OWASP WebGoat Reboot2012


Leader: Abbas Naderi Afooshteh (abbas.naderi@owasp.org)



OWASP WebGoat is a deliberately insecure JSP web application with plenty of web vulnerabilities, designed to increase awareness and provide a practical educational environment for common web security flaws. A WebGoat user has to "hack" the application in various scenarios, and sometimes change the code to make it resistant to hacking. Plenty of hints and descriptions are also available.

WebGoat is the most famous amongst OWASP projects, with more than 750000 wiki hits and much positive feedback. Many instructors as well as security experts use WebGoat to provide an applicable security awareness environment.

WebGoatPHP is a port of WebGoat to PHP, the most commonly used and commonly flawed web application language, and MySQL/SQLite databases. There are a few additions to WebGoatPHP that are not available in the original WebGoat:

Contest Mode: WebGoatPHP offers a contest mode, in which challenges are presented to a contestant without hints or help, and solving each challenge opens the next and also provides some points and timing. This mode makes WebGoatPHP ideal for CTFs, and many contributors will add challenges to it over time.

Workshop Mode: In workshop mode, WebGoatPHP has a centralized control system, where a lecturer controls the hints, help and progress of the different participants according to their needs, so that they can master the tricks.

Secure Coding Mode: The user should change the code so that the security flaws are no longer there.

These three modes would make WebGoatPHP much more practical and provide it with many contributors and developers.

Reboot Type

WebGoatPHP has already been started, but very little progress has been made, since a few developers signed up for GSoC 2012 and they were rejected. We need a type 2 reboot, to increase awareness and get some community on the project. The project is amusing enough that we don't need any budget for contributors. Finally, a type 1 reboot is the goal.

Goals of Reboot

We plan to gather a community of at least 5 people working on WebGoatPHP's first release. The most common vulnerabilities are planned for this release. After that, the community will grow larger and people will start working on this.


Approximately 3 months of summer would suffice for the release of the first version. Half of the summer would be appropriate for the 50% milestone. Current WebGoat participants and leaders are suited for reviews, as well as any other OWASP people.


I can't estimate the required budget, but I've listed what needs to be done, so I'd appreciate it if some expert would care to estimate a budget/plan for this course of action.