Web application security principles, methods and technologies are a challenge to learn. Encoding types, scripting languages, HTML/XML concepts, AJAX, and more, all need to be understood, not only from a developer's perspective, but also from the perspective of the attacker. The challenge is that it is very hard to find a safe infrastructure on which you can gain an understanding of all these technologies and how they can be exploited. Thankfully, OWASP has put together an excellent learning tool known as WebGoat.
WebGoat

WebGoat is the result of an effort led by the OWASP group to help web developers and security professionals understand web application security. It is a self-contained learning environment through which people can come to terms with the many security issues that are found in web applications. Ironically, this is accomplished through a very, very insecure web application that uses a Java backend to parse the incoming exploits and output the results. Unlike other web application security training tools, such as Foundstone's Hackme series and Badstore, WebGoat was primarily designed to be an educational tool. While the other training applications are valuable learning environments, WebGoat takes the learning aspect to the next level by including lesson plans, a report card, project hints, and even a "final exam" that tests the student's collective knowledge.