
Difference between revisions of "OWASP Autumn of Code 2006 - Projects: Web Goat - Progress"

(Lessons to be Implemented:)
(Reverting to last version not containing links to s1.shard.jp)
 
(14 intermediate revisions by 4 users not shown)
Line 5: Line 5:
 
* DOM Injection - '''Done'''
 
* DOM Injection - '''Done'''
 
* XML Injection - '''Done'''
 
* XML Injection - '''Done'''
* XMLRPC Attacks - Replaced by JSON Injection - Under Construction
+
* XMLRPC Attacks - Replaced by JSON Injection - '''Done'''
* Silent Transactional Authorizational Attacks  
+
* Silent Transactional Authorizational Attacks - '''Done'''
 
* HTTP Splitting - '''Done'''
 
* HTTP Splitting - '''Done'''
* Log Spoofing  - '''Done'''(Jeff: add a hint to add a link)
+
* Log Spoofing  - '''Done'''
 
* Cache Poising - '''Done'''
 
* Cache Poising - '''Done'''
* Cross-Site Request Forgery (CSRF) - '''Done'''(still needs some work)
+
* Cross-Site Request Forgery (CSRF) - '''Done'''
* Back Doors  
+
* Back Doors '''Done'''
 
* XPATH Injection '''Done'''
 
* XPATH Injection '''Done'''
 
* Buffer Overflow - Will be taken care of by Bruce
 
* Buffer Overflow - Will be taken care of by Bruce
 
* How to Perform Parameter Injection - Replaced by How to Add a new lesson lesson - '''Done'''
 
* How to Perform Parameter Injection - Replaced by How to Add a new lesson lesson - '''Done'''
 
* Forced Browsing - '''Done'''
 
* Forced Browsing - '''Done'''
 +
 +
* Manual and Installation Guide: '''Done'''
  
 
== Daily Notes ==
 
== Daily Notes ==
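Review bot: the updated list still carries the misspellings "Cache Poising" (context line) and "Authorizational" in the new "Silent Transactional Authorizational Attacks - '''Done'''" line; suggest "Cache Poisoning" and "Authorization". The new "Back Doors '''Done'''" line also drops the " - " separator every other entry uses, so the rendered list is inconsistent; suggest "Back Doors - '''Done'''" (and the same fix for the "XPATH Injection '''Done'''" context line).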
Line 69: Line 71:
 
=== Week 12 - Dec 24 ===
 
=== Week 12 - Dec 24 ===
 
* Finished XML Injections
 
* Finished XML Injections
* Finished workingon Cache Poisining  
+
* Finished working on Cache Poisining  
 +
* Added a hint for the user per Jeff's comments.
 
* Working on JSON injection
 
* Working on JSON injection
  
 
=== Week 13 - Dec 30 ===
 
=== Week 13 - Dec 30 ===
 +
- Finished SQL Backdoors attacks
 +
- Finished JSON Injection
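Review bot: the two added Week 13 lines use "- " instead of the "* " wiki bullet used everywhere else under Daily Notes, so they render as plain text run together on one line rather than as list items; suggest "* Finished SQL Backdoors attacks" and "* Finished JSON Injection". The corrected "Finished working on Cache Poisining" line still misspells "Poisoning".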

Latest revision as of 12:50, 3 June 2009

Project Main Page

Lessons to be Implemented:

  • DOM Injection - Done
  • XML Injection - Done
  • XMLRPC Attacks - Replaced by JSON Injection - Done
  • Silent Transactional Authorization Attacks - Done
  • HTTP Splitting - Done
  • Log Spoofing - Done
  • Cache Poisoning - Done
  • Cross-Site Request Forgery (CSRF) - Done
  • Back Doors - Done
  • XPATH Injection - Done
  • Buffer Overflow - Will be taken care of by Bruce
  • How to Perform Parameter Injection - Replaced by the How to Add a New Lesson lesson - Done
  • Forced Browsing - Done
  • Manual and Installation Guide - Done

Daily Notes

Week 01 - Oct 08

  • Checked out the source code.
  • Built the project from scratch
  • Got the environment ready
  • Added a skeleton for the HTTP Splitting lesson
  • Worked on updating the project page
  • Finished working on the HTTP Splitting lesson and committed the code.
  • Started investigating the CSRF (Cross-Site Request Forgery) attacks.

Week 02 - Oct 15

Week 03 - Oct 22

  • Finished working on Cross-Site Request Forgery Attacks.

Week 04 - Oct 29

  • Continued working on Log Spoofing lesson.
  • Finished working on Log Spoofing lesson.
  • Started working on Parameter Injection and Forced Browsing lessons

Week 05 - Nov 05

  • Finished and submitted Log Spoofing lesson
  • Finished and submitted Forced Browsing lesson.

Week 06 - Nov 12

  • Added the How to Add a New Lesson lesson.
  • Started working on the AJAX-specific lessons

Week 07 - Nov 19

  • Worked on XML injection attacks
  • Started working on DOM injection attacks

Week 08 - Nov 26

Week 09 - Dec 03

  • Started working on integrating WebGoat to OSG.
  • Got OSG working locally.
  • Started working on a filter for the requests that can be enabled or disabled using the config file (web.xml).
  • Started working on the first AJAX lesson: DOM Injection.

Week 10 - Dec 10

  • Finished working on a Tomcat connector to OSG.
  • Finished working on DOM Injection lesson

Week 11 - Dec 17

  • Worked on cache poisoning
  • Worked on XML Injections
  • Added gratifications to HTTP Splitting

Week 12 - Dec 24

  • Finished XML Injections
  • Finished working on Cache Poisoning
  • Added a hint for the user per Jeff's comments.
  • Working on JSON injection

Week 13 - Dec 30

  • Finished SQL Backdoor attacks
  • Finished JSON Injection