Difference between revisions of "Lesson Plans"
From OWASP
Changes to the lesson-plan table between the two revisions (old-revision line numbers on the left, new-revision line numbers on the right; "+" marks a line added in the new revision, "−" a line present only in the old one; all other lines are unchanged context):

Line 4 / Line 4:
  The current lesson plans included in this release of WebGoatv5 include:
  {| border=1
+ |-
  || Http Basics
  |-

Line 23 / Line 24:
  |-
  || How to Bypass a Path Based Access Control Scheme
+ |-
+ || LAB: Role based Access Control
  |-
  || Using an Access Control Matrix

Line 33 / Line 36:
  |-
  || Basic Authentication
+ |-
+ || LAB: Cross Site Scripting
+ |-
+ || How to Perform Stored Cross Site Scripting (XSS)
+ |-
+ || How to Perform Reflected Cross Site Scripting (XSS)
+ |-
+ || How to Perform Cross Site Trace Attacks (XSS)
+ |-
+ || Buffer Overflow (TBD)
  |-
  || How to Perform Cross Site Trace Attacks

Line 42 / Line 55:
  || HttpOnly Test
  |-
− || How to Perform
+ || How to Perform Command Injection
  |-
− || How to Perform
+ || How to Perform Parameter Injection
  |-
  || How to Perform Blind SQL Injection
  |-
  || How to Perform Numeric SQL Injection
+ |-
+ || How to Perform String SQL Injection
  |-
  || How to Perform Log Spoofing

Line 54 / Line 69:
  || How to Perform XPATH Injection Attacks
  |-
− ||
+ || LAB: SQL Injection
  |-
  || How to Bypass a Fail Open Authentication Scheme

Line 77 / Line 92:
  |-
  || The Challenge
+ |-
+ ||
  |-
  |}
Revision as of 02:06, 24 December 2006
WebGoat User Guide Table of Contents
The current lesson plans included in this release of WebGoatv5 include:

- Http Basics
- HTTP Splitting and Cache Poisoning
- How to Exploit Thread Safety Problems
- How to Discover Clues in the HTML
- How to Exploit Hidden Fields
- How to Exploit Unchecked Email
- How to Bypass Client Side JavaScript Validation
- How to Force Browser Web Resources
- How to Bypass a Role Based Access Control Scheme
- How to Bypass a Path Based Access Control Scheme
- LAB: Role based Access Control
- Using an Access Control Matrix
- How to Exploit the Forgot Password Page
- How to Spoof an Authentication Cookie
- How to Hijack a Session
- Basic Authentication
- LAB: Cross Site Scripting
- How to Perform Stored Cross Site Scripting (XSS)
- How to Perform Reflected Cross Site Scripting (XSS)
- How to Perform Cross Site Trace Attacks (XSS)
- Buffer Overflow (TBD)
- How to Perform Cross Site Trace Attacks
- How to Perform Stored Cross Site Scripting
- How to Perform Reflected Cross Site Scripting
- HttpOnly Test
- How to Perform Command Injection
- How to Perform Parameter Injection
- How to Perform Blind SQL Injection
- How to Perform Numeric SQL Injection
- How to Perform String SQL Injection
- How to Perform Log Spoofing
- How to Perform XPATH Injection Attacks
- LAB: SQL Injection
- How to Bypass a Fail Open Authentication Scheme
- How to Perform Basic Encoding
- Denial of Service from Multiple Logins
- How to Create a SOAP Request
- How to Perform WSDL Scanning
- How to Perform Web Service SAX Injection
- How to Perform Web Service SQL Injection
- How to Perform DOM Injection Attack
- How to Perform XML Injection Attacks
- How to Add a New Lesson
- The Challenge
For each lesson within WebGoat, an overview and objectives are provided. These are accessed through the Show Lesson Plan button.
These lesson plans describe the operation of each aspect of the target application, the areas of interest relating to the security assessment and the type of attack that should be attempted.