OWASP WebGoat Project Roadmap
The project's overall goal is to...
Be the defacto standard web application security training environment
In the near term, we are focused on the following tactical goals...
- Demonstrate most common web application security vulnerabilities
- Add educational support for secure coding practices
- Enhance enterprise lesson tracking
- Attract more contributions of lessons
- Revisit existing lesson base to standardize lesson theme.
- Increase ease-of-use and expand user base
Here are the current tasks defined to help us achieve these goals
- Replace basic authentication with forms based authentication
- Rewrite all lessons to follow common theme using common database
- Rewrite user administration to allow better user management (non-hackable)
- Fix Logoff
- Defuse all lessons to disallow inadvertent harm to user's OS
- General security cleanup. Remove exploits that are not lesson specific
- Remove non working lessons
- Server side forward allows access to WEB-INF resources
- Account enumeration using webscarab
- SQLException lesson - could tie into overall error handling
- XML attacks - Entity recursion, ...
For more information contact Bruce Mayhew at webgoat at owasp dot org