Category:OWASP Securing WebGoat using ModSecurity Project
From OWASP
Click here to return to OWASP Projects page.
Click here to see (& edit, if wanted) the template.
| PROJECT IDENTIFICATION | ||||||
|---|---|---|---|---|---|---|
| Project Name | OWASP Securing WebGoat using ModSecurity Project | |||||
| Short Project Description | The purpose of this project is to create custom Modsecurity rulesets that, in addition to the Core Set, will protect WebGoat 5.1 from as many of its vulnerabilities as possible (the goal is 90%) without changing one line of source code. To ensure that it will be a complete 'no touch' on WebGoat and its environment, ModSecurity will be configured on Apache server as a remote proxy server. For those vulnerabilities that cannot be prevented (partially or not at all), I will document my efforts in attempting to protect them. Business logic vulnerabilities will be particularly challenging to solve. | |||||
| Email Contacts | Project Leader Stephen Evans | Project Contributors (if applicable) Name&Email | Mailing List/Subscribe Mailing List/Use | First Reviewer Ivan Ristic & Breach Group | Second Reviewer Christian Folini | OWASP Board Member X |
| PROJECT MAIN LINKS | |||||
|---|---|---|---|---|---|
| RELATED PROJECTS | |||||
|---|---|---|---|---|---|
| SPONSORS & GUIDELINES | |||||
|---|---|---|---|---|---|
| Sponsor - OWASP Summer of Code 2008 | Sponsored Project/Guidelines/Roadmap | ||||
| ASSESSMENT AND REVIEW PROCESS | ||||
|---|---|---|---|---|
| Review/Reviewer | Author's Self Evaluation (applicable for Alpha Quality & further) | First Reviewer (applicable for Alpha Quality & further) | Second Reviewer (applicable for Beta Quality & further) | OWASP Board Member (applicable just for Release Quality) |
| 50% Review | Objectives & Deliveries reached? Yes --------- See&Edit:50% Review/Self-Evaluation (A) | Objectives & Deliveries reached? Yes --------- See&Edit: 50% Review/1st Reviewer (C) | Objectives & Deliveries reached? Yes --------- See&Edit: 50%Review/2nd Reviewer (E) | X |
| Final Review | Objectives & Deliveries reached? Yes --------- Which status has been reached? Beta Quality --------- See&Edit: Final Review/SelfEvaluation (B) | Objectives & Deliveries reached? Yes --------- Which status has been reached? Beta Quality --------- See&Edit: Final Review/1st Reviewer (D) | Objectives & Deliveries reached? Yes --------- Which status has been reached? Beta Quality --------- See&Edit: Final Review/2nd Reviewer (F) | X |
Contents |
Welcome to the OWASP Securing WebGoat using ModSecurity Project
The purpose of the OWASP Securing WebGoat using ModSecurity Project is to use ModSecurity 2.5 to protect WebGoat 5.2 from as many of its vulnerabilities as possible (the goal is 90%).
Securing WebGoat using ModSecurity Project wiki v0.7
Mailing List
https://lists.owasp.org/mailman/listinfo/owasp-webgoat-using-modsecurity
owasp-webgoat-using-modsecurity@lists.owasp.org
Project News
- 14 Jul 2008 - Project wiki created and under construction.
- 22 Oct 2008 - Wiki updates; project near 100% completion.
- 05 Nov 2008 - Finished incorporating all reviewer comments.
- 06 Nov 2008 - Gave 2 project presentations at the OWASP EU Summit in Portugal.
- 16 Nov 2008 - Added 'Section 4.4: Unfinished Business' which includes discussions about concurrent file access and Lua security.
- 29 Nov 2008:
- Added Appendix D to wiki, "Additional important stuff", which includes the wiki in a Word document and some slide decks
- Tested out the mailing list
- Sent an email to OWASP Leaders to inform them of the project and its current state
Mentions in the Media
ModSecurity Blog
http://blog.modsecurity.org/2008/10/securing-webgoat-using-modsecurity.html
OWASP EU Summit in Portugal: Thursday
http://denimgroup.typepad.com/denim_group/2008/11/owasp-eu-summit-in-portugal-thursday.html
Contacts
stephencraig_dot_evans_at_gmail_dot_com
This category currently contains no articles or media.
