This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Section 4: Mitigating the WebGoat lessons"
(TOC) |
(→Project metrics: add content) |
||
| Line 1: | Line 1: | ||
| + | === Project metrics === | ||
| + | |||
| + | See Section 2 for the WebGoat lesson Table of Contents, and an overview of the results from doing the WebGoat lessons. Appendix A has links to all of the lesson solutions which were taken from WebGoat. | ||
| + | |||
| + | Out of 51 possible lessons, the following are teaching lessons, not vulnerabilities, and therefore have no context for ModSecurity rules: | ||
| + | * 1.1 Http Basics | ||
| + | * 4.1 Password Strength | ||
| + | * 15.3 Bypass Client Side JavaScript Validation | ||
| + | * 17.1 Create a SOAP Request | ||
| + | |||
| + | Therefore there is a total number of 47 lessons to do; half is 24 so that was the goal of the first 50% of project completion. The lowest hanging fruit was taken first because considerable effort was put into: (1) setup and configuration of the environment; (2) getting familiar with WebGoat and taking all of the lessons; (3) learning ModSecurity (and Remo); (4) re-learning regular expressions; (5) learning Lua script; and (6) developing an efficient work methodology. | ||
| − | + | The total number of sublessons mitigated by ModSecurity rules: 25 - thereby achieving the goal of at least 50% of sublessons mitigated. | |
| + | |||
| + | They are: | ||
| + | * Sublesson 1.2 | ||
| + | * Sublesson 2.4 | ||
| + | * Sublessons 4.2, 4.4, 4.5 | ||
| + | * Sublesson 6.1 | ||
| + | * Sublessons 8.1, 8.2, 8.4, 8.5, 8.7 | ||
| + | * Sublesson 10.1 | ||
| + | * Sublessons 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7, 11.8 | ||
| + | * Sublesson 13.1 | ||
| + | * Sublessons 15.1, 15.2 | ||
| + | * Sublessons 17.3, 17.4 | ||
=== Overall strategy === | === Overall strategy === | ||
Revision as of 09:16, 24 July 2008
Project metrics
See Section 2 for the WebGoat lesson Table of Contents, and an overview of the results from doing the WebGoat lessons. Appendix A has links to all of the lesson solutions which were taken from WebGoat.
Out of 51 possible lessons, the following are teaching lessons, not vulnerabilities, and therefore have no context for ModSecurity rules:
- 1.1 Http Basics
- 4.1 Password Strength
- 15.3 Bypass Client Side JavaScript Validation
- 17.1 Create a SOAP Request
Therefore there is a total number of 47 lessons to do; half is 24 so that was the goal of the first 50% of project completion. The lowest hanging fruit was taken first because considerable effort was put into: (1) setup and configuration of the environment; (2) getting familiar with WebGoat and taking all of the lessons; (3) learning ModSecurity (and Remo); (4) re-learning regular expressions; (5) learning Lua script; and (6) developing an efficient work methodology.
The total number of sublessons mitigated by ModSecurity rules: 25 - thereby achieving the goal of at least 50% of sublessons mitigated.
They are:
- Sublesson 1.2
- Sublesson 2.4
- Sublessons 4.2, 4.4, 4.5
- Sublesson 6.1
- Sublessons 8.1, 8.2, 8.4, 8.5, 8.7
- Sublesson 10.1
- Sublessons 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7, 11.8
- Sublesson 13.1
- Sublessons 15.1, 15.2
- Sublessons 17.3, 17.4
