WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed by OWASP. In each challenge the user must exploit the real vulnerability to demonstrate their understanding. The application is a realistic teaching environment and supports four different modes.

Single-User Mode

Browse all the lessons that are available. You can view hints and submit solutions. This mode is suitable for individuals who want a hands-on experience with various security flaws.

Workshop Mode

It has a centralized control system through which a lecturer controls options such as challenge selection and hints. This mode provides an ideal collaborative learning environment.

Contest (CTF) Mode

Take part in a live CTF contest. You are required to sign up before you can take part in a contest.

Secure Coding Mode

Patch security vulnerabilities and learn about secure coding practices. You are required to modify vulnerable source code in such a way that the vulnerability no longer exists.