Version 2025.3

🐞 Bug fixes

• Changed URLs imply other exclusion filters for ZAP (#2052)
• XSS lesson stage 12 (2 issues) (#1178)

🔄 Technical tasks

• bump docker/setup-qemu-action from 3.4.0 to 3.6.0 (#2049)
• bump docker/build-push-action from 6.14.0 to 6.15.0 (#2050)

Full change log: v2025.2...v2025.3

Team WebGoat

Version 2025.2

Full change log: v2025.1...v2025.2

🐞 Bug fixes

• Fix SQL advanced lesson assignment 5 (#2047)

Team WebGoat

Version 2025.1

Full change log: v2023.8...v2025.1

🚀 New functionality

• Introduce Playwright for UI testing
• Refactoring of core code

🐞 Bug fixes

• Introduce assignment progress (#2043)
• Add test case for multiple users solving lessons (#2043)
• Register user while already logged in as other user. (#2042)
• Small updates and improvements in HTTP Basic lesson (#2024)
• Improve HTTP basics lesson
• Solve compiler warnings
• Cleanup attack result and builder
• Format all code according to SPDX
• Fixed one invalid solution about CSRF attack (#2010)
• Reset a lesson no longer removes all assignments
• Hint labels showing default text regardless of localization (#1965)
• Automatically solve XSS mitigation (#1957)
• Remove implicit context path guessing (#1956)
• JWT kid/jku lessons (#1949)
• Fix password reset lesson (#1941)
• Fix passing command line arguments (#1933)
• Use banners correctly
• Show boolean operators priority on where (#1902)
• Remove WebGoat session object (#1929)
• Reset form and quiz color on reset lesson (#1903)
• XSS lesson typo
• Copying file using transferTo sometimes fails. (#1862)
• Fix report card (#1845)
• Success if only Smith earn most salary (#1744)
• Update HttpBasics_plan.adoc - fix broken link to https://www.zaproxy.org/ (#1803)
• Move CSRF to A3 (#1776)
• Fix typo in SQLi blind case
• Use $ instead of jQuery which is undefined (#1736)
• Fix hidden links in MissingFunctionAC.html. (#1710)

🔄 Technical tasks

• Lots of dependency updates

Contributors

Special thanks to the following contributors providing us with a pull request:

• François Capon
• GoogTech HackHuang
• Peter Potrowl
• cap-dev0x
• Benjamin Mouncer
• Jeong Rok Suh
• Rui Melo
• Vandeputte Brice

And everyone who provided feedback through Github.

Team WebGoat

Version v2023.8

🚀 New functionality

• Consistent environment values and url references (#1677)
• Show directly requested file in requests overview
• Show creating time in file upload overview

🐞 Bug fixes

• Fix startup message (#1687)
• Fix/state of software supply chain links (#1683)
• Fix WebWolf UI (#1686)

🔄 Technical tasks

• bump actions/setup-java from 3 to 4 (#1690)
• bump commons-io:commons-io from 2.14.0 to 2.15.1 (#1689)
• bump com.diffplug.spotless:spotless-maven-plugin (#1688)

Full change log: v2023.5...v2023.8

Team WebGoat

Version 2023.5

New functionality

• Implement JWT jku example (#1552)
• Java 21 initial support (#1622)
• improve MFAC lesson hint texts for a better user experience (#1424)
• upgrade to Spring Boot version 3 (#1477)

Bug fixes

• typo in WebGoad.txt (#1667)
• search box moved and jwt encode/decode with little delay (#1664)
• skip validation for JWT (#1663)
• fixed issue in JWT test tool and added robot test (#1658)
• Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645)
• fix servers id (#1619)
• potential NPE in the stored XSS assignment
• crypto basics broken links
• fixes the default change in trailing slash matching and address the affected assignments
• hint that was breaking the template, causing hints from different assignments to mix (#1424)
• HijackSession lesson template deprecated Tymeleaf attribute
• Fix NPE in IDOR lesson
• Add new assignment IT tests
• XSS mitigation
• Stored Cross-Site Scripting Lesson
• Add Assignment7 Tests
• Fix IDOR lesson
• remove steps from release script (#1509)
• robotframework fails due to updated dependencies (#1508)
• fix Java image inside Docker file The image now downloads the correct Java version based on the architecture.
• Fix typo of HijackSession_content0.adoc
• Restrict SSRF Regexes
• update challenge code - Flags are now wired through a Spring config - Introduced Flag class - Removed Flags from the FlagController

Full change log: v2023.4...v2023.5

Contributors

Special thanks to the following contributors providing us with a pull request:

• Àngel Ollé Blázquez
• Nanne Baars
• René Zubcevic
• Agustín Díaz
• François Capon
• Loris Sierra
• caputdraconis
• test2user-aqil

And everyone who provided feedback through Github.

Team WebGoat

Version 2023.3

With great pleasure, we present you with a new release of WebGoat 2023.3. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).

A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make
many more releases this year.

New functionality

• New year's resolution(2022): major refactoring of WebGoat to simplify the setup and improve building times.
• Move away from multi-project setup:
  • This has a huge performance benefit when building the application. Build time locally is now Total time: 42.469 s (depends on your local machine of course)
  • No longer add Maven dependencies in several places
  • H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
• More explicit paths in html files to reference adoc files, less magic.
• Integrate WebWolf in WebGoat, the setup was way too complicated and needed configuration which could lead to mistakes and a not working application. This also simplifies the Docker configuration as there is only 1 Docker image.
• Add WebWolf button in WebGoat
• Move all lessons into src/main/resources
• WebGoat selects a port dynamically when starting. It will still start of port 8080 it will try another port to ease the user experience.
• WebGoat logs URL after startup: Please browse to http://127.0.0.1:8080/WebGoat to get started...
• Simplify Dockerfile as we no longer need a script to start everything
• Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build.
• Added Initializable interface for a lesson, an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a reset lesson occurs. See BlindSendFileAssignment for an example.
• Integration tests now use the same user. This saves a lot of time as before every test used a different user which triggered the Flyway migration to set up the database schema for the user. This migration took a lot of time.
• Updated introduction lesson to WebWolf.
• Added language switch for support for multiple languages.
• Removed logic to start WebGoat on a random port when port 8080 is taken. We would loop until we found a free port. We simplified this to just start on the specified port.
• Add Google formatter for all our code, a PR now checks whether the code adheres to the standard.
• Renaming of all packages and folders.
• #1039 New OWASP Top 10
• #1065 New lesson about logging

Bug fixes

• #1193 Vulnerable component lesson - java.desktop does not "opens java.beans" to unnamed module
• #1176 Minor: XXE lesson 12 patch not reset by 'lesson reset' while it IS reset by leaving/returning to lesson
• #1134 "Exploiting XStream" assignment does not work
• #1130 Typo: Using Indrect References
• #1101 SQL lesson not correct
• #1079 startup.sh issues of WebWolf - cannot connect to the WebGoat DB
• #1379 Move XXE to A05:2021-Security Misconfiguration
• #1298 SocketUtils is deprecated and will be removed in Spring Security 6
• #1248 Rewrite the WebWolf Introduction Lesson with the new changes
• #1200 Type cast error in sample code at JWT token section
• #1173 --server.port=9000 is not respected on Windows (both cmd as Powershell)
• #1103 (A1) path traversel lesson 7 seems broken
• #986 - User registration not persistant

Full change log: v8.2.2...v2023.3

Contributors

Special thanks to the following contributors providing us with a pull request:

And everyone who provided feedback through Github.

Team WebGoat

Version 2023.2

With great pleasure, we present you with a new release of WebGoat 2023.2. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).

A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make
many more releases this year.

New functionality

• New year's resolution(2022): major refactoring of WebGoat to simplify the setup and improve building times.
• Move away from multi-project setup:
  • This has a huge performance benefit when building the application. Build time locally is now Total time: 42.469 s (depends on your local machine of course)
  • No longer add Maven dependencies in several places
  • H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
• More explicit paths in html files to reference adoc files, less magic.
• Integrate WebWolf in WebGoat, the setup was way too complicated and needed configuration which could lead to mistakes and a not working application. This also simplifies the Docker configuration as there is only 1 Docker image.
• Add WebWolf button in WebGoat
• Move all lessons into src/main/resources
• WebGoat selects a port dynamically when starting. It will still start of port 8080 it will try another port to ease the user experience.
• WebGoat logs URL after startup: Please browse to http://127.0.0.1:8080/WebGoat to get started...
• Simplify Dockerfile as we no longer need a script to start everything
• Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build.
• Added Initializable interface for a lesson, an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a reset lesson occurs. See BlindSendFileAssignment for an example.
• Integration tests now use the same user. This saves a lot of time as before every test used a different user which triggered the Flyway migration to set up the database schema for the user. This migration took a lot of time.
• Updated introduction lesson to WebWolf.
• Added language switch for support for multiple languages.
• Removed logic to start WebGoat on a random port when port 8080 is taken. We would loop until we found a free port. We simplified this to just start on the specified port.
• Add Google formatter for all our code, a PR now checks whether the code adheres to the standard.
• Renaming of all packages and folders.
• #1039 New OWASP Top 10
• #1065 New lesson about logging

Bug fixes

• #1193 Vulnerable component lesson - java.desktop does not "opens java.beans" to unnamed module
• #1176 Minor: XXE lesson 12 patch not reset by 'lesson reset' while it IS reset by leaving/returning to lesson
• #1134 "Exploiting XStream" assignment does not work
• #1130 Typo: Using Indrect References
• #1101 SQL lesson not correct
• #1079 startup.sh issues of WebWolf - cannot connect to the WebGoat DB
• #1379 Move XXE to A05:2021-Security Misconfiguration
• #1298 SocketUtils is deprecated and will be removed in Spring Security 6
• #1248 Rewrite the WebWolf Introduction Lesson with the new changes
• #1200 Type cast error in sample code at JWT token section
• #1173 --server.port=9000 is not respected on Windows (both cmd as Powershell)
• #1103 (A1) path traversel lesson 7 seems broken
• #986 - User registration not persistant

Full change log: v8.2.2...v2023.2

Contributors

Special thanks to the following contributors providing us with a pull request:

And everyone who provided feedback through Github.

Team WebGoat

Version v8.2.1

New functionality

• New Docker image for arm64 architecture is now available (for Apple M1)