
Difference between revisions of "OWASP Securing WebGoat using ModSecurity Project"

(30 intermediate revisions by the same user not shown)
Old revision (left column) compared with the new revision (right column), row by row:

Line 1: Line 1:
  old: ==Introduction==
  new: === [http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section_1_Introduction Introduction] ===
  unchanged: 1.1  Background

Line 5: Line 5:
  unchanged: 1.2  Purpose
  old: 1.3  Talks and deliverables
  new: 1.3  Tasks and deliverables
  old: 1.4  Future development and long-term vision
  new: 1.4  Project member comments at 100%
  old: 1.5  Contributors
  new: 1.5  Future development and long-term vision
  old: ==WebGoat==
  new: 1.6  Contributors
  new: === [http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section_2_WebGoat WebGoat] ===
  unchanged: 2.1  Overview

Line 21: Line 23:
  unchanged: 2.4  Overview of lesson results
  old: ==ModSecurity protecting WebGoat at 50% project completion==
  new: === [http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section_3_ModSecurity_WebGoat_at_50_percent ModSecurity protecting WebGoat] ===
  unchanged: 3.1  Project Setup and Environment

Line 27: Line 29:
  unchanged: 3.2  Doing the WebGoat lessons - tips and tricks
  old: 3.3  Project organization
  new: 3.3 Testing ModSecurity rules - tips and tricks
  new: 3.4 Project organization
  new: 3.4.1  ModSecurity rules
  new: 3.4.2  SecDirData directory
  new: 3.4.3  Error pages
  new: 3.4.4  Informational and debug messages
  new: === [http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section_4_Mitigating_the_WebGoat_Lessons Mitigating the WebGoat lessons] ===
  new: 4.1  Project metrics at 50% completion
  new: 4.2  Project metrics at 100% completion
  new: 4.3  Sublessons that do not count or were not solved (and why)
  new: 4.4  Unfinished business
  new: 4.4.1 Concurrent file access
  new: 4.4.2 Lua security in ModSecurity
  old: 3.3.1 ModSecurity rules
  new: 4.5 Overall strategy
  old: 3.3.2 SecDirData directory
  new: 4.6 Reviewer comments
  old: 3.3.3 Error pages
  new: 4.7 Using the Lua scripting language
  old: 3.3.4 Informational and debug messages
  new: 4.8 Using Javascript 'prepend' and 'append'
  old: ==Mitigating the WebGoat lessons==
  new: 4.9  Structure of mitigating a lesson
  old: 4.1 Project metrics
  new: 4.10 The mitigating solutions
  old: 4.2  Overall strategy
  new: === [http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Appendix_A_WebGoat_Lesson_Plans_and_Solutions Appendix A: WebGoat lesson plans and solutions] ===
  old: 4.3  Using the Lua scripting language
  new: === [http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Appendix_B_Project_Solution_Files Appendix B: Project solution files] ===
  old: 4.4  Structure of mitigating a lesson
  new: === [http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Appendix_C_Building_Lua Appendix C: Building the Lua library and standalone executable] ===
  old: 4.5  The mitigating solutions
  new: === [http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Appendix_D_Additional_Important_Stuff Appendix D: Additional important stuff (e.g. wiki in Word doc, fixes)] ===
  old: ==To do for project completion==
  new: D.1  This wiki in a Word doc
  old: ==Future considerations==
  new: D.2  Other material
  old: ==Appendix A: The WebGoat solutions (borrowed from the OWASP WebGoat project)==
  new: D.3  Fixes/enhancements

Latest revision as of 10:50, 31 December 2008

Introduction

1.1 Background

1.2 Purpose

1.3 Tasks and deliverables

1.4 Project member comments at 100%

1.5 Future development and long-term vision

1.6 Contributors

WebGoat

2.1 Overview

2.2 How it works

2.3 Lesson Table Of Contents

2.4 Overview of lesson results

ModSecurity protecting WebGoat

3.1 Project Setup and Environment

3.2 Doing the WebGoat lessons - tips and tricks

3.3 Testing ModSecurity rules - tips and tricks

3.4 Project organization

3.4.1 ModSecurity rules

3.4.2 SecDirData directory

3.4.3 Error pages

3.4.4 Informational and debug messages

Mitigating the WebGoat lessons

4.1 Project metrics at 50% completion

4.2 Project metrics at 100% completion

4.3 Sublessons that do not count or were not solved (and why)

4.4 Unfinished business

4.4.1 Concurrent file access

4.4.2 Lua security in ModSecurity

4.5 Overall strategy

4.6 Reviewer comments

4.7 Using the Lua scripting language

4.8 Using Javascript 'prepend' and 'append'

4.9 Structure of mitigating a lesson

4.10 The mitigating solutions

Appendix A: WebGoat lesson plans and solutions

Appendix B: Project solution files

Appendix C: Building the Lua library and standalone executable

Appendix D: Additional important stuff (e.g. wiki in Word doc, fixes)

D.1 This wiki in a Word doc

D.2 Other material

D.3 Fixes/enhancements