- notageek.it by Mirko Iodice - http://www.notageek.it -

OWASP WebGoat Project

WebGoat [1] is a deliberately "insecure" web application designed by OWASP to teach, through a series of lessons, the main security issues that affect this kind of software.

The main goal of the WebGoat project is to provide an interactive learning environment for teaching web security, or rather: web INsecurity.

From the project homepage:

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

[...]

WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:

* Cross Site Scripting
* Access Control
* Thread Safety
* Hidden Form Field Manipulation
* Parameter Manipulation
* Weak Session Cookies
* Blind SQL Injection
* Numeric SQL Injection
* String SQL Injection
* Web Services
* Fail Open Authentication
* Dangers of HTML Comments
* ... and many more!

It is nice to see that the development team, tongue in cheek, also recommends that developers take WebGoat for a spin.

To get started, I invite you to read the installation guide [2] and, of course, to explore all the main aspects of the project on its homepage [1].
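To give a feel for two of the lessons listed above (String SQL Injection and Numeric SQL Injection), here is an added example that is not WebGoat's own code: a tiny lookup over an in-memory SQLite table of constructed "fake credit card" rows, written once with string concatenation (the bug the lessons make you exploit) and once with bound parameters (the fix). The table name, column names, sample rows and the `user_data` lookup functions are assumptions made for this example; WebGoat's real lesson uses its own schema.

```python
import sqlite3

# Constructed sample rows standing in for the lesson's "fake credit card numbers".
# The table name, columns and values are assumptions for this example, not
# WebGoat's own schema.
SAMPLE_ROWS = [
    (101, "Joe Snow", "987654321"),
    (102, "John Smith", "2234200065411"),
    (103, "Jane Plane", "123456789"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (id INTEGER PRIMARY KEY, name TEXT, cc_number TEXT)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def by_name_vulnerable(conn, name):
    """String SQL injection: the user-supplied name is spliced into the query text,
    so a quote in the input closes the literal and the remainder is parsed as SQL."""
    sql = "SELECT id, name, cc_number FROM user_data WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def by_id_vulnerable(conn, user_id):
    """Numeric SQL injection: there are no quotes to escape at all; the "number" is
    appended as text, so an 'OR 1=1' tail rides along unchanged."""
    sql = "SELECT id, name, cc_number FROM user_data WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def by_name_fixed(conn, name):
    """Parameterised query: the driver binds the value, so it is never parsed as SQL."""
    sql = "SELECT id, name, cc_number FROM user_data WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def by_id_fixed(conn, user_id):
    """Numeric input is validated first (int() raises on 'OR 1=1') and then bound."""
    sql = "SELECT id, name, cc_number FROM user_data WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def run_demo():
    """Run both lessons' classic payloads against the vulnerable and fixed lookups."""
    conn = make_db()
    string_payload = "Smith' OR '1'='1"   # closes the literal, adds an always-true clause
    numeric_payload = "101 OR 1=1"        # no quoting needed for a numeric parameter
    results = {
        "normal": by_name_vulnerable(conn, "John Smith"),
        "string_injection": by_name_vulnerable(conn, string_payload),
        "numeric_injection": by_id_vulnerable(conn, numeric_payload),
        "string_fixed": by_name_fixed(conn, string_payload),
    }
    try:
        by_id_fixed(conn, numeric_payload)
        results["numeric_fixed"] = "accepted"
    except ValueError:
        results["numeric_fixed"] = "rejected"
    return results


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label}: {value}")
```

Running it shows the whole point of the two lessons in one screen: the "normal" lookup returns one row, both injected payloads return every card in the table, the bound-parameter version returns nothing for the string payload (it is simply looking for a customer literally named `Smith' OR '1'='1`), and the numeric version refuses the input before it ever reaches the database.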

[Screenshot: WebGoat XSS lesson] [3]
[Screenshot: WebGoat Basic Authentication lesson] [4]


Author

Mirko Iodice
mirko -at- notageek (.dot) it