This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "OWASP WebGoat Project Roadmap"
From OWASP
Line 8:
  # Increase ease-of-use and expand userbase
  # Attract more contributions of lessons
+
+ # Revisit existing lesson base to standardize lesson theme.
  Here are the current tasks defined to help us achieve these goals
− *
− *
+ '''Architectural'''
+ * Convert lessons to struts framework (Major effort)
+ * Rewrite all lessons to follow common theme using common database
+ * Rewrite user administration to allow better user management (non-hackable)
+ * Fix Logoff
+ * Defuse all lessons to disallow inadvertent harm to user's OS
+
+ '''General'''
+ * General security cleanup. Remove exploits that are not lesson specific
+ * Denial of service lesson rewrite
+ * Bypass client side javascript lesson rewrite
+ * Improve using an access control matrix lesson
+ * Improve encoding basics lesson
+ * Improve thread safety lesson
+ * Cross site trace only works in older browsers
+ * Improve CSRF lesson
+
+ '''New Lessons'''
+ * Server side forward allows access to WEB-INF resources
+ * Account enumeration using webscarab
+ * Buffer overflow
+ * SQLException lesson - could tie into overall error handling
+ * XML attacks - Entity recursion, ...
−
+ For more information contact Bruce Mayhew at webgoat at owasp dot org
  [[Category:OWASP WebGoat Project]]
Revision as of 14:00, 8 October 2007
The project's overall goal is to...
Be the de facto standard web application security training environment
In the near term, we are focused on the following tactical goals...
- Demonstrate most common web application security vulnerabilities
- Increase ease-of-use and expand userbase
- Attract more contributions of lessons
- Revisit existing lesson base to standardize lesson theme.
Here are the current tasks defined to help us achieve these goals
Architectural
- Convert lessons to struts framework (Major effort)
- Rewrite all lessons to follow common theme using common database
- Rewrite user administration to allow better user management (non-hackable)
- Fix Logoff
- Defuse all lessons to disallow inadvertent harm to user's OS
General
- General security cleanup. Remove exploits that are not lesson specific
- Denial of service lesson rewrite
- Bypass client side javascript lesson rewrite
- Improve using an access control matrix lesson
- Improve encoding basics lesson
- Improve thread safety lesson
- Cross site trace only works in older browsers
- Improve CSRF lesson
New Lessons
- Server side forward allows access to WEB-INF resources
- Account enumeration using webscarab
- Buffer overflow
- SQLException lesson - could tie into overall error handling
- XML attacks - Entity recursion, ...
For more information contact Bruce Mayhew at webgoat at owasp dot org