OWASP iGoat v%@
Welcome to the OWASP iGoat learning tool, a security learning environment for iOS developers. iGoat was inspired by and loosely modeled after the OWASP WebGoat project. As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of exercises, each of which teaches a single (but vital) security lesson. Because the exercises contain real weaknesses by design, run iGoat in the simulator or on a test device that holds no sensitive data, and never copy its deliberately vulnerable code into a production app.
Each exercise is laid out in the following steps:
1. Brief introduction to the problem.
2. Verify the problem by exploiting it or observing how an exploit works.
3. Brief description of available remediations to the problem.
4. Fix the problem by correcting and rebuilding the iGoat program.
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.
Menu Buttons
Each iGoat exercise contains (at a minimum) the following informational menu buttons:
- Exercise Plan: Selecting this button provides background information on the exercise. It first describes the underlying vulnerability in general terms, then states the specifics and objectives of what you will need to do to exploit that vulnerability in the context of the exercise.
- Hints: The Hints button gives you clues on how to proceed with exploiting the vulnerability in the exercise. Each time it is selected, it reveals additional information, but it won't quite solve the problem for you.
- Remediations: After you successfully exploit the vulnerability in an exercise, a Remediations button appears. When selected, it gives you basic information on how to correct the problem in the iGoat source code.
- Solution: When selected, the Solution button gives you complete information on how to exploit and remediate the vulnerability in the exercise.
If you are working through iGoat on your own, we suggest that you first read each exercise's Exercise Plan and refrain from using the Hints button unless you get stuck. Similarly, once you've exploited the vulnerability in an exercise, read through the Remediations information, but refrain from selecting the Solution button unless you really need it. You can, of course, refer to the Solution information afterwards to verify that you fixed the problem in the same way we did when writing iGoat.