Installing WebGoat on Windows

Recently, I had to work on WebGoat to study the possible vulnerabilities we can have on a test web application. But since I used to normally work on Windows (Linux now), installing it and having it to start to work was a bit tiresome. After a while, I managed to install everything needed. So here are the steps I followed to get it work.

You need to have Java and Tomcat installed on your system. Assuming Java will be there, you can download Tomcat from here. Install Tomcat in the root folder instead of the Program Files folder to avoid messing with the permission settings. When the installation finishes, go to the installation directory and navigate to the conf folder and open tomcat-users.xml file. Under <tomcat-users> tag, insert the following text

<role rolename=”admin-gui”/>
<role rolename=”manager-gui”/>

<role rolename=”webgoat_admin”/>
<role rolename=”webgoat_user”/>
<role rolename=”webgoat_basic”/>

<user name=”webgoat” password=”webgoat” roles=”webgoat_admin” />
<user name=”guest” password=”guest” roles=”webgoat_user” />
<user name=”basic” password=”basic” roles=”webgoat_basic” />
<user name=”admin” password=”yourpassword” roles=”admin-gui,manager-gui” />

Now download the latest version of WebGoat WAR file from here. At this time, Tomcat should be listening on http://localhost:8080 unless you modified this setting during the installation of Tomcat. Open that address on your browser. Click on Manage App and then insert the username and password you specified at the last line of the above code. Then go down to WAR file to deploy section and locate your installation file from your download folder and click on Deploy.

That’s it. Now you should be able to see the WebGoat app working by navigating to http://localhost:8080/WebGoat/attack.