WebGoat with Podman

Ready-made Containerfile to that runs WebGoat 2023.4 on http://localhost:8888/WebGoat

WebGoat is a practice target to learn web penetration testing. Podman is a container tool. Similar to Docker, Podman can run applications in light virtual machines. Unlike Docker, Podman does not need root.


This article has not been troughoutly tested yet. It assumes you have installed the prerequisites and a firewall yourself.

For a well-tested article running the WebGoat, check Try Web Hacking on New Webgoat 2023.4

Use of penetration testing techniques requires legal and ethical considerations. To safely use these tools, tactics and procedures, you might need to obtain contracts and permissions; and posses adequate technical skills. Check your local laws.

WebGoat Containerfile for Podman

Copy-paste contents to "Containerfile" in an empty directory, follow instructions in comments.

# podman Containerfile to run Webgoat
# Copyright 2024 Tero Karvinen https://TeroKarvinen.com

# Build and run
# $ podman build -t webgoatee .
# $ podman run --publish=8888:8888 webgoatee:latest

# On a different window:
# $ curl -I localhost:8888/WebGoat/
# HTTP/1.1 302 Found
# Location: http://localhost:8888/WebGoat/login

# Use your web browser to go to http://localhost:8888/WebGoat/

# To quit
# $ podman ps
# $ podman kill gallant_cohen

# Happy hacking!

FROM debian:bookworm-slim

RUN apt-get update
RUN DEBIAN_FRONTEND=non-interactive apt-get -yyy install openjdk-17-jre
RUN DEBIAN_FRONTEND=non-interactive apt-get -yyy install wget
RUN wget https://terokarvinen.com/thirdparty/webgoat-2023.4.jar
RUN sha256sum webgoat-2023.4.jar |tee webgoat-2023.4.jar.sha256sum


CMD java -Dfile.encoding=UTF-8 -Dwebgoat.port=8888 -Dwebwolf.port=9090 -Dserver.address= -jar webgoat-2023.4.jar


The package I used was about 100 MB, 101 947 142 bytes (ls -l), sha256sum below.

$ sha256sum webgoat-2023.4.jar
db37949d79a5926d6b67c321af387ca17f7fbe590840bc8bcfd1caeb38303bb4  webgoat-2023.4.jar