Category:OWASP Securing WebGoat using ModSecurity Project
| This project has produced a book that can be downloaded or purchased.|
Feel free to browse the full catalog of available OWASP books.
|Project Name||OWASP Securing WebGoat using ModSecurity Project|
|Short Project Description||The purpose of this project is to create custom Modsecurity rulesets that, in addition to the Core Set, will protect WebGoat 5.1 from as many of its vulnerabilities as possible (the goal is 90%) without changing one line of source code. To ensure that it will be a complete 'no touch' on WebGoat and its environment, ModSecurity will be configured on Apache server as a remote proxy server. For those vulnerabilities that cannot be prevented (partially or not at all), I will document my efforts in attempting to protect them. Business logic vulnerabilities will be particularly challenging to solve.|
|Project key Information||Project Leader
Stephen Craig Evans
Creative Commons Attribution Share Alike 3.0
OWASP SoC 08
|Release Status||Main Links||Related Projects|
Welcome to the OWASP Securing WebGoat using ModSecurity Project
The purpose of the OWASP Securing WebGoat using ModSecurity Project is to use ModSecurity 2.5 to protect WebGoat 5.2 from as many of its vulnerabilities as possible (the goal is 90%).
- 19 Feb 2009:
- Ryan Barnett of Breach Security gave a presentation based on this project, "WAF Virtual Patching Challenge: Securing WebGoat with ModSecurity" at Black Hat DC 2009: http://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html
- 10 Feb 2009:
- This project in book form can be bought or downloaded (for free) at the OWASP bookstore at
http://stores.lulu.com/owasp (thanks a lot to Paulo Coimbra for getting this done).
- 31 Dec 2008:
- 29 Nov 2008:
- Added Appendix D to wiki, "Additional important stuff", which includes the wiki in a Word document (here) and some slide decks
- Tested out the mailing list
- Sent an email to OWASP Leaders and to Kenneth van Wyck's Secure Coding list to inform them of the project and its current state
- 16 Nov 2008 - Added 'Section 4.4: Unfinished Business' which includes discussions about concurrent file access and Lua security.
- 06 Nov 2008 - Gave 2 project presentations at the OWASP EU Summit in Portugal.
- 05 Nov 2008 - Finished incorporating all reviewer comments.
- 22 Oct 2008 - Wiki updates; project near 100% completion.
- 14 Jul 2008 - Project wiki created and under construction.
Mentions in the Media
OWASP EU Summit in Portugal: Thursday
OWASP Podcast #2 Securing Webgoat with ModSecurity
Waffing: ModSecurity applied
WebGoat, Lua, and ModSecurity verses Password Guessing
This category currently contains no pages or media.