OWASP WebGoat Project Roadmap

Revision as of 08:00, 8 October 2007 by Bmayhew (talk | contribs)

Jump to: navigation, search

The project's overall goal is to...

 Be the defacto standard web application security training environment

In the near term, we are focused on the following tactical goals...

  1. Demonstrate most common web application security vulnerabilities
  2. Increase ease-of-use and expand userbase
  3. Attract more contributions of lessons
  1. Revisit existing lesson base to standardize lesson theme.

Here are the current tasks defined to help us achieve these goals


  • Convert lessons to struts framework (Major effort)
  • Rewrite all lessons to follow common theme using common database
  • Rewrite user administration to allow better user management (non-hackable)
  • Fix Logoff
  • Defuse all lessons to disallow inadvertent harm to user's OS


  • General security cleanup. Remove exploits that are not lesson specific
  • Denial of service lesson rewrite
  • Bypass client side javascript lesson rewrite
  • Improve using an access control matrix lesson
  • Improve encoding basics lesson
  • Improve thread safety lesson
  • Cross site trace only works in older browsers
  • Improve CSRF lesson

New Lessons

  • Server side forward allows access to WEB-INF resources
  • Account enumeration using webscarab
  • Buffer overflow
  • SQLException lesson - could tie into overall error handling
  • XML attacks - Entity recursion, ...

For more information contact Bruce Mayhew at webgoat at owasp dot org