WebGoat

WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons and practices through hands-on experimentation.

WebGoat is built in JavaScript, distributed under the Other license, 8.8k GitHub stars, latest release v2025.3.

Stats refreshed

Language
JavaScript
Latest Release
v2025.3
License
Other

Our Newsletter

Get new Security tools right in your inbox

Get short emails with useful security projects, releases, and repos worth watching.


Key Features

  • Deliberately vulnerable web application for learning security
  • Hands-on tutorials with real vulnerabilities
  • Covers common web security risks and mitigations
  • Role-based user scenarios
  • Widely used in security training and workshops



Community

Stars
8.8k
Open Issues
49
Forks
7.0k