OWASP Autumn of Code 2006 - Projects: Web Goat - Progress

Project Main Page

Lessons to be Implemented:

 * DOM Injection - Done
 * XML Injection - Done
 * XMLRPC Attacks - Replaced by JSON Injection - Under Construction
 * Silent Transactional Authorizational Attacks
 * HTTP Splitting - Done
 * Log Spoofing - Done
 * Cache Poising - Done
 * Cross-Site Request Forgery (CSRF) - Done(still needs some work)
 * Back Doors
 * XPATH Injection Done
 * Buffer Overflow - Will be taken care of by Bruce
 * How to Perform Parameter Injection - Replaced by How to Add a new lesson lesson - Done
 * Forced Browsing - Done


 * Manual and Installation Guide: Currently under construction.

Week 01 - Oct 08

 * Checked out the source code.
 * Built the project from scratch
 * Got the environment ready
 * Added a skeleton for Http Splitting lesson
 * Worked on updating the project page
 * Finished working on the HTTP Spliting lesson and committed the code.
 * Started investigating the CSRF (Cross-Site Request Forgery) attacks.

Week 03 - Oct 22

 * Finished working on Cross-Site Request Forgery Attacks.

Week 04 - Oct 29

 * Continued working on Log Spoofing lesson.
 * Finished working on Log Spoofing lesson.
 * Started working on Parameter Injection and Forced Browsing lessons

Week 05 - Nov 05

 * Finished and submitted Log Spoofing lesson
 * Finished and submitted Forced Browsing lesson.

Week 06 - Nov 12
- Added How to add a new lesson lesson. - Started working on the AJAX-specific lessons

Week 07 - Nov 19

 * Worked on XML injection attacks
 * Started working on DOM injection attacks

Week 09 - Dec 03

 * Started working on integrating WebGoat to OSG.
 * Got OSG working localy.
 * Starting working on a filter for the requests that can be enabled or disabled using the config file (web.xml).
 * Started working on the first AJAX lesson: DOM Injection.

Week 10 - Dec 10

 * Finished working on a Tomcat connetor to OSG.
 * Finished working on DOM Injection lesson

Week 11 - Dec 17

 * Worked on cache poisining
 * Worked on XML Injections
 * Added gratifications to HTTP Splitting

Week 12 - Dec 24

 * Finished XML Injections
 * Finished working on Cache Poisining
 * Added a hint for the user per Jeff's comments.
 * Working on JSON injection

Week 13 - Dec 30
- Working on SQL Backdoors attacks