Difference between revisions of "OWASP WebGoat Project Roadmap"

From OWASP
Jump to: navigation, search
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The project's overall goal is to...
+
<webgoat/>The project's overall goal is to...
  
 
   Be the defacto standard web application security training environment
 
   Be the defacto standard web application security training environment
Line 6: Line 6:
  
 
# Demonstrate most common web application security vulnerabilities
 
# Demonstrate most common web application security vulnerabilities
# Increase ease-of-use and expand userbase
+
# Add educational support for secure coding practices
 +
# Enhance enterprise lesson tracking
 
# Attract more contributions of lessons
 
# Attract more contributions of lessons
 
# Revisit existing lesson base to standardize lesson theme.
 
# Revisit existing lesson base to standardize lesson theme.
 +
# Increase ease-of-use and expand user base
  
 
Here are the current tasks defined to help us achieve these goals
 
Here are the current tasks defined to help us achieve these goals
  
 
'''Architectural'''
 
'''Architectural'''
* Convert lessons to struts framework (Major effort)
+
* Replace basic authentication with forms based authentication
 
* Rewrite all lessons to follow common theme using common database
 
* Rewrite all lessons to follow common theme using common database
 
* Rewrite user administration to allow better user management (non-hackable)
 
* Rewrite user administration to allow better user management (non-hackable)
Line 21: Line 23:
 
'''General'''
 
'''General'''
 
* General security cleanup. Remove exploits that are not lesson specific
 
* General security cleanup. Remove exploits that are not lesson specific
* Denial of service lesson rewrite
+
* Remove non working lessons
* Bypass client side javascript lesson rewrite
+
*
* Improve using an access control matrix lesson
+
* Improve encoding basics lesson
+
* Improve thread safety lesson
+
* Cross site trace only works in older browsers
+
* Improve CSRF lesson
+
  
 
'''New Lessons'''
 
'''New Lessons'''
 
* Server side forward allows access to WEB-INF resources
 
* Server side forward allows access to WEB-INF resources
 
* Account enumeration using webscarab
 
* Account enumeration using webscarab
* Buffer overflow
 
 
* SQLException lesson - could tie into overall error handling
 
* SQLException lesson - could tie into overall error handling
 
* XML attacks - Entity recursion, ...
 
* XML attacks - Entity recursion, ...

Latest revision as of 10:50, 4 January 2011

The project's overall goal is to...

 Be the defacto standard web application security training environment

In the near term, we are focused on the following tactical goals...

  1. Demonstrate most common web application security vulnerabilities
  2. Add educational support for secure coding practices
  3. Enhance enterprise lesson tracking
  4. Attract more contributions of lessons
  5. Revisit existing lesson base to standardize lesson theme.
  6. Increase ease-of-use and expand user base

Here are the current tasks defined to help us achieve these goals

Architectural

  • Replace basic authentication with forms based authentication
  • Rewrite all lessons to follow common theme using common database
  • Rewrite user administration to allow better user management (non-hackable)
  • Fix Logoff
  • Defuse all lessons to disallow inadvertent harm to user's OS

General

  • General security cleanup. Remove exploits that are not lesson specific
  • Remove non working lessons

New Lessons

  • Server side forward allows access to WEB-INF resources
  • Account enumeration using webscarab
  • SQLException lesson - could tie into overall error handling
  • XML attacks - Entity recursion, ...

For more information contact Bruce Mayhew at webgoat at owasp dot org