This is not a real howto, just some hints to let you play with WebGoat in BT4.
First download WebGoat from this link and visit the OWASP WebGoat pages for more info about WebGoat.
Next you have to install p7zip to extract the archive; you can do this with the apt package manager from the console by running
apt-get install p7zip
and then extract the archive using
p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z
You can leave it in your root folder, but if you like "clean desktops" move it inside /pentest/web/webgoat; you can do this from the terminal with
mv WebGoat-5.3_RC1/* /pentest/web/webgoat
Now make /pentest/web/webgoat/webgoat.sh executable with
chmod +x /pentest/web/webgoat/webgoat.sh
and then install openjdk-6-jre and openjdk-6-jdk with apt:
apt-get install openjdk-6-jre openjdk-6-jdk
Now you can run WebGoat on port 80 or 8080 by running
sh /pentest/web/webgoat/webgoat.sh start80
or
sh /pentest/web/webgoat/webgoat.sh start8080
and to stop Tomcat and WebGoat use
sh /pentest/web/webgoat/webgoat.sh stop
Open up Firefox and connect to http://127.0.0.1/webgoat/attack or http://127.0.0.1:8080/webgoat/attack, according to the port you used to run Tomcat. The username and password are both guest.
OWASP provides some interesting reading; you can find it on the OWASP wiki and on the books page.
Hope this helps noobs like me who want to learn something about webapp security.
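The steps above wrapped in a small POSIX shell script, as an added example (not part of the original post or of the WebGoat project): the paths, archive name and the start80/start8080 targets are the ones the post uses; the mkdir -p before the move, the -y on apt-get and the rejection of any port other than 80 or 8080 are this script's own assumptions. Because WebGoat is deliberately vulnerable, the URL helper only ever builds loopback (127.0.0.1) addresses, matching how the post reaches it.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the WebGoat/BT4 steps in
# functions so they can be rerun or sourced. Paths follow the post; the
# mkdir -p, apt-get -y and the port check are assumptions of this script.

WEBGOAT_HOME=/pentest/web/webgoat              # install location from the post
WEBGOAT_ARCHIVE=WebGoat-OWASP_Standard-5.3_RC1.7z
WEBGOAT_EXTRACTED=WebGoat-5.3_RC1             # directory the archive unpacks to

# Map the two ports the post mentions to the matching webgoat.sh target.
# Anything else is rejected: webgoat.sh only knows start80 and start8080.
webgoat_start_target() {
    case "$1" in
        80)   echo start80 ;;
        8080) echo start8080 ;;
        *)    echo "unsupported port: $1 (use 80 or 8080)" >&2; return 1 ;;
    esac
}

# Build the lesson URL for a port. Always loopback, since WebGoat is
# intentionally insecure and should not be reachable from other hosts.
webgoat_url() {
    webgoat_start_target "$1" >/dev/null || return 1
    if [ "$1" = 80 ]; then
        echo "http://127.0.0.1/webgoat/attack"      # port 80 is implicit
    else
        echo "http://127.0.0.1:$1/webgoat/attack"
    fi
}

# Install step: run as root from the directory that holds the archive.
webgoat_install() {
    apt-get install -y p7zip openjdk-6-jre openjdk-6-jdk || return 1
    p7zip -d "$WEBGOAT_ARCHIVE" || return 1
    mkdir -p "$WEBGOAT_HOME"                   # assumption: may not exist yet
    mv "$WEBGOAT_EXTRACTED"/* "$WEBGOAT_HOME"/ || return 1
    chmod +x "$WEBGOAT_HOME/webgoat.sh"
}

# Start Tomcat/WebGoat on a validated port and print where to log in.
webgoat_start() {
    target=$(webgoat_start_target "$1") || return 1
    sh "$WEBGOAT_HOME/webgoat.sh" "$target" || return 1
    echo "WebGoat is up; log in as guest/guest at $(webgoat_url "$1")"
}

webgoat_stop() {
    sh "$WEBGOAT_HOME/webgoat.sh" stop
}

# Usage: sh webgoat-bt4.sh install | start [80|8080] | stop
# With no sub-command nothing runs, so the file can also be sourced.
case "${1:-}" in
    install) webgoat_install ;;
    start)   webgoat_start "${2:-8080}" ;;
    stop)    webgoat_stop ;;
    "")      ;;
    *)       echo "usage: $0 install | start [80|8080] | stop" >&2; exit 2 ;;
esac
```

Only the install and start functions touch the system; the target and URL helpers are pure, so a typo such as `start 8000` fails before webgoat.sh is ever called.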