Thursday, June 1, 2017

OWASP iGoat Tool Project - Restart

Project Leader: Swaroop Yermalkar (@swaroopsy)

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it. As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.
The lessons are laid out in the following steps:
  1. Brief introduction to the problem.
  2. Verify the problem by exploiting it.
  3. Brief description of available remediations to the problem.
  4. Fix the problem by correcting and rebuilding the iGoat program.
*Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.

iGoat Version 3.0 Release

  1. Updated SQLCipher to latest version
  2. Removed project specific compilation warnings
  3. Removed crashing code for server side exercises.
  4. Updated project details in project github page.
  5. Added multiple exercises including:
    • Broken Cryptography
    • Insecure Storage in Plist
    • Insecure Storage in NSUserDefaults
    • Side Channel Data Leaks via Device Logs
    • Cross Site Scripting

To build and run iGoat, you'll need a Mac running OS X (real or virtual machine), with XCode installed. Best thing about iGoat is you can run it on iOS Simulator and also on iPhone / iPad / iPod.

Call for contributors:
We invite the OWASP community to download and try iGoat, and we welcome your suggestions for improvements. We're always looking for willing participants to contribute to the project as well! To contribute to iGoat project, please contact Swaroop ( or @swaroopsy )

How to contribute?

  • You can add new exercises (Oauth Attacks, Crypto Attacks, Third Party Library Issues etc)
  • Testing iGoat on iPhone, iPad and checking if any issues
  • Remove compilation warnings
  • Suggest us new attacks
  • Writing blogs / article about iGoat
  • Spreading iGoat :)


  1. Broken Cryptography

In this exercise, you're going to identify insecure mechanism for storing sensitive data locally. You will observe encryption key hard coded in code using which you can decrypt sensitive data into plain text. For more information, Refer: (

Please provide feedback to Swaroop Yermalker or use the contact us form.

Labels: , , ,


Post a Comment

Subscribe to Post Comments [Atom]

<< Home