Section 4: Mitigating the WebGoat lessons
Project metrics
See Section 2 for the WebGoat lesson Table of Contents and an overview of the results of working through the WebGoat lessons. Appendix A contains a zip file of the lesson plans and solutions, in HTML format, taken from WebGoat; they can be viewed stand-alone.
Out of 51 possible lessons, the following are teaching lessons, not vulnerabilities, and therefore have no context for ModSecurity rules:
- 1.1 Http Basics
- 4.1 Password Strength
- 15.3 Bypass Client Side JavaScript Validation
- 17.1 Create a SOAP Request
That leaves 47 lessons to mitigate; half of 47, rounded up, is 24, which was the target for the first 50% of project completion. The lowest-hanging fruit was taken first, because considerable effort had already gone into: (1) setting up and configuring the environment; (2) getting familiar with WebGoat and taking all of the lessons; (3) learning ModSecurity (and Remo); (4) re-learning regular expressions; (5) learning Lua scripting; and (6) developing an efficient working methodology.
The total number of sublessons mitigated by ModSecurity rules is 25, which meets the goal of at least 50% of sublessons mitigated.
They are:
- Sublesson 1.2
- Sublesson 2.4
- Sublessons 4.2, 4.4, 4.5
- Sublesson 6.1
- Sublessons 8.1, 8.2, 8.4, 8.5, 8.7
- Sublesson 10.1
- Sublessons 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7, 11.8
- Sublesson 13.1
- Sublessons 15.1, 15.2
- Sublessons 17.3, 17.4