Skip to content
Choose a tag to compare
Choose a tag to compare

Version v8.2.1

New functionality

  • New Docker image for arm64 architecture is now available (for Apple M1)
Choose a tag to compare

Version 8.2.0

New functionality

  • Add new zip slip lesson (part of path traversal)
  • SQL lessons are now separate for each user, database are now per user and no longer shared across users
  • Moved to Java 15 & Spring Boot 2.4 & moved to JUnit 5

Bug fixes


Special thanks to the following contributors providing us with a pull request:

  • nicholas-quirk
  • VijoPlays
  • aolle
  • trollingHeifer
  • maximmasiutin
  • toshihue
  • avivmu
  • KellyMarchewa
  • NatasG
  • gabe-sky
Choose a tag to compare

Version 8.1.0

New functionality

  • Added new lessons for cryptography and path-traversal
  • Extra content added to the XXE lesson
  • Explanation of the assignments will be part of WebGoat, in this release we added detailed descriptions on how to solve the XXE lesson. In the upcoming releases new explanations will be added. If you want to contribute please create a pull request on Github.
  • Docker improvements + docker stack for complete container with nginx
  • Included JWT token decoding and generation, since does not support None anymore

Bug fixes


Special thanks to the following contributors providing us with a pull request:

  • Satoshi SAKAO
  • Philippe Lafoucrière
  • Cotonne
  • Tiago Mussi
  • thegoodcrumpets
  • Atharva Vaidya
  • torleif
  • August Detlefsen
  • Choe Hyeong Jin

And everyone who provided feedback through Github.

Team WebGoat

Choose a tag to compare

The WebGoat 7.1 Release is comprised 104 commits from 16 different contributors a over a period of 9 months.

This is a release ta include many bug fixes and is intended to be the last release of the 7.X branch, as the WebGoat team have big plans for next release.

For a glimpse of what has been implemented, check our change log:

Change Log

7.1 (2016-11-18)

Full Changelog

Implemented enhancements:

  • i8n highlighting #96
  • Improve uniqueness of menu item Id's #45

Fixed bugs:

  • Stored XSS Lesson does not render message and attack does not fire #141
  • Source code is not available for this lesson. #137

Closed issues:

  • Fix lesson client side filtering #272
  • Reset lesson does not work anymore #271
  • Lesson plans not loading with manual build and easy-run jar (standalone jar) not running at all #268
  • Unable to download webgoat jar file #261
  • Developer edition build isn't working in its entirety #260
  • Amazon S3 downloadable JAR is missing #259
  • Code does not compile on dev branch #258
  • Executable jar crashes if empty .extract folder exist #251
  • Java Error Message in Lesson "How to Bypass a Path Based Access Control Scheme" #240
  • developer bootstrap says git is missing when it is installed #236
  • Application Won't Start #234
  • Restart lesson button isn't working #226
  • Navigation to start page is broken after login #218
  • Links in menu missing pointer cursor #216
  • Restart lesson button not working #213
  • WebGoat stops at DEBUG - Exit: getEngine() #211
  • Labs: Remnant files and solved stages #208
  • Labs: Navigating to Instructor java examples #206
  • WebGoat 7.0 and ZAP 2.4.3 will not proxy #204
  • Failing Build #201
  • Missing mvn package of webgoat-container in README.MD #200
  • Seems translation to Russian for "Congratulations. You have successfully completed this lesson." phrase is broken. #199
  • HtmlEncoder uses static methods but must be instantiated #195
  • webgoat-container should unpack all the lessons #192
  • Access Control Flaws, LAB stage 3: Remove the FindProfile screen #186
  • Injection Flaws | XPath Injection date file path issue #184
  • hints don't appear to work on labs #183
  • Session Management Flaws - Spoof an Authentication Cookie render issue #181
  • Challenge - Show* buttons show on initial lesson load #180
  • Http Basics - minor edits and change completion state #178
  • Lab Cross-Site Scripting Stage 1 solution #176
  • Backdoor lesson breaks menu CSS #175
  • Redirect localhost:8080 to localhost:8080/WebGoat #173
  • Session Fixation link in stage 2 does not work #170
  • A failure occurred when execute the command "sh" #145
  • Copy lessons into plugin_lessons #254
  • WebGoat // Lesson Plan and Solution are note available #242
  • Lab: Client side filtering - broken path #232
  • AXIS class not found error in Web Services / WSDL Scanning #222
  • WSDL link in SOAP Request Lesson crashing with AXIS error #221
  • Labs: RBAC stage 1 and 3 not working #209
  • How to create a Legacy Lesson - instruction edit #177
  • Can't tell when WebGoat has actually started when using: #75

Merged pull requests:

Choose a tag to compare

WebGoat 7 is the latest in a series of infrastructure improvements to move WebGoat into the modern era. With the new plugin architecture and separation of the server framework from the lessons, lessons now require just a few lines of code. Lessons can now be produced without having to understand the entirety of the WebGoat server.

This release contains both the WebGoat container and 50+ lessons created by the WebGoat team.