This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP WebGoat Project Roadmap
From OWASP
<webgoat/>The project's overall goal is to...
Be the defacto standard web application security training environment
In the near term, we are focused on the following tactical goals...
- Demonstrate most common web application security vulnerabilities
- Increase ease-of-use and expand userbase
- Attract more contributions of lessons
- Revisit existing lesson base to standardize lesson theme.
Here are the current tasks defined to help us achieve these goals
Architectural
- Convert lessons to struts framework (Major effort)
- Rewrite all lessons to follow common theme using common database
- Rewrite user administration to allow better user management (non-hackable)
- Fix Logoff
- Defuse all lessons to disallow inadvertent harm to user's OS
General
- General security cleanup. Remove exploits that are not lesson specific
- Denial of service lesson rewrite
- Bypass client side JavaScript lesson rewrite
- Improve using an access control matrix lesson
- Improve encoding basics lesson
- Cross Site Trace (XST) only works in older browsers
- Improve CSRF lesson
New Lessons
- Server side forward allows access to WEB-INF resources
- Account enumeration using webscarab
- Buffer overflow
- SQLException lesson - could tie into overall error handling
- XML attacks - Entity recursion, ...
For more information contact Bruce Mayhew at webgoat at owasp dot org