Project Information: Securing WebGoat using ModSecurity, 50% Review (Second Review)
50% REVIEW PROCESS
Project Deliveries & Objectives
1. To what extent have the project deliveries and objectives been accomplished? Considering the assumed ones, please give examples by writing down those that have not been realised.
2. To what extent have the project deliveries and objectives been accomplished? Considering the assumed ones, please quantify in terms of percentage.
3. Please use the right-hand column to provide advice and make work suggestions.
Embedded or as Reverse Proxy? Not quite clear what you mean. Guess you mean within the application server or within an Apache RP. WebGoat should be introduced too in this paragraph.
"one line of source code" -> in WebGoat, that is.
The identification of the target and the introduction of a numbering scheme for stages of a lesson and its sublessons is a useful approach.
Overview of lesson results -> A table within the wiki with color codes would be very useful here.
Neat and clean project setup description. Like it.
I personally believe that you could have profited from working on the command line with "curl" to replay the attack, until the rules are correct and then check in the browser.
"empty the cash" -> rather not my account please. :) guess it's the cache that should be emptied.
Respect. That really is a WAF approach to a business logic flaw. Cool.
I suggest you split the page in two. It's two lessons. Make it two pages, even if you repeat yourself. Right now, the text all appears under 4.5. Or did I get it wrong?
I am losing a bit track of the lessons here. Guess it is only me.
You provide very useful comments in the rule files. I like those very much.
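The reviewer's suggestion to iterate on rules from the command line rather than in the browser can be turned into a small replay harness. The script below is an added example, not code from the reviewed project or from WebGoat or ModSecurity; it assumes WebGoat runs behind ModSecurity at `WEBGOAT_URL` (default `http://localhost:8080/WebGoat`), that a blocked request comes back with HTTP 403 (`BLOCK_STATUS`), and that a logged-in session is kept in a curl cookie jar (`COOKIE_JAR`). The request to replay is given as METHOD, PATH and an optional BODY, so the same captured lesson request can be re-sent after every rule edit and the result read off as "blocked" or "allowed".

```shell
#!/bin/sh
# Added example (not part of the reviewed project): replay one captured
# WebGoat request with curl and report whether ModSecurity blocked it,
# so a rule can be tuned from the shell before checking in the browser.
# Assumptions (hypothetical, not taken from the review): WebGoat is at
# $WEBGOAT_URL, a denied request returns $BLOCK_STATUS, and the session
# cookie lives in $COOKIE_JAR.

WEBGOAT_URL="${WEBGOAT_URL:-http://localhost:8080/WebGoat}"
BLOCK_STATUS="${BLOCK_STATUS:-403}"      # status the deny action is assumed to return
COOKIE_JAR="${COOKIE_JAR:-cookies.txt}"  # curl cookie jar holding the WebGoat session

# verdict STATUS -> prints "blocked", "allowed" or "error" for one HTTP status code.
# "000" is what curl's %{http_code} prints when no connection could be made.
verdict() {
  case "$1" in
    "$BLOCK_STATUS") echo blocked ;;
    2*|3*)           echo allowed ;;
    *)               echo error ;;
  esac
}

# replay METHOD PATH [BODY] -> sends the request once and prints "<status> <verdict>".
# Only the status code is needed, so the response body goes to /dev/null.
replay() {
  method=$1
  path=$2
  body=${3:-}
  if [ -n "$body" ]; then
    status=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" \
      -b "$COOKIE_JAR" -c "$COOKIE_JAR" --data "$body" "$WEBGOAT_URL$path")
  else
    status=$(curl -s -o /dev/null -w '%{http_code}' -X "$method" \
      -b "$COOKIE_JAR" -c "$COOKIE_JAR" "$WEBGOAT_URL$path")
  fi
  echo "$status $(verdict "$status")"
}

# Only send a request when METHOD and PATH were passed on the command line,
# so the file can also be sourced for its functions.
if [ "$#" -ge 2 ]; then
  replay "$@"
fi
```

Typical use is `sh replay.sh POST /attack 'Screen=X&menu=Y&field=value'` after each change to the rule file; a line ending in "blocked" confirms the rule matched, "allowed" means the request still passes, and "error" points at a connection or server problem rather than at the rule.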