Web application security is difficult to learn and practice. Very few people have full blown web applications like online book stores or online banks that can be used to search for vulnerabilities. In addition, security professionals frequently need to test tools against a known vulnerable platform to ensure they perform as advertised. All of this needs to happen in a safe and legal environment; we believe you should never attempt to find vulnerabilities without permission, even if your intentions are good.
WebGoat is a full J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local system. The system is even clever enough to provide hints and show the user cookies, parameters and the underlying Java code if they choose. Examples of lessons include SQL injection to a fake credit card database, where the user creates the attack and steals the credit card numbers.
The WebGoat project goals are simply to create the de-facto interactive teaching environment for web security. Eventually the project may consider extending WebGoat to become an assessment tools benchmarking platform and a Java based Web site HoneyPot.
For full information and download visit
http://www.owasp.org/software/webgoat.html