I've been struggling over the last couple of days to install the OWASP Webgoat project in Backtrack. I wanted the Web App nicely installed alongside Burp Suite on my USB stick so that I could practice Web Hacking on the go.

I put together some notes as I went along and thought I would post them here in case they're of any use to others.

To install Webgoat under Backtrack you must download the Sun Java 6 JDK through synaptic. Be aware that this will probably break Burp Suite. You'll need to change the way Burp is launched later.

Make sure you set the JAVA_HOME environment variable in the /etc/bash.bashrc file:

kate /etc/bash.bashrc
export JAVA_HOME=/usr/lib/jvm/java-6-sun-

Next, download the Webgoat 5.2 zip file and unpack to a directory on the system. I put webgoat under /pentest/web/webgoat/

chmod 755 the webgoat.sh script. There's a problem with this script though; it checks for JDK 1.5 when the war deployment seems to need 1.6. I just commented out the conditional statement near the top of the script, where it checks the version.

From the webgoat directory launch webgoat with the following command:

./webgoat.sh start80

Stop the server with:

./webgoat.sh stop

Fix Burp by supplying the fully qualified path to the JRE 1.5:

sh -c "cd /pentest/web/burpsuite;/usr/lib/jvm/java-1.5.0-sun- -jar burpsuite.jar"
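
The notes above leave two JVMs on one system: 1.6 for WebGoat and 1.5 for Burp. As an added example (not part of the original post), this shell wrapper selects the JVM per tool and checks the version it reports before launching, instead of relying on one global JAVA_HOME. The function names and the JDK6_DIR/JDK5_DIR placeholders are assumptions, since the JVM paths in the post are cut off.

```shell
#!/bin/sh
# Added example: per-tool JVM selection, so a single global JAVA_HOME does
# not decide which Java both WebGoat and Burp get.

# Print the "major.minor" version (e.g. 1.6) reported by the JVM under $1.
jvm_version() {
    jdk_dir=$1
    [ -x "$jdk_dir/bin/java" ] || return 1
    # `java -version` writes to stderr; constructed sample line:
    #   java version "1.6.0_20"
    "$jdk_dir/bin/java" -version 2>&1 |
        sed -n 's/.*version "\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Run a command with JAVA_HOME and PATH pointing at $1, but only if that
# JVM reports version $2. Usage: with_jdk JDK_DIR WANTED_VERSION CMD [ARGS...]
with_jdk() {
    jdk_dir=$1; wanted=$2; shift 2
    found=$(jvm_version "$jdk_dir") || {
        echo "no java binary under $jdk_dir" >&2; return 2; }
    if [ "$found" != "$wanted" ]; then
        echo "$jdk_dir is Java ${found:-unknown}, wanted $wanted" >&2
        return 3
    fi
    # Subshell: the environment change does not leak into the caller.
    ( JAVA_HOME=$jdk_dir PATH=$jdk_dir/bin:$PATH; export JAVA_HOME PATH; "$@" )
}

# Placeholders (assumption): set these to the real JVM directories.
JDK6_DIR=${JDK6_DIR:-/path/to/jdk-1.6}
JDK5_DIR=${JDK5_DIR:-/path/to/jre-1.5}

# Hypothetical launchers using the install locations named in the post.
start_webgoat() {
    ( cd /pentest/web/webgoat && with_jdk "$JDK6_DIR" 1.6 ./webgoat.sh start80 )
}
start_burp() {
    ( cd /pentest/web/burpsuite && with_jdk "$JDK5_DIR" 1.5 java -jar burpsuite.jar )
}
```

Source the file and call start_webgoat or start_burp; a non-zero return (2 or 3) means the JVM directory is missing or is not the version that tool needs.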