Ethical hacking with WebGoat

Security testing

Security testing is one of the types of software testing which verifies if application under test is secure. This kind of testing is about finding all possible weak spots that can cause information leakage or loss. Like all other types of testing, also security testing will never give you 100% confidence that your application is secure.
It is also very important to have security always in mind while testing your application even if you are not a security tester. You may sometimes accidentally spot a security issue that could be exposed in future to application users.

Security testing is hard. Doubtlessly. It requires a very well knowledge of application under test, hundreds or even thousands of vulnerability types, using good test data. And a lot of practice. Of course, there are tools that can help in security testing but manual security testing and discovering vulnerabilities are obligatory.
One of the easiest and fun way to learn security testing is through ethical hacking. It sounds exciting, doesn’t it?
Ethical hacking is a type of testing activity that involves finding a weakness in a system, network or applications in our case to make them fixed. It’s also called penetration testing, intrusion testing or red teaming. An ethical hacker is usually called a white-hat hacker. It’s the opposite of black-hat hackers that uses found vulnerabilities to leak information, destroy them and any other “bad way”.
You can learn the fundamentals of ethical hacking in many ways. I’ll recommend you to try a WebGoat.

What is a WebGoat?

WebGoat is intentionally insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.

There are currently over 30 lessons, including those dealing with the following issues:

  • Cross-site Scripting (XSS)
  • Access Control
  • Thread Safety
  • Hidden Form Field Manipulation
  • Parameter Manipulation
  • Weak Session Cookies
  • Blind SQL Injection
  • Numeric SQL Injection
  • String SQL Injection
  • Web Services
  • Fail Open Authentication
  • Dangers of HTML Comments
  • … and many more!

How to install?

There are currently three available ways to run WebGoat

  1. Run using Docker
  2. Compile from Sources
  3. Run using Vagrant

Using Docker is probably the easiest so I’ll show it this way.

What is Docker?

Wikipedia defines Docker as an open-source project that automates the deployment of software applications inside containers. Provides an additional layer of abstraction and automation of OS-level virtualization on Linux.

To put it in simple way, Docker is a tool that allows developers, testers etc. to easily deploy their applications in a sandbox (called containers) to run on the host operating system i.e. Linux. The key benefit of Docker is that it allows users to package an application with all of its dependencies. Unlike virtual machines, containers do not have the high overhead and hence enable more efficient usage of the underlying system and resources.

How to start?

Download docker for windows from here:

* Requires Microsoft Windows 10 Professional or Enterprise 64-bit For previous versions get Docker Toolbox

Install Docker like you would any other windows application and follow on-screen instructions. Then open a command shell and type:

docker pull webgoat/webgoat-7.1

WebGoat installation with docker. Pull command

After successfull download run container with webgoat using:

docker run -d -p 8080:8080 webgoat/webgoat-7.1

8080 is the port that the server will use for communication with web browser. If it’s already in use, please choose any other, i.e 8081:8081

And verify if container is running

docker ps

Running container with WebGoat image

And finally you can open WebGoat page by going to address:


How to use?

After logging in, the main screen with all instructions needed to quick start with WebGoat are presented.
I suggest you to read that carefully. It will help.


On the left side menu, you’ll have a green ticker once you successfully complete a lesson.

Let’s proceed to General lesson about HTTP Basics.

This lesson’s purpose is to familiarize you with the lessons convention. Read the lesson description and then click “Show plan” to know how to complete this exercise.

You can also use OWASP Zed Attack Proxy here.

As soon as the lesson goal will be achieved, the message “Congratulations. You have successfully completed this lesson.” will appear under the hint buttons.

After completing this lesson you have still at least 70 exercises to clear. The challenge is waiting for you at the end. Your mission is to break the authentication scheme, steal all the credit cards from the database, and then deface the website. You will have to use many of the techniques you have learned in the other lessons.

Can you handle it?