Project Information:template Securing WebGoat using ModSecurity 50 Review Second Review E

Jump to: navigation, search

Click here to return to the previous page.


Project Deliveries & Objectives

OWASP Securing WebGoat using ModSecurity Project's Deliveries & Objectives


1. At what extent have the project deliveries & objectives been accomplished? Having in consideration the assumed ones, please exemplify writing down those of them that haven't been realised.

The project set out to protect the vulnerable webgoat application without touching a line of code. Facing an unstable (and partially buggy) Webgoat version the project leader and sole contributor had to find a pragmatic approach to deal with this issue. On top of that it quickly turned out, that expermiental features of ModSecurity had to be used.

Stephen Evans managed to cope with these troubles and actually continued in a systematic and well documented way. This is crucial for this project as it will be used by new and intermediate users of ModSecurity in the future as a case study for their own work.

There are still a few challenges ahead, but looking at the results so far, Stephen is well set to tackle those as well. The rules speak for themselves: they are of a very high quality in my eyes.

2. At what extent have the project deliveries & objectives been accomplished? Having in consideration the assumed ones, please quantify in terms of percentage.

Well over 50%. Including some tricky lessons.

3. Please do use the right hand side column to provide advice and make work suggestions.

- Embedded or as Reverse Proxy? Not quite clear what you mean.
- I guess you mean within the application server or within an Apache RP.
- Webgoat should be introduced too in this paragraph.

one line of source code. : in webgoat, that is.

The identification of the target and the introduction of a numbering scheme
for stages of a lesson and its sublessons is a useful approach.

Overview of lesson results
-> A table within the wiki with color codes would be very useful here.

Neat and clean project setup description. Like it.

I personally believe that you could have profitted from working on the command line with "curl"
to replay the attack, until the rules are correct and then check in the browser.

"empty the cash" -> rather not my account please. :)
guess it's the cache that should be emptied.

Respect. That really is a WAF approach to a business logic flaw. Cool.

I suggest you split the page in two. It's two lessons.
Make it two pages, even if you repeat yourself.
Right now, the text all appears under 4.5. Or did I get it wrong?

I am loosing a bit track of the lessons here. Guess it is only me.

You provide very useful comments in the rule files. I like those very much.