Project Information:template Securing WebGoat using ModSecurity 50 Review Second Review E

From OWASP
Revision as of 03:25, 12 September 2008 by Dune73 (Talk | contribs)



50% REVIEW PROCESS

Project Deliveries & Objectives

OWASP Securing WebGoat using ModSecurity Project's Deliveries & Objectives

QUESTIONS ANSWERS

1. To what extent have the project deliveries and objectives been accomplished? Taking the assumed ones into consideration, please give examples by writing down those that have not been realised.

2. To what extent have the project deliveries and objectives been accomplished? Taking the assumed ones into consideration, please quantify this as a percentage.

3. Please use the right-hand column to provide advice and make suggestions for further work.

http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section_1_Introduction

Background:

 Embedded or as Reverse Proxy? Not quite clear what you mean.
 Guess you mean within the application server or within an Apache RP.
 WebGoat should be introduced too in this paragraph.

Purpose:

 "one line of source code": in WebGoat, that is.

http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section_2_WebGoat

  The identification of the target and the introduction of a numbering scheme for stages of a lesson and its sublessons is a useful approach.
  "Overview of lesson results"
   -> A table within the wiki with color codes would be very useful here.

http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section_3_ModSecurity_WebGoat_at_50_percent

   Neat and clean project setup description. Like it.
   I personally believe that you could have profited from working on the command line with "curl" to replay the attack, until the rules are correct, and then check in the browser.
   "empty the cash" -> rather not my account please. :)
       Guess it's the cache that should be emptied.

http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_04.2

 Respect. That really is a WAF approach to a business logic flaw. Cool.

http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_04.4_04.5

  I suggest you split the page in two. It's two lessons. Make it two pages, even if you repeat yourself. Right now, the text all appears under 4.5. Or did I get it wrong?

http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_08.2_08.4_08.5_08.7

  I am losing track of the lessons a bit here. Guess it is only me.

You provide very useful comments in the rule files. I like those very much.