This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Benchmark
OWASP WebGoat BenchmarkThe OWASP WebGoat Benchmark is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. The initial version is intended to support Static Analysis Security Tools (SAST) and Interactive Analysis Security Tools (IAST). A future release (the year hopefully) will suport Dynamic Analysis Security Tools (DAST), like OWASP ZAP. The goal is that the application is fully runable and all the vulnerabilities are actually exploitable so its a fair test for any kind of vulnerability detection tool. Future versions could support other languages, but one step at a time! Project PhilosophySecurity tools (SAST, DAST, and IAST) are amazing when they find a complex vulnerability in your code. But they can drive everyone crazy with complexity, false alarms, and missed vulnerabilities. We are on a quest to see just how good these tools are at discovering and properly diagnosing security problems in applications. So the WebGoat Benchmark test suite is designed to test the abilities of these tools and hopefully help them improve. ApproachFor this Java test suite:
There are two types of tests in the current benchmark: 1) Tests written by hand. 2) Tests that are generated from code snippets that include 3 parts a) A source of taint (e.g., a web parameter) b) Propagation or data flow c) A dangerous sink There are currently over 150 test cases written by hand, and over 20,000 generated tests. Code RepoThe code for this project is hosted at the OWASP Git repository (exact location TBD). Along with the code comes a Maven pom.xml file so you can build the entire project with ease. LicensingThe OWASP WebGoat Benchmark is free to use under the TBD license. Mailing ListOWASP WebGoat Benchmark Mailing List Project LeadersRelated Projects |
Quick Download
News and Events
Classifications
|
2015 Roadmap
- [June 2015] TBD