Webgoat is pretty cool! It’s a good idea, and to a large part it delivers what it promises. My main gripes:
- Some of the lessons listed are actually not available, they aren’t implemented yet. A bit disappointing to first see the long list and then being cheated out of about 5 of them.
- I didn’t get one of the lessons to complete, the one on dangerous XSS. I’m not sure but I think the reason was I’m not using a browser made by Microsoft.
- One lesson, the one with the admin interface, I didn’t finish. The hints were utterly useless (what source should I follow?). After looking both in the source in WebGoat and in WebGoat’s CVS repo (you don’t have to play fair when breaking things you know) I was even more confused.
Many lessons are somewhat simplistic and naive, I don’t doubt people still make those mistakes though. I’d say WebGoat is a nice, short, introduction to hands-on playing with web vulnerabilities.
The maybe most valuable thing about WebGoat is that it suggests using WebScarab.