WebGoat
WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons and practices through hands-on experimentation.
WebGoat is built in JavaScript, distributed under the Other license, 8.8k GitHub stars, latest release v2025.3.
Stats refreshed
- Language
- JavaScript
- Latest Release
- v2025.3
- License
- Other
Our Newsletter
Get new Security tools right in your inbox
Get short emails with useful security projects, releases, and repos worth watching.
Key Features
- Deliberately vulnerable web application for learning security
- Hands-on tutorials with real vulnerabilities
- Covers common web security risks and mitigations
- Role-based user scenarios
- Widely used in security training and workshops
Alternative Tools
Resources
Community
More Security tools
Rustdesk
An open-source remote desktop application designed for self-hosting, as an alternative to TeamViewer. It allows secure remote access and control while providing the flexibility and security of a self-hosted solution.
Sherlock
Sherlock is a powerful tool to hunt down social media accounts by username across numerous social networks efficiently.
Caddy
A fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS, providing easy configuration and built-in support for modern protocols.
Ghidra
Ghidra is a comprehensive software reverse engineering (SRE) framework developed by the NSA, offering tools for analyzing various platforms.
Mkcert
A simple zero-config tool designed to create locally trusted development certificates for any domain, enhancing local SSL/TLS setup.
Joplin
Joplin is a privacy-focused note-taking application that supports synchronization and is available on Windows, macOS, Linux, Android, and iOS.