WebScarab is written in Java, so install Java first if you don't have it.
WebScarab is a bit old, but simpler and less
confusing than more modern and advanced tools, such as
OWASP ZAP (free and open source) or Burp Suite (commercial, but with a free trial license).
You can use these alternative tools instead, if you want, or give
them a try.
To install WebScarab
Configuring your browser to use WebScarab as proxy
WebScarab listens to port 8008, so you have to configure
your web browser to use port 8008 on localhost.
To do this in Firefox, go to
Options -> Advanced -> Network -> Settings,
set the proxy to localhost with port 8008, and press OK.
An example network settings page in Firefox is shown below.
NB: check that at the bottom of the Settings screen there are no
entries under "No proxy for". In particular, localhost must
not be listed there, otherwise WebScarab won't intercept the
traffic to localhost, which includes the traffic to WebGoat.
WebScarab has two user interfaces: the simple (lite) version and
the fully-fledged one with all the features. In the
Intercept/Proxy tab you can choose to intercept requests and/or
responses. This means that you can view, edit and optionally
discard an outgoing HTTP request to the server (after it has
left your browser and before it reaches the server, in this
case the WebGoat server), or an incoming HTTP response sent by
the server before it enters your browser.
If you choose to intercept requests, a new WebScarab window
will open for every HTTP request. In this window you can inspect
the request (either in raw, unparsed form or in a more readable,
parsed format), edit the request before passing it on,
or abort the request (which means it is discarded).
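The intercept behaviour described above, as an added example that is not part of the original page or of WebScarab's code: a minimal intercepting proxy built only from Python's standard library, with a constructed stand-in for the WebGoat server so that the whole thing runs offline on loopback ports. It also covers the "No proxy for" caveat from the proxy-configuration section: bypassed() applies the rule urllib uses for the no_proxy environment variable to a bypass list, which approximates what a browser's bypass list does. The hook names intercept_request and intercept_response, the /blocked path and the X-Intercepted and X-Proxy-Seen headers are assumptions made for this illustration.

```python
# Added illustration, not WebScarab code: a minimal intercepting HTTP proxy plus a
# stand-in target server, both on ephemeral loopback ports so it runs offline.
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment  # CPython's no_proxy rule

LOG = []  # everything the proxy has seen, in order (the "intercept window")


class UpstreamHandler(BaseHTTPRequestHandler):
    """Stand-in target server (constructed): echoes the request it received."""
    log_message = lambda self, *args: None  # keep the console quiet
    def do_GET(self):
        body = json.dumps({"path": self.path, "headers": dict(self.headers)}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def intercept_request(method, url, headers):
    """Hypothetical hook: runs after the request left the client and before it
    is forwarded. Returns (method, url, headers) to send on, or None to abort."""
    if urlsplit(url).path.startswith("/blocked"):
        return None
    headers = dict(headers)
    headers["X-Intercepted"] = "yes"  # an edit made to the outgoing request
    return method, url, headers


def intercept_response(status, headers, body):
    """Hypothetical hook: runs on the server's response before the client sees it."""
    headers = dict(headers)
    headers["X-Proxy-Seen"] = "yes"
    return status, headers, body


class InterceptingProxyHandler(BaseHTTPRequestHandler):
    """Forward proxy: a client configured to use it sends absolute URLs."""
    SKIP = {"content-length", "transfer-encoding", "connection"}
    log_message = lambda self, *args: None
    def do_GET(self):
        LOG.append(("request", self.command, self.path))
        decision = intercept_request(self.command, self.path, self.headers)
        if decision is None:
            self.send_error(403, "request aborted by proxy")
            return
        method, url, headers = decision
        headers.pop("Proxy-Connection", None)
        target = urlsplit(url)
        conn = http.client.HTTPConnection(target.hostname, target.port, timeout=5)
        conn.request(method, target.path or "/", headers=headers)
        resp = conn.getresponse()
        status, hdrs, body = intercept_response(resp.status, resp.getheaders(), resp.read())
        conn.close()
        LOG.append(("response", status))
        self.send_response_only(status)  # pass the upstream Server/Date headers through
        for name, value in hdrs.items():
            if name.lower() not in self.SKIP:
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler):
    """Serve on an ephemeral loopback port from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_via_proxy(proxy_port, url):
    """Send a proxy-style GET (absolute URL) straight to the proxy port."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request("GET", url, headers={"Host": urlsplit(url).netloc})
    resp = conn.getresponse()
    result = (resp.status, dict(resp.getheaders()), resp.read())
    conn.close()
    return result


def bypassed(host, no_proxy):
    """Would a 'No proxy for' list such as "localhost, 127.0.0.1" make the
    client skip the proxy for this host? Same rule urllib applies to no_proxy."""
    return proxy_bypass_environment(host, {"no": no_proxy})


def demo():
    """One intercepted-and-edited request and one aborted request."""
    upstream = start_server(UpstreamHandler)
    proxy = start_server(InterceptingProxyHandler)
    base = f"http://127.0.0.1:{upstream.server_address[1]}"
    ok = fetch_via_proxy(proxy.server_address[1], base + "/WebGoat/attack")
    blocked = fetch_via_proxy(proxy.server_address[1], base + "/blocked/secret")
    upstream.shutdown(); proxy.shutdown()
    return {"status": ok[0], "response_headers": ok[1], "echo": json.loads(ok[2]),
            "blocked_status": blocked[0]}
```

Running demo() shows the first request reaching the stand-in server with the header the proxy added and the response coming back tagged, while the second request never reaches the server and the client sees a 403 instead. bypassed("localhost", "localhost, 127.0.0.1") returns True, which is exactly why a localhost entry in the browser's bypass list makes WebGoat traffic invisible to the proxy.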
More info about WebScarab is at the OWASP WebScarab site.