Install Webgoat 8 - Learn Web Pentesting

Learning to hack

WebGoat is a beginner friendly practice target for web penetration testing.

In this article, I'll install WebGoat 8 on Kali and Ubuntu using Java.

NEW: Use version 2023.4

The Small Print

Using penetration testing techniques requires many legal and ethical considerations, which are not taught in this article. You're responsible for following the law.

Note that WebGoat is extremely vulnerable, and you must consider the risks of adding such a vulnerable piece of software to your computer.

This article is about the latest WebGoat 8. My earlier article shows how to run older WebGoat 7 in Docker.


Install Java (and some helpful tools)

$ sudo apt-get update
$ sudo apt-get -y install openjdk-17-jre ufw wget bash-completion

This command works with Debian 12-Bookworm. If you run an older system, you might need an older version of OpenJDK Java. For example, Debian 11 Bullseye has "openjdk-11-jre". Webgoat version 8 used in this article works with both Java versions.

Enable firewall.

$ sudo ufw enable

Install and Run WebGoat

Download and run Webgoat 8:

$ wget
$ java -jar webgoat-server-8.0.0.M26.jar

Here, we're using a version that works with Java 11 that's easy to install to Debian 11-Bullseye.



Open WebGoat in browser. Notice the path, or you get an empty page. Webgoat is made in Java, so the start might take half a minute.


Register a new user, using the link below the login fields.

Log in.

Become a Hacker

Well done, you're runnning web goat. You're on the path to becoming a hacker. Only use your new powers for good!

Learning to hack

Updated: title, minor improvements in text; fixed '...opendjk...' -> 'sudo apt-get install openjdk-11-jre'. Updated link to Webgoat Java jar file, thanks Jukka. 2023-08-29 updated required openjdk version and apt-get command for Debian 12 Bookworm.