(opens in new window)

OWASP Vulnerable Web Applications Directory

An OWASP production project

A comprehensive registry of known vulnerable web and mobile applications for legal security testing and training.

WebGoatPHP

OWASP port of WebGoat to PHP and MySQL/SQLite. Interactive teaching environment for web application security with lessons as challenges; users exploit the vulnerability to demonstrate understanding. Modes: single, workshop, contest, secure coding.

Collections offline
Technology PHP MySQL SQLite
Categories Guided lessons Single-player
Author OWASP
Stars 153 stars
Last contribution Apr 28, 2025 < 2y
Link Download Download

Notes

Clone to document root; import SQL/webgoat.php; set DB in app/config/application.php. Default guest/guest. Refresh list to show new lessons.

← Back to directory