[Owasp-leaders] Direction for WebGoat

Yiannis Pavlosoglou yiannis at owasp.org
Thu Jan 6 20:29:05 EST 2011

Hi Bruce,

It would be nice to be able to drop a jar representing a lesson to a
folder and have WebGoat pick it up and repopulate the instance once
reloaded, so that it shows as an actual lesson within the
corresponding page.

That way adding lessons will become a lot easier!

Thank you,


On 4 January 2011 16:51, webgoat webgoat <webgoat at owasp.org> wrote:
> All (sorry for the leaders list spam but I wanted wide distribution)
> I would like input and feedback on the future direction of WebGoat.  WebGoat
> has been fairly stable for the last few years and I would like to get input
> from the list on the future direction.
> I would like to see WebGoat incorporate some of the educational and training
> materials provided at OWASP.  WebGoat has been a useful tool for teaching
> "how to hack" and therefore the assumption is that one can know how to
> prevent the attack if they know what the attack is (bad assumption).
> WebGoat has some labs on adding protection against SQL injection, XSS, and
> basic input validation but I would like to see each lesson have a secure
> coding recommendation as well as an implementation of that mechanism.
> WebGoat could then be used as more of a training tool to show the attack,
> educate the user, AND show a potential mitigation strategy.
> OWASP has some good tools, guides, and training that could be leveraged by
> WebGoat and I would like to see WebGoat go in that direction.  Yes, there
> are some outstanding issues and some general cleanup of "less useful"
> lessons that need to occur but the general education direction seems like
> the right step.  (Yiannis - yes, your buffer overflow lesson is in my
> baseline)
> The main goals I see are:
> 1) Add educational content
> 2) Expand the enterprise feature, that most people don't know about, to
> track user training progress.
> 3) Create a distribution that organizations can use, not just individuals.
> I hope to present a further expansion of these ideas at the OWASP Summit or
> at least have enough information and ideas to come up with a game plan for
> the next release of WebGoat.  Please send your comments or ideas to the
> WebGoat list or directly to me at webgoat at owasp.org.  Do not reply to the
> leaders list. I will summarize the ideas I receive and send out another
> email.
> There have been over 600,000 downloads of WebGoat (according to Google and
> SourceForge) with only 5,000 in the last year.  WebGoat has become
> stagnant.  Let's fix it!
> --
> Bruce Mayhew
> OWASP WebGoat Project Lead

Dr. Yiannis Pavlosoglou
OWASP Global Industry Committee
