This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP WebGoat Project Roadmap"
From OWASP
| (5 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | The project's overall goal is to... | + | <webgoat/>The project's overall goal is to... |
Be the defacto standard web application security training environment | Be the defacto standard web application security training environment | ||
| Line 6: | Line 6: | ||
# Demonstrate most common web application security vulnerabilities | # Demonstrate most common web application security vulnerabilities | ||
| − | # | + | # Add educational support for secure coding practices |
| + | # Enhance enterprise lesson tracking | ||
# Attract more contributions of lessons | # Attract more contributions of lessons | ||
| + | # Revisit existing lesson base to standardize lesson theme. | ||
| + | # Increase ease-of-use and expand user base | ||
Here are the current tasks defined to help us achieve these goals | Here are the current tasks defined to help us achieve these goals | ||
| − | * | + | '''Architectural''' |
| − | * | + | * Replace basic authentication with forms based authentication |
| + | * Rewrite all lessons to follow common theme using common database | ||
| + | * Rewrite user administration to allow better user management (non-hackable) | ||
| + | * Fix Logoff | ||
| + | * Defuse all lessons to disallow inadvertent harm to user's OS | ||
| − | + | '''General''' | |
| + | * General security cleanup. Remove exploits that are not lesson specific | ||
| + | * Remove non working lessons | ||
| + | * | ||
| + | |||
| + | '''New Lessons''' | ||
| + | * Server side forward allows access to WEB-INF resources | ||
| + | * Account enumeration using webscarab | ||
| + | * SQLException lesson - could tie into overall error handling | ||
| + | * XML attacks - Entity recursion, ... | ||
| + | |||
| + | For more information contact Bruce Mayhew at webgoat at owasp dot org | ||
[[Category:OWASP WebGoat Project]] | [[Category:OWASP WebGoat Project]] | ||
Latest revision as of 15:50, 4 January 2011
<webgoat/>The project's overall goal is to...
Be the defacto standard web application security training environment
In the near term, we are focused on the following tactical goals...
- Demonstrate most common web application security vulnerabilities
- Add educational support for secure coding practices
- Enhance enterprise lesson tracking
- Attract more contributions of lessons
- Revisit existing lesson base to standardize lesson theme.
- Increase ease-of-use and expand user base
Here are the current tasks defined to help us achieve these goals
Architectural
- Replace basic authentication with forms based authentication
- Rewrite all lessons to follow common theme using common database
- Rewrite user administration to allow better user management (non-hackable)
- Fix Logoff
- Defuse all lessons to disallow inadvertent harm to user's OS
General
- General security cleanup. Remove exploits that are not lesson specific
- Remove non working lessons
New Lessons
- Server side forward allows access to WEB-INF resources
- Account enumeration using webscarab
- SQLException lesson - could tie into overall error handling
- XML attacks - Entity recursion, ...
For more information contact Bruce Mayhew at webgoat at owasp dot org
