tobyash86 / webgoat.net Goto Github PK

For now, exercises were provided in the form of pdf documents. For sure we need to update them, but we need to consider if we want to stay with pdf documents or change the format.

Currently it looks like this:

all the columns with numbers should be justified to the right to improve readability.

Sometimes there is only one featured product displayed on the main page (instead of four).

For now, ClickJacking does not work. We need to find out if it does have any sense to bring it back (e.g. the ASP.NET Core may be secured against it). If we will drop it, we need to remove all the ClickJacking content (e.g. from About).

There is a possibility to add the same product into the cart. It does not increase the quantity, but adds separate entry to the cart instead. It causes a runtime exception during checkout.

Currently we use OWASP icon, but we should use WebGoat icon.
By the way we could update logo in website menu.

When typing to search bar for products currently you need to be case-sensitive which seems to be a bad idea. Most search bars ignore casing.

Right now this page looks

Feedback from Dave W.:

To avoid scaring people, can you eliminate most/all the compilation warnings that occur when you run: dotnet publish ...

Changing number there is not affecting cart content so user shouldn't be able to edit it.

Feedback from Dave W.:

In the readme, for both docker run commands, please add --rm to both commands so the container is removed when it is stopped. Otherwise, when you try to run it again, it will complain there is already a container with that name. Can you also add instructions on how to stop the containers (docker stop webgoat).

Feedback from Dave W.:

I was trying to enter a credit card and I keep getting "That card is not valid. Please enter a valid card."

Can you provide an explanation of what is legal? Either in a tooltip/or in the error message.

The latest OWASP Top 10 is not covered. The uncovered vulnerabilities need to be added to the codebase. Currently, the project covers version 2010.

Feedback from Dave W.:

Going to 'My Account' takes you to the login page? I would have thought it would have shown info about 'My Account'.

Feedback from Dave W.:

On the Register page, there is a User Name field in both the Account Info and Address blocks. Can you eliminate the 2nd one, or rename it to just 'Name' and list it first?

We should keep WebGoat.NET as the name of web app. We need to make sure that we use it across entire application and GitHub project.

Feedback from Dave W.:

Logout doesn't clear my cart (or do anything else?) - On purpose vuln??

We need to consider if this may be used in the context of newest Top 10. Otherwise, we need to fix it.

Feedback from Dave W.:

Whatever you can do to make it SUPER EASY to use, is always good. If you look at the root directory of my OWASP project: https://github.com/OWASP/Benchmark you'll see things like:

• URL file that points to the web app home page
• various prebuilt scripts to do common tasks

Feedback from Dave W.:

Can you add a web icon to the app, so there is an Icon for this app in the browser? Ideally some kind of WebGoatdotNET icon.

@annastuchlik please help us with summarizing the set of changes for webgoat.net 1.0. It contains set of fixes requested by OWASP team. Please focus on readme.md.

It wasn't like that in initial version. Regression.

when user adds a negative quantity of product, shipping cost is also a negative number and order looks like :

Feedback from Dave W.:

There is an FAQ link on this page that points to: http://localhost:5000/Home/FAQ.aspx - That page does not exist.

Feedback from Dave W.:

In the readme, or somewhere, can you add the tools required to install/run it outside of Docker? I.e., exactly what .NET installer you need, and anything else. (e.g., .NET Core SDK?). And the minimum version of each would be helpful too.

Feedback from Dave W.:

For the docker stuff, I think maybe the image/container should be called webgoatdotnet to distinguish it from original webgoat (for Java)?

Feedback from Dave W.:

Can you add a 404 response handler that returns a Generic 'Not Found' page, rather than the raw: "No webpage was found for the web address: http://localhost:5000/Product/Detail"

And maybe handlers for other response codes too. You could even add some vulns to some of these pages, like XSS (for example) :-)

Merge a commit from the original WebGoat project which improves database usage.

There are some raw SQL queries in the code. We should consider using EF Core instead.
For some reason EF does not work properly in the checkout, we need to find out why and fix it.

Feedback from Dave W.:

In the products list, can you sort the list alphabetically by product name? It seems weird to have this apparently random order, which I understand is ordered by product ID.

We need to make it similar to how it looks on receipt/cart. Currently it looks like that:

Feedback from Dave W.:

There are a number of references on this page to specific .NET technology, which I suspect is not valid anymore. For example:
"Other Notes: When a user registers, he must enter a username and company name. His customerId will be based on CompanyName. His contact Name will be his UserName. Customer.ContactName cannot be changed once set or the link between ASP.NET's authentication and the Northwind tables will be broken."

Currently, the supported version of OWASP Top 10 is 2010. In general, we should update the WebGoat project to be compatible (contain vulnerabilities) of the newest standard.

I think we need to delay the update. Possibly a new OWASP version may be released before we will finalize the work. Also, first, we should include the vulnerabilities in the code.

Feedback from Dave W.:

Maybe update the dates on the blog posts to be 2019 instead of 2011 :-)

login to WebGOAT
create order, use credit cart and select 'Remember this credit card number for next time I check out'.
Create next order, at checkout credit card is specified - OK.
Clear credit card field and click Place order (credit card field is empty).
Instead of message 'Please provide valid card number' I get

On Package Tracking page:

On My orders page: