Difference between revisions of "OWASP WebGoat Project Roadmap"
From OWASP
(4 intermediate revisions by 2 users not shown)

Line 1:
− The project's overall goal is to...
+ <webgoat/>The project's overall goal is to...
  Be the defacto standard web application security training environment

Line 6:
  # Demonstrate most common web application security vulnerabilities
− #
+ # Add educational support for secure coding practices
+ # Enhance enterprise lesson tracking
  # Attract more contributions of lessons
− (empty line)
  # Revisit existing lesson base to standardize lesson theme.
+ # Increase ease-of-use and expand user base
  Here are the current tasks defined to help us achieve these goals
  '''Architectural'''
− *
+ * Replace basic authentication with forms based authentication
  * Rewrite all lessons to follow common theme using common database
  * Rewrite user administration to allow better user management (non-hackable)

Line 22 (old) / Line 23 (new):
  '''General'''
  * General security cleanup. Remove exploits that are not lesson specific
− *
+ * Remove non working lessons
− *
+ *
− (empty line)
− (empty line)
− (empty line)
− (empty line)
− (empty line)
  '''New Lessons'''
  * Server side forward allows access to WEB-INF resources
  * Account enumeration using webscarab
− (empty line)
  * SQLException lesson - could tie into overall error handling
  * XML attacks - Entity recursion, ...
Latest revision as of 15:50, 4 January 2011
The project's overall goal is to...
Be the de facto standard web application security training environment
In the near term, we are focused on the following tactical goals...
- Demonstrate most common web application security vulnerabilities
- Add educational support for secure coding practices
- Enhance enterprise lesson tracking
- Attract more contributions of lessons
- Revisit existing lesson base to standardize lesson theme.
- Increase ease-of-use and expand user base
Here are the current tasks defined to help us achieve these goals:
Architectural
- Replace basic authentication with forms-based authentication
- Rewrite all lessons to follow common theme using common database
- Rewrite user administration to allow better user management (non-hackable)
- Fix Logoff
- Defuse all lessons to disallow inadvertent harm to the user's OS
General
- General security cleanup. Remove exploits that are not lesson-specific
- Remove non-working lessons
New Lessons
- Server-side forward allows access to WEB-INF resources
- Account enumeration using WebScarab
- SQLException lesson - could tie into overall error handling
- XML attacks - Entity recursion, ...
For more information contact Bruce Mayhew at webgoat at owasp dot org