Re: Next WebGoat release

From: Jeff Williams (at) Aspect <(at)>
Date: Tue Jul 29 2003 - 20:08:06 EDT

Ty,

WebGoat is being worked. Here is the list of lessons that are currently being developed. If you have any suggestions for new lessons, please let me know. Please try to describe the lesson like I've done below, so that we have a good sense of what you're thinking and how it would work. Better yet, just implement a lesson -- the plug-in architecture makes it really really easy. All you have to do is fill in a few methods and bang -- it works.

  • How to bypass client-side security checks -- a simple form with JavaScript checking of field values. Student can intercept the request on the way back to the server and fill in bad values, or can intercept the page with the form on the way to the browser and delete the scripts.
  • How to bypass authorization system -- users log on with a role and then are shown certain functions. Student should explore the model and then attempt to access resources for which they are not authorized.
  • How to use XSS to steal cookies, steal form values, and change content -- an enhanced XSS lesson that allows students to do some serious JavaScript damage.
  • Encoding Basics -- finish this lesson to provide more encodings (and provide a reference implementation of the most common encoding functions)
  • LDAP Injection? -- create a simple LDAP simulation that allows students to inject queries and access more of the LDAP structure than they ought to be allowed to.
  • How to abuse a web email function -- a more realistic simulation of a web based emailer that will allow the student to use it as a spam proxy and inject images and attachments.
  • Updated Challenge -- more realistic authentication problems, remove the SSI piece and replace with a more current injection threat, and perhaps add some more stages.
  • How to steal sessions -- a lesson that chooses a slightly less than random session key and allows a Session ID attack. Hopefully uses the capabilities of one of the Session ID tools, such as the one built in Exodus.
  • How to reverse engineer an applet -- a lesson demonstrating the futility of attempting to hide secrets or algorithms in an applet. Students will reverse an applet, extract encryption keys, and use them to decode an encrypted file transferred from the server.

    Please send your ideas! Thanks,

    --Jeff

    Jeff Williams
    Aspect Security
    http://www.aspectsecurity.com

    ----- Original Message -----
    From: Ty Bodell
    To: webappsec@securityfocus.com
    Sent: Tuesday, July 29, 2003 1:21 PM
    Subject: Next WebGoat release

Hey all--
Haven't heard anything about the next release of OWASP's WebGoat in a while, is there a release date for version 3 or are we still developing? What did everyone think of version 2 if you tried it? I checked the sourceforge site for webgoat but it doesn't give an upcoming date :-/ Let me know if you find anything.
Thanks,
Ty Bodell

Received on Tue Jul 29 20:25:23 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT