Firstly for those of you not familiar with WebGoat, it "is a full J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local system"

I had some issues setting it up as it is not as well documented as it could be. To set it up on Windows:

• Download WebGoat with Java (48MB), other versions don't seem to work as well.
  
• Unzip and run the batch file.
  
• Make sure nothing is running on port 80 or it will fail.
• Username: guest & password: guest
  

I had this running in a fully patched W2K SP4 VMWare session. I run VNC in my VM sessions, and logged into the machine itself and tried to run http://localhost/WebGoat/attack or http://127.0.0.1/WebGoat/attack I got basic auth dialogue box, and input the credentials guest and guest (as discovered on the OWASP mailing list).

Could not get to work, BUT remotely from another machine on the network with same credentials it worked fine (ie http://10.0.0.52/WebGoat/attack) which is how I would use anyway.