OWASP WebGoat download and installation – OWASP Top 10 training

Welcome back to the OWASP Top 10 training series. Today, you are going to learn how to install OWASP WebGoat and OWASP WebWolf using both Java and Docker. We are slowly but surely building out our OWASP Top 10 lab to start practicing how to exploit the OWASP Top 10 vulnerabilities. If you haven’t been following along from the beginning, it’s not too late. All you have to do is follow the instructions in the OWASP ZAP or Burp Suite setup blog posts. Or, if you prefer videos, I created the OWASP Top 10 video training series just for you. I will be adding more episodes to it as we progress through this training.

What is OWASP WebGoat and why use it for this OWASP Top 10 training?

OWASP WebGoat is a deliberately insecure web application to test Java-based applications against common web application vulnerabilities. It is well maintained and contains most of the OWASP Top 10 vulnerabilities. 

OWASP WebGoat comes with another web application called OWASP WebWolf, which makes it easy for you to host malicious files, receive emails and HTTP requests. It is really handy for testing things like out-of-band attacks.

Both OWASP WebGoat and WebWolf are released as jar files, Docker images and, of course, source code. So it is very convenient for our OWASP Top 10 training. In fact, this is a great opportunity to learn how Docker can be used to set up a lab and learn web application hacking.

Disclaimer: this is a deliberately vulnerable web application. I strongly discourage running it on your host machine. For this reason, I am going to start on a fresh Debian 9 VM on VirtualBox. I explain how to set one up in my video on YouTube. For now, I’ll assume that you already have a Debian 9 VM running on your favorite virtualization software. I am using VirtualBox.

How to install OWASP WebGoat and WebWolf using the JAR

Feel free to skip this part if you’d like to use Docker in your OWASP Top 10 training. I’ve included it here so that you know how to install Java on your machine. Knowing how to install packages is a good skill to have in your learning journey. It allows you to discover and experiment with new tools, especially with the increasing number of open-source tools published every day.

Installing Java

Once you’ve connected to your Debian 9 guest machine, run the following commands. Again, make sure to watch the video if you get stuck.

# Download JDK 11
cd /tmp && wget https://download.java.net/java/ga/jdk11/openjdk-11_linux-x64_bin.tar.gz

# Switch to the root user, type root password
su -

# Create the folder /usr/lib/jvm (-p: no error if it already exists)
mkdir -p /usr/lib/jvm

# Extract the downloaded archive
tar xzvf /tmp/openjdk-11_linux-x64_bin.tar.gz --directory /usr/lib/jvm

# Create a symlink to the java binary
ln -s /usr/lib/jvm/jdk-11/bin/java /usr/bin/java

# exit from root user
exit

# Verify that you have the right version running
java -version

# Remove the downloaded archive
rm /tmp/openjdk-11_linux-x64_bin.tar.gz

OWASP WebGoat download and run

# Download the latest WebGoat release jar
wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M26/webgoat-server-8.0.0.M26.jar

# Run WebGoat using java
java -jar webgoat-server-8.0.0.M26.jar --server.address=

Note that you have to set the server.address option to In fact, by default, WebGoat listens on localhost only.

OWASP WebWolf download and run

# Download the OWASP WebWolf jar
wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M26/webwolf-8.0.0.M26.jar

# Run it while setting the server’s address to
java -jar webwolf-8.0.0.M26.jar --server.address=

How to install OWASP WebGoat in Docker

Docker has many advantages over using plain Java. I can’t recommend it enough, not only in this OWASP Top 10 training series, but also in your overall hacking journey. In fact, you don’t need to install and configure any dependencies. Plus, WebGoat and WebWolf are both run using one command. Finally, Docker will help you to easily set up other applications in the future.

Install Docker

The Docker documentation includes a one-time installation script, but I wouldn’t recommend it. You need to develop the habit of understanding what code does before running it on your own machines. Most of the following steps are inspired by the official Docker documentation for Debian.

# Switch to the root user, type root password
su -

# Remove any previous installations of Docker
apt-get remove docker docker-engine docker.io

# Update your repository
apt-get update

# Install required packages
# (software-properties-common provides add-apt-repository, used below)
apt-get install \
     apt-transport-https \
     ca-certificates \
     curl \
     gnupg2 \
     software-properties-common

# Download Docker’s apt-key
curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | apt-key add -

# Verify that the key belongs to Docker
apt-key fingerprint 0EBFCD88

# Add the Docker stable repository to your apt sources
add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
   $(lsb_release -cs) \
   stable"

# Update the repository
apt-get update

# Install Docker
apt-get install docker-ce

# Add your user to the docker group
/sbin/usermod -aG docker thehackerish
# or
usermod -aG docker thehackerish

# Log in again with your user over SSH and run:
docker run hello-world

You should have a response similar to the one in the screenshot. [Image: OWASP Top 10 training: Docker setup]

Download and run OWASP WebGoat for Docker
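The key verification step above only protects you if the output is compared with a known-good value, and the 8-character short ID 0EBFCD88 is not enough on its own because short IDs can collide. The following is an added example, not part of the original post: it checks the full fingerprint that Docker publishes in its Debian install documentation, and the sample outputs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the full key fingerprint, not just the short ID.

# Full fingerprint Docker publishes for key 0EBFCD88 in its install docs.
DOCKER_FPR="9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88"

# Strip whitespace and upper-case hex digits so spacing differences are ignored.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read "apt-key fingerprint" output on stdin; succeed only if some line is
# exactly the expected fingerprint. Accepts both the older
# "Key fingerprint = ..." layout and the bare indented layout of newer GnuPG.
fingerprint_present() {
    want=$(normalize_fpr "$1")
    sed -e 's/^.*Key fingerprint *= *//' -e 's/[[:space:]]//g' |
        tr 'abcdef' 'ABCDEF' |
        grep -qxF "$want"
}

# Constructed sample outputs (typed by hand, not captured from a machine).
sample_good='pub   rsa4096 2017-02-22 [SCEA]
      9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
uid           [ unknown] Docker Release (CE deb) <docker@docker.com>
sub   rsa4096 2017-02-22 [S]'

# Hypothetical key that shares the short ID 0EBFCD88 but not the fingerprint.
sample_lookalike='pub   rsa4096 2017-02-22 [SCEA]
      AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 0EBF CD88
uid           [ unknown] Docker Release (CE deb) <docker@docker.com>'

# Print "match" or "MISMATCH" for a block of apt-key output.
check_output() {
    if printf '%s\n' "$1" | fingerprint_present "$DOCKER_FPR"; then
        echo "match"
    else
        echo "MISMATCH"
    fi
}

check_output "$sample_good"        # genuine layout
check_output "$sample_lookalike"   # same short ID, different key

# On the VM, as root:
#   apt-key fingerprint 0EBFCD88 | fingerprint_present "$DOCKER_FPR" || echo "do not trust this key"
```
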

Run WebGoat and WebWolf all in one go. Notice that you have to set the timezone variable TZ for JWT challenges to work properly. Here is a list of timezones that you can use according to your host machine location.

docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf

Testing our OWASP WebGoat setup

Now that OWASP WebGoat and WebWolf are running, let’s test if they work with OWASP ZAP or Burp Suite as intended.

  1. Launch OWASP ZAP or Burp Suite.
  2. Choose your proxy from the FoxyProxy add-on. If you haven’t followed from the beginning, here is the link for installing and configuring FoxyProxy.
  3. Go to http://your-machine-ip:8080/WebGoat, where your-machine-ip is the IP address of the Debian 9 VM.
  4. If everything went well, you should have a login screen like the following screenshot. [Image: OWASP Top 10 training: WebGoat login page]

Testing our OWASP WebWolf setup

  1. Launch OWASP ZAP or Burp Suite.
  2. Choose your proxy from the FoxyProxy add-on. If you haven’t followed from the beginning, here is the link for installing and configuring FoxyProxy.
  3. Go to http://your-machine-ip:9090/WebWolf, where your-machine-ip is the IP address of the Debian 9 VM.
  4. If everything went well, you should have a login screen. [Image: OWASP Top 10 training: WebWolf login page]
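Because both applications are deliberately vulnerable, it is worth confirming on the VM which interfaces ports 8080 and 9090 actually listen on once the login pages load. The following is an added example, not part of the original post: it parses ss -tln output and lists the lab ports bound to a wildcard address; the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report lab ports that accept connections on every interface.

# Read "ss -tln" output on stdin and print, space-separated, each port named
# in the arguments whose listener is bound to a wildcard address.
wildcard_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {                            # skips the header line
            port = $4; sub(/^.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)    # text before it
            wild = (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]")
            if (wild && (port in want)) print port
        }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed samples (typed by hand). First: WebGoat on loopback only,
# WebWolf bound to all interfaces.
sample_jar='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:8080     *:*
LISTEN 0      100    *:9090             *:*
LISTEN 0      128    *:22               *:*'

# Second: both ports published with "docker run -p 8080:8080 -p 9090:9090".
sample_docker='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    :::8080            :::*
LISTEN 0      128    :::9090            :::*'

# Summarise one listing for the two lab ports.
report() {
    found=$(printf '%s\n' "$1" | wildcard_listeners 8080 9090)
    if [ -n "$found" ]; then
        echo "reachable from other hosts: $found"
    else
        echo "lab ports are loopback-only"
    fi
}

report "$sample_jar"
report "$sample_docker"

# On the VM: ss -tln | wildcard_listeners 8080 9090
```

If the Docker-published ports show up on a wildcard address and the VM has more than one network adapter, docker run accepts an address in front of the mapping (-p VM_HOST_ONLY_IP:8080:8080, where VM_HOST_ONLY_IP is a placeholder) so the lab stays on the isolated network.
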

Congratulations! You’ve made another step towards practicing OWASP Top 10 vulnerabilities! In the next episode of this OWASP Top 10 training series, we will set up and configure OWASP Juice Shop.

Until then, stay curious, crave for learning, be ethical and share with the world!

If you enjoy learning on YouTube, I prepared the OWASP Top 10 training video series just for you. Here is the OWASP WebGoat setup video.