Difference between revisions of "Lesson Plans"

From OWASP
Jump to: navigation, search
 
Line 2: Line 2:
 
__TOC__
 
__TOC__
  
The current lesson plans included in this release of WebGoatv4 include:
+
The current lesson plans included in this release of WebGoatv5 include:
 
{| border=1
 
{| border=1
 
  || Http Basics
 
  || Http Basics
 +
|-
 +
|| HTTP Splitting and Cache Poisining
 
|-
 
|-
 
  || How to Exploit Thread Safety Problems
 
  || How to Exploit Thread Safety Problems
Line 15: Line 17:
 
|-
 
|-
 
  || How to Bypass Client Side JavaScript Validation
 
  || How to Bypass Client Side JavaScript Validation
 +
|-
 +
|| How to Force Browser Web Resources
 
|-
 
|-
 
  || How to Bypass a Role Based Access Control Scheme
 
  || How to Bypass a Role Based Access Control Scheme
 
|-
 
|-
 
  || How to Bypass a Path Based Access Control Scheme
 
  || How to Bypass a Path Based Access Control Scheme
 +
|-
 +
|| Using an Access Control Matrix
 +
|-
 +
|| How to Exploit the Forgot Password Page
 
|-
 
|-
 
  || How to Spoof an Authentication Cookie
 
  || How to Spoof an Authentication Cookie
 +
|-
 +
|| How to Hijack a Session
 
|-
 
|-
 
  || Basic Authentication
 
  || Basic Authentication
 
|-
 
|-
 
  || How to Perform Cross Site Trace Attacks
 
  || How to Perform Cross Site Trace Attacks
 +
|-
 +
|| How to Perform Stored Cross Site Scripting
 +
|-
 +
|| How to Perform Reflected Cross Site Scripting
 +
|-
 +
|| HttpOnly Test
 +
|-
 +
|| How to Perform Cross Site Trace Attacks
 
|-
 
|-
 
  || How to Perform Command Injection
 
  || How to Perform Command Injection
 
|-
 
|-
 
  || How to Perform Blind SQL Injection
 
  || How to Perform Blind SQL Injection
 +
|-
 +
|| How to Perform Numeric SQL Injection
 +
|-
 +
|| How to Perform Log Spoofing
 +
|-
 +
|| How to Perform XPATH Injection Attacks
 +
|-
 +
|| How to Perform String SQL Injection
 
|-
 
|-
 
  || How to Bypass a Fail Open Authentication Scheme
 
  || How to Bypass a Fail Open Authentication Scheme
 
|-
 
|-
  || Web Service SQL Injection
+
  || How to Peform Basic Encoding
 +
|-
 +
|| Denial of Service from Multiple Logins
 +
|-
 +
|| How to Create a SOAP Request
 +
|-
 +
|| How to Perform WSDL Scanning
 +
|-
 +
|| How to Perform Web Service SAX Injection
 +
|-
 +
|| How to Perform Web Service SQL Injection
 +
|-
 +
|| How to Perform DOM Injection Attack
 +
|-
 +
|| How to Perform XML Injection Attacks
 +
|-
 +
|| How to Add a New Lesson
 
|-
 
|-
 
  || The Challenge  
 
  || The Challenge  

Revision as of 20:15, 22 December 2006

WebGoat User Guide Table of Contents


The current lesson plans included in this release of WebGoatv5 include:

Http Basics
HTTP Splitting and Cache Poisining
How to Exploit Thread Safety Problems
How to Discover Clues in the HTML
How to Exploit Hidden Fields
How to Exploit Unchecked Email
How to Bypass Client Side JavaScript Validation
How to Force Browser Web Resources
How to Bypass a Role Based Access Control Scheme
How to Bypass a Path Based Access Control Scheme
Using an Access Control Matrix
How to Exploit the Forgot Password Page
How to Spoof an Authentication Cookie
How to Hijack a Session
Basic Authentication
How to Perform Cross Site Trace Attacks
How to Perform Stored Cross Site Scripting
How to Perform Reflected Cross Site Scripting
HttpOnly Test
How to Perform Cross Site Trace Attacks
How to Perform Command Injection
How to Perform Blind SQL Injection
How to Perform Numeric SQL Injection
How to Perform Log Spoofing
How to Perform XPATH Injection Attacks
How to Perform String SQL Injection
How to Bypass a Fail Open Authentication Scheme
How to Peform Basic Encoding
Denial of Service from Multiple Logins
How to Create a SOAP Request
How to Perform WSDL Scanning
How to Perform Web Service SAX Injection
How to Perform Web Service SQL Injection
How to Perform DOM Injection Attack
How to Perform XML Injection Attacks
How to Add a New Lesson
The Challenge

For each lesson within WebGoat, an overview and objectives are provided. These are accessed through the Show Lesson Plan button.


Figure 3: Show Lesson Plan

These lesson plans describe the operation of each aspect of the target application, the areas of interest relating to the security assessment and the type of attack that should be attempted.


WebGoat User Guide Table of Contents