Difference between revisions of "Category:OWASP Securing WebGoat using ModSecurity Project"

From OWASP
Jump to: navigation, search
 
(15 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{OWASP Book|5082126}}
 
{{OWASP Book|5082126}}
 
[[:Category:OWASP Project|Click here to return to OWASP Projects page.]]<br>
 
[[:Project Information:template Securing WebGoat using ModSecurity|Click here to see (& edit, if wanted) the template.]]
 
 
{{:Project Information:template Securing WebGoat using ModSecurity}}
 
{{:Project Information:template Securing WebGoat using ModSecurity}}
 +
[[Category:OWASP Project|Securing WebGoat using ModSecurity Project]]
 +
[[Category:OWASP Document]]
 +
[[Category:OWASP Download]]
 +
[[Category:OWASP Beta Quality Document]]
  
 
== Welcome to the OWASP Securing WebGoat using ModSecurity Project ==
 
== Welcome to the OWASP Securing WebGoat using ModSecurity Project ==
Line 18: Line 19:
  
 
== Project News ==
 
== Project News ==
 +
 +
* 22 Jun 2009:
 +
** This project was discussed at the end of [https://www.owasp.org/index.php/Podcast_26 OWASP Podcast #26]: April 2009 News Commentary Recorded May 28 with Tom Brennan, Andre Gironda, Jim Manico, Alex Smolen and Jeff Williams (part 2).
 +
*** The WAF discussion starts at 43m49s to the end at 56m15s
 +
*** This project is mentioned from 53m08s until 54m57s (thanks for the great plug, Jeff :-)
 +
 +
* 03 May 2009:
 +
** This project is the subject of the 2nd day of a 2 day training course on writing ModSecurity rules to be given by Ryan Barnett at BlackHat USA at the end of July. The announcement is [http://sourceforge.net/mailarchive/forum.php?thread_name=8A1B4B015C52A54886DF15E9A97C7FB9F5A4A375%40MONET.utopiasystems.net&forum_name=mod-security-users here]; an excerpt of the course description is: "The 2nd day of the class will mainly be spent as a hands-on lab where we will go through the OWASP Securing WebGoat with ModSecurity project which will allow you to test out the latest, cutting-edge rules concepts such as content injection and Lua."
 +
 +
* 28 Apr 2009:
 +
** The direct link to purchase/download the book is [http://www.lulu.com/content/paperback-book/securing-webgoat-using-modsecurity/5082126 here].
 +
 +
* 12 Mar 2009:
 +
** This project was discussed in the context of virtual patching by Ryan C. Barnett in [https://www.owasp.org/index.php/Podcast_12 OWASP Podcast #12] starting at the 20 minute 22 second mark until the 26 minute 10 second mark and beyond.
 +
 +
* 01 Mar 2009:
 +
** This project was discussed (glowingly) by Ken van Wyk in [https://www.owasp.org/index.php/Podcast_10 OWASP Podcast #10] starting at the 16 minute 30 second mark.
 +
 +
* 19 Feb 2009:
 +
** Ryan Barnett of Breach Security gave a presentation based on this project, "WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity" at Black Hat DC 2009: http://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html
 +
*** Whitepaper mentioning project, "WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity":
 +
https://www.blackhat.com/presentations/bh-dc-09/Barnett/BlackHat-DC-09-Barnett-WAF-Patching-Challenge-slides.pdf
 +
 +
* 10 Feb 2009:
 +
** This project in book form can be bought or downloaded (for free) at the OWASP bookstore at http://stores.lulu.com/owasp (thanks a lot to Paulo Coimbra for getting this done).
  
 
* 31 Dec 2008:
 
* 31 Dec 2008:
Line 47: Line 73:
  
 
http://denimgroup.typepad.com/denim_group/2008/11/owasp-eu-summit-in-portugal-thursday.html
 
http://denimgroup.typepad.com/denim_group/2008/11/owasp-eu-summit-in-portugal-thursday.html
 +
 +
OWASP Podcast #2 Securing Webgoat with ModSecurity
 +
 +
http://manicode.blogspot.com/2008/12/owasp-podcast-2-securing-webgoat-with.html
 +
 +
Waffing: ModSecurity applied
 +
 +
http://swende.se/index.php?/archives/26-Waffing-ModSecurity-applied.html
 +
 +
WebGoat, Lua, and ModSecurity verses Password Guessing
 +
 +
http://blog.securitymonks.com/2009/01/10/webgoat-lua-and-modsecurity-verses-password-guessing/
  
 
== Contacts ==
 
== Contacts ==
  
 
stephencraig_dot_evans_at_gmail_dot_com
 
stephencraig_dot_evans_at_gmail_dot_com
 
[[Category:OWASP Project]]
 

Latest revision as of 12:43, 9 March 2010

OWASP Books logo.png This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.
PROJECT IDENTIFICATION
Project Name OWASP Securing WebGoat using ModSecurity Project
Short Project Description The purpose of this project is to create custom Modsecurity rulesets that, in addition to the Core Set, will protect WebGoat 5.1 from as many of its vulnerabilities as possible (the goal is 90%) without changing one line of source code. To ensure that it will be a complete 'no touch' on WebGoat and its environment, ModSecurity will be configured on Apache server as a remote proxy server. For those vulnerabilities that cannot be prevented (partially or not at all), I will document my efforts in attempting to protect them. Business logic vulnerabilities will be particularly challenging to solve.
Project key Information Project Leader
Stephen Craig Evans
Project Contributors
(if applicable)
Mailing List
Subscribe here
Use here
License
Creative Commons Attribution Share Alike 3.0
Project Type
Documentation
Sponsors
OWASP SoC 08
Release Status Main Links Related Projects

Beta Quality
Please see here for complete information.

OWASP WebGoat Project

Contents

Welcome to the OWASP Securing WebGoat using ModSecurity Project

The purpose of the OWASP Securing WebGoat using ModSecurity Project is to use ModSecurity 2.5 to protect WebGoat 5.2 from as many of its vulnerabilities as possible (the goal is 90%).

Securing WebGoat using ModSecurity Project wiki v1.0

Mailing List

https://lists.owasp.org/mailman/listinfo/owasp-webgoat-using-modsecurity

owasp-webgoat-using-modsecurity@lists.owasp.org

Project News

  • 22 Jun 2009:
    • This project was discussed at the end of OWASP Podcast #26: April 2009 News Commentary Recorded May 28 with Tom Brennan, Andre Gironda, Jim Manico, Alex Smolen and Jeff Williams (part 2).
      • The WAF discussion starts at 43m49s to the end at 56m15s
      • This project is mentioned from 53m08s until 54m57s (thanks for the great plug, Jeff :-)
  • 03 May 2009:
    • This project is the subject of the 2nd day of a 2 day training course on writing ModSecurity rules to be given by Ryan Barnett at BlackHat USA at the end of July. The announcement is here; an excerpt of the course description is: "The 2nd day of the class will mainly be spent as a hands-on lab where we will go through the OWASP Securing WebGoat with ModSecurity project which will allow you to test out the latest, cutting-edge rules concepts such as content injection and Lua."
  • 28 Apr 2009:
    • The direct link to purchase/download the book is here.
  • 12 Mar 2009:
    • This project was discussed in the context of virtual patching by Ryan C. Barnett in OWASP Podcast #12 starting at the 20 minute 22 second mark until the 26 minute 10 second mark and beyond.
  • 01 Mar 2009:
    • This project was discussed (glowingly) by Ken van Wyk in OWASP Podcast #10 starting at the 16 minute 30 second mark.
  • 19 Feb 2009:
    • Ryan Barnett of Breach Security gave a presentation based on this project, "WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity" at Black Hat DC 2009: http://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html
      • Whitepaper mentioning project, "WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity":

https://www.blackhat.com/presentations/bh-dc-09/Barnett/BlackHat-DC-09-Barnett-WAF-Patching-Challenge-slides.pdf

  • 10 Feb 2009:
    • This project in book form can be bought or downloaded (for free) at the OWASP bookstore at http://stores.lulu.com/owasp (thanks a lot to Paulo Coimbra for getting this done).
  • 31 Dec 2008:
    • This project was discussed by Arshan Dabirsiaghi, Jeff Williams, Jeremiah Grossman, and Jim Manico in OWASP Podcast #1 starting at the 58 minute mark.
    • Project member Stephen Craig Evans talks about the project as the guest of Jim Manico in OWASP Podcast #2.
  • 29 Nov 2008:
    • Added Appendix D to wiki, "Additional important stuff", which includes the wiki in a Word document (here) and some slide decks
    • Tested out the mailing list
    • Sent an email to OWASP Leaders and to Kenneth van Wyck's Secure Coding list to inform them of the project and its current state
  • 16 Nov 2008 - Added 'Section 4.4: Unfinished Business' which includes discussions about concurrent file access and Lua security.
  • 06 Nov 2008 - Gave 2 project presentations at the OWASP EU Summit in Portugal.
  • 05 Nov 2008 - Finished incorporating all reviewer comments.
  • 22 Oct 2008 - Wiki updates; project near 100% completion.
  • 14 Jul 2008 - Project wiki created and under construction.

Mentions in the Media

ModSecurity Blog

http://blog.modsecurity.org/2008/10/securing-webgoat-using-modsecurity.html

OWASP EU Summit in Portugal: Thursday

http://denimgroup.typepad.com/denim_group/2008/11/owasp-eu-summit-in-portugal-thursday.html

OWASP Podcast #2 Securing Webgoat with ModSecurity

http://manicode.blogspot.com/2008/12/owasp-podcast-2-securing-webgoat-with.html

Waffing: ModSecurity applied

http://swende.se/index.php?/archives/26-Waffing-ModSecurity-applied.html

WebGoat, Lua, and ModSecurity verses Password Guessing

http://blog.securitymonks.com/2009/01/10/webgoat-lua-and-modsecurity-verses-password-guessing/

Contacts

stephencraig_dot_evans_at_gmail_dot_com

This category currently contains no pages or media.