Changelog, WBE version 1.1:
– Each test case now carries its test name, category, whether it is a real vulnerability, and CWE; categories covered: XSS, SQLi, XPath Injection, Path Traversal, Cryptography, Hash, LDAP Injection, Trust Boundary.
The OWASP WebGoat Benchmark (WBE) is a Java test suite designed to measure the speed and accuracy of vulnerability detection tools. The initial version is intended to support Static Analysis Security Testing (SAST) and Interactive Analysis Security Testing (IAST) tools. A future release will support Dynamic Analysis Security Testing (DAST) tools such as OWASP ZAP. The goal is for the test application to be fully runnable, with every vulnerability actually exploitable, so that it is a fair test for any kind of vulnerability detection tool.
WBE Project Philosophy
Security tools (SAST, DAST, and IAST) are amazing when they find a complex vulnerability in your code. But they can drive everyone crazy with complexity, false alarms, and missed vulnerabilities. Using these tools without understanding their strengths and weaknesses can lead to a dangerous false sense of security.
This initial release of the WBE has 20,983 test cases. The per-area breakdown of test cases for the April 15, 2015 release is given on the project page (see the source link below).
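The point of pairing real vulnerabilities with look-alike safe cases is that a tool which flags everything scores no better than one which flags nothing. The scorer below makes that concrete. It is an added example, not the Benchmark project's own scorecard code: the expected-results rows use the fields named in the changelog above (test name, category, real vulnerability, CWE), the test names, CWE numbers and tool findings are constructed sample data, and the score formula (true positive rate minus false positive rate) is the metric this example chooses.

```python
"""Score a detection tool against a benchmark-style expected-results list.

Each expected-results row carries: test name, category, whether the case is a
real vulnerability, and the CWE it tests. Tool findings are (test name, CWE)
pairs. A finding counts as a hit only if it names the right test case AND the
right CWE; a hit on a safe case is a false alarm.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpectedResult:
    test_name: str
    category: str
    real_vulnerability: bool
    cwe: int


# Constructed sample data (not taken from the actual benchmark): one real and
# one safe case per category, so each category has a true-positive and a
# false-positive opportunity.
EXPECTED = [
    ExpectedResult("BenchmarkTest00001", "sqli", True, 89),
    ExpectedResult("BenchmarkTest00002", "sqli", False, 89),
    ExpectedResult("BenchmarkTest00003", "xss", True, 79),
    ExpectedResult("BenchmarkTest00004", "xss", False, 79),
    ExpectedResult("BenchmarkTest00005", "pathtraver", True, 22),
    ExpectedResult("BenchmarkTest00006", "pathtraver", False, 22),
    ExpectedResult("BenchmarkTest00007", "hash", True, 328),
    ExpectedResult("BenchmarkTest00008", "hash", False, 328),
]

# Constructed tool output: flags both SQLi cases (one real, one false alarm),
# finds the real XSS, misses path traversal entirely, reports the weak-hash
# case under the wrong CWE, and reports a test case that does not exist.
TOOL_FINDINGS = {
    ("BenchmarkTest00001", 89),
    ("BenchmarkTest00002", 89),
    ("BenchmarkTest00003", 79),
    ("BenchmarkTest00007", 327),
    ("BenchmarkTest99999", 89),
}


def _rates(c):
    """Attach TPR, FPR and score (TPR - FPR) to a tp/fp/fn/tn count dict."""
    positives = c["tp"] + c["fn"]
    negatives = c["fp"] + c["tn"]
    tpr = c["tp"] / positives if positives else 0.0
    fpr = c["fp"] / negatives if negatives else 0.0
    # TPR - FPR: 1.0 for a perfect tool, 0.0 for one that flags everything
    # or nothing, so raw hit count alone cannot inflate the score.
    return {**c, "tpr": tpr, "fpr": fpr, "score": tpr - fpr}


def score(expected, findings):
    """Per-category confusion counts and rates for a tool's findings."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0, "tn": 0})
    for case in expected:
        flagged = (case.test_name, case.cwe) in findings
        c = counts[case.category]
        if case.real_vulnerability:
            c["tp" if flagged else "fn"] += 1
        else:
            c["fp" if flagged else "tn"] += 1
    return {category: _rates(c) for category, c in counts.items()}


def overall(expected, findings):
    """Whole-suite confusion counts and rates, summed over all categories."""
    total = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for c in score(expected, findings).values():
        for key in total:
            total[key] += c[key]
    return _rates(total)


def unmatched_findings(expected, findings):
    """Findings naming a test case the suite does not contain.

    These are neither credited nor penalised by score(); surface them so a
    mis-parsed tool report is not silently scored as all misses.
    """
    known = {case.test_name for case in expected}
    return {f for f in findings if f[0] not in known}


if __name__ == "__main__":
    for category, r in sorted(score(EXPECTED, TOOL_FINDINGS).items()):
        print(f"{category:12} tp={r['tp']} fp={r['fp']} fn={r['fn']} "
              f"tn={r['tn']} tpr={r['tpr']:.2f} fpr={r['fpr']:.2f} "
              f"score={r['score']:.2f}")
    o = overall(EXPECTED, TOOL_FINDINGS)
    print(f"overall      tpr={o['tpr']:.2f} fpr={o['fpr']:.2f} score={o['score']:.2f}")
    print("unmatched findings:", unmatched_findings(EXPECTED, TOOL_FINDINGS))
```

On the constructed data the SQLi category scores 0.0 despite a 100% detection rate, because the tool also flagged the safe twin; the wrong-CWE report on the hash case counts as a miss, which is why a scorer should match on CWE and not just on file name.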
Tool Results:
+ FindBugs: FindBugs has detectors for the following kinds of security issues:
— Hardcoded Database Passwords
— HTTP Response Splitting
— Path Traversal
— SQL Injection
— XSS – Cross-Site Scripting
+ FindSecurityBugs: the FindSecurityBugs plugin is a very useful addition to FindBugs.
+ OWASP ZAP: the OWASP ZAP project lead is keen to have ZAP scored against the WBE.
+ Other tools!
Download: webgoat-benchmark-master.zip (27.2 MB) | Clone URL | Our previous post
Source: OWASP | https://www.owasp.org/index.php/Benchmark#tab=Tool_Results