WebGoat is an education tool used to learn more about web application flaws, such as SQL Injection, Cross-Site Scripting (XSS), Buffer Overflows, and other web application vulnerabilities. WebGoat hasn’t been updated in a while but still looks useful as a learning platform, so I decided to install it and give it a try. (More details on the project are at https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project.)
I ran into some issues installing it in Windows 7 on one of my computers, and in searching Google for help found a couple of posts from others having the same problem. (I did try to reply to at least one of the posts with this solution, but the thread was old and was closed/locked.)
So in case it helps, if anyone comes across this blog post also looking for help in getting WebGoat working, here is how I finally got it running:
- First, extract the file. In my case, and for this example, the webgoat folder is located at C:\WebGoat-5.3_RC1
- There are ways to change the ports, but since this is only a regular PC that doesn’t already run a web server, make sure that you disable your World Wide Web Publishing service (if it’s running), otherwise it won’t run because port 80 is already in use.
- Make sure you have a Java runtime installed.
- From a command prompt, run the webgoat.bat script. This will then launch a 2nd DOS window that starts up the Tomcat services.
- Now here is where I ran into problems (as did some others)… when I went to http://localhost/webgoat/attack, I got a 404 Not Found error. I tried with capital W and G as the docs suggested, as well as all lowercase. I believe this is some redirect problem, because on another PC where I installed this later it worked fine from the start (all lowercase), but on the first computer I got the 404 error no matter how I formatted the URL.
- What I did to fix the issue was copy the ‘webgoat’ folder from C:\WebGoat-5.3_RC1\tomcat\webapps\webgoat into the ROOT folder at C:\WebGoat-5.3_RC1\tomcat\webapps\ROOT
- Once I did that, it finally prompted me to log in and seems to be working fine.
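
The checks in the steps above can be scripted. The following PowerShell is an added example, not part of the original post or the WebGoat project; it avoids newer cmdlets so it also runs on the PowerShell 2.0 that ships with Windows 7. The `$WebGoatHome` path is the one used in this post, the function names are made up for the example, and treating a 401 as "reachable" is an assumption based on the login prompt described above.

```powershell
# Added example: pre-flight and post-start checks for the WebGoat steps above.
# Assumption: install path taken from the post; change it for your machine.
$WebGoatHome = 'C:\WebGoat-5.3_RC1'

function Test-PortListening([int]$Port) {
    # True if any local TCP listener is bound to $Port (works on PowerShell 2.0).
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    return [bool]($props.GetActiveTcpListeners() | Where-Object { $_.Port -eq $Port })
}

function Get-HttpStatus([string]$Url) {
    # Returns the numeric HTTP status code, or 0 if there was no HTTP response.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        # 4xx/5xx surface as a WebException, possibly wrapped by PowerShell.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { return [int]$ex.Response.StatusCode }
        return 0
    }
}

# Before running webgoat.bat: IIS must not hold port 80, and Java must be on PATH.
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($iis -and $iis.Status -eq 'Running') {
    Write-Output 'W3SVC (World Wide Web Publishing) is running and will hold port 80; stop it first.'
}
if (-not (Get-Command java -ErrorAction SilentlyContinue)) {
    Write-Output 'java was not found on PATH; install a Java runtime.'
}

# Where Tomcat will look for the application (original location and the ROOT copy).
foreach ($app in 'webgoat', 'ROOT\webgoat') {
    $dir = Join-Path $WebGoatHome "tomcat\webapps\$app"
    Write-Output ("{0} exists: {1}" -f $dir, (Test-Path $dir))
}

# After running webgoat.bat: probe both URL spellings and report what comes back.
if (Test-PortListening 80) {
    foreach ($url in 'http://localhost/webgoat/attack', 'http://localhost/WebGoat/attack') {
        $status = Get-HttpStatus $url
        $ok = ($status -eq 200) -or ($status -eq 401)   # 401 assumed to be the login prompt
        Write-Output ("{0} -> HTTP {1} ({2})" -f $url, $status, $(if ($ok) { 'reachable' } else { 'not served' }))
    }
} else {
    Write-Output 'Nothing is listening on port 80; run webgoat.bat first.'
}
```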