The OWASP WebGoat Benchmark is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. The initial version is intended to support Static Analysis Security Testing Tools (SAST) and Interactive Analysis Security Testing Tools (IAST). A future release will support Dynamic Analysis Security Testing Tools (DAST), like OWASP ZAP. The goal is that this test application is fully runnable and all the vulnerabilities are actually exploitable, so it's a fair test for any kind of vulnerability detection tool.
This initial release of the WBE has 20,983 test cases. The test case areas and quantities for the April 15, 2015 release are:
Tool Results:
+ FindBugs: FindBugs has detectors for the following kinds of security issues:
— Hardcoded Database Passwords
— HTTP Response Splitting
— Path Traversal
— SQL Injection
— XSS – Cross-Site Scripting
+ FindSecurityBugs: A very useful addition to FindBugs is the FindSecurityBugs plugin.
+ OWASP ZAP: The OWASP ZAP project lead is excited to have ZAP be scored against the WBE.
+ Other Tools!