WebGoat is an intentionally insecure program for Windows maintained by OWASP. It was created to impart lessons on web protection. Serving as a demonstration of server side vulnerabilities, it allows you to learn about penetration testing techniques. To put skills to practice, you may try a tool called Metasploit.

Cautionary notes

While using this app, your computer will be highly vulnerable to attacks. It is strongly recommended to disconnect your machine from the Internet. Additionally, the default configuration binds to localhost to mitigate exposure to external threats.

This software is distributed for educational purposes only. Unauthorized attempts to apply these techniques are likely to be detected. If you are caught hacking, you may face termination of employment from most companies.

Main capabilities

The main objective of this project is simple. Developers want to establish an interactive educational platform for web application security. Looking ahead, the team aims to expand its capabilities by transforming it into a comprehensive benchmarking solution.

Teaching is a central focus of this program, so vulnerabilities are explained in detail. The emphasis is put on providing detailed descriptions, starting from the basics, such as understanding what a SQL injection is. The assignments help to facilitate the learning process.

Features

free to download and use;
compatible with modern Windows versions;
enables you to learn about application security;
you can perform penetration testing on PC;
there is support for standalone installation.