WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases.
Latest commit 6f48c99 Oct 25, 2014 @shivamdixit Merge pull request #44 from SethCLong/update_gitignore
Removed Eclipse project files from repo and updated .gitignore
app Fix trailing spaces, code style Aug 19, 2014
fonts Added index page May 12, 2014
script Fixed minor typo Aug 10, 2014
LICENSE Initial commit Apr 26, 2014 Updated README Aug 9, 2014
jframework.php Initial commit. Setup jframework May 12, 2014
robots.txt Added robots.txt Aug 17, 2014


OWASP WebGoatPHP is a port of OWASP WebGoat to PHP and MySQL/SQLite databases. The goal is to create an interactive teaching environment for web application security by offering lessons in the form of challenges. In each challenge the user must exploit the vulnerability to demonstrate their understanding.

WebGoatPHP supports four different modes: single mode, workshop mode, contest mode and secure coding mode.

Project Proposal

The proposal of the project can be found here


Single User Mode:

WebgoatPHP Interface

  1. List of all the lessons and their categories
  2. To refresh the list of lessons and categories (if a new lesson/category is added)
  3. Content of the lesson
  4. Reset the lesson to initial state
  5. Get random hints of the lesson
  6. This will show GET parameters
  7. This will show the COOKIES
  8. Get the plan of the lesson
  9. This will show the solution of the lesson

Workshop Mode:

Workshop Mode


  • Clone the git repo. git clone
  • Move it to your document root
  • Import the database from SQL/webgoat.php
  • Enter your database connection details in app/config/application.php (Line 52)
  • Open the application from localhost
  • Default username:password for single-user mode: guest:guest


  • Fork the repo
  • Create your branch
  • Commit your changes
  • Create a pull request

Adding a lesson/challenge

Adding a new challenge is very simple. All challenges must be present in the 'challenges' directory and must extend the class 'BaseLesson'. A template is provided in template/SampleLesson. The name of the directory must be the same as the name of the class in index.php. Any static content such as images, scripts etc. must be placed inside a sub-directory 'static' within the lesson directory.

There are a few methods that your lesson needs to implement, such as start(), getTitle(), getCategory(), reset() etc.

Once you have added the lesson, click the "Refresh List" button at the top of the application to display your lesson in the list.
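
A pre-pull-request check of the conventions listed above, written as an added example that is not part of the WebGoatPHP repository. The lesson names, the sample PHP sources and the set of static-file extensions are constructed for the example, and only the four methods this README names are checked.

```python
import re
import tempfile
from pathlib import Path

# Methods the README names; its "etc." means the real list may be longer.
REQUIRED_METHODS = ("start", "getTitle", "getCategory", "reset")
STATIC_SUFFIXES = {".png", ".jpg", ".gif", ".js", ".css"}  # assumed set

def check_lesson(lesson_dir):
    """Return a list of convention violations for one lesson directory."""
    lesson_dir = Path(lesson_dir)
    problems = []
    if lesson_dir.parent.name != "challenges":
        problems.append("lesson is not inside a 'challenges' directory")
    index = lesson_dir / "index.php"
    if not index.is_file():
        return problems + ["index.php is missing"]
    source = index.read_text(encoding="utf-8", errors="replace")
    match = re.search(r"\bclass\s+(\w+)\s+extends\s+([\\\w]+)", source)
    if match is None:
        return problems + ["index.php declares no class with a parent"]
    # Drop any namespace prefix from the parent class name.
    class_name, parent = match.group(1), match.group(2).split("\\")[-1]
    if parent != "BaseLesson":
        problems.append(f"class {class_name} extends {parent}, not BaseLesson")
    if class_name != lesson_dir.name:
        problems.append(f"directory '{lesson_dir.name}' != class '{class_name}'")
    for method in REQUIRED_METHODS:
        if not re.search(rf"\bfunction\s+{method}\s*\(", source):
            problems.append(f"method {method}() is not defined")
    # Images, scripts and other static content belong under <lesson>/static.
    for path in sorted(lesson_dir.rglob("*")):
        rel = path.relative_to(lesson_dir)
        if path.is_file() and path.suffix.lower() in STATIC_SUFFIXES and rel.parts[0] != "static":
            problems.append(f"static file outside 'static/': {rel}")
    return problems

def demo():
    """Build two constructed lesson directories and check both."""
    body = "".join(f"  public function {m}() {{}}\n" for m in REQUIRED_METHODS)
    good_src = "<?php\nclass SampleXSS extends BaseLesson {\n" + body + "}\n"
    bad_src = "<?php\nclass Sqli extends BaseLesson {\n  public function start() {}\n}\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "challenges"
        for name, src in (("SampleXSS", good_src), ("SQLInjection", bad_src)):
            (root / name / "static").mkdir(parents=True)
            (root / name / "index.php").write_text(src, encoding="utf-8")
        (root / "SQLInjection" / "logo.png").write_bytes(b"")
        return check_lesson(root / "SampleXSS"), check_lesson(root / "SQLInjection")
```

Calling `check_lesson()` on a real lesson directory returns an empty list when all of the checked conventions hold.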


  • Abbas Naderi
  • Johanna Curiel
  • Shivam Dixit
  • Prasham Gupta (Logo)


If you have any questions join the discussion on our mailing list or write an email to: shivam.dixit[at]
