tobyash86 / webgoat.net
WebGoat.NETCore - port of original WebGoat.NET to .NET Core
Home Page: https://wiki.owasp.org/index.php/Category:OWASP_WebGoat.NET
For now, exercises are provided in the form of PDF documents. We certainly need to update them, but we need to consider whether we want to stay with PDF documents or change the format.
Sometimes there is only one featured product displayed on the main page (instead of four).
For now, ClickJacking does not work. We need to find out whether it makes sense to bring it back (e.g. ASP.NET Core may be secured against it). If we drop it, we need to remove all the ClickJacking content (e.g. from About).
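A caveat worth checking before deciding: ASP.NET Core does not block framing globally, but its antiforgery system adds `X-Frame-Options: SAMEORIGIN` to any response in which it generates a token (for instance a view rendered with the `<form>` tag helper), which is enough to break a clickjacking lesson on a page with a form while leaving form-less pages frameable. The fragment below is an added example, not code from the WebGoat.NET repository; it assumes ASP.NET Core 3.x MVC and a hypothetical `/ClickJacking` route for the lesson, and shows how to suppress the implicit header and set framing policy explicitly per route (deny everywhere except the lesson page):

```csharp
// Added example, not WebGoat.NET's own Startup. Assumes ASP.NET Core 3.x and that the
// clickjacking lesson is served under a hypothetical /ClickJacking path.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // The antiforgery system emits X-Frame-Options: SAMEORIGIN whenever it generates
        // a token (e.g. any view containing a <form> tag helper). That silently protects
        // the lesson page, so turn the implicit header off and control it below instead.
        services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.Use(async (context, next) =>
        {
            // OnStarting runs just before the first byte of the response is written,
            // so the header is set regardless of which endpoint handles the request.
            context.Response.OnStarting(() =>
            {
                bool lessonPage = context.Request.Path.StartsWithSegments("/ClickJacking");
                if (!lessonPage)
                {
                    // Hardened default for the rest of the app: refuse framing outright.
                    // frame-ancestors is the modern control; X-Frame-Options covers old browsers.
                    context.Response.Headers["X-Frame-Options"] = "DENY";
                    context.Response.Headers["Content-Security-Policy"] = "frame-ancestors 'none'";
                }
                // The lesson page deliberately sends no framing restriction at all.
                return Task.CompletedTask;
            });
            await next();
        });

        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

To confirm the lesson actually works, load the lesson URL from an attacker-style page on a different origin inside an `<iframe>` and verify with the browser's network panel that the response carries neither `X-Frame-Options` nor a `frame-ancestors` directive; every other page should show `X-Frame-Options: DENY`.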
It is possible to add the same product to the cart twice. This does not increase the quantity but adds a separate entry to the cart instead, which causes a runtime exception during checkout.
Currently we use the OWASP icon, but we should use the WebGoat icon.
By the way, we could also update the logo in the website menu.
When typing into the product search bar you currently need to match case exactly, which seems like a bad idea. Most search bars ignore casing.
Feedback from Dave W.:
To avoid scaring people, can you eliminate most/all the compilation warnings that occur when you run: dotnet publish ...
Changing the number there does not affect the cart contents, so the user shouldn't be able to edit it.
Feedback from Dave W.:
In the readme, for both docker run commands, please add --rm to both commands so the container is removed when it is stopped. Otherwise, when you try to run it again, it will complain there is already a container with that name. Can you also add instructions on how to stop the containers (docker stop webgoat).
Feedback from Dave W.:
I was trying to enter a credit card and I keep getting "That card is not valid. Please enter a valid card."
Can you provide an explanation of what is legal? Either in a tooltip/or in the error message.
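What "valid" usually means for a card number is: digits only (spaces or dashes between groups tolerated), 13 to 19 digits, and a correct Luhn (mod 10) check digit. The validator below is an added example, not WebGoat.NET's own code; it assumes the app's check is Luhn-based (the page does not state the actual rule) and returns a specific reason for each failure so it can be reused as the tooltip or error text Dave asks for:

```csharp
// Added example, not WebGoat.NET's validation code. Assumes the app's "valid card" rule
// is the standard Luhn check; the project's real rule was not verified.
using System;
using System.Linq;

public static class CardNumberValidator
{
    // Returns null when the number is acceptable, otherwise a message explaining
    // which rule failed (suitable for a tooltip or the error banner).
    public static string Explain(string input)
    {
        if (string.IsNullOrWhiteSpace(input))
            return "Please provide a card number.";

        // People type 4111 1111 1111 1111 or with dashes; strip separators first.
        string digits = new string(input.Where(c => c != ' ' && c != '-').ToArray());

        if (!digits.All(char.IsDigit))
            return "A card number may contain only digits (spaces or dashes between groups are fine).";

        if (digits.Length < 13 || digits.Length > 19)
            return "A card number has between 13 and 19 digits.";

        if (!PassesLuhn(digits))
            return "The check digit is wrong: the number fails the Luhn (mod 10) checksum.";

        return null;
    }

    // Luhn: from the rightmost digit leftwards, double every second digit, subtract 9
    // from any doubled value above 9, sum everything, and require sum % 10 == 0.
    public static bool PassesLuhn(string digits)
    {
        int sum = 0;
        bool doubleIt = false;
        for (int i = digits.Length - 1; i >= 0; i--)
        {
            int d = digits[i] - '0';
            if (doubleIt)
            {
                d *= 2;
                if (d > 9) d -= 9;
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    public static void Main()
    {
        // Constructed sample inputs: a widely published test number, the same number
        // with its last digit mistyped, non-digit garbage, and an empty field.
        foreach (var s in new[] { "4111 1111 1111 1111", "4111 1111 1111 1112", "12ab", "" })
            Console.WriteLine($"\"{s}\" -> {Explain(s) ?? "valid"}");
    }
}
```

Note the caveat for a security training app: a Luhn-valid number is only syntactically plausible, not a real or authorized card, so the message should say "valid format" rather than imply the card was accepted.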
The latest OWASP Top 10 is not covered. The uncovered vulnerabilities need to be added to the codebase. Currently, the project covers version 2010.
Feedback from Dave W.:
Going to 'My Account' takes you to the login page? I would have thought it would have shown info about 'My Account'.
Feedback from Dave W.:
On the Register page, there is a User Name field in both the Account Info and Address blocks. Can you eliminate the 2nd one, or rename it to just 'Name' and list it first?
We should keep WebGoat.NET as the name of the web app. We need to make sure that we use it across the entire application and the GitHub project.
Feedback from Dave W.:
Logout doesn't clear my cart (or do anything else?) - On purpose vuln??
We need to consider whether this can be used in the context of the newest Top 10. Otherwise, we need to fix it.
Feedback from Dave W.:
Whatever you can do to make it SUPER EASY to use, is always good. If you look at the root directory of my OWASP project: https://github.com/OWASP/Benchmark you'll see things like:
- URL file that points to the web app home page
- various prebuilt scripts to do common tasks
Feedback from Dave W.:
Can you add a web icon to the app, so there is an Icon for this app in the browser? Ideally some kind of WebGoatdotNET icon.
@annastuchlik please help us summarize the set of changes for webgoat.net 1.0. It contains a set of fixes requested by the OWASP team. Please focus on readme.md.
It wasn't like that in the initial version. Regression.
Feedback from Dave W.:
There is an FAQ link on this page that points to: http://localhost:5000/Home/FAQ.aspx - That page does not exist.
Feedback from Dave W.:
In the readme, or somewhere, can you add the tools required to install/run it outside of Docker? I.e., exactly what .NET installer you need, and anything else. (e.g., .NET Core SDK?). And the minimum version of each would be helpful too.
Feedback from Dave W.:
For the docker stuff, I think maybe the image/container should be called webgoatdotnet to distinguish it from original webgoat (for Java)?
Feedback from Dave W.:
Can you add a 404 response handler that returns a Generic 'Not Found' page, rather than the raw: "No webpage was found for the web address: http://localhost:5000/Product/Detail"
And maybe handlers for other response codes too. You could even add some vulns to some of these pages, like XSS (for example) :-)
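One way to do both halves of this request in ASP.NET Core, as an added example rather than code from the WebGoat.NET repository: route every empty-bodied 4xx/5xx response to a generic error page, and keep a second, deliberately vulnerable handler that reflects the requested path into the HTML unencoded for a reflected-XSS lesson. It assumes ASP.NET Core 3.x MVC and a hypothetical `ErrorController`; which handler is active depends on the path format passed to `UseStatusCodePagesWithReExecute`.

```csharp
// Added example, not WebGoat.NET's own code. Assumes ASP.NET Core 3.x MVC.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Mvc;

public static class ErrorPagesSetup
{
    public static void Configure(IApplicationBuilder app)
    {
        // Must come before UseRouting/UseEndpoints. Any response with status >= 400 and
        // no body is re-executed through the pipeline at /Error/{statusCode}, so the
        // browser gets a real page instead of "No webpage was found for the web address".
        // Point this at "/Error/Reflected/{0}" in the lesson build to enable the XSS.
        app.UseStatusCodePagesWithReExecute("/Error/{0}");
    }
}

public class ErrorController : Controller
{
    // Hardened handler: the originally requested path is HTML-encoded before it is
    // reflected, so <script> or <img onerror=...> in the URL renders as inert text.
    [Route("Error/{code:int}")]
    public IActionResult Index(int code)
    {
        string requested = WebUtility.HtmlEncode(OriginalPath());
        string title = code == 404 ? "Not Found" : $"Error {code}";
        Response.StatusCode = code; // keep the real status so tools and crawlers see it
        return Content(Page(title, $"Sorry, there is nothing at <code>{requested}</code>."), "text/html");
    }

    // Deliberately vulnerable handler for a reflected-XSS lesson: the path is spliced
    // into the HTML as-is. A request such as /Lesson/<img src=x onerror=alert(1)>
    // (the browser percent-encodes it; Kestrel decodes it into OriginalPath) runs script.
    [Route("Error/Reflected/{code:int}")]
    public IActionResult Reflected(int code)
    {
        string requested = OriginalPath(); // no encoding: the vulnerability
        Response.StatusCode = code;
        return Content(Page($"Error {code}", $"Sorry, there is nothing at <code>{requested}</code>."), "text/html");
    }

    private string OriginalPath()
    {
        // Set by the status-code middleware during re-execution; null if the action
        // is requested directly, in which case fall back to the current path.
        var feature = HttpContext.Features.Get<IStatusCodeReExecuteFeature>();
        return feature?.OriginalPath ?? Request.Path.Value ?? "";
    }

    private static string Page(string title, string body) =>
        $"<!doctype html><html><head><title>{title}</title></head><body><h1>{title}</h1><p>{body}</p></body></html>";
}
```

Both handlers return the original status code rather than 200, which matters for the hardened variant: a 404 page that answers 200 hides broken links from monitoring and makes scanners report phantom pages.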
Merge a commit from the original WebGoat project which improves database usage.
There are some raw SQL queries in the code. We should consider using EF Core instead.
For some reason EF does not work properly in the checkout; we need to find out why and fix it.
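When moving the raw queries to EF Core, the security-relevant question is how the user's input reaches the SQL text. The block below is an added example, not code from the WebGoat.NET repository; the page does not say which of the project's raw queries are intentionally injectable, so this just shows the same product search three ways against a hypothetical `NorthwindContext` (EF Core 3.x): string concatenation, which is injectable; `FromSqlInterpolated`, which parameterizes; and plain LINQ, which also lets EF Core generate a sorted, collation-driven `LIKE` (case-insensitive on the default collations of SQL Server and SQLite, which touches the separate casing complaint above).

```csharp
// Added example, not WebGoat.NET's data-access code. Assumes EF Core 3.x and a
// hypothetical NorthwindContext whose Products DbSet maps to the Northwind Products table.
using System.Collections.Generic;
using System.Linq;
using Microsoft.EntityFrameworkCore;

public class Product
{
    public int ProductID { get; set; }
    public string ProductName { get; set; }
}

public class NorthwindContext : DbContext
{
    public NorthwindContext(DbContextOptions<NorthwindContext> options) : base(options) { }
    public DbSet<Product> Products { get; set; }
}

public static class ProductSearch
{
    // Injectable: the term is spliced into the SQL text. A search for
    //   x' OR '1'='1
    // returns every product, and a term ending in  '; --  can append statements on
    // providers that execute batched SQL. Keep only if it is a deliberate lesson.
    public static List<Product> RawConcatenated(NorthwindContext db, string term)
    {
        string sql = "SELECT * FROM Products WHERE ProductName LIKE '%" + term + "%'";
        return db.Products.FromSqlRaw(sql).ToList();
    }

    // Parameterized: the interpolation hole becomes a DbParameter, so a quote in the
    // term is data, not syntax. Note that FromSqlInterpolated must receive the
    // interpolated string directly; building it with "+" first would defeat this.
    public static List<Product> RawParameterized(NorthwindContext db, string term)
    {
        string pattern = "%" + term + "%";
        return db.Products
            .FromSqlInterpolated($"SELECT * FROM Products WHERE ProductName LIKE {pattern}")
            .ToList();
    }

    // LINQ: EF Core writes the SQL and parameters. Sorting by name also answers the
    // "products appear in ID order" feedback elsewhere in this tracker.
    public static List<Product> Linq(NorthwindContext db, string term)
    {
        return db.Products
            .Where(p => EF.Functions.Like(p.ProductName, "%" + term + "%"))
            .OrderBy(p => p.ProductName)
            .ToList();
    }
}
```

One practical check while migrating: enable EF Core's SQL logging (`LogLevel.Information` for `Microsoft.EntityFrameworkCore.Database.Command`) and confirm that the user's term appears as `@p0` in the logged command text rather than inline; that is the quickest way to see which of the remaining raw queries still concatenate.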
Feedback from Dave W.:
In the products list, can you sort the list alphabetically by product name? It seems weird to have this apparently random order, which I understand is ordered by product ID.
Feedback from Dave W.:
There are a number of references on this page to specific .NET technology, which I suspect is not valid anymore. For example:
"Other Notes: When a user registers, he must enter a username and company name. His customerId will be based on CompanyName. His contact Name will be his UserName. Customer.ContactName cannot be changed once set or the link between ASP.NET's authentication and the Northwind tables will be broken."
Currently, the supported version of OWASP Top 10 is 2010. In general, we should update the WebGoat project to be compatible with (i.e. contain the vulnerabilities of) the newest standard.
I think we need to delay the update. Possibly a new OWASP version will be released before we finalize the work. Also, first, we should include the vulnerabilities in the code.
Feedback from Dave W.:
Maybe update the dates on the blog posts to be 2019 instead of 2011 :-)
Log in to WebGOAT.
Create an order, use a credit card and select 'Remember this credit card number for next time I check out'.
Create the next order; at checkout the credit card is specified - OK.
Clear the credit card field and click Place order (credit card field is empty).
Instead of the message 'Please provide valid card number' I get