "How to work with WebGoat" page opens, as shown below.

[Image: webgoat-main]

Save this image with a filename of Proj_11_from_Your_Name.

Email the image to with a subject of "Project 11 from YOUR NAME".


WebGoat FAQ
Last modified: 3-2-14