Difference between revisions of "OWASP Autumn of Code 2006 - Projects: Web Goat - Progress"
From OWASP
[[OWASP_Autumn_of_Code_2006_-_Projects:_Web_Goat|Project Main Page]]
Latest revision as of 12:50, 3 June 2009
Lessons to be Implemented:
- DOM Injection - Done
- XML Injection - Done
- XMLRPC Attacks - Replaced by JSON Injection - Done
- Silent Transactional Authorizational Attacks - Done
- HTTP Splitting - Done
- Log Spoofing - Done
- Cache Poisoning - Done
- Cross-Site Request Forgery (CSRF) - Done
- Back Doors - Done
- XPATH Injection - Done
- Buffer Overflow - Will be taken care of by Bruce
- How to Perform Parameter Injection - Replaced by How to Add a new lesson lesson - Done
- Forced Browsing - Done
- Manual and Installation Guide: Done
Daily Notes
Week 01 - Oct 08
- Checked out the source code.
- Built the project from scratch
- Got the environment ready
- Added a skeleton for Http Splitting lesson
- Worked on updating the project page
- Finished working on the HTTP Splitting lesson and committed the code.
- Started investigating the CSRF (Cross-Site Request Forgery) attacks.
Week 02 - Oct 15
Week 03 - Oct 22
- Finished working on Cross-Site Request Forgery Attacks.
Week 04 - Oct 29
- Continued working on Log Spoofing lesson.
- Finished working on Log Spoofing lesson.
- Started working on Parameter Injection and Forced Browsing lessons
Week 05 - Nov 05
- Finished and submitted Log Spoofing lesson
- Finished and submitted Forced Browsing lesson.
Week 06 - Nov 12
- Added the "How to add a new lesson" lesson.
- Started working on the AJAX-specific lessons
Week 07 - Nov 19
- Worked on XML injection attacks
- Started working on DOM injection attacks
Week 08 - Nov 26
Week 09 - Dec 03
- Started working on integrating WebGoat with OSG.
- Got OSG working locally.
- Started working on a filter for the requests that can be enabled or disabled using the config file (web.xml).
- Started working on the first AJAX lesson: DOM Injection.
Week 10 - Dec 10
- Finished working on a Tomcat connector to OSG.
- Finished working on DOM Injection lesson
Week 11 - Dec 17
- Worked on cache poisoning
- Worked on XML Injections
- Added gratifications to HTTP Splitting
Week 12 - Dec 24
- Finished XML Injections
- Finished working on Cache Poisoning
- Added a hint for the user per Jeff's comments.
- Working on JSON injection
Week 13 - Dec 30
- Finished SQL Backdoors attacks
- Finished JSON Injection