OWASP WebGoat Series - Introduction



The OWASP WebGoat project is a deliberately insecure web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability within the WebGoat application.

The WebGoat project is a demonstration of common server-side Java application flaws. The exercises are intended to teach application security and penetration testing techniques. With Java being the #1 server-side programming language, this is a great way to understand how to test and protect Java applications.


Upon successfully installing the jar file for WebGoat within Kali Linux, we need to head to localhost:8080/WebGoat/login to access the WebGoat web application. Registering is needed in order to access all of WebGoat’s content.

OWASP Successful Login

After successfully logging in, we are greeted with a quick introduction to what WebGoat is. On the sidebar you can see the list of commonly seen Java-based application vulnerabilities. Each security risk gives the user a basic understanding of how it works, what it is used for, and the ability to perform the attack themselves.


Before starting the series, I would like to mention that this series is an introduction to OWASP’s Top 10 Security Risks. It’s intended for learning purposes and to get a better understanding of the most common security risks in web applications. I’ll be summarizing every topic in the WebGoat project, based on what I’ve learned from going through it. The information I write will be very basic and will only be touching the surface of each security risk.