WebApp Sec mailing list archives
Re: Next WebGoat release
From: "Mark Curphey" <mark () curphey com>
Date: Tue, 29 Jul 2003 20:39:05 -0400
I have also run the original code through the Visual Studio .NET Java to C# converter and got a handful of things to convert before we have WebGoat.NET. Any C# people with a few hours on their hands, please drop me a line.

----- Original Message -----
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
To: <webappsec () securityfocus com>
Cc: <bruce.mayhew () aspectsecurity com>
Sent: Tuesday, July 29, 2003 8:08 PM
Subject: Re: Next WebGoat release

Ty,

WebGoat is being worked. Here is the list of lessons that are currently being developed. If you have any suggestions for new lessons, please let me know.

Please try to describe the lesson like I've done below, so that we have a good sense of what you're thinking and how it would work. Better yet, just implement a lesson -- the plug-in architecture makes it really really easy. All you have to do is fill in a few methods and bang -- it works.

1) How to bypass client-side security checks -- a simple form with JavaScript checking of field values. Student can intercept the request on the way back to the server and fill in bad values, or can intercept the page with the form on the way to the browser and delete the scripts.

2) How to bypass authorization system -- users log on with a role and then are shown certain functions. Student should explore the model and then attempt to access resources for which they are not authorized.

3) How to use XSS to steal cookies, steal form values, and change content -- an enhanced XSS lesson that allows students to do some serious JavaScript damage.

4) Encoding Basics -- finish this lesson to provide more encodings (and provide a reference implementation of the most common encoding functions)

5) LDAP Injection? -- create a simple LDAP simulation that allows students to inject queries and access more of the LDAP structure than they ought to be allowed to.

6) How to abuse a web email function -- a more realistic simulation of a web-based emailer that will allow the student to use it as a spam proxy and inject images and attachments.

7) Updated Challenge -- more realistic authentication problems, remove the SSI piece and replace with a more current injection threat, and perhaps add some more stages.

8) How to steal sessions -- a lesson that chooses a slightly less than random session key and allows a Session ID attack. Hopefully uses the capabilities of one of the Session ID tools, such as the one built in Exodus.

9) How to reverse engineer an applet -- a lesson demonstrating the futility of attempting to hide secrets or algorithms in an applet. Students will reverse an applet, extract encryption keys, and use them to decode an encrypted file transferred from the server.

Please send your ideas!

Thanks,

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com

----- Original Message -----
From: Ty Bodell
To: webappsec () securityfocus com
Sent: Tuesday, July 29, 2003 1:21 PM
Subject: Next WebGoat release

Hey all--

Haven't heard anything about the next release of OWASP's WebGoat in a while, is there a release date for version 3 or are we still developing? What did everyone think of version 2 if you tried it? I checked the sourceforge site for webgoat but it doesn't give an upcoming date :-/ Let me know if you find anything.

Thanks,
Ty Bodell