Re: Next WebGoat release

["Mark Curphey" <mark () curphey com>]

I have also run the original code through the Visual Studio .NET Java to C#
converter and got a handful of things to convert before we have WebGoat.NET.
Any C# people with a few hours on their hands, please drop me a line.
----- Original Message ----- 
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
To: <webappsec () securityfocus com>
Cc: <bruce.mayhew () aspectsecurity com>
Sent: Tuesday, July 29, 2003 8:08 PM
Subject: Re: Next WebGoat release


> Ty,
>
> WebGoat is being worked.  Here is the list of lessons are currently being
> developed.  If you have any suggestions for new lessons, please let me
know.
> Please try to describe the lesson like I've done below, so that we have a
> good sense of what you're thinking and how it would work.  Better yet,
just
> implement a lesson -- the plug-in architecture makes it really really
easy.
> All you have to do is fill in a few methods and bang -- it works.
>
> 1) How to bypass client-side security checks -- a simple form with
> JavaScript checking of field values.  Student can intercept the request on
> the way back to the server and fill in bad values, or can intercept the
page
> with the form on the way to the browser and delete the scripts.
>
> 2) How to bypass authorization system -- users log on with a role and then
> are shown certain functions.  Student should explore the model and then
> attempt to access resources for which they are not authorized.
>
> 3) How to use XSS to steal cookies, steal form values, and change
content -- 
> an enhanced XSS lesson that allows students to do some serious JavaScript
> damage.
>
> 4) Encoding Basics -- finish this lesson to provide more encodings (and
> provide a reference implementation of the most common encoding functions)
>
> 5) LDAP Injection? -- create a simple LDAP simulation that allows students
> to inject queries and access more of the LDAP structure than they ought to
> be allowed to.
>
> 6) How to abuse a web email function -- a more realistic simulation of a
web
> based emailer that will allow the student to use it as a spam proxy and
> inject images and attachments.
>
> 7) Updated Challenge -- more realistic authentication problems, remove the
> SSI piece and replace with a more current injection threat, and perhaps
add
> some more stages.
>
> 8) How to steal sessions -- a lesson that chooses a slightly less than
> random session key and allows a Session ID attack.  Hopefully uses the
> capabilities of one of the Session ID tools, such as the one built in
> Exodus.
>
> 9) How to reverse engineer an applet -- a lesson demonstrating the futilty
> of attempting to hide secrets or algorithms in an applet.  Students will
> reverse an applet, extract encryption keys, and use them to decode an
> encrypted file transferred from the server.
>
> Please send your ideas!  Thanks,
>
> --Jeff
>
> Jeff Williams
> Aspect Security
> http://www.aspectsecurity.com
>
>
>
> ----- Original Message ----- 
> From: Ty Bodell
> To: webappsec () securityfocus com
> Sent: Tuesday, July 29, 2003 1:21 PM
> Subject: Next WebGoat release
>
>
> Hey all--
> Haven't heard anything about the next release of OWASPs WebGoat in a
while,
> is there a release date for version 3 or are we still developing.  What
did
> everyone think of version 2 if you tried it?  I checked the sourceforge
site
> for webgoat but it doesn't give an upcoming date :-/ Let me know if you
find
> anything.
> Thanks,
> Ty Bodell
> -- 
> __________________________________________________________
> Sign-up for your own FREE Personalized E-mail at Mail.com
> http://www.mail.com/?sr=signup
>
> CareerBuilder.com has over 400,000 jobs. Be smarter about your job search
> http://corp.mail.com/careers