WebApp Sec mailing list archives

OWASP WebGoat release WebMaven v1.0


From: bill <bill () owasp org>
Date: Thu, 24 Oct 2002 14:19:14 -0700 (PST)


------------------------------------------------------

The OWASP WebGoat 'blame it on the goat' project team 
are pleased to release Version 1.0 of WebMaven. 

WebMaven is an intentionally broken web application. 
It is intended to be used in a safe legal environment 
(your own host) as a training tool, as a basic 
benchmark platform to test web application security 
scanners and as a HoneyPot. The current incarnation 
is a simple Perl CGI from which you can add your own 
HTML front-end. 
Example vulnerabilities include XSS, SQL injection 
and parameter tampering.

The original code was developed by David Rhoades 
of MavenSecurity and many thanks go to Steve Taylor 
for the extra hours he has put into the project to 
ensure that it works with Apache on both Linux and 
Win32 environments.

You can download the files in a zip or tar.gz file  
from the OWASP project page 

http://www.owasp.org/webgoat/
 
The work is not done yet though. Version 1 is really 
the proof of concept! There are a limited set of 
vulnerabilities. 

We are immediately starting building V2 in Java or 
PHP and will look at a much more functional release 
early next year. More vulnerabilities, easier 
benchmarking results maybe even "plug and pray" holes 
{tm} ;-). If you want to join the project team and 
can offer some regular development time, please 
contact William Hau (bill () owasp org) with a quick 
note of your coding skills and time you can commit.

One key output from this project will be to 
eventually start benchmarking commercial and 
opensource app scanners on the market today.

If you use a commercial or open source tool and 
want to share your results, send them to 
bill () owasp org so we can collate them into a 
benchmark database. We were pretty shocked 
from our own internal tests!

In the meanwhile enjoy and remember that it is 
an intentionally insecure application. Do not deploy 
on systems you don't want compromised!
 
Look out for lots more OWASP development projects 
popping in http-land near you soon!

Enjoy!
 
OWASP WebGoat

-----------------------------------------------------