
WebGoat + Full Linux Desktop

What is this lab?

OWASP WebGoat is a deliberately insecure training application for learning web application security in a safe environment. The CSN environment includes a full Linux desktop so you can use a browser, terminal, and optional tools alongside the lessons.

What you will learn

  • How common web flaws show up in HTTP requests and responses
  • Authentication, access control, and input-handling weaknesses
  • How to validate behavior with a proxy and structured notes
  • Mapping issues to risk categories and reasonable fixes

Prerequisites

Tools

  • Web browser with developer tools
  • Web proxy (Burp Suite or OWASP ZAP), optional but recommended

Knowledge

  • Basic HTTP and web application concepts
  • Familiarity with browser DevTools

Launch the lab

Open WebGoat in CSN Labs

Getting started

  1. Click Start Lab and open the URL shown for your instance.
  2. If the lab URL shows nothing or a 404, append /WebGoat to it: WebGoat serves its UI under that context path rather than at the root.
  3. Register a new user account on the login page and sign in with it rather than any shared default credentials; lesson progress is stored per user, so a shared account mixes your results with someone else's.
  4. Optionally route browser traffic through Burp or ZAP. Both listen on 127.0.0.1:8080 by default; if WebGoat itself is reached on port 8080 of the same desktop, move the proxy listener to another port before configuring the browser.
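
The following script is an added example, not part of the lab page or the WebGoat project. It walks the steps above for a fresh instance: it builds the URLs worth trying (the lab URL as given, the same origin with /WebGoat appended, and WebWolf on its own port), optionally sends them through the intercepting proxy, and fingerprints what comes back. It assumes WebGoat answers under /WebGoat, that WebWolf (when exposed) answers under /WebWolf on port 9090 of the same host, and that the proxy listens on 127.0.0.1:8080; adjust the constants if your instance differs.

```python
"""Check which URLs of a fresh WebGoat lab instance actually respond."""
import sys
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumptions (not stated on the lab page): WebGoat is served under /WebGoat,
# WebWolf, when exposed, is served under /WebWolf on port 9090 of the same
# host, and the intercepting proxy (Burp or ZAP) listens on 127.0.0.1:8080.
WEBWOLF_PORT = 9090
PROXY = "http://127.0.0.1:8080"


def candidate_urls(lab_url: str) -> list[str]:
    """URLs worth checking for a new instance, in order: the lab URL as given,
    the same origin with /WebGoat appended (unless already present), WebWolf."""
    parts = urlsplit(lab_url)
    path = parts.path.rstrip("/")
    base = urlunsplit((parts.scheme, parts.netloc, path, "", ""))
    urls = [base]
    if not path.endswith("/WebGoat"):
        urls.append(base + "/WebGoat")
    # WebWolf lives on its own port: keep the host, swap the port.
    wolf = urlunsplit((parts.scheme, f"{parts.hostname}:{WEBWOLF_PORT}", "/WebWolf", "", ""))
    urls.append(wolf)
    return urls


def classify(body: str) -> str:
    """Rough fingerprint of the page returned, based on text in the HTML."""
    if "WebWolf" in body:
        return "WebWolf"
    if "WebGoat" in body:
        return "WebGoat"
    return "other"


def probe(url: str, use_proxy: bool = False, timeout: float = 5.0) -> tuple[Optional[int], str]:
    """Fetch url, following redirects (WebGoat redirects / to its login page).
    Returns (HTTP status, fingerprint); status is None when unreachable."""
    # An empty proxy map also disables any proxy picked up from the environment.
    proxies = {"http": PROXY, "https": PROXY} if use_proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, classify(body)
    except urllib.error.HTTPError as exc:
        return exc.code, "http-error"
    except (urllib.error.URLError, OSError) as exc:
        return None, f"unreachable ({exc})"


def main(argv: list[str]) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} <lab-url> [--proxy]")
        return 2
    use_proxy = "--proxy" in argv[2:]
    for url in candidate_urls(argv[1]):
        status, what = probe(url, use_proxy)
        print(f"{status!s:>4}  {what:<12}  {url}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_webgoat.py http://<lab-host>:8080/ --proxy` once Burp or ZAP is listening; the requests then show up in the proxy history, which also confirms the browser-side proxy settings are worth copying. A None status for the WebWolf line simply means that port is not exposed on your instance.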

How to use this lab

  • Pick one lesson category and work through lessons in order at first.
  • For each lesson: read the objective, interact with the app, then confirm behavior in your proxy.
  • Write down the entry point (method and path), the parameter you changed, the response you observed (status, content, anything reflected or leaked), and the control that should have stopped it.
  • After a category, summarize root cause and remediation in a few sentences.
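
As an added example (not code from the lab page or from WebGoat), the script below turns a request/response pair copied out of the proxy into exactly the note fields listed above. It parses the raw HTTP text, collects query and form parameters, records the status and content type, and adds two checks a practitioner wants at that point: whether any parameter value comes back verbatim and unencoded in the body (a reflection worth a closer look in the XSS lessons) and whether the body contains a database error fragment (a hint that input reached a query unparameterised in the injection lessons). The sample capture, the path /WebGoat/example/lookup and the error fragments are constructed for illustration and are not taken from a WebGoat lesson.

```python
"""Turn a proxy-captured request/response pair into the lesson note fields:
entry point, parameter, response, and the control that should exist."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture for illustration; not taken from a WebGoat lesson.
SAMPLE_REQUEST = (
    "POST /WebGoat/example/lookup?debug=0 HTTP/1.1\r\n"
    "Host: 127.0.0.1:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: JSESSIONID=constructed\r\n"
    "\r\n"
    "account=Smith%27+OR+%271%27%3D%271"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body><p>Lookup for Smith' OR '1'='1 failed:</p>"
    "<pre>java.sql.SQLSyntaxErrorException: unexpected token: OR</pre>"
    "</body></html>"
)

# Database error fragments that commonly leak into responses. Matching one is a
# strong hint that user input reached a query unparameterised.
ERROR_SIGNATURES = {
    "java-sql": re.compile(r"java\.sql\.\w+Exception"),
    "hsqldb": re.compile(r"unexpected token", re.I),
    "mysql": re.compile(r"You have an error in your SQL syntax", re.I),
    "postgres": re.compile(r"unterminated quoted string|syntax error at or near", re.I),
    "mssql": re.compile(r"Unclosed quotation mark", re.I),
    "oracle": re.compile(r"ORA-\d{5}"),
}


def _headers(lines):
    """Header lines -> dict with lower-cased names (first colon splits)."""
    out = {}
    for line in lines:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = _headers(lines[1:])
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)  # decodes %xx and '+'
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def parse_response(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    return {"status": status, "headers": _headers(lines[1:]), "body": body}


def find_reflections(params, body, min_len=4):
    """Parameter names whose decoded value appears verbatim in the body.
    Very short values are skipped because they match by accident."""
    return sorted({n for n, vals in params.items() for v in vals if len(v) >= min_len and v in body})


def find_error_signatures(body):
    return sorted(name for name, rx in ERROR_SIGNATURES.items() if rx.search(body))


def build_note(request_raw, response_raw, expected_control):
    req = parse_request(request_raw)
    resp = parse_response(response_raw)
    return {
        "entry_point": f"{req['method']} {req['path']}",
        "parameters": req["params"],
        "status": resp["status"],
        "content_type": resp["headers"].get("content-type", ""),
        "reflected": find_reflections(req["params"], resp["body"]),
        "error_signatures": find_error_signatures(resp["body"]),
        "control": expected_control,
    }


def format_note(note):
    params = "; ".join(f"{k}={v}" for k, vals in note["parameters"].items() for v in vals)
    return "\n".join([
        f"Entry point: {note['entry_point']}",
        f"Parameters: {params}",
        f"Response: {note['status']} {note['content_type']}",
        f"Observed: reflected unencoded={note['reflected']} error signatures={note['error_signatures']}",
        f"Control expected: {note['control']}",
    ])


if __name__ == "__main__":
    print(format_note(build_note(SAMPLE_REQUEST, SAMPLE_RESPONSE,
                                 "parameterised query; generic error page")))
```

Paste the raw request and response from the proxy (Burp's "Copy to file" keeps the CRLF line endings the parser expects) in place of the constructed samples and fill in the control you expected; the printed note is the per-lesson record, and the per-category summary asked for above is then a matter of reading the controls column across the notes.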

Suggested lesson themes

  • Authentication and session — login flows, passwords, sessions
  • Access control — what different users can see or do
  • Injection and input handling — SQLi, XSS, and related patterns
  • Client-side and misconfiguration — CORS, headers, unsafe defaults

Some lessons depend on WebWolf, a companion application that receives the e-mails and callbacks the lessons generate and lets you host files for them. When it is exposed, it usually listens on a second port (9090 by default), with its UI under /WebWolf.

Scenarios

Scenario walkthroughs for WebGoat will be added here over time.

Safety and ethics

Use these techniques only in authorized lab environments. Unauthorized testing against systems you do not own or lack permission to test is illegal and unethical.

References