Developer Getting Started
This page is for tips and tricks for developers who want to build WebGoat themselves and think about contributing to WebGoat.
Development and testing of WebGoat can be done on Microsoft Windows, Apple MacOS or a Linux-based OS. WebGoat is ultimately packaged and released as Java jar files and Docker containers on Docker Hub. The end result should be runnable on all of the mentioned operating systems.
WebGoat also supports multiple languages. The unit tests and integration tests should be able to handle localisation and user zone settings.
Travis is used to test code that is pushed to GitHub. Anyone with a GitHub account can contribute by creating a fork of WebGoat, creating a branch off develop in their local repository and making a cross-repository pull request. This will trigger the Travis build. Pull requests require that the contributor signs an agreement; otherwise the pull request can never be merged.
- Windows, MacOS, Linux operating system (also used in GitHub Actions build pipelines)
- Maven 3.8 or higher
- Java 17 hotspot type
- An IDE will be handy: e.g. Visual Studio Code, Eclipse or IntelliJ. Make sure that the IDE has the extensions to support Lombok.
- (optionally) docker (e.g. Docker Desktop for Windows, MacOS)
- Browser to test manually: Safari, Firefox, Chrome, Edge
When you build or run the application with default settings make sure that the following ports are not in use:
- 8080
- 9090
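A pre-flight check for the requirements and ports listed above, as an added example that is not part of the WebGoat project. The function names and the script name preflight.sh are assumptions; port 9001 is the hsql database port this page mentions for startup, and accepting JDKs newer than 17 is also an assumption.

```shell
#!/bin/sh
# Added example (not WebGoat project code): pre-flight check before `mvn clean install`.
# Requirements and ports (8080, 9090, hsql 9001) are the ones stated on this page.

# Print the major version found in `java -version` output passed as $1.
java_major() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed when the `mvn -v` output passed as $1 reports Maven 3.8 or higher.
maven_ok() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/.*Apache Maven \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    [ -n "$v" ] || return 1
    set -- $v   # $1 = major, $2 = minor
    [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 8 ]; }
}

# Succeed when the socket listing in $1 (ss -ltn or netstat -an output)
# shows a listener on TCP port $2. Matches both "addr:port" and BSD "addr.port".
port_listening() {
    printf '%s\n' "$1" | grep 'LISTEN' | grep -Eq "[.:]$2[[:space:]]"
}

preflight() {
    rc=0
    jm=$(java_major "$(java -version 2>&1)")
    # Assumption: JDKs newer than 17 are accepted; the page only names Java 17.
    [ "${jm:-0}" -ge 17 ] || { echo "Java 17 required, found: ${jm:-none}"; rc=1; }
    maven_ok "$(mvn -v 2>/dev/null)" || { echo "Maven 3.8 or higher required"; rc=1; }
    socks=$(ss -ltn 2>/dev/null || netstat -an 2>/dev/null)
    for p in 8080 9090 9001; do
        if port_listening "$socks" "$p"; then
            echo "port $p is already in use"; rc=1
        fi
    done
    return "$rc"
}

# Run the checks only when asked to, e.g. `sh preflight.sh --run`.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

A non-zero exit status means at least one requirement is missing or one of the ports is already taken by another listener.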
git clone https://github.com/yourgitaccount/WebGoat.git
cd WebGoat
git checkout -b yourbranch
mvn clean install
The Java build results in one ‘executable’ jar file:
- WebGoat in the target directory that looks similar to webgoat-server-v8.2.3-SNAPSHOT.jar
java -jar webgoat-server/target/webgoat-server-v8.2.3-SNAPSHOT.jar
or
mvn spring-boot:run
This starts WebGoat with the UI on http://127.0.0.1:8080/WebGoat and an hsql database on port 9001, which keeps its persistent data in the .webgoat folder. It also starts WebWolf with a UI on http://127.0.0.1:9090/WebWolf, which is connected to the database on port 9001.
When you open WebGoat for the first time, you will see the login screen. If you do not have a username and password, you can use the register function to create a new user. As long as you do not delete the .webgoat folder, that username and your results will still be present the next time you use it, even if you stop and start the application.
At the root level there is an overall parent pom.xml which contains the references to all components of WebGoat and WebWolf. All sources can be found in the src folder:
- src/main: All code for WebGoat and WebWolf and the individual lessons
- src/test: All unit test code for the lessons
- src/it: All integration test code
WebGoat comes with a built-in lesson on how to build your own WebGoat lesson. Make sure you complete this exercise before you try to add a new lesson.