<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Abbas+Naderi</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Abbas+Naderi"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Abbas_Naderi"/>
		<updated>2026-05-08T13:06:53Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=WebGoatPHP&amp;diff=241294</id>
		<title>WebGoatPHP</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=WebGoatPHP&amp;diff=241294"/>
				<updated>2018-06-13T21:52:39Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Project Leader */ added Shivam's name to the leaders list.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --&amp;gt;&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:200px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[Image:OWASP_Project_Header.jpg]] &amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot; style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP WebGoatPHP==&lt;br /&gt;
WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases. The goal is to create an interactive teaching environment for web application security by offering lessons in the form of challenges. In each challenge the user must exploit the vulnerability to demonstrate their understanding.&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/OWASPWebGoatPHP GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
==What is WebGoatPHP==&lt;br /&gt;
WebGoatPHP is a deliberately insecure web application developed in PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed by OWASP. The application is a realistic teaching environment and supports four different modes.&lt;br /&gt;
&lt;br /&gt;
==Why WebGoatPHP?==&lt;br /&gt;
WebGoatPHP is suitable for:&lt;br /&gt;
&lt;br /&gt;
* Web Developers, to learn how to develop secure web applications&lt;br /&gt;
* Penetration Testers, to learn the different kinds of attack scenarios&lt;br /&gt;
* Teachers, to interactively teach students about web application security&lt;br /&gt;
&lt;br /&gt;
==Contribute==&lt;br /&gt;
To contribute, fork the code on [https://github.com/shivamdixit/WebGoatPHP GitHub] and send a pull request.&lt;br /&gt;
Join the discussion on our [https://lists.owasp.org/mailman/listinfo/owasp_webgoatphp mailing list].&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot; style=&amp;quot;padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==Different Operating Modes==&lt;br /&gt;
* Single User Mode&lt;br /&gt;
* Workshop Mode&lt;br /&gt;
* Contest Mode&lt;br /&gt;
* Secure Coding Mode&lt;br /&gt;
&lt;br /&gt;
==Types Of Challenges==&lt;br /&gt;
* Access Control Flaws&lt;br /&gt;
* AJAX Security&lt;br /&gt;
* Authentication Flaws&lt;br /&gt;
* Code Quality&lt;br /&gt;
* Injection Attacks&lt;br /&gt;
* Cross-Site Scripting (XSS) Attacks&lt;br /&gt;
* Brute Force Attacks&lt;br /&gt;
* Session Management Flaws&lt;br /&gt;
* Improper Error Handling&lt;br /&gt;
&lt;br /&gt;
==Major Contributors==&lt;br /&gt;
*[[User:Shivam_Dixit|Shivam Dixit]]&lt;br /&gt;
*[[User:Johanna_Curiel|Johanna Curiel]]&lt;br /&gt;
*[[User:Azzeddine_RAMRAMI|Azzeddine]]&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot; style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
==Project Leader==&lt;br /&gt;
&lt;br /&gt;
*[[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
*[[User:Shivam_Dixit|Shivam Dixit]]&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
* [https://github.com/shivamdixit/WebGoatPHP/archive/master.zip OWASP WebGoatPHP] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
* Post issues on CodeBounty.com to get them fixed&lt;br /&gt;
* Project adoption and kick-off, February 2016&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | rowspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; | [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; | [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; | [[File:Owasp-defenders-small.png|link=Defenders]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot; | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  &lt;br /&gt;
[[Category:OWASP_Builders]] &lt;br /&gt;
[[Category:OWASP_Defenders]] &lt;br /&gt;
[[Category:OWASP_Document]] &lt;br /&gt;
[[Category:OWASP_Download]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=WebGoatPHP&amp;diff=240558</id>
		<title>WebGoatPHP</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=WebGoatPHP&amp;diff=240558"/>
				<updated>2018-05-09T20:33:05Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: Updated project leader and contributor list&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --&amp;gt;&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:200px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[Image:OWASP_Project_Header.jpg]] &amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP WebGoatPHP==&lt;br /&gt;
WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases. The goal is to create an interactive teaching environment for web application security by offering lessons in the form of challenges. In each challenge the user must exploit the vulnerability to demonstrate their understanding.&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/OWASPWebGoatPHP GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
==What is WebGoatPHP==&lt;br /&gt;
WebGoatPHP is a deliberately insecure web application developed in PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed by OWASP. The application is a realistic teaching environment and supports four different modes.&lt;br /&gt;
&lt;br /&gt;
==Why WebGoatPHP?==&lt;br /&gt;
WebGoatPHP is suitable for:&lt;br /&gt;
&lt;br /&gt;
* Web Developers, to learn how to develop secure web applications&lt;br /&gt;
* Penetration Testers, to learn the different kinds of attack scenarios&lt;br /&gt;
* Teachers, to interactively teach students about web application security&lt;br /&gt;
&lt;br /&gt;
==Contribute==&lt;br /&gt;
To contribute, fork the code on [https://github.com/shivamdixit/WebGoatPHP GitHub] and send a pull request.&lt;br /&gt;
Join the discussion on our [https://lists.owasp.org/mailman/listinfo/owasp_webgoatphp mailing list].&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==Different Operating Modes==&lt;br /&gt;
* Single User Mode&lt;br /&gt;
* Workshop Mode&lt;br /&gt;
* Contest Mode&lt;br /&gt;
* Secure Coding Mode&lt;br /&gt;
&lt;br /&gt;
==Types Of Challenges==&lt;br /&gt;
* Access Control Flaws&lt;br /&gt;
* AJAX Security&lt;br /&gt;
* Authentication Flaws&lt;br /&gt;
* Code Quality&lt;br /&gt;
* Injection Attacks&lt;br /&gt;
* Cross-Site Scripting (XSS) Attacks&lt;br /&gt;
* Brute Force Attacks&lt;br /&gt;
* Session Management Flaws&lt;br /&gt;
* Improper Error Handling&lt;br /&gt;
&lt;br /&gt;
==Major Contributors==&lt;br /&gt;
*[[User:Shivam_Dixit|Shivam Dixit]]&lt;br /&gt;
*[[User:Johanna_Curiel|Johanna Curiel]]&lt;br /&gt;
*[[User:Azzeddine_RAMRAMI|Azzeddine]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
==Project Leader==&lt;br /&gt;
&lt;br /&gt;
*[[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
* [https://github.com/shivamdixit/WebGoatPHP/archive/master.zip OWASP WebGoatPHP] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
* Post issues on CodeBounty.com to get them fixed&lt;br /&gt;
* Project adoption and kick-off, February 2016&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=Defenders]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=GSoC2015_Ideas&amp;diff=189348</id>
		<title>GSoC2015 Ideas</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=GSoC2015_Ideas&amp;diff=189348"/>
				<updated>2015-02-10T02:10:17Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: added 5 new candidates, WebGoatPHP, PHP Widgets, RBAC Project, PHP Framework and PureCaptcha&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=OWASP Project Requests=&lt;br /&gt;
&lt;br /&gt;
== OWASP Hackademic Challenges ==&lt;br /&gt;
=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.&lt;br /&gt;
New challenges need to be created in order to cover a broader set of vulnerabilities.&lt;br /&gt;
Existing challenges can also be modified to accept a broader set of valid answers, e.g. by using regular expressions.&lt;br /&gt;
&lt;br /&gt;
Ideas on the project:&lt;br /&gt;
&lt;br /&gt;
* Simulated simple buffer overflows&lt;br /&gt;
* SQL injections&lt;br /&gt;
* Man in the middle simulation&lt;br /&gt;
* Bypassing regular expression filtering&lt;br /&gt;
* Your idea here&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
New cool challenges&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP, HTML and possibly JavaScript. Good understanding of Application Security and related vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - Source Code testing environment ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that gives the attacker the capability to review a vulnerable piece of source code, make corrections and see the result in a realistic (yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project are numerous, including creating a realistic but also secure environment, and testing submitted solutions and grading them automatically. At the same time, there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities. &lt;br /&gt;
&lt;br /&gt;
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - Challenge Sandbox ===&lt;br /&gt;
&lt;br /&gt;
Currently, in order to create a challenge, one has to validate the solution with regular expressions (or just plain-text comparison) and report success or failure to the backend;&lt;br /&gt;
we'd like the ability to write a normal vulnerable web application as a challenge and leave it to Hackademic to make sure that the server is not affected.&lt;br /&gt;
Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss it and plan it correctly.&lt;br /&gt;
&lt;br /&gt;
Ideas on the project:&lt;br /&gt;
&lt;br /&gt;
''' *Administrator's point of view* '''&lt;br /&gt;
&lt;br /&gt;
Create an infrastructure that spawns virtual environments for users while keeping the load on the server(s) reasonable.&lt;br /&gt;
Or configure Apache, PHP and MySQL in a way that allows multiple instances of the programs to run in parallel, completely separated from the rest of the server.&lt;br /&gt;
The student is expected to provide configuration scripts that do the above.&lt;br /&gt;
&lt;br /&gt;
''' *Coder's Way* '''&lt;br /&gt;
&lt;br /&gt;
This is better explained with an example:&lt;br /&gt;
In order to create an SQL injection challenge, one should be able to call a common insecure MySQL execute-statement function.&lt;br /&gt;
The student can override common functions like this, providing their own implementation of a very temporary database (based on flat files, NoSQL solutions, etc.).&lt;br /&gt;
The new functions should be able to detect the SQL injection and apply its results in a secure way (if the student drops a table, no actual table should be dropped, but the table should no longer be visible to the student).&lt;br /&gt;
&lt;br /&gt;
''' * Your solution here * '''&lt;br /&gt;
&lt;br /&gt;
The above solutions are by no means complete; their intention is to start you thinking.&lt;br /&gt;
This is a difficult task, so if you are considering tackling it, talk to us early on so we can reach a good solution that is possible in the GSoC timeframe.&lt;br /&gt;
&lt;br /&gt;
''' Expected results '''&lt;br /&gt;
&lt;br /&gt;
You should be able to run a big enough subset of OWASP WebGoat PHP with minimal modification as a Hackademic Challenge.&lt;br /&gt;
&lt;br /&gt;
== OWASP WebGoat .NET - Vulnerable Website ==&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
The current WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in, but we would like to add more vulnerable features:&lt;br /&gt;
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
We want to add more modules, such as:&lt;br /&gt;
* WebSockets&lt;br /&gt;
* CSRF challenge&lt;br /&gt;
* Finalise testing of the upgrade to the .NET Framework 4.5&lt;br /&gt;
* Retest and clean up the existing modules&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities. &lt;br /&gt;
&lt;br /&gt;
'''Mentors:''' Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP WebGoatPHP==&lt;br /&gt;
===OWASP WebGoatPHP===&lt;br /&gt;
'''Description:'''&lt;br /&gt;
[[Webgoat]] is a deliberately insecure open-source application made by OWASP in the Java programming language. It has a set of challenges and steps, each presenting the user with one or more web application vulnerabilities which the user tries to solve. There are also hints and auto-detection of correct solutions.&lt;br /&gt;
Since Java is not the most common web application programming language, and it doesn't have many of the security bugs that other languages such as PHP have, OWASP [[OWASP_WebGoat_Reboot2012|dedicated $5000 in 2012]] to the promotion of WebGoatPHP.&lt;br /&gt;
&lt;br /&gt;
If you want to know more about WebGoatPHP, I suggest downloading WebGoat and giving it a try. It is one of OWASP's proudest projects (about 200,000 downloads).&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' The first version of WebGoatPHP is ready; it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' You just need to know PHP and SQL. Familiarity with web application security is recommended.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha==&lt;br /&gt;
===OWASP PureCaptcha===&lt;br /&gt;
'''Description:''' &lt;br /&gt;
[[OWASP PureCaptcha]] is an OWASP project aiming to simplify CAPTCHA usage. Instead of providing rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs with a small memory and processor footprint.&lt;br /&gt;
PureCaptcha is currently released for PHP. The candidate will port this to several other programming languages (priority on web languages) and provide full test coverage.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on security of the generated captcha can also be performed.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisites:''' Any programming language you want to port into, as well as PHP.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Jesse Burns&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PHP Framework==&lt;br /&gt;
===OWASP PHP Framework===&lt;br /&gt;
&lt;br /&gt;
'''Description:'''&lt;br /&gt;
The OWASP PHP Security project plans to gather secure PHP libraries and provide a full-featured framework of libraries for secure web applications in PHP, both as separate, de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled and are being added to OWASP.&lt;br /&gt;
The project has been under way for the last two years, and a framework has now been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results: ''' A secure yet robust and practical framework for PHP developers.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary&lt;br /&gt;
&lt;br /&gt;
'''Skill Level:''' Advanced&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP RBAC Project==&lt;br /&gt;
===OWASP RBAC Project===&lt;br /&gt;
'''Description:''' ''For the last 7 years, improper access control has been the issue behind two of the Top Ten lists''. &lt;br /&gt;
&lt;br /&gt;
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. The NIST RBAC standard has four levels; the second level, hierarchical RBAC, is the one intended for this project.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other simple access control methods, which leads to broken and unmaintainable access control over time.&lt;br /&gt;
&lt;br /&gt;
[[OWASP RBAC project]] has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind this.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' A more mature OWASP RBAC project, either by porting it from PHP to other programming languages OR by adding new features and tests to the PHP version.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Jesse Burns&lt;br /&gt;
&lt;br /&gt;
'''Skill Level:''' Advanced&lt;br /&gt;
&lt;br /&gt;
For more info, visit [http://phprbac.net phprbac.net]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PHP Widgets==&lt;br /&gt;
===OWASP PHP Widgets===&lt;br /&gt;
'''Description:''' Pull MVC (widget-based web views) has been available for many years in all major web programming languages, and even in JavaScript. PHP, on the other hand, lacks this and suffers a lot from forcing push MVC on its developers. There are a few libraries around, but they are neither secure nor mature. Providing a robust set of widgets for PHP developers not only smooths the web development process, it automatically mitigates a lot of web attacks that are based on user input to forms and other web elements (e.g. CSRF, SQL injection, XSS).&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' Average PHP programming. Good experience with web applications.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185315</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185315"/>
				<updated>2014-11-12T17:43:55Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: updated repo links to OWASP github&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
Welcome to OWASP Pure Captcha project page!&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a mechanism for telling humans apart from computers, needed in many parts of almost every web application to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so a lot of developers just give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs usually requires a large body of library code to be available: image manipulation (such as GD and Imagick), font rendering (FreeType, etc.), SOAP or cURL, and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file that does the entire CAPTCHA generation and handling, because it includes only the code for rendering a few alphanumeric characters from scratch, creating simple BMP files from nothing and modifying simple bitmap images.&lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/PureCaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/PureCaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
[[CSRFProtector Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
First version released!&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
= Documentation =&lt;br /&gt;
&lt;br /&gt;
There are basically three operations needed to properly utilize CAPTCHAs:&lt;br /&gt;
&lt;br /&gt;
* Generating A Captcha&lt;br /&gt;
This is done by the '''show''' method of PureCaptcha. It terminates the current request and returns an image to the client.&lt;br /&gt;
* Persisting The Captcha Value&lt;br /&gt;
The '''show''' method also returns a string equal to the Captcha contents. You need to persist it in the session for the user (preferably for a limited amount of time). The example code shows how this can be done simply in your programming language, but any other persistence layer would be fine.&lt;br /&gt;
Keep in mind that for every Captcha used inside your application (e.g. one for the login page, one for the password reset page, one for the remove-user page) you should persist the Captcha value separately, so that a user can use all of your application's functions simultaneously without one Captcha overriding the expected value of another.&lt;br /&gt;
* Validating The Captcha&lt;br /&gt;
'''It is very important to remove the Captcha from persistence after it is validated, whether the answer is wrong or right.''' If you leave a Captcha persisting after validation, attackers can bypass your Captcha by solving it once and then reusing the same Captcha over and over to send requests to your application. See the example usages for more details.&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
==How Can I Use PureCaptcha?==&lt;br /&gt;
Just include the source code file in your project, and visit the sample usage files to learn how to properly use a captcha.&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.&lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
You can either port PureCaptcha to any programming language you like, or improve the existing code!&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings and documents into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list: TBA&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185172</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185172"/>
				<updated>2014-11-11T01:56:06Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Related Projects */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a mechanism for telling humans apart from computers, needed in many parts of web applications to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so a lot of developers just give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs requires a large body of code libraries to be available: it depends on image manipulation (like GD and Imagick), font rendering (FreeType etc.), SOAP or cURL and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file which does the entire CAPTCHA generation and handling, because it only includes code for rendering a few alphanumeric characters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
[[CSRFProtector Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
First version released!&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
= Documentation =&lt;br /&gt;
&lt;br /&gt;
There are basically three operations needed to properly utilize CAPTCHAs:&lt;br /&gt;
&lt;br /&gt;
* Generating A Captcha&lt;br /&gt;
This can be done by the '''show''' method of PureCaptcha. It will terminate the current request and return an image to the client.&lt;br /&gt;
* Persisting The Captcha Value&lt;br /&gt;
The '''show''' method also returns a string equal to the Captcha contents. You need to persist it in the user's session (preferably for a limited amount of time). The example code shows how this can be done simply in your programming language, but any other persistence layer would be fine.&lt;br /&gt;
Keep in mind that for every Captcha used inside your application (e.g. one for the login page, one for the password reset page, one for the remove user page) you should persist the Captcha value separately, so that a user can simultaneously use all of your application's functionality without one Captcha overwriting the expected value for another.&lt;br /&gt;
* Validating The Captcha&lt;br /&gt;
'''It is very important to remove the Captcha from persistence after it is validated, whether the answer is wrong or right.''' If you leave a Captcha persisted after validation, attackers can bypass your Captcha by solving it once and then reusing the same Captcha value over and over to send requests to your application. See the example usages for more details.&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
==How Can I Use PureCaptcha?==&lt;br /&gt;
Just include the source code file in your project, and visit the sample usage files to learn how to properly use a captcha.&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of the time you have available to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project even if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
You can either port PureCaptcha to any programming language you like, or improve the existing code!&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings and documents into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list: TBA&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185171</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185171"/>
				<updated>2014-11-11T01:55:45Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Related Projects */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a mechanism for telling humans apart from computers, needed in many parts of web applications to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so a lot of developers just give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs requires a large body of code libraries to be available: it depends on image manipulation (like GD and Imagick), font rendering (FreeType etc.), SOAP or cURL and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file which does the entire CAPTCHA generation and handling, because it only includes code for rendering a few alphanumeric characters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
[[OWASP CSRFProtector Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
First version released!&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
= Documentation =&lt;br /&gt;
&lt;br /&gt;
There are basically three operations needed to properly utilize CAPTCHAs:&lt;br /&gt;
&lt;br /&gt;
* Generating A Captcha&lt;br /&gt;
This can be done by the '''show''' method of PureCaptcha. It will terminate the current request and return an image to the client.&lt;br /&gt;
* Persisting The Captcha Value&lt;br /&gt;
The '''show''' method also returns a string equal to the Captcha contents. You need to persist it in the user's session (preferably for a limited amount of time). The example code shows how this can be done simply in your programming language, but any other persistence layer would be fine.&lt;br /&gt;
Keep in mind that for every Captcha used inside your application (e.g. one for the login page, one for the password reset page, one for the remove user page) you should persist the Captcha value separately, so that a user can simultaneously use all of your application's functionality without one Captcha overwriting the expected value for another.&lt;br /&gt;
* Validating The Captcha&lt;br /&gt;
'''It is very important to remove the Captcha from persistence after it is validated, whether the answer is wrong or right.''' If you leave a Captcha persisted after validation, attackers can bypass your Captcha by solving it once and then reusing the same Captcha value over and over to send requests to your application. See the example usages for more details.&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
==How Can I Use PureCaptcha?==&lt;br /&gt;
Just include the source code file in your project, and visit the sample usage files to learn how to properly use a captcha.&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of the time you have available to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project even if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
You can either port PureCaptcha to any programming language you like, or improve the existing code!&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings and documents into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list: TBA&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185170</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185170"/>
				<updated>2014-11-11T01:53:38Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Documentation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a mechanism for telling humans apart from computers, needed in many parts of web applications to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so a lot of developers just give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs requires a large body of code libraries to be available: it depends on image manipulation (like GD and Imagick), font rendering (FreeType etc.), SOAP or cURL and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file which does the entire CAPTCHA generation and handling, because it only includes code for rendering a few alphanumeric characters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
First version released!&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
= Documentation =&lt;br /&gt;
&lt;br /&gt;
There are basically three operations needed to properly utilize CAPTCHAs:&lt;br /&gt;
&lt;br /&gt;
* Generating A Captcha&lt;br /&gt;
This can be done by the '''show''' method of PureCaptcha. It will terminate the current request and return an image to the client.&lt;br /&gt;
* Persisting The Captcha Value&lt;br /&gt;
The '''show''' method also returns a string equal to the Captcha contents. You need to persist it in the user's session (preferably for a limited amount of time). The example code shows how this can be done simply in your programming language, but any other persistence layer would be fine.&lt;br /&gt;
Keep in mind that for every Captcha used inside your application (e.g. one for the login page, one for the password reset page, one for the remove user page) you should persist the Captcha value separately, so that a user can simultaneously use all of your application's functionality without one Captcha overwriting the expected value for another.&lt;br /&gt;
* Validating The Captcha&lt;br /&gt;
'''It is very important to remove the Captcha from persistence after it is validated, whether the answer is wrong or right.''' If you leave a Captcha persisted after validation, attackers can bypass your Captcha by solving it once and then reusing the same Captcha value over and over to send requests to your application. See the example usages for more details.&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
==How Can I Use PureCaptcha?==&lt;br /&gt;
Just include the source code file in your project, and visit the sample usage files to learn how to properly use a captcha.&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of the time you have available to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project even if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
You can either port PureCaptcha to any programming language you like, or improve the existing code!&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings and documents into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list: TBA&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185169</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185169"/>
				<updated>2014-11-11T01:48:17Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: added documentation tab&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a mechanism for telling humans apart from computers, needed in many parts of web applications to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so a lot of developers just give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs requires a large body of code libraries to be available: it depends on image manipulation (like GD and Imagick), font rendering (FreeType etc.), SOAP or cURL and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file which does the entire CAPTCHA generation and handling, because it only includes code for rendering a few alphanumeric characters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
First version released!&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
= Documentation =&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
==How Can I Use PureCaptcha?==&lt;br /&gt;
Just include the source code file in your project, and visit the sample usage files to learn how to properly use a captcha.&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technically inclined. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
You can port PureCaptcha to any programming language you like, or improve the existing code!&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings and documents into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list: TBA&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185168</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185168"/>
				<updated>2014-11-11T01:47:29Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Project About */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
CAPTCHA is a mechanism for distinguishing humans from computers, needed in many parts of all web applications to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so a lot of developers just give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs normally requires a large body of library code to be available: image manipulation (such as GD and Imagick), font rendering (FreeType and the like), SOAP or cURL, and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file which does the entire CAPTCHA generation and handling, because it only includes code for rendering a few alphanumeric letters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
First version released!&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
==How Can I Use PureCaptcha?==&lt;br /&gt;
Just include the source code file in your project, and visit the sample usage files to learn how to properly use a captcha.&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technically inclined. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
You can port PureCaptcha to any programming language you like, or improve the existing code!&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings and documents into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list: TBA&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185167</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185167"/>
				<updated>2014-11-11T01:46:51Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Minimum Viable Product */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
CAPTCHA is a mechanism for distinguishing humans from computers, needed in many parts of all web applications to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so a lot of developers just give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs normally requires a large body of library code to be available: image manipulation (such as GD and Imagick), font rendering (FreeType and the like), SOAP or cURL, and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file which does the entire CAPTCHA generation and handling, because it only includes code for rendering a few alphanumeric letters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
First version released!&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
==How Can I Use PureCaptcha?==&lt;br /&gt;
Just include the source code file in your project, and visit the sample usage files to learn how to properly use a captcha.&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technically inclined. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
You can port PureCaptcha to any programming language you like, or improve the existing code!&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings and documents into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list: TBA&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185166</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185166"/>
				<updated>2014-11-11T01:46:25Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Road Map and Getting Involved */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
CAPTCHA is a mechanism for distinguishing humans from computers, needed in many parts of all web applications to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so a lot of developers just give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs normally requires a large body of library code to be available: image manipulation (such as GD and Imagick), font rendering (FreeType and the like), SOAP or cURL, and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file which does the entire CAPTCHA generation and handling, because it only includes code for rendering a few alphanumeric letters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
First version released!&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
==How Can I Use PureCaptcha?==&lt;br /&gt;
Just include the source code file in your project, and visit the sample usage files to learn how to properly use a captcha.&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technically inclined. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
You can port PureCaptcha to any programming language you like, or improve the existing code!&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings and documents into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list: TBA&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Minimum Viable Product=&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
This page is where you should indicate what is the minimum set of functionality that is required to make this a useful product that addresses your core security concern.&lt;br /&gt;
Defining this information helps the project leader to think about what critical functionality a user needs for this project to be useful, thereby helping determine what the priorities should be on the roadmap. It also helps reviewers who are evaluating the project to determine whether that critical functionality is sufficiently provided for the project to be promoted to the next project category.  &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185165</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185165"/>
				<updated>2014-11-11T01:45:20Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* FAQs */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a test that distinguishes humans from computers, needed in many parts of every web application to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so many developers simply give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs normally requires a large body of library code to be available: image manipulation (such as GD and Imagick), font rendering (such as FreeType), SOAP or cURL, and so on, each of which is a high-level library with many dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file that does the entire CAPTCHA generation and handling, because it includes only the code needed to render a few alphanumeric characters from scratch, create simple BMP files from nothing and modify simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
First version released!&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
==How Can I Use PureCaptcha?==&lt;br /&gt;
Just include the source code file in your project, and visit the sample usage files to learn how to properly use a captcha.&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technically minded. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going as well as areas that volunteers may contribute. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.&lt;br /&gt;
	Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high-quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Minimum Viable Product=&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
This page is where you should indicate what is the minimum set of functionality that is required to make this a useful product that addresses your core security concern.&lt;br /&gt;
Defining this information helps the project leader to think about what critical functionality a user needs for this project to be useful, thereby helping determine what the priorities on the roadmap should be. It also helps reviewers who are evaluating the project to determine whether that critical functionality is sufficiently provided and whether the project should be promoted to the next project category.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185164</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185164"/>
				<updated>2014-11-11T01:44:23Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* News and Events */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a test that distinguishes humans from computers, needed in many parts of every web application to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so many developers simply give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs normally requires a large body of library code to be available: image manipulation (such as GD and Imagick), font rendering (such as FreeType), SOAP or cURL, and so on, each of which is a high-level library with many dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file that does the entire CAPTCHA generation and handling, because it includes only the code needed to render a few alphanumeric characters from scratch, create simple BMP files from nothing and modify simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
First version released!&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	Many projects have &amp;quot;Frequently Asked Questions&amp;quot; documents or pages. However, the point of such a document is not the questions. ''The point of a document like this is the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously composing and posting the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your project's 'Frequent Answers.'&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technically minded. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. &lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going as well as areas that volunteers may contribute. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.&lt;br /&gt;
	Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high-quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Minimum Viable Product=&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
This page is where you should indicate what is the minimum set of functionality that is required to make this a useful product that addresses your core security concern.&lt;br /&gt;
Defining this information helps the project leader to think about what critical functionality a user needs for this project to be useful, thereby helping determine what the priorities on the roadmap should be. It also helps reviewers who are evaluating the project to determine whether that critical functionality is sufficiently provided and whether the project should be promoted to the next project category.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185163</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185163"/>
				<updated>2014-11-11T01:44:00Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Licensing */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a test that distinguishes humans from computers, needed in many parts of every web application to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so many developers simply give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs normally requires a large body of library code to be available: image manipulation (such as GD and Imagick), font rendering (such as FreeType), SOAP or cURL, and so on, each of which is a high-level library with many dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file that does the entire CAPTCHA generation and handling, because it includes only the code needed to render a few alphanumeric characters from scratch, create simple BMP files from nothing and modify simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
Apache 2 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	Many projects have &amp;quot;Frequently Asked Questions&amp;quot; documents or pages. However, the point of such a document is not the questions. ''The point of a document like this is the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously composing and posting the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your project's 'Frequent Answers.'&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technically minded. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. &lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going as well as areas that volunteers may contribute. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.&lt;br /&gt;
	Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high-quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Minimum Viable Product=&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
This page is where you should indicate the minimum set of functionality required to make this a useful product that addresses your core security concern.&lt;br /&gt;
Defining this information helps the project leader think about the critical functionality a user needs for this project to be useful, which in turn helps determine the priorities on the roadmap. It also helps reviewers evaluating the project decide whether it provides enough of that critical functionality to be promoted to the next project category. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185162</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185162"/>
				<updated>2014-11-11T01:43:44Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* OWASP PureCaptcha */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a test that distinguishes humans from computers; it is needed in many parts of web applications to keep bots from flooding and spamming them.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort to be feasible and maintainable for a small application, so many developers simply give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs normally requires a large body of library code: image manipulation (such as GD and Imagick), font rendering (FreeType, etc.), SOAP or cURL, and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file that does the entire CAPTCHA generation and handling, since it includes only the code for rendering a few alphanumeric characters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	Many projects have &amp;quot;Frequently Asked Questions&amp;quot; documents or pages. However, the point of such a document is not the questions. ''The point of a document like this is the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously composing and posting the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your project's 'Frequent Answers.'&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. &lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going as well as areas that volunteers may contribute. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.&lt;br /&gt;
	Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high-quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Minimum Viable Product=&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
This page is where you should indicate the minimum set of functionality required to make this a useful product that addresses your core security concern.&lt;br /&gt;
Defining this information helps the project leader think about the critical functionality a user needs for this project to be useful, which in turn helps determine the priorities on the roadmap. It also helps reviewers evaluating the project decide whether it provides enough of that critical functionality to be promoted to the next project category. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185161</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185161"/>
				<updated>2014-11-11T01:43:27Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: instructions removed&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a test that distinguishes humans from computers; it is needed in many parts of web applications to keep bots from flooding and spamming them.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort to be feasible and maintainable for a small application, so many developers simply give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs normally requires a large body of library code: image manipulation (such as GD and Imagick), font rendering (FreeType, etc.), SOAP or cURL, and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file that does the entire CAPTCHA generation and handling, since it includes only the code for rendering a few alphanumeric characters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	Many projects have &amp;quot;Frequently Asked Questions&amp;quot; documents or pages. However, the point of such a document is not the questions. ''The point of a document like this is the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously composing and posting the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your project's 'Frequent Answers.'&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. &lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going as well as areas that volunteers may contribute. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.&lt;br /&gt;
	Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high-quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Minimum Viable Product=&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
This page is where you should indicate the minimum set of functionality required to make this a useful product that addresses your core security concern.&lt;br /&gt;
Defining this information helps the project leader think about the critical functionality a user needs for this project to be useful, which in turn helps determine the priorities on the roadmap. It also helps reviewers evaluating the project decide whether it provides enough of that critical functionality to be promoted to the next project category. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185160</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185160"/>
				<updated>2014-11-11T01:42:57Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Related Projects */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA is a test that distinguishes humans from computers; it is needed in many parts of web applications to keep bots from flooding and spamming them.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort to be feasible and maintainable for a small application, so many developers simply give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs normally requires a large body of library code: image manipulation (such as GD and Imagick), font rendering (FreeType, etc.), SOAP or cURL, and so on, each of which is a high-level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file that does the entire CAPTCHA generation and handling, since it includes only the code for rendering a few alphanumeric characters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[[OWASP PHP Security Project]]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	Many projects have &amp;quot;Frequently Asked Questions&amp;quot; documents or pages. However, the point of such a document is not the questions. ''The point of a document like this is the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously composing and posting the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your project's 'Frequent Answers.'&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. &lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going as well as areas that volunteers may contribute. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.&lt;br /&gt;
	Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Minimum Viable Product=&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
This page is where you should indicate what is the minimum set of functionality that is required to make this a useful product that addresses your core security concern.&lt;br /&gt;
Defining this information helps the project leader to think about what is the critical functionality that a user needs for this project to be useful, thereby helping determine what the priorities should be on the roadmap.  And it also helps reviewers who are evaluating the project to determine if the functionality sufficiently provides the critical functionality to determine if the project should be promoted to the next project category.  &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185159</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185159"/>
				<updated>2014-11-11T01:42:17Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Related Projects */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
CAPTCHA is a feature for distinguishing humans from computers, needed in many aspects of all web applications to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately all existing libraries and APIs require too much effort for a small application to be feasible and maintainable, so a lot of developers just give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is due to the fact that generating CAPTCHAs requires a large body of code libraries to be available. It depends on image manipulation (like GD and Imagick), font rendering (FreeType, etc.), SOAP or cURL, etc., each of which is a high level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file which does the entire CAPTCHA generation and handling, because it only includes code for rendering a few alphanumeric letters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
[OWASP_PHP_Security_Project]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	Many projects have &amp;quot;Frequently Asked Questions&amp;quot; documents or pages. However, the point of such a document is not the questions. ''The point of a document like this is the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously composing and posting the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your project's 'Frequent Answers.'&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. &lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going as well as areas that volunteers may contribute. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.&lt;br /&gt;
	Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Minimum Viable Product=&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
This page is where you should indicate what is the minimum set of functionality that is required to make this a useful product that addresses your core security concern.&lt;br /&gt;
Defining this information helps the project leader to think about what is the critical functionality that a user needs for this project to be useful, thereby helping determine what the priorities should be on the roadmap.  And it also helps reviewers who are evaluating the project to determine if the functionality sufficiently provides the critical functionality to determine if the project should be promoted to the next project category.  &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185158</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185158"/>
				<updated>2014-11-11T01:41:50Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Project Resources */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
CAPTCHA is a feature for distinguishing humans from computers, needed in many aspects of all web applications to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately all existing libraries and APIs require too much effort for a small application to be feasible and maintainable, so a lot of developers just give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is due to the fact that generating CAPTCHAs requires a large body of code libraries to be available. It depends on image manipulation (like GD and Imagick), font rendering (FreeType, etc.), SOAP or cURL, etc., each of which is a high level library with many more dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file which does the entire CAPTCHA generation and handling, because it only includes code for rendering a few alphanumeric letters from scratch, creating simple BMP files from nothing and modifying simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This is where you can link to other OWASP Projects that are similar to yours. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	Many projects have &amp;quot;Frequently Asked Questions&amp;quot; documents or pages. However, the point of such a document is not the questions. ''The point of a document like this is the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously composing and posting the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your project's 'Frequent Answers.'&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. &lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going as well as areas that volunteers may contribute. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.&lt;br /&gt;
	Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Minimum Viable Product=&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
This page is where you should indicate what is the minimum set of functionality that is required to make this a useful product that addresses your core security concern.&lt;br /&gt;
Defining this information helps the project leader to think about what is the critical functionality that a user needs for this project to be useful, thereby helping determine what the priorities should be on the roadmap.  And it also helps reviewers who are evaluating the project to determine if the functionality sufficiently provides the critical functionality to determine if the project should be promoted to the next project category.  &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185157</id>
		<title>OWASP PureCaptcha</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PureCaptcha&amp;diff=185157"/>
				<updated>2014-11-11T01:41:34Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Project Resources */  download links&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==OWASP PureCaptcha ==&lt;br /&gt;
Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional CAPTCHAs in your project.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
A CAPTCHA distinguishes humans from computers and is needed in many parts of web applications to prevent bots from flooding and spamming.&lt;br /&gt;
Unfortunately, all existing libraries and APIs require too much effort for a small application to adopt and maintain, so many developers simply give up on using CAPTCHAs where they are needed.&lt;br /&gt;
This is because generating CAPTCHAs normally requires a large body of library code: image manipulation (GD, Imagick), font rendering (FreeType, etc.), and SOAP or cURL, each of which is a high-level library with many further dependencies of its own.&lt;br /&gt;
PureCaptcha provides a single source code file that does the entire CAPTCHA generation and handling, because it includes only the code needed to render a few alphanumeric characters from scratch, create simple BMP files from nothing and modify simple bitmap images. &lt;br /&gt;
&lt;br /&gt;
This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies. &lt;br /&gt;
==Licensing==&lt;br /&gt;
Creative Commons Attribution ShareAlike 3.0 License&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Project Resources ==&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Download]&lt;br /&gt;
[https://github.com/abiusx/PHP/tree/master/purecaptcha Source Code]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
[mailto:abiasx@owasp.org Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This is where you can link to other OWASP Projects that are similar to yours. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	Many projects have &amp;quot;Frequently Asked Questions&amp;quot; documents or pages. However, the point of such a document is not the questions. ''The point of a document like this is the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your project's 'Frequent Answers.'&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==How can I participate in your project?==&lt;br /&gt;
All you have to do is make the Project Leaders aware of the time you have available to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. &lt;br /&gt;
&lt;br /&gt;
==If I am not a programmer can I participate in your project?==&lt;br /&gt;
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. &lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
==Volunteers==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project. &lt;br /&gt;
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project. &lt;br /&gt;
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The first contributors to the project were:&lt;br /&gt;
&lt;br /&gt;
* [[User:Abbas_Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
= Road Map and Getting Involved =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going as well as areas that volunteers may contribute. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.&lt;br /&gt;
	Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active. &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
==Roadmap==&lt;br /&gt;
Currently the PHP library is available and tested. Porting it to all major programming languages is the next step.&lt;br /&gt;
Since the library is quite small, this should not be a hard task and can be done in one summer by a single candidate.&lt;br /&gt;
&lt;br /&gt;
==Getting Involved==&lt;br /&gt;
Involvement in the development and promotion is actively encouraged!&lt;br /&gt;
You do not have to be a security expert or a programmer to contribute.&lt;br /&gt;
Some of the ways you can help are as follows:&lt;br /&gt;
&lt;br /&gt;
===Coding===&lt;br /&gt;
===Localization===&lt;br /&gt;
Are you fluent in another language? Can you help translate the text strings into that language?&lt;br /&gt;
===Testing===&lt;br /&gt;
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.&lt;br /&gt;
===Feedback===&lt;br /&gt;
mailing list&lt;br /&gt;
&amp;lt;ul&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What do you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What don't you like?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;What features would you like to see prioritized on the roadmap?&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ul&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Minimum Viable Product=&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
This page is where you should indicate what is the minimum set of functionality that is required to make this a useful product that addresses your core security concern.&lt;br /&gt;
Defining this information helps the project leader to think about what is the critical functionality that a user needs for this project to be useful, thereby helping determine what the priorities should be on the roadmap.  And it also helps reviewers who are evaluating the project to determine if the functionality sufficiently provides the critical functionality to determine if the project should be promoted to the next project category.  &lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
&amp;lt;!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.--&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;color:#ff0000&amp;quot;&amp;gt;&lt;br /&gt;
	This page is where you need to place your legacy project template page if your project was created before October 2013. To edit this page you will need to edit your project information template. You can typically find this page by following this address and substituting your project name where it says &amp;quot;OWASP_Example_Project&amp;quot;. When in doubt, ask the OWASP Projects Manager. &lt;br /&gt;
Example template page: https://www.owasp.org/index.php/Projects/OWASP_Example_Project&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP_Example_Project_About_Page}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Code]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Access_Control_Cheat_Sheet&amp;diff=174785</id>
		<title>Access Control Cheat Sheet</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Access_Control_Cheat_Sheet&amp;diff=174785"/>
				<updated>2014-05-12T17:42:06Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Role Based Access Control (RBAC) */  added link to RBAC Project&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= DRAFT CHEAT SHEET - WORK IN PROGRESS =&lt;br /&gt;
=Introduction=&lt;br /&gt;
&lt;br /&gt;
This article is focused on providing clear, simple, actionable guidance for providing Access Control security in your applications.&lt;br /&gt;
&lt;br /&gt;
==What is Access Control / Authorization?==&lt;br /&gt;
&lt;br /&gt;
Authorization is the process of deciding whether a request to access a particular resource should be granted or denied. Note that authorization is not equivalent to authentication; the two terms and their definitions are frequently confused.&lt;br /&gt;
&lt;br /&gt;
Access Control is the method or mechanism that enforces those authorization decisions, determining whether a request for a system resource or function is granted.&lt;br /&gt;
&lt;br /&gt;
== Role Based Access Control (RBAC) ==&lt;br /&gt;
In Role-Based Access Control (RBAC), access decisions are based on an individual's roles and responsibilities within the organization or user base. The process of defining roles is usually based on analyzing the fundamental goals and structure of an organization and is usually linked to the security policy. For instance, in a medical organization, the different roles of users may include doctor, nurse, attendant, patient, etc. Obviously, these members require different levels of access in order to perform their functions, but the types of web transactions and their allowed context also vary greatly depending on the security policy and any relevant regulations (HIPAA, Gramm-Leach-Bliley, etc.). &lt;br /&gt;
&lt;br /&gt;
An RBAC access control framework should provide web application security administrators with the ability to determine who can perform what actions, when, from where, in what order, and in some cases under what relational circumstances. http://csrc.nist.gov/rbac/ provides some great resources for RBAC implementation. The following aspects exhibit RBAC attributes to an access control model.&lt;br /&gt;
*Roles are assigned based on organizational structure with emphasis on the organizational security policy&lt;br /&gt;
*Roles are assigned by the administrator based on relative relationships within the organization or user base. For instance, a manager would have certain authorized transactions over his employees. An administrator would have certain authorized transactions over his specific realm of duties (backup, account creation, etc.) &lt;br /&gt;
*Each role is designated a profile that includes all authorized commands, transactions, and allowable information access.&lt;br /&gt;
*Roles are granted permissions based on the principle of least privilege.&lt;br /&gt;
*Roles are determined with a separation of duties in mind so that a developer Role should not overlap a QA tester Role.&lt;br /&gt;
*Roles are activated statically and dynamically as appropriate to certain relational triggers (help desk queue, security alert, initiation of a new project, etc.) &lt;br /&gt;
*Roles can only be transferred or delegated using strict sign-offs and procedures.&lt;br /&gt;
*Roles are managed centrally by a security administrator or project leader&lt;br /&gt;
&lt;br /&gt;
OWASP has a role based access control implementation project, [[OWASP_PHPRBAC_Project|OWASP RBAC Project]].&lt;br /&gt;
&lt;br /&gt;
== Discretionary Access Control (DAC) ==&lt;br /&gt;
&lt;br /&gt;
Discretionary Access Control (DAC) is a means of restricting access to information based on the identity of users and/or membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials he presented at the time of authentication (user name, password, hardware/software token, etc.). In most typical DAC models, the owner of information or any resource is able to change its permissions at his discretion (thus the name). DAC has the drawback of the administrators not being able to centrally manage these permissions on files/information stored on the web server. A DAC access control model often exhibits one or more of the following attributes.&lt;br /&gt;
*Data Owners can transfer ownership of information to other users &lt;br /&gt;
*Data Owners can determine the type of access given to other users (read, write, copy, etc.) &lt;br /&gt;
*Repetitive authorization failures to access the same resource or object generates an alarm and/or restricts the user's access&lt;br /&gt;
*Special add-on or plug-in software required to apply to an HTTP client to prevent indiscriminate copying by users (&amp;quot;cutting and pasting&amp;quot; of information) &lt;br /&gt;
*Users who do not have access to information should not be able to determine its characteristics (file size, file name, directory path, etc.) &lt;br /&gt;
*Access to information is determined based on authorizations to access control lists based on user identifier and group membership.&lt;br /&gt;
&lt;br /&gt;
== Mandatory Access Control (MAC) ==&lt;br /&gt;
&lt;br /&gt;
Mandatory Access Control (MAC) ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. MAC secures information by assigning sensitivity labels on information and comparing this to the level of sensitivity a user is operating at. In general, MAC access control mechanisms are more secure than DAC yet have trade offs in performance and convenience to users. MAC mechanisms assign a security level to all information, assign a security clearance to each user, and ensure that all users only have access to that data for which they have a clearance. MAC is usually appropriate for extremely secure systems including multilevel secure military applications or mission critical data applications. A MAC access control model often exhibits one or more of the following attributes.&lt;br /&gt;
*Only administrators, not data owners, make changes to a resource's security label. &lt;br /&gt;
*All data is assigned security level that reflects its relative sensitivity, confidentiality, and protection value.&lt;br /&gt;
*All users can read from a lower classification than the one they are granted (A &amp;quot;secret&amp;quot; user can read an unclassified document).&lt;br /&gt;
*All users can write to a higher classification (A &amp;quot;secret&amp;quot; user can post information to a Top Secret resource). &lt;br /&gt;
*All users are given read/write access to objects only of the same classification (a &amp;quot;secret&amp;quot; user can only read/write to a secret document).&lt;br /&gt;
*Access is authorized or restricted to objects based on the time of day depending on the labeling on the resource and the user's credentials (driven by policy). &lt;br /&gt;
*Access is authorized or restricted to objects based on the security characteristics of the HTTP client (e.g. SSL bit length, version information, originating IP address or domain, etc.)&lt;br /&gt;
&lt;br /&gt;
== Attribute Based Access Control (ABAC) ==&lt;br /&gt;
&lt;br /&gt;
[http://csrc.nist.gov/publications/drafts/800-162/sp800_162_draft.pdf NIST Special Publication (SP) 800-162 (Draft)]&lt;br /&gt;
&lt;br /&gt;
=Attacks on Access Control=&lt;br /&gt;
&lt;br /&gt;
Vertical Access Control Attacks - A standard user accessing administration functionality&lt;br /&gt;
&lt;br /&gt;
Horizontal Access Control attacks - Same role, but accessing another user's private data&lt;br /&gt;
&lt;br /&gt;
Business Logic Access Control Attacks - Abuse of one or more linked activities that collectively realize a business objective&lt;br /&gt;
&lt;br /&gt;
=Access Control Issues=&lt;br /&gt;
*Many applications use the &amp;quot;All or Nothing&amp;quot; approach: once authenticated, all users have equal privileges&lt;br /&gt;
&lt;br /&gt;
*Authorization Logic often relies on Security by Obscurity (STO) by assuming:&lt;br /&gt;
**Users will not find unlinked or hidden paths or functionality&lt;br /&gt;
**Users will not find and tamper with &amp;quot;obscured&amp;quot; client side parameters (i.e. &amp;quot;hidden&amp;quot; form fields, cookies, etc.)&lt;br /&gt;
	&lt;br /&gt;
*Applications with multiple permission levels/roles often increase the possibility of conflicting permission sets, resulting in unanticipated privileges&lt;br /&gt;
&lt;br /&gt;
*Many administrative interfaces require only a password for authentication&lt;br /&gt;
*Shared accounts combined with a lack of auditing and logging make it extremely difficult to differentiate between malicious and honest administrators&lt;br /&gt;
*Administrative interfaces are often not designed as “secure” as user-level interfaces given the assumption that administrators are trusted users&lt;br /&gt;
*Authorization/Access Control relies on client-side information (e.g., hidden fields)&lt;br /&gt;
*Web and application server processes run as root, Administrator, LOCALSYSTEM or other privileged accounts&lt;br /&gt;
*Some web applications access the database via sa or other administrative account (or more privileges than required)&lt;br /&gt;
*Some applications implement authorization controls by including a file or web control or code snippet on every page in the application&lt;br /&gt;
	&lt;br /&gt;
     &amp;lt;input type=&amp;quot;text&amp;quot; name=&amp;quot;fname&amp;quot; value=&amp;quot;Derek&amp;quot;&amp;gt;&lt;br /&gt;
     &amp;lt;input type=&amp;quot;text&amp;quot; name=&amp;quot;lname&amp;quot; value=&amp;quot;Jeter&amp;quot;&amp;gt;&lt;br /&gt;
     &amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;usertype&amp;quot; value=&amp;quot;admin&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Access Control Anti-Patterns=&lt;br /&gt;
&lt;br /&gt;
*Hard-coded role checks in application code&lt;br /&gt;
*Lack of centralized access control logic&lt;br /&gt;
*Untrusted data driving access control decisions&lt;br /&gt;
*Access control that is &amp;quot;open by default&amp;quot;&lt;br /&gt;
*Lack of addressing horizontal access control in a standardized way (if at all)&lt;br /&gt;
*Access control logic that needs to be manually added to every endpoint in code&lt;br /&gt;
*Non-anonymous entry points that do not have an access control check&lt;br /&gt;
*No authorization check at or near the beginning of code implementing sensitive activities&lt;br /&gt;
&lt;br /&gt;
==Hard Coded Roles==&lt;br /&gt;
&lt;br /&gt;
  if (user.isManager() ||&lt;br /&gt;
      user.isAdministrator() ||&lt;br /&gt;
      user.isEditor() ||&lt;br /&gt;
      user.isUser()) {&lt;br /&gt;
      //execute action&lt;br /&gt;
  }&lt;br /&gt;
&lt;br /&gt;
'''Hard-coded roles can create several issues, including:'''&lt;br /&gt;
&lt;br /&gt;
*Making the policy of an application difficult to &amp;quot;prove&amp;quot; for audit or Q/A purposes &lt;br /&gt;
*Causing new code to be pushed each time an access control policy needs to be changed. &lt;br /&gt;
*Fragile code in which mistakes are easy to make&lt;br /&gt;
&lt;br /&gt;
==Order Specific Operations==&lt;br /&gt;
&lt;br /&gt;
Imagine the following parameters&lt;br /&gt;
&lt;br /&gt;
  http://example.com/buy?action=chooseDataPackage&lt;br /&gt;
  http://example.com/buy?action=customizePackage&lt;br /&gt;
  http://example.com/buy?action=makePayment&lt;br /&gt;
  http://example.com/buy?action=downloadData&lt;br /&gt;
&lt;br /&gt;
'''Can an attacker control the sequence?'''&lt;br /&gt;
&lt;br /&gt;
'''Can an attacker abuse this with concurrency?'''&lt;br /&gt;
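The defensive answer to both questions, added here as an example that is not part of the cheat sheet: a server-side state machine that accepts the four purchase actions only in order, keeps the current step per session instead of trusting anything the client sends, and serialises its check-and-advance so that two concurrent requests cannot both pass. The action names are the ones from the URLs above; the dict-based session store and the state names are assumptions of this example.&lt;br /&gt;

```python
# Added example (not from the cheat sheet): enforcing the order of a multi-step
# purchase flow on the server so the client cannot skip, reorder or replay steps.
# The session store below is a plain dict standing in for real server-side
# session state (an assumption of this example).
from threading import Lock, Thread

# Each action may run only when the session is in the listed state, and moves the
# session to the next state. Any action not in this table is denied.
TRANSITIONS = {
    "chooseDataPackage": ("start", "packageChosen"),
    "customizePackage": ("packageChosen", "customized"),
    "makePayment": ("customized", "paid"),
    "downloadData": ("paid", "delivered"),
}


class PurchaseWorkflow:
    """Server-side state machine keyed by session id."""

    def __init__(self):
        self._state = {}     # session id mapped to its current workflow state
        self._lock = Lock()  # serialises check-and-advance so requests cannot race

    def handle(self, session_id, action):
        """Return True if the action was allowed and applied, False if denied."""
        with self._lock:
            current = self._state.get(session_id, "start")
            if action not in TRANSITIONS:
                return False  # unknown action: deny by default
            required, next_state = TRANSITIONS[action]
            if current != required:
                # Out of order, skipped or replayed step: reject (and log it).
                return False
            self._state[session_id] = next_state
            return True

    def state(self, session_id):
        return self._state.get(session_id, "start")


def concurrent_attempts(workflow, session_id, action, count):
    """Fire `count` simultaneous requests for one action; return how many succeeded."""
    results = []
    threads = [
        Thread(target=lambda: results.append(workflow.handle(session_id, action)))
        for _ in range(count)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r)
```

Every rejection is a useful signal: a client asking for downloadData while its session is still at customized is either broken or probing the sequence, so the denial is worth logging alongside the session and the requested action.&lt;br /&gt;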
&lt;br /&gt;
==Never Depend on Untrusted Data==&lt;br /&gt;
&lt;br /&gt;
*Never trust user data for access control decisions&lt;br /&gt;
*Never make access control decisions in JavaScript&lt;br /&gt;
*Never depend on the order of values sent from the client&lt;br /&gt;
*Never make authorization decisions based solely on&lt;br /&gt;
**hidden fields&lt;br /&gt;
**cookie values&lt;br /&gt;
**form parameters&lt;br /&gt;
**URL parameters&lt;br /&gt;
**anything else from the request&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
=Attacking Access Controls=&lt;br /&gt;
&lt;br /&gt;
*Elevation of privileges&lt;br /&gt;
*Disclosure of confidential data - Compromising admin-level accounts often results in access to a user's confidential data&lt;br /&gt;
*Data tampering - Privilege levels do not distinguish users who can only view data and users permitted to modify data&lt;br /&gt;
&lt;br /&gt;
=Testing for Broken Access Control=&lt;br /&gt;
&lt;br /&gt;
*Attempt to access administrative components or functions as an anonymous or regular user&lt;br /&gt;
**Scour HTML source for “interesting” hidden form fields&lt;br /&gt;
**Test web accessible directory structure for names like admin, administrator, manager, etc (i.e. attempt to directly browse to “restricted” areas)&lt;br /&gt;
*Determine how administrators are authenticated. Ensure that adequate authentication is used and enforced&lt;br /&gt;
*For each user role, ensure that only the appropriate pages or components are accessible for that role.&lt;br /&gt;
*Login as a low-level user, browse history for a higher level user’s cache, load the page to see if the original authorization is passed to a previous session.&lt;br /&gt;
*If able to compromise an administrator-level account, test for all other common web application vulnerabilities (poor input validation, privileged database access, etc.)&lt;br /&gt;
&lt;br /&gt;
=Defenses Against Access Control Attacks=&lt;br /&gt;
&lt;br /&gt;
*Implement role based access control to assign permissions to application users for vertical access control requirements&lt;br /&gt;
*Implement data-contextual access control to assign permissions to application users in the context of specific data items for horizontal access control requirements&lt;br /&gt;
*Avoid assigning permissions on a per-user basis&lt;br /&gt;
*Perform consistent authorization checking routines on all application pages&lt;br /&gt;
*Where applicable, apply DENY privileges last, issue ALLOW privileges on a case-by-case basis&lt;br /&gt;
*Where possible restrict administrator access to machines located on the local area network (i.e. it’s best to avoid remote administrator access from public facing access points)&lt;br /&gt;
*Log all failed access authorization requests to a secure location for review by administrators&lt;br /&gt;
*Perform reviews of failed login attempts on a periodic basis&lt;br /&gt;
*Utilize the strengths and functionality provided by the SSO solution you choose&lt;br /&gt;
&lt;br /&gt;
'''Java'''&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
if ( authenticated ) {&lt;br /&gt;
&lt;br /&gt;
	request.getSession(true).setAttribute(&amp;quot;AUTHLEVEL&amp;quot;, X_USER);&lt;br /&gt;
&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''.NET (C#)'''&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
if ( authenticated ) {&lt;br /&gt;
&lt;br /&gt;
	Session[&amp;quot;AUTHLEVEL&amp;quot;] = X_USER;&lt;br /&gt;
&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''PHP'''&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
if ( authenticated ) {&lt;br /&gt;
&lt;br /&gt;
	$_SESSION['authlevel'] = X_USER; // X_USER is defined elsewhere as meaning the user is authorized&lt;br /&gt;
&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=Best Practices=&lt;br /&gt;
&lt;br /&gt;
==Best Practice: Code to the Activity==&lt;br /&gt;
&lt;br /&gt;
   if (AC.hasAccess(ARTICLE_EDIT)) {&lt;br /&gt;
       //execute activity&lt;br /&gt;
   }&lt;br /&gt;
*Code it once, never needs to change again&lt;br /&gt;
*Implies policy is persisted/centralized in some way&lt;br /&gt;
*Avoid assigning permissions on a per-user basis&lt;br /&gt;
*Requires more design/work up front to get right&lt;br /&gt;
&lt;br /&gt;
==Best Practice: Centralized ACL Controller==&lt;br /&gt;
&lt;br /&gt;
*Define a centralized access controller&lt;br /&gt;
      ACLService.isAuthorized(ACTION_CONSTANT)&lt;br /&gt;
      ACLService.assertAuthorized(ACTION_CONSTANT)&lt;br /&gt;
*Access control decisions go through these simple API’s&lt;br /&gt;
*Centralized logic to drive policy behavior and persistence&lt;br /&gt;
*May contain data-driven access control policy information&lt;br /&gt;
*Policy language needs to support ability to express both access rights and prohibitions&lt;br /&gt;
&lt;br /&gt;
==Best Practice: Using a Centralized Access Controller==&lt;br /&gt;
&lt;br /&gt;
*In Presentation Layer&lt;br /&gt;
&lt;br /&gt;
       if (isAuthorized(VIEW_LOG_PANEL))&lt;br /&gt;
       {&lt;br /&gt;
          Here are the logs&lt;br /&gt;
          &amp;lt;%= getLogs() %&amp;gt;&lt;br /&gt;
       }&lt;br /&gt;
	&lt;br /&gt;
*In Controller&lt;br /&gt;
&lt;br /&gt;
       assertAuthorized(DELETE_USER); // throws if the caller lacks the permission&lt;br /&gt;
       deleteUser();&lt;br /&gt;
&lt;br /&gt;
==Best Practice: Verifying policy server-side==&lt;br /&gt;
&lt;br /&gt;
*Keep user identity verification in session&lt;br /&gt;
*Load entitlements server side from trusted sources&lt;br /&gt;
*Force authorization checks on ALL requests&lt;br /&gt;
**JS file, image, AJAX and FLASH requests as well!&lt;br /&gt;
**Force this check using a filter if possible&lt;br /&gt;
&lt;br /&gt;
=SQL Integrated Access Control=&lt;br /&gt;
&lt;br /&gt;
'''Example Feature'''&lt;br /&gt;
&lt;br /&gt;
    http://mail.example.com/viewMessage?msgid=2356342&lt;br /&gt;
&lt;br /&gt;
'''This SQL would be vulnerable to tampering'''&lt;br /&gt;
&lt;br /&gt;
  select * from messages where messageid = 2356342&lt;br /&gt;
&lt;br /&gt;
'''Ensure the owner is referenced in the query!'''&lt;br /&gt;
&lt;br /&gt;
  select * from messages where messageid = 2356342 AND messages.message_owner = &lt;br /&gt;
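The message lookup above, carried through as an added example (not part of the cheat sheet) with both query forms side by side. The schema, the two sample rows and the user ids are constructed for this example; the owner id passed to the secure variant is assumed to come from the server-side session, never from the request.&lt;br /&gt;

```python
# Added example (not from the cheat sheet): the viewMessage lookup without and
# with the owner referenced in the query. Schema and rows are constructed.
import sqlite3


def make_db():
    """In-memory mailbox holding one message for each of two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages ("
        "messageid INTEGER PRIMARY KEY, message_owner INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?, ?)",
        [
            (2356342, 1001, "alice's private mail"),  # owned by user 1001
            (2356343, 1002, "bob's private mail"),    # owned by user 1002
        ],
    )
    return conn


def view_message_vulnerable(conn, msgid):
    """Filters on message id only: any authenticated user can read any message
    simply by changing msgid in the URL (horizontal access control failure)."""
    row = conn.execute(
        "SELECT body FROM messages WHERE messageid = ?", (msgid,)
    ).fetchone()
    return row[0] if row else None


def view_message_secure(conn, current_user_id, msgid):
    """The owner is part of the predicate, so a tampered msgid returns nothing.
    current_user_id is taken from the server-side session, not the request."""
    row = conn.execute(
        "SELECT body FROM messages WHERE messageid = ? AND message_owner = ?",
        (msgid, current_user_id),
    ).fetchone()
    return row[0] if row else None
```

Both variants use bound parameters, so the difference is purely the authorization predicate: the secure form makes the ownership check part of the data access itself, which is the point of integrating access control into the query rather than filtering afterwards in application code.&lt;br /&gt;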
&lt;br /&gt;
=Access Control Positive Patterns=&lt;br /&gt;
&lt;br /&gt;
*Code to the activity, not the role&lt;br /&gt;
*Centralize access control logic&lt;br /&gt;
*Design access control as a filter&lt;br /&gt;
*Deny by default, fail securely&lt;br /&gt;
*Build centralized access control mechanism&lt;br /&gt;
*Apply same core logic to presentation and server-side access control decisions&lt;br /&gt;
*Determine access control through Server-side trusted data&lt;br /&gt;
&lt;br /&gt;
=Data Contextual Access Control=&lt;br /&gt;
&lt;br /&gt;
'''Data Contextual / Horizontal Access Control API examples'''&lt;br /&gt;
&lt;br /&gt;
    ACLService.isAuthorized(EDIT_ORG, 142)&lt;br /&gt;
    ACLService.assertAuthorized(VIEW_ORG, 900)&lt;br /&gt;
&lt;br /&gt;
Long Form&lt;br /&gt;
&lt;br /&gt;
    isAuthorized(user, EDIT_ORG, Organization.class, 14)&lt;br /&gt;
	&lt;br /&gt;
*Essentially checking if the user has the right role in the context of a specific object&lt;br /&gt;
*Centralize access control logic&lt;br /&gt;
*Protecting data at the lowest level!&lt;br /&gt;
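A small centralized access controller in the shape of the ACLService API shown in this section and in the Centralized ACL Controller and Code to the Activity sections above, added as an example that is not part of the cheat sheet. It checks activities rather than roles, denies by default, and accepts an optional data context so the same service answers both vertical (global role) and horizontal (role within a specific organization) questions. The activity constants, the role-to-activity policy table and the membership data are constructed for this example; a real deployment would load them from a trusted server-side store.&lt;br /&gt;

```python
# Added example (not from the cheat sheet): a centralized, deny-by-default access
# controller that codes to the activity and supports data-contextual checks.
# Policy and membership data below are constructed for illustration.

# Activities: call sites ask about these, never about roles.
ARTICLE_EDIT = "ARTICLE_EDIT"
VIEW_LOG_PANEL = "VIEW_LOG_PANEL"
DELETE_USER = "DELETE_USER"
EDIT_ORG = "EDIT_ORG"
VIEW_ORG = "VIEW_ORG"

# Central policy: which roles are granted which activities. A policy change is a
# change to this table, not a code push to every endpoint.
ROLE_POLICY = {
    "user": {ARTICLE_EDIT},
    "editor": {ARTICLE_EDIT},
    "admin": {ARTICLE_EDIT, VIEW_LOG_PANEL, DELETE_USER},
    "org_member": {VIEW_ORG},
    "org_manager": {VIEW_ORG, EDIT_ORG},
}


class AccessDenied(Exception):
    pass


class ACLService:
    def __init__(self, global_roles, org_roles):
        # user mapped to the set of global roles held (vertical access control)
        self._global_roles = global_roles
        # (user, org id) mapped to roles held in that organization (data context)
        self._org_roles = org_roles

    def is_authorized(self, user, activity, context_type=None, object_id=None):
        """True only if some role the user holds, within the given data context
        when one is supplied, is granted the activity. Everything else is denied."""
        if context_type is None:
            roles = self._global_roles.get(user, set())
        elif context_type == "Organization":
            roles = self._org_roles.get((user, object_id), set())
        else:
            return False  # unknown context type: fail closed
        return any(activity in ROLE_POLICY.get(role, set()) for role in roles)

    def assert_authorized(self, user, activity, context_type=None, object_id=None):
        if not self.is_authorized(user, activity, context_type, object_id):
            raise AccessDenied(f"{user} may not {activity}")


def delete_user_endpoint(acl, current_user, target):
    """Controller pattern: assert first, act second."""
    acl.assert_authorized(current_user, DELETE_USER)
    return f"deleted {target}"


def build_demo_acl():
    """Constructed entitlements: alice is a global admin; bob is an ordinary user
    who manages organization 14 and merely belongs to organization 900."""
    global_roles = {"alice": {"admin"}, "bob": {"user"}}
    org_roles = {("bob", 14): {"org_manager"}, ("bob", 900): {"org_member"}}
    return ACLService(global_roles, org_roles)
```

The long-form call from the text, isAuthorized(user, EDIT_ORG, Organization.class, 14), maps onto is_authorized(user, EDIT_ORG, "Organization", 14): the object id changes which role set is consulted, which is what makes the check horizontal rather than a plain role lookup.&lt;br /&gt;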
&lt;br /&gt;
=Authors and Primary Editors=&lt;br /&gt;
&lt;br /&gt;
Jim Manico - jim [at] owasp dot org&amp;lt;br/&amp;gt;&lt;br /&gt;
Fred Donovan - fred.donovan [at] owasp dot org&amp;lt;br/&amp;gt;&lt;br /&gt;
Mennouchi Islam Azeddine - azeddine.mennouchi [at] owasp.org&lt;br /&gt;
&lt;br /&gt;
== Other Cheatsheets ==&lt;br /&gt;
{{Cheatsheet_Navigation}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Cheatsheets]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=GSoC2014_Ideas&amp;diff=169094</id>
		<title>GSoC2014 Ideas</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=GSoC2014_Ideas&amp;diff=169094"/>
				<updated>2014-02-27T19:03:44Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: added status of last year PHPSEC&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==OWASP Project Requests==&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.&lt;br /&gt;
New challenges need to be created in order to cover a broader set of vulnerabilities.&lt;br /&gt;
Existing challenges can also be modified to accept a broader set of valid answers, e.g. by using regular expressions.&lt;br /&gt;
&lt;br /&gt;
Ideas on the project:&lt;br /&gt;
&lt;br /&gt;
* Simulated simple buffer overflows&lt;br /&gt;
* SQL injections&lt;br /&gt;
* Man in the middle simulation&lt;br /&gt;
* Bypassing regular expression filtering&lt;br /&gt;
* Your idea here&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
New cool challenges&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP, HTML and possibly JavaScript. Good understanding of Application Security and related vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - Source Code testing environment ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that gives the attacker the capability to review a vulnerable piece of source code, make corrections and see the result in a realistic (yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, and testing and grading submitted solutions in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities. &lt;br /&gt;
&lt;br /&gt;
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - Challenge Sandbox ===&lt;br /&gt;
&lt;br /&gt;
Currently, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend;&lt;br /&gt;
we'd like the ability to write a normal vulnerable web application as a challenge and leave it to Hackademic to make sure that the server is not affected.&lt;br /&gt;
Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss it and plan it correctly.&lt;br /&gt;
&lt;br /&gt;
Ideas on the project:&lt;br /&gt;
&lt;br /&gt;
''' *Administrator's point of view* '''&lt;br /&gt;
&lt;br /&gt;
Create an infrastructure that spawns virtual environments for users while keeping the load on the server(s) reasonable.&lt;br /&gt;
Or configure Apache, PHP and MySQL in a way that allows multiple instances of the programs to run in parallel, completely separated from the rest of the server.&lt;br /&gt;
The student is expected to provide configuration scripts that do the above.&lt;br /&gt;
&lt;br /&gt;
''' *Coder's Way* '''&lt;br /&gt;
&lt;br /&gt;
This is better explained with an example:&lt;br /&gt;
In order to create an SQL injection challenge, one should be able to call a common insecure MySQL execute-statement function.&lt;br /&gt;
The student can override common functions like this, providing their own implementation of a very temporary database (based on flat files, NoSQL solutions, etc.).&lt;br /&gt;
The new functions should be able to detect the SQL injection and apply its results in a secure way (if the student drops a table, no actual table should be dropped, but the table should no longer be visible to the student).&lt;br /&gt;
&lt;br /&gt;
''' * Your solution here * '''&lt;br /&gt;
&lt;br /&gt;
The above solutions are by no means complete; their intention is to start you thinking.&lt;br /&gt;
This is a difficult task, so if you are considering tackling it, talk to us early on so we can reach a good solution that is possible in the GSoC timeframe.&lt;br /&gt;
&lt;br /&gt;
''' Expected results '''&lt;br /&gt;
&lt;br /&gt;
You should be able to run a big enough subset of OWASP WebGoatPHP with minimal modification as a Hackademic Challenge.&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - CMS improvements ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
The new CMS was created during last year's GSoC. We have received feedback from users suggesting various improvements regarding functionality, e.g. better user, teacher and challenge management. There are also some security improvements that are needed, and in general any functionality that adds to the educational nature of the project is more than welcome.&lt;br /&gt;
&lt;br /&gt;
Ideas on this project:&lt;br /&gt;
&lt;br /&gt;
* '''Template'''&lt;br /&gt;
&lt;br /&gt;
Since its creation the project has received a good number of new features, but the visual/UX/UI part has never gotten much love.&lt;br /&gt;
It would be good if we had a new template with proper UI design.&lt;br /&gt;
&lt;br /&gt;
* '''Questionnaire creation plugin'''&lt;br /&gt;
&lt;br /&gt;
We'd like the admin to be able to create questionnaires, assign rules for each question (e.g. correct answer +2 pts, incorrect answer -2, no answer 0) and assign them to students as homework/exams.&lt;br /&gt;
The grading can either be done automatically (for multiple choice) or be submitted to the creator of the questionnaire.&lt;br /&gt;
&lt;br /&gt;
* '''Ability to show different articles on the user's home screen''' &lt;br /&gt;
&lt;br /&gt;
Currently each user is served the latest article on her/his home screen. We need the teacher/admin to be able to define which article each class is served.&lt;br /&gt;
&lt;br /&gt;
* '''Gamification of the user's progress'''&lt;br /&gt;
&lt;br /&gt;
A series of plugins and a template which allow the user to earn badges as they solve challenges and a better visual representation of their progress.&lt;br /&gt;
&lt;br /&gt;
* '''Ability to define series of challenges'''&lt;br /&gt;
&lt;br /&gt;
The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.&lt;br /&gt;
&lt;br /&gt;
* ''' Tagging of articles, users, challenges '''&lt;br /&gt;
&lt;br /&gt;
A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher.&lt;br /&gt;
The user should also be able to search by tag.&lt;br /&gt;
&lt;br /&gt;
* '''Your idea here''' &lt;br /&gt;
&lt;br /&gt;
We welcome new ideas to make the project look awesome.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
New features and security improvements on the CMS part of the project.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements. &lt;br /&gt;
&lt;br /&gt;
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders&lt;br /&gt;
&lt;br /&gt;
===OWASP WebGoatPHP===&lt;br /&gt;
'''Description:'''&lt;br /&gt;
[[Webgoat]] is a deliberately insecure open source application made by OWASP in the Java programming language. It has a set of challenges and steps, each presenting the user with one or more web application vulnerabilities which the user tries to solve. There are also hints and auto-detection of correct solutions. &lt;br /&gt;
Since Java is not the most common web application programming language, and it doesn't have many of the security bugs that other languages such as PHP have, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for the promotion of WebGoatPHP.&lt;br /&gt;
&lt;br /&gt;
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP's prides (about 200000 downloads).&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' WebGoatPHP will be a deliberately insecure PHP web application which operates in different modes: a contest mode, where challenges are selected by an admin and the system starts a contest (admins can open up hints for participants and manage everything); a workshop mode, where the educator has control of most application features as well as feedback on user activities, which is ideal for learning environments; and a single mode, where someone can browse challenges and solve them.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' You just need to know PHP. You are supposed to define flawed systems, which is not the hardest thing. Familiarity with web application security and SQL is recommended.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
===OWASP CSRF Guard===&lt;br /&gt;
'''Description:''' [[Cross-Site_Request_Forgery_(CSRF)|CSRF]] is a complicated yet very effective web attack. The most important thing about CSRF is that it's hard to defend against properly, especially when it comes to Web 2 and AJAX. We have had discussions on means of mitigating CSRF for years at OWASP, and are now ready to develop libraries for it. Many of the key ideas of this library can be found at [http://www.cs.sunysb.edu/~rpelizzi/jcsrf.pdf].&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' A transparent Apache 2 module properly mitigating all POST CSRF attacks, as well as a lightweight PHP library doing the same.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisites:''' Knowing CSRF and at least one way to defend against it, PHP, C/C++, Linux.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP PHP Security Project===&lt;br /&gt;
&lt;br /&gt;
'''Description:'''&lt;br /&gt;
The OWASP PHP Security project plans to gather secure PHP libraries and provide a full-featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results: ''' The result of this project is much better security among PHP applications. Most PHP applications are vulnerable and there's no central approach to securing them (due to their open source nature). Many people look to OWASP for such information.&lt;br /&gt;
&lt;br /&gt;
Last year, we had GSoC students working on OWASP PHPSEC, and we were the most active OWASP project. A lot of the libraries are in place, and this year we will mostly work on the framework.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For the tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Johanna Curiel&lt;br /&gt;
&lt;br /&gt;
===OWASP RBAC Project===&lt;br /&gt;
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''. &lt;br /&gt;
&lt;br /&gt;
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. The NIST RBAC standard has four levels; the second level, hierarchical RBAC, is the one intended for this project.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other simple forms of access control, which leads to broken and unmaintainable access control over time. &lt;br /&gt;
&lt;br /&gt;
OWASP provides the RBAC project as a stand-alone library with very fast access control checks and a standard, mature code base. Currently [[PHPRBAC]], the PHP version of the RBAC project, is released.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, especially web-oriented ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary &lt;br /&gt;
&lt;br /&gt;
'''Skill Level:''' Advanced&lt;br /&gt;
&lt;br /&gt;
For more info, visit [http://phprbac.net phprbac.net]&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Zest support ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
The Mozilla foundation has done great work with the Zest initiative, which provides a great automated mechanism to replicate exploitation of security vulnerabilities in a format that makes tool communication easier. For example, ZAP supports Zest, so if OWTF can create a Zest script for a vulnerability in an automated fashion, this may in turn be easier to import into ZAP and other tools.&lt;br /&gt;
&lt;br /&gt;
[https://developer.mozilla.org/en-US/docs/Zest More information on Zest can be found here]&lt;br /&gt;
&lt;br /&gt;
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintainable.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* High performance&lt;br /&gt;
* Reliability&lt;br /&gt;
* Ease of use&lt;br /&gt;
* Test cases&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Some previous exposure to security concepts, penetration testing, Python and development in general is important for this project.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Improved Plug-n-Hack support ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
The Mozilla foundation has done great work with the Plug-n-Hack standard, which provides greatly improved interaction with the web browser.&lt;br /&gt;
Although OWTF already supports Plug-n-Hack for MiTM purposes, there are many other features that could be implemented to leverage Plug-n-Hack.&lt;br /&gt;
The aim of this project would be to cover as much of the Plug-n-Hack standard as is relevant to OWTF.&lt;br /&gt;
&lt;br /&gt;
[https://www.youtube.com/watch?v=pYFtLA2yTR8 Please see this demo to see the newest Plug-n-Hack additions]&lt;br /&gt;
&lt;br /&gt;
[https://blog.mozilla.org/security/2013/08/22/plug-n-hack/ For more information about plug and hack please see this]&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* High performance&lt;br /&gt;
* Reliability&lt;br /&gt;
* Ease of use&lt;br /&gt;
* Test cases&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python experience is very welcome but not strictly necessary; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Stateful Browser with configurable authentication ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
The automated functionality of OWASP OWTF is currently limited to the non-authenticated portion of a website. We would like to implement authentication support through:&lt;br /&gt;
&lt;br /&gt;
1) OWTF parameters&lt;br /&gt;
&lt;br /&gt;
2) Configuration files&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
What we would like to do here is to leverage the [http://wwwsearch.sourceforge.net/mechanize/ powerful mechanize python library] and build at least support for the following authentication options:&lt;br /&gt;
* Basic authentication [https://github.com/7a/owtf/issues/9 Already implemented here]&lt;br /&gt;
* Cookie based authentication&lt;br /&gt;
* Form-based authentication&lt;br /&gt;
&lt;br /&gt;
Additionally, we would welcome here a feature to detect when the user has been logged off, to log OWTF back in again before retrying the next request. Note: the proxy is probably a better place to implement this, since external tools would also benefit from it. This feature will have to be coordinated with the MiTM proxy feature (already implemented).&lt;br /&gt;
&lt;br /&gt;
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintainable.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* High performance&lt;br /&gt;
* Reliability&lt;br /&gt;
* Ease of use&lt;br /&gt;
* Test cases&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python experience, and experience with the mechanize library or HTTP state, is very welcome but not strictly necessary; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - SQL database ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
OWASP OWTF scans may take a large amount of disk space due to saving information in text files. We would like to add an option to use an SQL database, probably using the SQLAlchemy Python library.&lt;br /&gt;
* Keep the current text file format as an option&lt;br /&gt;
* Add a database storage option using the SQLAlchemy library&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* Reliability: both with the SQL database option and the text file option.&lt;br /&gt;
* Test cases&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python; SQLAlchemy experience would be beneficial for this.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Unit Test Framework ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.&lt;br /&gt;
&lt;br /&gt;
The Unit Test Framework should be able to:&lt;br /&gt;
* Define test categories: For example, &amp;quot;all plugins&amp;quot;, &amp;quot;web plugins&amp;quot;, &amp;quot;aux plugins&amp;quot;, &amp;quot;test framework core&amp;quot;, etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)&lt;br /&gt;
* Allow regression testing of isolated plugins (i.e. &amp;quot;only test _this_ plugin&amp;quot;)&lt;br /&gt;
* Allow regression testing by test category (i.e. &amp;quot;test only web plugins&amp;quot;)&lt;br /&gt;
* Allow regression testing of everything (i.e. plugins + framework core: &amp;quot;test all&amp;quot;)&lt;br /&gt;
* Produce meaningful statistics and easy-to-navigate logs to identify which tests failed, and ideally also hints on how to potentially fix the problem where possible&lt;br /&gt;
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF&lt;br /&gt;
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF&lt;br /&gt;
* Perform well so that we can run as many tests as possible in a given period of time&lt;br /&gt;
* Potentially leverage the Python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* Performant and automated regression testing&lt;br /&gt;
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python; experience with unit tests and automated regression testing would be beneficial. Some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Python version upgrade and compatibility ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
Right now OWASP OWTF works on Python 2.6.5-2.7.3 (it might work on surrounding versions too). The aim of this project would be to change the existing codebase so that it additionally works on newer Python versions too, for example Python 3.3.&lt;br /&gt;
The intention here is to take advantage of improvements in newer Python versions when available, while letting OWASP OWTF work on older Python versions too (i.e. 2.6.5) if that is the only option available.&lt;br /&gt;
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintainable due to compatibility.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* Performant and reliable OWASP OWTF execution on multiple Python versions, in particular the latest Python version (i.e. 3.3.x) as well as the previous 2.6.5-2.7.3 range.&lt;br /&gt;
* Test cases&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python, with experience of Python version upgrades and Python version compatibility implementations; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
===OWASP PCI TOOLKIT===&lt;br /&gt;
[[File:Pci-toolkit-items-small.gif]]&amp;lt;br&amp;gt; OWASP PCI toolkit is an Open Source project built using Google App Engine that will help organizations scope the PCI-DSS requirements for their system components. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.&lt;br /&gt;
&lt;br /&gt;
In order to comply with this standard, organizations need to understand the PCI-DSS requirements. Many of these requirements use OWASP guidelines as their baseline.&lt;br /&gt;
 &lt;br /&gt;
The OWASP PCI toolkit is a project focused on helping organizations understand how OWASP guidelines apply to the PCI-DSS requirements.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
4 complete modules built on Google App Engine: &lt;br /&gt;
http://pci-toolkit.appspot.com/&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Skill Level: Easy-Medium&lt;br /&gt;
Python, HTML, CSS, Google App Engine.&lt;br /&gt;
&lt;br /&gt;
Affinity with financial institutions, Web security and credit card-online transactions&lt;br /&gt;
&lt;br /&gt;
'''OWASP project page:'''&lt;br /&gt;
&lt;br /&gt;
https://www.owasp.org/index.php/Category:OWASP_PCI_Project&lt;br /&gt;
&lt;br /&gt;
Mentor: Johanna Curiel - email: firstname.lastname@owasp.org&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP iGoat ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
Right now OWASP iGoat works fine as a full universal iOS app on iPhone and iPads up to iOS 6.x and Xcode 4.x. It needs to be updated to properly function under iOS 7.x and Xcode 5.x, which will require some code maintenance, GUI changes, and so on.&lt;br /&gt;
&lt;br /&gt;
Although it is primarily maintenance items that need the updating, the student will gain an intimate familiarity with how the iGoat platform works, including how to write and plug-in new exercise modules. Writing additional exercises, with all due credit, will also be encouraged in an optional second phase of this project.&lt;br /&gt;
&lt;br /&gt;
For background on OWASP iGoat please see: https://www.owasp.org/index.php/OWASP_iGoat_Project&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* iGoat functions properly in all current aspects under iOS 7.x, compiled under Xcode 5.x.&lt;br /&gt;
* All GUI, buttons, and other presentation layer aspects of iGoat are compliant with iOS 7.x look and feel.&lt;br /&gt;
* (Optionally) write one or more new iGoat exercise modules, based on existing design descriptions to be provided by the project mentor.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
iOS app development in Xcode using Objective-C will be quite necessary. Familiarity with iOS 7.x user interface updates is additionally helpful.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Ken van Wyk - OWASP iGoat Project Leader - Contact: ken@krvw.com'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - Advanced access control testing ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
Access control testing is typically difficult for security tools to automate. However previous Google Summer of Code projects have added session, authentication, user and role handling to ZAP, which provide an ideal basis for advanced access control testing.&lt;br /&gt;
&lt;br /&gt;
ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org readers.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
This development would allow (semi) automated access control testing by:&lt;br /&gt;
* Maintaining and displaying different site trees (application maps) for different users/roles&lt;br /&gt;
* Providing tools which access all of the content accessible via one user/role which should not be accessible via another user/role&lt;br /&gt;
* Ideally allow resources to be tied to users/roles to enable horizontal privilege testing&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. &lt;br /&gt;
&lt;br /&gt;
'''Mentor: [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - Scripted Add-ons ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
ZAP supports all JSR 223 scripting languages, but only for a limited number of purposes. This development would allow 'full' add-ons to be written in any JSR 223 language.&lt;br /&gt;
&lt;br /&gt;
ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org readers.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* Users will be able to write 'full' add-ons in any JSR 223 scripting language&lt;br /&gt;
* A set of example add-ons demonstrating as much functionality as possible should be developed in at least JavaScript, Jython and JRuby.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. &lt;br /&gt;
&lt;br /&gt;
'''Mentor: [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - AMF Support ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
ZAP has only very limited support for AMF and does not provide an effective graphical representation of it. &lt;br /&gt;
This development will add full support for AMF.&lt;br /&gt;
&lt;br /&gt;
ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org readers.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* De-serialise and display AMF messages in ZAP graphically (based on existing POC code)&lt;br /&gt;
* Expose the AMF data as parameters so that ZAP can scan them&lt;br /&gt;
* Add new AMF specific scan rules as required&lt;br /&gt;
* Implement in a way that makes it easier for ZAP to support other technologies (such as Java applets, Silverlight) &lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. &lt;br /&gt;
&lt;br /&gt;
'''Mentor: Colm O'Flaherty - OWASP ZAP Core team'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - Web Service (SOAP) scanning ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
ZAP has only very limited support for web service scanning and has no understanding of WSDL.&lt;br /&gt;
This development will add full support for exploring and scanning SOAP based web services.&lt;br /&gt;
&lt;br /&gt;
ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org readers.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
The development will allow ZAP to parse WSDL and populate the Sites tree with all of the end points defined. It should also enhance the ZAP scanning capabilities to specifically attack the end points for as wide a range of vulnerabilities. Test cases should be written in [http://code.google.com/p/wavsep/ wavsep] format and contributed back to that project.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. &lt;br /&gt;
&lt;br /&gt;
'''Mentor: [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - As a long running service ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
ZAP started out as a GUI only desktop tool. It now supports a headless 'daemon' mode but it is still not suitable for running as a long running service. This will require much heavier use of the database, and ideally will allow different databases to be used. &lt;br /&gt;
&lt;br /&gt;
ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org readers.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
ZAP should be able to run as a (very) long-running service. There must be no memory leaks in the code, and ideally there should still be very little latency while proxying through ZAP.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. &lt;br /&gt;
&lt;br /&gt;
'''Mentor: [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [https://www.owasp.org/index.php/ZAP OWASP ZAP] - GUI unit test framework ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
While ZAP does have some low level unit tests, it doesn't have any unit tests for the UI. This means that changes can sometimes break the UI without it being immediately apparent.&lt;br /&gt;
&lt;br /&gt;
ZAP is the [https://www.ohloh.net/orgs/OWASP most active OWASP project] and was voted the [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ most popular security tool of 2013] by ToolsWatch.org readers.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
A unit test framework which will allow the GUI to be easily tested. A set of unit tests which test the main GUI features and can be easily extended.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. &lt;br /&gt;
&lt;br /&gt;
'''Mentor: [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [https://www.owasp.org/index.php/ESAPI OWASP ESAPI] 2.x - Security Configuration ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
There are currently more than half a dozen open Google Issues in ESAPI regarding the security configuration component (e.g., see [http://code.google.com/p/owasp-esapi-java/issues/list?q=component%3DSecurityConfiguration ESAPI Security Configuration Issues]).&lt;br /&gt;
&lt;br /&gt;
The ESAPI interface for its configuration (SecurityConfiguration) is overly complicated; it has a 'getter' method specific to almost every ESAPI configuration property. The rules for how and where the ESAPI.properties file is found are overly complicated, making questions about it one of the most frequently asked questions on forums such as Stack Exchange and the ESAPI mailing lists. This complication leads to an unduly intricate, non-modular reference implementation (DefaultSecurityConfiguration) that is difficult to extend with new functionality.&lt;br /&gt;
&lt;br /&gt;
A new, simpler security configuration interface and implementation is needed. Such an implementation would not only be useful for ESAPI 2.x, but could very well be used to build the configurator needed by ESAPI 3.  &lt;br /&gt;
&lt;br /&gt;
As part of this GSoC project, the expectation is not only to address as many of the open security configuration issues as possible, but also to go beyond this and provide a framework for additional extensions in terms of functionality.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
1) An improved, but simpler API for the security configuration part of ESAPI.&lt;br /&gt;
2) Alternate configuration stores other than Java properties files (e.g., XML, database), to be supported.&lt;br /&gt;
3) The ability to split the ESAPI configuration data into smaller, more manageable chunks, resulting in better maintainability and allowing better enforcement of corporate security policies.&lt;br /&gt;
4) Continued backward compatibility with ESAPI 2.1.x or an extremely simple migration path forward.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Since the ESAPI 2.x project is written in Java, a good knowledge of Java is essential. A strong knowledge of JUnit will also be helpful in creating unit test cases. A working knowledge of XML or JDBC may also prove helpful.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: [https://www.owasp.org/index.php/User:Kevin_W._Wall Kevin W. Wall] - OWASP ESAPI for Java Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid Project] ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
OWASP Seraphimdroid is a relatively new OWASP project concerned with Android security. The Seraphimdroid Android application should become a mobile device safeguard, while also giving users information and knowledge about the security risks on their phone (in a personalized way). The security guard idea is based solely on heuristics: most of the risks that cost money or damage the user's privacy can be stopped without a huge online signature database or a huge malware analysis lab. As part of this GSoC project, the focus will be on finding ways to stop as many risks that can cost money (premium calls, SMS, USSD...) or harm user privacy as possible, and on enhancing the UX of the mobile application.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
* Building features for stopping threats that can cost money and originate from third party applications (continuing where previous work stopped)&lt;br /&gt;
* Building and proposing features that can stop third party applications from damaging the user's privacy by sending the user's data out of the mobile device (over the internet)&lt;br /&gt;
* Enhance UI/UX&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Since the OWASP Seraphimdroid project is written in Java with the Android SDK, a good knowledge of Java, the Android OS and the SDK is essential. Good knowledge of XML and the IP protocol can be useful.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: [https://www.owasp.org/index.php/User:Nikola_Milosevic Nikola Milosevic] - OWASP Seraphimdroid Project Leader'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP ModSecurity Core Rule Set (CRS) - Create &amp;quot;Sniffer-Mode&amp;quot; ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:''' &lt;br /&gt;
&lt;br /&gt;
The ModSecurity code includes a &amp;quot;standalone&amp;quot; version that wraps a lightweight Apache/APR around the ModSecurity code.  This is used as the basis for the ports to the IIS/Nginx web server platforms.  The goal for this project task is to extend this standalone version so that it can accept a data feed of network traffic (e.g. libpcap data) as input and apply the ModSecurity CRS rules.  Possible solutions could be:&lt;br /&gt;
* Create a ModSecurity &amp;quot;plugin&amp;quot; for the Snort IDS.&lt;br /&gt;
* Create a ModSecurity &amp;quot;plugin&amp;quot; for the Suricata IDS.&lt;br /&gt;
* Add libpcap sniffer wrapper to standalone ModSecurity code to directly pull data off the wire.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
This new sniffer mode would allow organizations to run ModSecurity/OWASP ModSecurity CRS in an out-of-line mode, as they do IDS systems.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP ModSecurity Core Rule Set (CRS) - Implement DoS Prevention Code ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:''' https://github.com/SpiderLabs/ModSecurity/issues/416&lt;br /&gt;
&lt;br /&gt;
Implement a request velocity learning engine to identify dynamic DoS thresholds for both the site and for the particular URL.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
The new C code in ModSecurity will allow us to add new DoS Protection methods to the OWASP ModSecurity CRS.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP ModSecurity CRS - Create a Positive Learning/Profile Engine ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:''' See this academic/research paper for ideas of the type of learning we are looking for - http://www.cs.ucsb.edu/~vigna/publications/2003_kruegel_vigna_ccs03.pdf&lt;br /&gt;
&lt;br /&gt;
ModSecurity needs a profiling engine that implements the various AppSensor Detection Points - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
The new engine will implement more detection points to detect abnormal request attributes.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP ModSecurity Core Rule Set (CRS) - Create an Engine to Detect Application Flow Anomalies ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
Need an engine that can track normal application flow paths (click-flows) for business logic transactions - such as transferring money from accounts.  After profiling normal application path flows, we want to then be able to alert to anomalies.  This type of logic can help to prevent Banking Trojan attacks.&lt;br /&gt;
&lt;br /&gt;
Example - let's say an application has a multi-step checkout process to purchase an item.  This new engine would be able to profile/learn which URLs are accessed in what order and identify if clients skip steps or jump directly to other URLs in the flow.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
The engine will be able to alert on anomalous application flows.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Felipe Zimmerle Costa and Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=GSoC2014_Ideas&amp;diff=167491</id>
		<title>GSoC2014 Ideas</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=GSoC2014_Ideas&amp;diff=167491"/>
				<updated>2014-02-05T23:42:12Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: added my 4 projects&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==OWASP Project Requests==&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.&lt;br /&gt;
New challenges need to be created in order to cover a broader set of vulnerabilities.&lt;br /&gt;
Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.&lt;br /&gt;
&lt;br /&gt;
Ideas on the project:&lt;br /&gt;
&lt;br /&gt;
* Simulated simple buffer overflows&lt;br /&gt;
* SQL injections&lt;br /&gt;
* Man in the middle simulation&lt;br /&gt;
* Bypassing regular expression filtering&lt;br /&gt;
* Your idea here&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
New cool challenges&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - Source Code testing environment ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the attacker the capability to review a vulnerable piece of source code, make corrections and see the result in a realistic (but still safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, and testing submitted solutions and grading them automatically. At the same time, there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities. &lt;br /&gt;
&lt;br /&gt;
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - CMS improvements ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
The new CMS was created during last year's GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.&lt;br /&gt;
&lt;br /&gt;
Ideas on this project:&lt;br /&gt;
&lt;br /&gt;
* '''Plugin api and plugin actions interface'''&lt;br /&gt;
&lt;br /&gt;
An easy way for users to code their own plugins which will modify the appearance of hackademic or add to the functionality.&lt;br /&gt;
&lt;br /&gt;
* '''Ability to show different articles on the user's home screen''' &lt;br /&gt;
&lt;br /&gt;
Currently each user is served the latest article on her/his home screen. We need the ability for the teacher/admin to define which article each class is served.&lt;br /&gt;
&lt;br /&gt;
* '''Ability to define series of challenges'''&lt;br /&gt;
&lt;br /&gt;
The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.&lt;br /&gt;
&lt;br /&gt;
* ''' Tagging of articles, users, challenges '''&lt;br /&gt;
&lt;br /&gt;
A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher.&lt;br /&gt;
Also the user should be able to search according to the tags.&lt;br /&gt;
&lt;br /&gt;
* '''Your idea here''' &lt;br /&gt;
&lt;br /&gt;
We welcome new ideas to make the project look awesome.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
New features and security improvements on the CMS part of the project.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements. &lt;br /&gt;
&lt;br /&gt;
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders&lt;br /&gt;
&lt;br /&gt;
===OWASP WebGoatPHP===&lt;br /&gt;
'''Description:'''&lt;br /&gt;
[[Webgoat]] is deliberately insecure open source software made by OWASP using the Java programming language. It has a set of challenges and steps, each presenting the user with one or more web application vulnerabilities which the user tries to solve. There are also hints and auto-detection of correct solutions.&lt;br /&gt;
Since Java is not the most common web application programming language, and it doesn't have many of the bugs that other languages such as PHP have when it comes to security, OWASP [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 to the promotion of WebGoatPHP.&lt;br /&gt;
&lt;br /&gt;
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP's prides (about 200000 downloads).&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' WebGoatPHP will be a deliberately insecure PHP web application which operates in different modes. A contest mode, where challenges are selected by an admin and the system starts a contest; admins can open up hints for participants and manage everything. A workshop mode, where the educator has control of most of the application's features, as well as feedback on user activities, which is ideal for learning environments. And a single mode, where someone can browse challenges and solve them.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' You just need to know PHP. You are supposed to define flawed systems, which is not the hardest thing. Familiarity with web application security and SQL is recommended.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
===OWASP CSRF Guard===&lt;br /&gt;
'''Description:''' [[Cross-Site_Request_Forgery_(CSRF)|CSRF]] is a complicated yet very effective web attack. The most important thing about CSRF is that it's hard to defend against properly, especially when it comes to Web 2.0 and AJAX. We have had discussions on means of mitigating CSRF for years at OWASP, and are now ready to develop libraries for it. Many of the key ideas of this library can be found at [http://www.cs.sunysb.edu/~rpelizzi/jcsrf.pdf].&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' A transparent Apache 2 module properly mitigating all POST CSRF attacks, as well as a lightweight PHP library doing the same.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisites:''' Knowing CSRF and at least one way to defend against it, PHP, C/C++, Linux.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP PHP Security Project===&lt;br /&gt;
&lt;br /&gt;
'''Description:'''&lt;br /&gt;
The OWASP PHP Security project plans to gather together secure PHP libraries and provide a full-featured framework of libraries for secure web applications in PHP, both as separate decoupled libraries and as a whole secure web application framework. Many aspects of this project are already handled and are being added to OWASP.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' The result of this project is much better security across PHP applications. Most PHP applications are vulnerable, and there is no central approach to securing them (due to their open source nature). Many people look to OWASP for such information.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP).  There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required. &lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
===OWASP RBAC Project===&lt;br /&gt;
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''. &lt;br /&gt;
&lt;br /&gt;
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. The NIST RBAC standard has four levels; the second level, hierarchical RBAC, is intended for this project.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other simple access control methods, which leads to broken and unmaintainable access control over time.&lt;br /&gt;
&lt;br /&gt;
OWASP provides the RBAC project as a stand-alone library with very fast access control checks and a standard, mature code base. Currently [[PHPRBAC]], the PHP version of the RBAC project, is released.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, especially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
'''Skill Level:''' Advanced&lt;br /&gt;
&lt;br /&gt;
For more info, visit [http://phprbac.net phprbac.net]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Edu&amp;diff=163611</id>
		<title>Edu</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Edu&amp;diff=163611"/>
				<updated>2013-11-19T19:36:03Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: redirect to EDU&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;#REDIRECT [[EDU]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Project&amp;diff=163083</id>
		<title>OWASP PHP Security Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Project&amp;diff=163083"/>
				<updated>2013-11-12T17:32:09Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Project leader */ link to the leaders page, for contact&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Main =&lt;br /&gt;
[[File:Phpsec-logo.gif]]&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP PHP Security Project==&lt;br /&gt;
OWASP PHP Security Project is an effort by a group of PHP developers in securing PHP web applications, using a collection of decoupled flexible secure PHP libraries, as well as a collection of PHP tools.&lt;br /&gt;
&lt;br /&gt;
[https://github.com/owasp/phpsec/ GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
==What is PHPSEC?==&lt;br /&gt;
On top of a collection of libraries and tools, PHPSEC contains a sample framework to demonstrate proper usage of the tools and libraries, as well as to provide guidelines for new PHP projects. It can also be easily merged with existing PHP code, because it is both decoupled and flexible. Proper usage of PHPSEC will result in the target system being much more secure.&lt;br /&gt;
&lt;br /&gt;
==Why PHPSEC?==&lt;br /&gt;
PHPSEC is suitable for three groups of developers:&lt;br /&gt;
&lt;br /&gt;
* Framework Developers can use the libraries and tools to strengthen their framework security&lt;br /&gt;
* PHP Application Developers can use the library and tools to enhance their application security&lt;br /&gt;
* New PHP Developers can use the tools and libraries to create secure applications from scratch&lt;br /&gt;
&lt;br /&gt;
==Project leader==&lt;br /&gt;
&lt;br /&gt;
[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==Major Contributors==&lt;br /&gt;
*Rahul Chaudhary&lt;br /&gt;
*Abhishek Das&lt;br /&gt;
*Shivam Dixit&lt;br /&gt;
*Achim&lt;br /&gt;
*Zakia Ahmad&lt;br /&gt;
*AV Minhaz&lt;br /&gt;
*Paulo Guerreiro&lt;br /&gt;
&lt;br /&gt;
==Libraries Offered==&lt;br /&gt;
* Basic Password Library&lt;br /&gt;
* Advance Password Library&lt;br /&gt;
* User Library and Management&lt;br /&gt;
* Crypto Library&lt;br /&gt;
* Password Library&lt;br /&gt;
* Database Library&lt;br /&gt;
* Download Manager Library&lt;br /&gt;
* HTTP Library&lt;br /&gt;
* Tainted Library&lt;br /&gt;
* Logs Library&lt;br /&gt;
* Session Library&lt;br /&gt;
* Core Library&lt;br /&gt;
* Scanner Tool&lt;br /&gt;
&lt;br /&gt;
==Tools Offered==&lt;br /&gt;
* XSS Resolver&lt;br /&gt;
* SQL Injection Detector&lt;br /&gt;
* Taint Tracker&lt;br /&gt;
&lt;br /&gt;
==Damages Mitigated==&lt;br /&gt;
* Brute Force Attacks&lt;br /&gt;
* Cross-site Scripting (XSS) Attacks&lt;br /&gt;
* SQL Injection Attacks&lt;br /&gt;
* Session Fixation, Session Hijacking, Session Guessing&lt;br /&gt;
* Encrypting sensitive information in configuration files&lt;br /&gt;
* Replacement of native PHP's faulty functions&lt;br /&gt;
* A secure PRNG (Pseudorandom number generator)&lt;br /&gt;
* Secure implementation of &amp;quot;remember-me&amp;quot; and &amp;quot;temporary password&amp;quot; features&lt;br /&gt;
* Capability to mark/disallow suspicious strings&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
* [http://github.com/OWASP/phpsec/archive/master.zip OWASP PHPSec project] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Website ==&lt;br /&gt;
&lt;br /&gt;
http://phpsec.owasp.org/&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
[http://appsecusa2013.sched.org/event/4a0421d19aad48a7fbe35ec97899936c#.UoI2Jfmfhv8 Visit us at OWASP APPSEC conference November 2013]&lt;br /&gt;
==Classifications==&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=Builders]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=Defenders]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Project About =&lt;br /&gt;
{{:Projects/OWASP_PHP_Security_Project}} &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=CRV2_CSRFIssues&amp;diff=161090</id>
		<title>CRV2 CSRFIssues</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=CRV2_CSRFIssues&amp;diff=161090"/>
				<updated>2013-10-18T19:37:30Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: simple CSRF protection for PHP&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Having CSRF-proof forms and actions is a complex task, and very prone to human error. The most effective means of mitigating it is incorporating it into a widget library, for example the OWASP PHP Security Widget library, which automatically uses CSRF protection.&lt;br /&gt;
&lt;br /&gt;
CSRF protection for GET and COOKIE elements is hard and not recommended, therefore all operations that change the state of the application in some way should be implemented using HTTP POST (or other state-changing HTTP requests).&lt;br /&gt;
&lt;br /&gt;
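A minimal PHP implementation of the token scheme this page describes (a required, cryptographically secure form parameter that is checked when the form is submitted and expired once it has been used), added here as an example; it is not code from the OWASP wiki or from the OWASP PHP Security Project. The session slot name, the csrf_token field name and the 30-minute lifetime are assumptions.&lt;br /&gt;
&lt;br /&gt;
```php
&lt;?php
// Added example, not code from the OWASP page or the OWASP PHP Security Project:
// a single-use CSRF token for POST forms. It follows the page's rules: the token is
// cryptographically secure, required on every state-changing POST, checked on
// submission and expired as soon as a valid one has been used. The session slot
// name, the field name "csrf_token" and the 30-minute lifetime are assumptions.
declare(strict_types=1);

const CSRF_KEY = 'csrf_tokens';  // assumed session slot holding issued tokens
const CSRF_TTL = 1800;           // assumed lifetime of an unused token, in seconds

/**
 * Issue a fresh token and record its expiry in the session store.
 * $session stands in for $_SESSION so the example runs without a web server.
 */
function csrf_issue(array &amp;$session, int $now): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the OS CSPRNG
    $session[CSRF_KEY][$token] = $now + CSRF_TTL;  // one expiry per outstanding token
    return $token;
}

/** Hidden field to embed in the form; the token is hex, escaping is defence in depth. */
function csrf_hidden_field(string $token): string
{
    $safe = htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '&lt;input type="hidden" name="csrf_token" value="' . $safe . '"&gt;';
}

/**
 * Validate a submitted token. Returns true at most once per issued token:
 * a token that validates is removed from the store, so a replayed form fails.
 */
function csrf_validate(array &amp;$session, ?string $submitted, int $now): bool
{
    if ($submitted === null || $submitted === '') {
        return false;                             // the parameter is required
    }
    foreach ($session[CSRF_KEY] ?? [] as $token =&gt; $expires) {
        if ($expires &lt; $now) {
            unset($session[CSRF_KEY][$token]);    // drop stale tokens on the way
            continue;
        }
        if (hash_equals((string) $token, $submitted)) {  // constant-time comparison
            unset($session[CSRF_KEY][$token]);    // consume it: single use
            return true;
        }
    }
    return false;
}

/** A state-changing action: only over POST, and only with a live token. */
function handle_transfer(array &amp;$session, string $method, array $params, int $now): string
{
    if ($method !== 'POST') {
        return 'rejected: state changes must use POST';
    }
    if (!csrf_validate($session, $params['csrf_token'] ?? null, $now)) {
        return 'rejected: missing, unknown, expired or reused CSRF token';
    }
    return 'ok: transferred ' . (int) ($params['amount'] ?? 0);
}

// Constructed walk-through with an in-memory "session" and a fixed clock.
$session = [];
$now = 1700000000;

$token = csrf_issue($session, $now);
echo "&lt;form method=\"post\" action=\"/transfer\"&gt;\n  ", csrf_hidden_field($token),
    "\n  &lt;input name=\"amount\" value=\"100\"&gt;\n&lt;/form&gt;\n";

// Genuine submission: accepted once.
echo handle_transfer($session, 'POST', ['csrf_token' =&gt; $token, 'amount' =&gt; '100'], $now + 5), "\n";
// Same token replayed: rejected, it was consumed above.
echo handle_transfer($session, 'POST', ['csrf_token' =&gt; $token, 'amount' =&gt; '100'], $now + 6), "\n";
// Cross-site form that cannot know the token: rejected.
echo handle_transfer($session, 'POST', ['amount' =&gt; '100'], $now + 7), "\n";
// Token carried in a GET request: rejected before validation, GET must not change state.
echo handle_transfer($session, 'GET', ['csrf_token' =&gt; csrf_issue($session, $now), 'amount' =&gt; '100'], $now + 8), "\n";
// Token left unused past its lifetime: rejected.
$late = csrf_issue($session, $now);
echo handle_transfer($session, 'POST', ['csrf_token' =&gt; $late, 'amount' =&gt; '100'], $now + CSRF_TTL + 1), "\n";
```
&lt;br /&gt;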
Generally, CSRF protection is achieved by generating cryptographically secure, '''required''' parameters into HTML forms, and checking them when the forms are submitted. Once they are submitted and found valid, they should be expired.&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=CRV2_RevCodeReflectedAntiPatternPHP&amp;diff=161088</id>
		<title>CRV2 RevCodeReflectedAntiPatternPHP</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=CRV2_RevCodeReflectedAntiPatternPHP&amp;diff=161088"/>
				<updated>2013-10-18T19:33:21Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: reflected XSS attacks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;To fully mitigate reflected XSS attacks, PHP code should never output variables using echo, print and other output generating functions. If the output needs to be complex (for example an HTML list of variables), the HTML part should be outside the PHP tags, and the rest should be inside them, using safe output functions (available in the OWASP PHP Security Project Core Library). For example:&lt;br /&gt;
&lt;br /&gt;
 &amp;lt;nowiki&amp;gt;&lt;br /&gt;
   foreach ($list as $item)&lt;br /&gt;
   {&lt;br /&gt;
   ?&amp;gt;&lt;br /&gt;
   &amp;lt;li&amp;gt;&amp;lt;?php phpsec\exho($item);?&amp;gt;&amp;lt;/li&amp;gt;&lt;br /&gt;
   &amp;lt;?php&lt;br /&gt;
   }&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Or&lt;br /&gt;
&lt;br /&gt;
 &amp;lt;nowiki&amp;gt;&lt;br /&gt;
   &amp;lt;?php&lt;br /&gt;
   // the library's safe printf() escapes each %s argument before it reaches the output&lt;br /&gt;
   foreach ($list as $item)&lt;br /&gt;
   {&lt;br /&gt;
       phpsec\printf(&amp;quot;&amp;lt;li&amp;gt;%s&amp;lt;/li&amp;gt;\n&amp;quot;, $item);&lt;br /&gt;
   }&lt;br /&gt;
 &amp;lt;/nowiki&amp;gt;&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=CRV2_RevCodePersistentAntiPatternPHP&amp;diff=161087</id>
		<title>CRV2 RevCodePersistentAntiPatternPHP</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=CRV2_RevCodePersistentAntiPatternPHP&amp;diff=161087"/>
				<updated>2013-10-18T19:26:57Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: Persistent XSS mitigation&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Removing persistent (stored) XSS from PHP code is fairly mechanical: replace every raw output function (such as echo and print) with its escaping counterpart from the OWASP PHP Security Project Core Library, and whenever HTML elements need to be emitted, use the dedicated functions or move the markup outside the PHP tags. The PHP Security Project also ships a scanner that finds these raw output calls and can replace them automatically. Keep in mind that escaping must match the output context: an HTML-body escape does not make a value safe inside an attribute, a script block or a URL.&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=CRV2_ClientSideCodeJScript&amp;diff=161086</id>
		<title>CRV2 ClientSideCodeJScript</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=CRV2_ClientSideCodeJScript&amp;diff=161086"/>
				<updated>2013-10-18T18:56:38Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: JScript security&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
Three checks are required for JavaScript code:&lt;br /&gt;
# Keep all the logic server-side; JavaScript is only the butler.&lt;br /&gt;
# Check for every form of DOM-based XSS.&lt;br /&gt;
# Check for insecure JavaScript libraries and update them frequently.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
JavaScript frequently creates DOM elements from strings (innerHTML, document.write, jQuery's $() constructor). Any attacker-controlled input that reaches such a sink can inject markup and script. Prefer APIs that set text rather than markup (textContent, createElement and setAttribute), and sanitize or encode all input before it is converted into DOM objects.&lt;br /&gt;
&lt;br /&gt;
JavaScript libraries are not immune to attack; most of them have had flaws. A jQuery flaw in which a string taken from document.location.hash was passed to $() and evaluated as HTML (so that script could be embedded after the # in the URL) caused Drupal, which is generally a safe system, to let attackers create administrator accounts.&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=CRV2_SessionHandling&amp;diff=161083</id>
		<title>CRV2 SessionHandling</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=CRV2_SessionHandling&amp;diff=161083"/>
				<updated>2013-10-18T18:08:00Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: session fixation and elevation covered&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==General Considerations==&lt;br /&gt;
# If the system is critical, session IDs should be cryptographically secure (i.e. generated from a CSPRNG and not predictable).&lt;br /&gt;
# In big systems, sessions should not be stored in files (the default PHP behavior); they should be stored in memory or in a database. Anyone can create new sessions at will, and a directory holding millions of session files is a denial-of-service vector.&lt;br /&gt;
# As soon as a confidential or higher session is formed for a user, all their traffic should be carried over TLS (HTTPS), and the session cookie should be marked Secure so it is never sent over plain HTTP. A session ID is almost as valuable as a password.&lt;br /&gt;
# A policy defining how many sessions a user can have at once (one, many, etc.) should be defined and enforced by the application. Leaving this vague usually leads to security flaws.&lt;br /&gt;
# Sessions '''require''' an absolute timeout, which expires the session a fixed time after its creation (usually a week), and an idle timeout, which expires it after a period of inactivity (usually 30 minutes).&lt;br /&gt;
# The idle timeout can be adjusted to the nature of the application (shorter for banking applications, longer for email composing clients).&lt;br /&gt;
# The idle timeout does not have to be precise: the application can check every 2 minutes, for example, and flush all sessions whose idle time has elapsed.&lt;br /&gt;
# Sessions should be rolled when they are elevated. Rolling means that the session ID is changed and the session data is transferred to the new ID.&lt;br /&gt;
# Sessions must be cleared on logout. It is also a good idea to retire the session ID itself on logout, rather than reusing it for the next visitor.&lt;br /&gt;
&lt;br /&gt;
==Session Attacks==&lt;br /&gt;
Generally three sorts of session attacks are possible:&lt;br /&gt;
# Session Hijacking: stealing someone's session-id, and using it to impersonate that user.&lt;br /&gt;
# Session Fixation: setting someone's session-id to a predefined value, and impersonating them using that known value&lt;br /&gt;
# Session Elevation: when the importance of a session is changed, but its ID is not.&lt;br /&gt;
&lt;br /&gt;
===Session Hijacking===&lt;br /&gt;
&lt;br /&gt;
# Mostly done via XSS. Reading the session cookie from script can be prevented with the HttpOnly cookie flag (unless the JavaScript code genuinely requires access to it); note that HttpOnly keeps the cookie out of script's reach but does not stop injected script from issuing requests that carry it.&lt;br /&gt;
# It is generally a good idea for JavaScript not to need access to session cookies, because preventing every flavor of XSS is usually the toughest part of hardening a system.&lt;br /&gt;
# Session IDs should be carried in cookies, not in URLs. URLs are stored in browser history and in server and proxy logs, and leak through the HTTP Referer header, where attackers can pick them up.&lt;br /&gt;
# Checking the client's IP address or geographic location against the one seen at login can detect simple hijacking scenarios; an advanced hijacker will use the same IP (or IP range) as the victim.&lt;br /&gt;
# The owner of an active session should be warned when it is accessed from another location.&lt;br /&gt;
# An active user should be warned when they have another active session elsewhere (if the policy allows multiple sessions per user).&lt;br /&gt;
&lt;br /&gt;
===Session Fixation===&lt;br /&gt;
# If the application sees a session ID that is not present in its pool, it must reject it and issue a new session ID instead of adopting the presented one. This is the primary defence against fixation; rolling the ID on login (see Session Elevation below) is the second.&lt;br /&gt;
# All session IDs should be generated by the application and stored in a pool to be checked against later. The application is the sole authority for session generation.&lt;br /&gt;
&lt;br /&gt;
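As an added example (Python, not the PHP this page reviews, and not code from any OWASP project), a session store that follows the checklist above: IDs come only from the OS CSPRNG, an ID the pool does not know is rejected and replaced rather than adopted (the fixation check), both timeouts are enforced, the ID is rolled on login (the elevation rule from General Considerations) and everything is flushed on logout. The timeout values, the cookie name SESSIONID and the store layout are assumptions; the current time is passed in so the behaviour can be exercised without waiting.&lt;br /&gt;
&lt;br /&gt;
```python
import secrets
import time

# Values from the page's checklist; tune them to the application.
IDLE_TIMEOUT = 30 * 60             # idle timeout: 30 minutes of inactivity
ABSOLUTE_TIMEOUT = 7 * 24 * 3600   # general timeout: one week after creation


class SessionStore:
    """In-memory session pool: the application is the sole issuer of session ids."""

    def __init__(self):
        self._pool = {}   # id -> {"created": ts, "last_seen": ts, "data": {...}}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable

    def create(self, now):
        sid = self._new_id()
        self._pool[sid] = {"created": now, "last_seen": now, "data": {}}
        return sid

    def resolve(self, presented_id, now):
        """Turn the id the client presented into (id, data), issuing a new id when needed.

        An id that is not in the pool is never adopted: adopting it is exactly how
        a fixation attack plants a known id. Timed-out sessions are flushed and
        replaced the same way.
        """
        entry = self._pool.get(presented_id)
        if entry is not None:
            idle = now - entry["last_seen"]
            age = now - entry["created"]
            if idle > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
                del self._pool[presented_id]
                entry = None
        if entry is None:
            sid = self.create(now)
            return sid, self._pool[sid]["data"]
        entry["last_seen"] = now
        return presented_id, entry["data"]

    def roll(self, old_id, now):
        """Change the session id but keep its data: required on every elevation."""
        entry = self._pool.pop(old_id)
        new_id = self._new_id()
        self._pool[new_id] = {"created": now, "last_seen": now, "data": entry["data"]}
        return new_id

    def login(self, sid, user_id, now):
        """Elevation: roll first, then bind the user to the new id."""
        new_id = self.roll(sid, now)
        self._pool[new_id]["data"]["user_id"] = user_id
        return new_id

    def logout(self, sid):
        """Down-elevation: flush all state and retire the id."""
        self._pool.pop(sid, None)

    def knows(self, sid):
        return sid in self._pool


def session_cookie(sid):
    """Set-Cookie value: HttpOnly hides it from script, Secure keeps it off plain HTTP."""
    return "SESSIONID=" + sid + "; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    now = time.time()
    visitor = store.create(now)
    fixed, _ = store.resolve("id-planted-by-attacker", now)
    print("planted id adopted:", fixed == "id-planted-by-attacker")   # False
    logged_in = store.login(visitor, user_id=42, now=now)
    print("id changed at login:", logged_in != visitor)               # True
    print(session_cookie(logged_in))
```
&lt;br /&gt;
The store never trusts an ID it did not hand out, which is the whole of the fixation defence; rolling at login means that even a visitor-level ID an attacker managed to learn is worthless once the user authenticates. A periodic sweep over the pool (the page's "every 2 minutes") would apply the same timeout test to idle entries.&lt;br /&gt;
&lt;br /&gt;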
===Session Elevation===&lt;br /&gt;
# Whenever a session is elevated (login, logout, or certain authorization steps), it should be rolled.&lt;br /&gt;
# Many applications create sessions for anonymous visitors as well, not just for authenticated users. These must roll the session on elevation, because a user who has just logged in expects the application to treat the session as trusted, and a visitor-level ID may already be known to an attacker.&lt;br /&gt;
# When a down-elevation occurs (logout, loss of a privilege), the session information belonging to the higher level must be flushed.&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=CRV2_SessionHandling&amp;diff=161076</id>
		<title>CRV2 SessionHandling</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=CRV2_SessionHandling&amp;diff=161076"/>
				<updated>2013-10-18T17:52:45Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: initial contents for session handling, needs to add checklists for  other two types of attacks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==General Considerations==&lt;br /&gt;
# If the system is critical, session IDs should be cryptographically secure (i.e. generated from a CSPRNG and not predictable).&lt;br /&gt;
# In big systems, sessions should not be stored in files (the default PHP behavior); they should be stored in memory or in a database. Anyone can create new sessions at will, and a directory holding millions of session files is a denial-of-service vector.&lt;br /&gt;
# As soon as a confidential or higher session is formed for a user, all their traffic should be carried over TLS (HTTPS), and the session cookie should be marked Secure so it is never sent over plain HTTP. A session ID is almost as valuable as a password.&lt;br /&gt;
# A policy defining how many sessions a user can have at once (one, many, etc.) should be defined and enforced by the application. Leaving this vague usually leads to security flaws.&lt;br /&gt;
# Sessions '''require''' an absolute timeout, which expires the session a fixed time after its creation (usually a week), and an idle timeout, which expires it after a period of inactivity (usually 30 minutes).&lt;br /&gt;
# The idle timeout can be adjusted to the nature of the application (shorter for banking applications, longer for email composing clients).&lt;br /&gt;
# The idle timeout does not have to be precise: the application can check every 2 minutes, for example, and flush all sessions whose idle time has elapsed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Session Attacks==&lt;br /&gt;
Generally three sorts of session attacks are possible:&lt;br /&gt;
# Session Hijacking: stealing someone's session-id, and using it to impersonate that user.&lt;br /&gt;
# Session Fixation: setting someone's session-id to a predefined value, and impersonating them using that known value&lt;br /&gt;
# Session Elevation: when the importance of a session is changed, but its ID is not.&lt;br /&gt;
&lt;br /&gt;
===Session Hijacking===&lt;br /&gt;
&lt;br /&gt;
# Mostly done via XSS. Reading the session cookie from script can be prevented with the HttpOnly cookie flag (unless the JavaScript code genuinely requires access to it); note that HttpOnly keeps the cookie out of script's reach but does not stop injected script from issuing requests that carry it.&lt;br /&gt;
# It is generally a good idea for JavaScript not to need access to session cookies, because preventing every flavor of XSS is usually the toughest part of hardening a system.&lt;br /&gt;
# Session IDs should be carried in cookies, not in URLs. URLs are stored in browser history and in server and proxy logs, and leak through the HTTP Referer header, where attackers can pick them up.&lt;br /&gt;
# Checking the client's IP address or geographic location against the one seen at login can detect simple hijacking scenarios; an advanced hijacker will use the same IP (or IP range) as the victim.&lt;br /&gt;
# The owner of an active session should be warned when it is accessed from another location.&lt;br /&gt;
# An active user should be warned when they have another active session elsewhere (if the policy allows multiple sessions per user).&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=CRV2_CheckAuthzEachRequest&amp;diff=161073</id>
		<title>CRV2 CheckAuthzEachRequest</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=CRV2_CheckAuthzEachRequest&amp;diff=161073"/>
				<updated>2013-10-18T17:40:19Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: authorization code review&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Authorization is as important as authentication. Every ''functionality'' as well as every ''data access'' should be authorized. For data access, the application logic must check that the data belongs to the authenticated user, or that the user is otherwise entitled to access that data; checking the function alone is not enough.&lt;br /&gt;
&lt;br /&gt;
Functionality authorization can be achieved through access control lists on small systems (such as an embedded system like a router), but not via ACLs in an enterprise application. The complexity of an enterprise authorization model cannot be captured by flat ACLs, and maintaining such lists by hand will inevitably lead to human errors that put the integrity of the system at risk.&lt;br /&gt;
&lt;br /&gt;
===Role Based Access Control for Functionality===&lt;br /&gt;
RBAC means assigning users to roles, and roles to permissions. This models actual system authorization more naturally. On top of that, it allows administrators to fine-tune and re-check role-permission assignments and make sure that every role has exactly the permissions it is supposed to have (nothing more, nothing less). Assigning users to roles then leaves minimal room for human error.&lt;br /&gt;
&lt;br /&gt;
NIST standardizes four levels of RBAC (flat, hierarchical, constrained and symmetric); levels 3 and 4 are almost never found in practice. Level 2 adds a role hierarchy on top of level 1 (simple, flat RBAC) and matches the enterprise model better. "Extended" level 2 adds hierarchical permissions as well: one permission per functionality is required, and in a big system the sheer number of flat permissions soon introduces human errors. Depending on the size of the application, use of the appropriate RBAC level is strongly advised.&lt;br /&gt;
&lt;br /&gt;
'''Unfortunately''' there are not many fast enough implementations of the RBAC model, since it is complex inside. The OWASP RBAC project provides a very fast NIST Level 2 Extended RBAC implementation.&lt;br /&gt;
&lt;br /&gt;
===Authorization Checklist===&lt;br /&gt;
# Every entry point should be authorized. Every functionality the application performs is a function, and should be authorized. Authorization should be checked for every dynamic (generated) access to the application.&lt;br /&gt;
# Every function should be authorized. Changing a password, logging out, editing a particular record, etc. are all functions, and all of them should be authorized.&lt;br /&gt;
# Authorization checks should be fast and easy to write. Requiring multiple lines of complicated code for a single authorization check is not recommended, because developers will skip it.&lt;br /&gt;
# Authorization can be forced (the call aborts on failure) or checked (the call returns a result), depending on what the application needs at that point. For example:&lt;br /&gt;
&lt;br /&gt;
   if ($RBAC-&amp;gt;hasAuthority($CurrentUser,&amp;quot;/users/passwords/change&amp;quot;)) ShowChangePasswordLink(); //checked authority for visual manipulation in a view&lt;br /&gt;
   &lt;br /&gt;
   $RBAC-&amp;gt;authorize(&amp;quot;/users/passwords/change&amp;quot;); //force authorization on a user management model&lt;br /&gt;
   ChangePassword(...);&lt;br /&gt;
&lt;br /&gt;
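The checked and forced styles from the checklist, together with a role hierarchy and hierarchical permission paths (the "Level 2 Extended" shape described above) and the data-ownership check from the first paragraph, as an added example in Python. It is an illustration written for this page, not the OWASP RBAC project's API; the role names, permission paths, the /records/any override and the demo users are constructed for the example.&lt;br /&gt;
&lt;br /&gt;
```python
class NotAuthenticated(Exception):
    """Raised when no user is logged in: show the login page with a not-authorized error."""


class Forbidden(Exception):
    """Raised when a logged-in user lacks the permission: answer HTTP 403."""


class RBAC:
    """Users are assigned to roles, roles hold permissions; both are hierarchical."""

    def __init__(self):
        self._inherits = {}     # role -> junior roles whose permissions it inherits
        self._perms = {}        # role -> set of permission paths
        self._user_roles = {}   # user -> set of roles

    def add_role(self, role, inherits=()):
        self._inherits[role] = set(inherits)
        self._perms.setdefault(role, set())

    def grant(self, role, permission):
        self._perms.setdefault(role, set()).add(permission.rstrip("/"))

    def assign(self, user, role):
        self._user_roles.setdefault(user, set()).add(role)

    def roles_of(self, user):
        """Expand assigned roles through the role hierarchy (senior inherits junior)."""
        seen, stack = set(), list(self._user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self._inherits.get(role, ()))
        return seen

    def has_authority(self, user, permission):
        """Check: a permission path is covered by itself or by any ancestor path."""
        wanted = permission.rstrip("/")
        for role in self.roles_of(user):
            for held in self._perms.get(role, ()):
                if wanted == held or wanted.startswith(held + "/"):
                    return True
        return False

    def authorize(self, user, permission):
        """Force: raise instead of returning, so a forgotten check cannot fall through."""
        if user is None:
            raise NotAuthenticated(permission)
        if not self.has_authority(user, permission):
            raise Forbidden(permission)


def authorize_record(rbac, user, record, permission, override="/records/any"):
    """Data-access authorization: the function must be allowed AND the record must be
    owned by the user, unless the user holds the override permission (an administrator)."""
    rbac.authorize(user, permission)
    if record["owner"] != user and not rbac.has_authority(user, override):
        raise Forbidden(permission + " on a record owned by " + str(record["owner"]))


def demo_policy():
    """Constructed policy: three roles in a hierarchy, hierarchical permission paths."""
    rbac = RBAC()
    rbac.add_role("user")
    rbac.add_role("moderator", inherits=["user"])
    rbac.add_role("admin", inherits=["moderator"])
    rbac.grant("user", "/users/passwords/change")
    rbac.grant("user", "/users/profile/edit")
    rbac.grant("user", "/records/edit")
    rbac.grant("moderator", "/posts")        # covers /posts/delete, /posts/hide, ...
    rbac.grant("admin", "/users")            # covers every /users/... permission
    rbac.grant("admin", "/records/any")
    rbac.assign("alice", "user")
    rbac.assign("bob", "moderator")
    rbac.assign("carol", "admin")
    return rbac


if __name__ == "__main__":
    rbac = demo_policy()
    user = "alice"
    if rbac.has_authority(user, "/users/passwords/change"):   # checked, in a view
        print("show the change-password link")
    rbac.authorize(user, "/users/passwords/change")           # forced, in the model
    print("password change allowed for", user)
    try:
        rbac.authorize(user, "/posts/delete")
    except Forbidden as err:
        print("403 Forbidden:", err)
```
&lt;br /&gt;
Prefix matching is done on whole path segments, so holding /users does not grant /usersX, and granting "/" to a role would grant everything. Because authorize() raises, the two exception types map directly onto the page's advice: Forbidden becomes the 403 page, NotAuthenticated becomes the redirect to login.&lt;br /&gt;
&lt;br /&gt;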
If a forced authorization fails, an HTTP 403 Forbidden page can be shown. If the user is not logged in yet, redirecting to the login page with a not-authorized error is more appropriate.&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=CRV2_ForgotPassword&amp;diff=161071</id>
		<title>CRV2 ForgotPassword</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=CRV2_ForgotPassword&amp;diff=161071"/>
				<updated>2013-10-18T17:28:16Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* AntiPatterns: Forget password. */  user listing&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Overview==&lt;br /&gt;
If your web site needs to have user authentication then most likely it will require user name and password to authenticate user accesses. However as computer system have increased in complexity, so has authenticating users has also increased. As a result the code reviewer needs to be aware of the benefits and drawbacks of user authentication referred to as “Direct Authentication” pattern in this section. This section is going to emphasis design patterns for when users forget user id and or password and what the code reviewer needs to consider when reviewing how user id and passwords can be retrieved when forgotten by the user and how to do this in a secure manner. &lt;br /&gt;
&lt;br /&gt;
==General considerations==&lt;br /&gt;
&lt;br /&gt;
Notify the user (by SMS or email) with a message containing a link that takes them to your site, where they are asked to enter a new password.&lt;br /&gt;
&lt;br /&gt;
Alternatively, ask the user to sign in with credentials they already have (Facebook, Twitter, Google, Microsoft Live, OpenID, etc.) to validate them before allowing a password change.&lt;br /&gt;
&lt;br /&gt;
Send the user a notification confirming the registration and/or the forgotten-password request.&lt;br /&gt;
&lt;br /&gt;
Send a notification to the registered email address whenever account information has been changed.&lt;br /&gt;
Set an appropriate time-out value, i.e. if the user does not respond to the email within 48 hours, the pending reset is voided and the user must request a new one.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===General Considerations===&lt;br /&gt;
# The identity and the shared secret/password must be transferred over an encrypted channel to provide confidentiality. HTTPS should be used, but it should not be the only mechanism relied on for data confidentiality.&lt;br /&gt;
# A shared secret must never be stored in clear text, even briefly, for example in a message queue.&lt;br /&gt;
# A shared secret must always be stored in the database as a salted, slow password hash (PBKDF2, bcrypt or similar); reversible encryption is only appropriate for secrets the application genuinely has to read back.&lt;br /&gt;
# The organization storing the hashed shared secret does not need the ability to view or decrypt users' passwords. A user's password must never be sent back to the user.&lt;br /&gt;
# If the client must cache the user name and password for presentation on subsequent calls to a Web service, a secure cache mechanism needs to be in place to protect them.&lt;br /&gt;
# When reporting an invalid entry back to a user, neither the user name nor the password should be identified as the invalid part. User feedback and error messages must treat user name and password as one item, the “user credential”, i.e. “The username or password you entered is incorrect.”&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
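The reset-by-link flow and the 48-hour window from the considerations above, carried through as an added example in Python (not code from this guide or any OWASP project): the reply to a reset request is identical whether or not the address is registered, the token comes from the OS CSPRNG and only its hash is stored, it is single-use and time-limited, and the new password is stored as a salted PBKDF2 hash. The in-memory user table, the outbox that stands in for a mailer, the example.test URL and the PBKDF2 round count are assumptions constructed for the example.&lt;br /&gt;
&lt;br /&gt;
```python
import hashlib
import hmac
import secrets

RESET_TTL = 48 * 3600   # the 48-hour response window from the page
NEUTRAL_REPLY = "If an account exists for that address, a reset link has been sent."
PBKDF2_ROUNDS = 100_000  # assumed for the example; raise it for production hardware


class PasswordResetService:
    """Constructed in-memory model of accounts, pending resets and an outgoing mailbox."""

    def __init__(self):
        self.users = {}      # email -> {"salt": bytes, "hash": bytes}; never the password
        self.pending = {}    # sha256(token) -> {"email", "expires"}; never the raw token
        self.outbox = []     # (email, reset_url) pairs a mailer would send
        self._dummy_salt = secrets.token_bytes(16)   # used so unknown users cost the same

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": self._hash(password, salt)}

    def verify_login(self, email, password):
        """One answer for a bad user and a bad password, with the same work done for both."""
        user = self.users.get(email)
        salt = user["salt"] if user else self._dummy_salt
        computed = self._hash(password, salt)          # run PBKDF2 even for unknown users
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], computed)

    def request_reset(self, email, now):
        """Always answer the same way, so the form cannot be used to list users."""
        if email in self.users:
            token = secrets.token_urlsafe(32)           # 256 random bits, unguessable
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = {"email": email, "expires": now + RESET_TTL}
            self.outbox.append((email, "https://example.test/reset?token=" + token))
        return NEUTRAL_REPLY

    def complete_reset(self, token, new_password, now):
        """Single-use, time-limited token; a stolen database only yields the hash of it."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)          # consumed whether or not still valid
        if entry is None or now > entry["expires"]:
            return False
        self.set_password(entry["email"], new_password)
        # Any other outstanding links for this account are now stale.
        stale = [d for d, e in self.pending.items() if e["email"] == entry["email"]]
        for digest in stale:
            del self.pending[digest]
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.set_password("alice@example.test", "correct horse")
    now = 1_700_000_000
    print(svc.request_reset("nobody@example.test", now))     # same reply either way
    print(svc.request_reset("alice@example.test", now))
    token = svc.outbox[0][1].split("token=")[1]
    print("reset ok:", svc.complete_reset(token, "new pass", now + 60))   # True
    print("replay ok:", svc.complete_reset(token, "again", now + 61))     # False
```
&lt;br /&gt;
Storing only the hash of the token means the link in the user's mailbox is the sole copy of the secret, so neither a database leak nor a log of pending resets lets anyone complete a reset. Hashing the dummy salt for unknown addresses keeps the login path from revealing through its timing which user names exist.&lt;br /&gt;
&lt;br /&gt;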
===AntiPatterns: Forget password.===&lt;br /&gt;
# Validate that all fields have been completed correctly.&lt;br /&gt;
## Avoid wiping out password fields on a validation error.&lt;br /&gt;
## Retain the user's email address between the log-in page and the “Forgotten password” page.&lt;br /&gt;
# CAPTCHA should be used as a last resort or not at all; CAPTCHAs can be defeated.&lt;br /&gt;
# OpenID has security implications (i.e. if an attacker gains access to your OpenID, they potentially have access to every site you use with that OpenID).&lt;br /&gt;
# Make sure security questions do not ask for information that can easily be found on social sites like Facebook, e.g. “Mother's maiden name”.&lt;br /&gt;
# Do not mask user input of the password; show each character until the next one is typed. Masking every character only provides security against someone standing directly behind you.&lt;br /&gt;
# Do not send a one-time password to allow the user to reset their password. That password would be stored, even if only briefly, in clear text, and mail storage is no place for passwords. Send a single-use reset link instead.&lt;br /&gt;
# Do not return an error message saying that no account exists for this email address. It can be used to find out whether the owner of a known email address has an account on your site (an adult site, or any other).&lt;br /&gt;
# '''Important''': Do not allow listing of users. Password reset tokens must be unique and generated by a cryptographically secure random number generator, and the response to a reset request must be the same whether or not the address is registered; otherwise the forgotten-password feature becomes an oracle that lists your users.&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Abbas_Naderi&amp;diff=157261</id>
		<title>User:Abbas Naderi</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Abbas_Naderi&amp;diff=157261"/>
				<updated>2013-08-23T13:27:14Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Contribution */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Contribution==&lt;br /&gt;
I spend considerable time in OWASP and deem myself one of the people who are pushing OWASP forward in every direction.&lt;br /&gt;
&lt;br /&gt;
I am also currently the chapter leader of Iran in OWASP and have participated in OWASP projects for more than 5 years:&lt;br /&gt;
* OWASP ASVS&lt;br /&gt;
* OWASP ESAPI&lt;br /&gt;
* OWASP WebGoat&lt;br /&gt;
* OWASP TOP 10&lt;br /&gt;
* ...&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I'm leading OWASP PHP Security Project, OWASP RBAC Project and a handful of others and have plans for a lot more to come!&lt;br /&gt;
&lt;br /&gt;
On top of that I take part in other open source communities, trying to improve the security aspects of every software.&lt;br /&gt;
&lt;br /&gt;
==Personal==&lt;br /&gt;
Check out my cv : https://abiusx.com/cv&lt;br /&gt;
My full name is Abbas Naderi Afooshteh&lt;br /&gt;
&lt;br /&gt;
==Projects==&lt;br /&gt;
I'm also leading the&lt;br /&gt;
&lt;br /&gt;
* PHP Security Cheat Sheet&lt;br /&gt;
* OWASP WebGoatPHP&lt;br /&gt;
* OWASP PHPRBAC&lt;br /&gt;
* OWASP RBAC&lt;br /&gt;
* OWASP PHP CSRF Guard&lt;br /&gt;
* OWASP PHP Security Project&lt;br /&gt;
&lt;br /&gt;
and working on numerous other pages in OWASP. Check out OWASP Iran page.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Contact==&lt;br /&gt;
&lt;br /&gt;
[mailto:abiusx@owasp.org abiusx@owasp.org]&lt;br /&gt;
&lt;br /&gt;
[mailto:abbas.naderi@owasp.org abbas.naderi@owasp.org]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=2013_Board_Elections&amp;diff=157229</id>
		<title>2013 Board Elections</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=2013_Board_Elections&amp;diff=157229"/>
				<updated>2013-08-22T19:04:29Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* 2013 Board Candidates */ changed the Abbas Naderi description text&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:2013 Board ELECTION-BANNER2.jpg]]&lt;br /&gt;
&lt;br /&gt;
= Candidate Submission Link =&lt;br /&gt;
'''[http://www.tfaforms.com/284825 Board Candidate Submission Form]'''&lt;br /&gt;
&lt;br /&gt;
= 2013 OWASP International Board of Directors Election =&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation was established in 2001 as an open community and software security resource. Since then, OWASP has grown to be globally recognized as a credible source for application security standards (see industry citations). Individuals typically find OWASP when searching the internet for information about software security - and they are happy to find a reliable source of knowledge built by an extremely open and passionate community. OWASP is open to anyone. Anyone can attend OWASP's vendor agnostic local chapter meetings, participate in regional and global conferences, and contribute to the many OWASP projects. And anyone can start a new project, form a new chapter, or lend their expertise to help an OWASP Global Committee.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation Board of Directors consists of six elected volunteers. These unpaid volunteers dedicate themselves to the organizational mission and playing a pivotal role in the software security community. OWASP conducts democratic elections of its Board Members to enable bottom-up advancement of its mission.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Learn about OWASP  ===&lt;br /&gt;
&lt;br /&gt;
* Read the OWASP Foundation bylaws - [https://www.owasp.org/images/0/05/OWASP_Foundation_ByLaws.pdf Click Here] - Review the Monthly Board meetings, voting history and topics - [https://www.owasp.org/index.php/OWASP_Board_Meetings Click Here]&lt;br /&gt;
&lt;br /&gt;
Watch a current video about OWASP:&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
*[http://www.vimeo.com/23889097 Click here] to watch an interview with Tom Brennan, OWASP Board Member 2007-Current&lt;br /&gt;
&lt;br /&gt;
*[http://www.vimeo.com/25335824 Click here] to watch an interview with Jeff Williams, OWASP Board Member 2004-2011&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Or to see OWASP from the beginning, visit [http://waybackmachine.org/jsp/Interstitial.jsp?seconds=5&amp;amp;date=1009278073000&amp;amp;url=http%3A%2F%2Fwww.owasp.org%2Fabout_owasp%2Forgchart.shtml&amp;amp;target=http%3A%2F%2Freplay.waybackmachine.org%2F20011225110113%2Fhttp%3A%2F%2Fwww.owasp.org%2Fabout_owasp%2Forgchart.shtml the WayBack Machine.]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== International Board of Directors Primary Responsibilities  ===&lt;br /&gt;
&lt;br /&gt;
Seated members of the Board of Directors attend and contribute to monthly meetings. [https://www.owasp.org/index.php/OWASP_Board_Meetings See Archive]. Additionally, they:&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
#Create and review a statement of mission and purpose that articulates the organization's goals, means, and primary constituents served globally. They then support that mission and purpose. &lt;br /&gt;
#Support all employees. The Board should ensure that the employees have the moral and professional support needed to further the goals of the organization.&amp;lt;br&amp;gt; &lt;br /&gt;
#Ensure effective planning. The Board must actively participate in the overall planning process for the organization and assist in implementing and monitoring the organization's goals. &lt;br /&gt;
#Monitor and strengthen programs and services. The Board's responsibility is to determine which programs are consistent with the organization's mission and monitor their effectiveness. &lt;br /&gt;
#Ensure adequate financial resources. One of the Board's foremost responsibilities is to secure adequate resources for the organization to fulfill its mission. &lt;br /&gt;
#Protect assets and provide proper financial oversight. The Board must assist in developing the annual budget and ensuring that proper financial controls are in place. &lt;br /&gt;
#Build a competent Board. The Board has a responsibility to articulate prerequisites for candidates, orient new members, and periodically and comprehensively evaluate their own performance. &lt;br /&gt;
#Ensure legal and ethical integrity. The Board is ultimately responsible for adherence to legal standards and ethical norms.&amp;lt;br&amp;gt; &lt;br /&gt;
#Enhance the organization's public standing. The Board should clearly articulate the organization's mission, accomplishments, and goals to the public and garner support from the community.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Additional Responsibilities that the International Board of Directors must adhere to can be found here [https://docs.google.com/a/owasp.org/document/d/sP5OOETtzriv6bC6L6zzr6g/headless/print#heading=h.hgfxswibcczn Board of Directors]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Eligibility Requirements for Board Candidates ===&lt;br /&gt;
&lt;br /&gt;
You need to be an OWASP member. '''NOT''' just paid members: active project and chapter contributors are eligible too. All candidates must be in good standing for a twelve (12) month period of time prior to '''30-September 2013'''. Candidates are required to submit a bio and their current membership number, and to note whether they are a paid or honorary member. You will be contacted shortly after your response for an audio interview/podcast.&lt;br /&gt;
If you are interested in running for the board, please submit your intention along with the requirements listed above to: [http://www.tfaforms.com/284825 Call for Candidates]&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
===2013 Board Candidates===&lt;br /&gt;
 &lt;br /&gt;
{| border=&amp;quot;1&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; align=&amp;quot;center&amp;quot; width=&amp;quot;200&amp;quot; | Candidate&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; align=&amp;quot;center&amp;quot; width=&amp;quot;120&amp;quot; | Membership Status&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; align=&amp;quot;center&amp;quot; width=&amp;quot;600&amp;quot; | Bio&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; align=&amp;quot;center&amp;quot; width=&amp;quot;800&amp;quot; | Why Me?&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; align=&amp;quot;center&amp;quot; width=&amp;quot;800&amp;quot; | Country Of Residence &lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Abbas	Naderi Afooshteh||align=&amp;quot;center&amp;quot;|Honorary Member||align=&amp;quot;center&amp;quot;|Abbas Naderi Afooshteh is a renowned security expert in the Middle East. He has ranked first in many national and global CTFs and has been in the field for more than 8 years. He is the current Iran Chapter Leader at OWASP and has 5 years of activity in OWASP, resulting in many projects such as the OWASP RBAC Project, OWASP PHP Security Project, OWASP WebGoatPHP Project, etc. He has participated in many other projects such as Cheat Sheets and ESAPI.&lt;br /&gt;
Abbas studied software engineering and information technology for his BS and MS and is now going to CMU to study Information Security for an MS+PhD. He spends many hours daily leading OWASP projects and mentoring new enthusiasts who join projects, as well as shaping bright ideas into OWASP projects.&lt;br /&gt;
More can be found at https://abiusx.com/cv&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|I have watched OWASP evolve over many years, and seen how greatly it has impacted the world of web security. Security has grown rapidly in these years, and people look up to OWASP to feed them what they need.&lt;br /&gt;
On top of that, OWASP has been my open source haven. The way it operates, people contributing without wanting anything back, everyone sharing and decisions made in public; I have never seen a community more selfless and more productive in any of the open source communities I've worked in.&lt;br /&gt;
Unfortunately in recent years (especially last year), this trend has changed somewhat. Many decisions were made at the board level that leaders and active members greatly dislike. Many things were done that were not transparent at all. This trend has demotivated a great many OWASP participants, and I hate to see that happen any further.&lt;br /&gt;
The board is there to take on the load for OWASP, not to take the spirit away. It is solely there to make decisions when everybody else is busy doing actual worthy stuff, so I strongly believe that when the board works on a decision that will impact everybody in the community, and is not sure that (almost) everybody will like it, it has an obligation to ask and make sure before making that decision.&lt;br /&gt;
I'm also strongly against board members empowering their respective chapters and leaving others behind. The rapid growth of OWASP is bound to the introduction of new chapters, and supporting them. I see a lot of chapters with a handful of enthusiasts that just need a kick-start to add a hundred new active members to our community, yet a few small influential chapters are taking all the credit and juice for themselves. The board is the elected body of the community, not of its chapters.&lt;br /&gt;
So on top of making the board's activities much more transparent and supporting other chapters, I plan to involve other influential bodies in the infosec world (namely companies and universities) and get them to financially and academically support new and bright OWASP projects so that they can prosper more rapidly. If we're going to stick with what we had 5 years ago as our projects, people will turn away in time. We have a lot of potential and we ought to make it happen.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|USA&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Kelvin	Arcelay||align=&amp;quot;center&amp;quot;|Current Paid Member ||align=&amp;quot;center&amp;quot;|Transformational Information Technology and IT Risk Management executive with extensive expertise in the payments processing and manufacturing industries including operating regulations, supply chain and vertical integration management, discrete and process manufacturing, payment processing platforms and, domestic and international deployments. Core competencies include:&lt;br /&gt;
* Strategy&lt;br /&gt;
* Implementation Scope and Plan&lt;br /&gt;
* Project Management&lt;br /&gt;
* Capacity Planning&lt;br /&gt;
* Security and Risk Management&lt;br /&gt;
* Internal Controls&lt;br /&gt;
* M&amp;amp;A Due Diligence&lt;br /&gt;
* Multi-Nationals&lt;br /&gt;
* Business Continuity Planning&lt;br /&gt;
* Disaster Recovery&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|Performance-focused executive with more than 25 years of successes managing reliable and secure IT operations. Offers Fortune 100 experience, consistent record of realizing multimillion-dollar cost savings, proven blend of business and technical expertise. Hands-on approach to leadership and change management including ensuring compliance, maintaining quality assurance, optimizing processes, and driving strategic alignment.&lt;br /&gt;
Experienced in advisory services for clients with international and domestic operations, collaboration efforts with external auditors, optimization of governance processes and delivering significant optimization programs capable of netting his clients several million dollars in cost savings. &lt;br /&gt;
Highly analytic, adaptable decision-making and problem-solving management style proven in the corporate realm, delivering IT services management in global enterprises, M&amp;amp;A portfolio integration management, consolidation of business operations and services, turning around “runaway” ERP initiatives, and establishing industry standards capable of achieving highly integrated management processes and financial data accuracy.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|USA&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|Ezendu Ariwa||align=&amp;quot;center&amp;quot;|Current Paid Member||align=&amp;quot;center&amp;quot;|Professor Ezendu Ariwa, FBCS, CITP, SMIEEE, FHEA &lt;br /&gt;
Chair, IEEE Consumer Electronics &amp;amp; Broadcast Technology Chapter, UKRI &lt;br /&gt;
Visiting Professor, Gulf University, Bahrain &lt;br /&gt;
Visiting Professor, University of Lagos, Nigeria&lt;br /&gt;
Professor of Business Enterprise Consultancy/Non-Executive Director, ELITSER IT SOLUTIONS INDIA PVT LTD&lt;br /&gt;
Research Professor for Enterprise Projects/Director - Technical, Sun Bio IT Solutions Pvt. Ltd, India&lt;br /&gt;
London Metropolitan University, UK &lt;br /&gt;
Ezendu holds the position of Visiting Professor, Gulf University, Bahrain, Visiting Professor, University of Lagos, Nigeria and Visiting Professor, Kano State Polytechnics, Nigeria as well as Visiting Affiliate of the Green IT Observatory, RIMT University, Australia and Visiting Affiliate of ICT University, USA. He also holds the position of Director - Technical and Non-Executive Director and Research Professor for Enterprise Projects at Sun Bio IT Solutions Pvt. Ltd, India; and Non-Executive Director and Professor of Business Enterprise Consultancy of ELITSER IT SOLUTIONS INDIA PVT LTD, Hyderabad – 500 038 Andhra Pradesh INDIA. He is also the Chair for the IEEE Consumer Electronics Chapter, United Kingdom &amp;amp; Republic of Ireland (UKRI) and Chair for the IEEE Broadcast Technology Chapter, UKRI. He is a Senior Member of Institute of Electrical &amp;amp; Electronic Engineers (SMIEEE); Chartered FELLOW of the British Computer Society (CITP, FBCS), Fellow of the Institute of Information Technology Training (FIITT) and Fellow of the Higher Education Academy (FHEA).&lt;br /&gt;
He is also a Fellow of the Higher Education Academy of United Kingdom (FHEA), member of the Elite Group of The British Computer Society (BCS), member of British Institute of Facilities Management and Fellow of Global Strategic Management, Inc., Michigan, USA and Member of the UK Council for Health Informatics Professions and Fellow of the Higher Education Academy. He is also the Co-ordinator of the Digital Enterprise Research Group (DERG), African Research in Business Group (ARBG) and working with the team to achieve African Business and Enterprise Research Observatory (ABERO) at the London Metropolitan Business School. The ABERO achieved good collaboration with multicultural SMEs in the United Kingdom, with respect to mentoring and working on joint professional development enterprise programmes. He has experience of doctoral research supervision as well as doctoral external examiner for various Universities both in the UK and internationally.&lt;br /&gt;
He has a good research profile and is the Founding Editor-in-Chief of the International Journal of Green Computing (IJGC), Editor-in-Chief of the International Journal of Computing and Digital Systems (IJCDS), Journal of E-Technology, and the Associate Editor of the International Journal of E-Politics and the Associate Editor of International Journal of Distributed Systems and Technologies (IJDST). He is a member of Policy Co-ordination Committee of the International Research Foundation for Development (A Corporation of NGO in special Consultative status with the Economic and Social Council of the United Nations). His research interest includes: Green Technology and Corporate Sustainability, Strategic Information Systems, E-Learning and Knowledge Management, Consumer Electronics and Broadcast Technology, ICT for Development and Facilities Management, Knowledge Transfer in Developing Economy, Open Learning and Social Enterprise, Green Communications and Corporate Social Responsibility, Renewable Energy and Climate Change, Social Media and Energy Management Systems. &lt;br /&gt;
|align=&amp;quot;center&amp;quot;|If elected to the Global OWASP Foundation Board of Directors, I will use various international networks including Universities, Colleges, Institutions of Higher Education, Industrial Sectors, Business Sectors, Governmental and Non-governmental outlets to promote and engage with the good work.&lt;br /&gt;
I will work with the board of Directors and members closely through regular communication to generate new ideas and collaborations for the positive work of the Global OWASP objectives and mission.&lt;br /&gt;
In addition, the Global OWASP will be promoted through various conferences, Symposium and web-based publications of events and possible special issues with Guest Editors as part of promoting the Global OWASP and collaborative research projects and workshops.&lt;br /&gt;
With my experience in working with various executive and editorial boards, this will complement the forum for promoting the Global OWASP internationally and putting it at the apex of professional organisations for excellence. &lt;br /&gt;
I have the expertise and experience from University teaching, research and enterprise partnerships in the field of Strategic Information Systems and Knowledge Management; and other Enterprise Systems to working with Business and industrial sectors as well as community groups, on collaborative projects and widening Participation as well as Business Enterprise partnerships using Information and Community Technology (ICT). &lt;br /&gt;
I am one of the Co-Founders, and Co-ordinator of various positive initiatives such as LMBS African Research in Business Group (ARBG) and the Digital Enterprise Research Group (DERG) which received support from the IEEE UKRI – Consumer Electronics Chapter for events organised. &lt;br /&gt;
I also served in voluntary capacity as Council Member of the UK Council of Healthcare Informatics Professionals, Chair for the IEEE UKRI Consumer Electronics Chapter, Chair for the IEEE UKRI Broadcast Technology Chapter, Chair of the Society of Digital Information &amp;amp; Wireless Communications (SDIWC), President/Chair of the Nigerian ICT Professionals in the UK, Former Member of Haringey Council Inspection and Registration Advisory Committee, Former member of the Board of Governor of Homerton University Teaching Hospital, London; Former member of the Board of Governor of Royal National College of the Blind, Hereford. &lt;br /&gt;
My work experience and involvement ranged from University, Business Sectors, local authority, community groups partnerships within Further Education (FE) and Higher Education (HE); Business and Enterprise Sectors and Industries as well as United Nations Representative on behalf of the International Research Foundation Development (IRFD). &lt;br /&gt;
At the National and International levels, I have active interest in partnerships and collaborative research with the businesses, industries and Universities. I have organised and chaired various international, national and regional conferences, symposium, forum and focus groups, and sharing information, knowledge and communication framework tailored towards digital enterprise and widening participation agenda. This model was geared towards knowledge dissemination through publications, improving performance and ensuring that service levels are improved using cost effective and benefit models in order to achieve best practice. &lt;br /&gt;
I have developed both national and international network through publications and contributions through meetings where briefing and positive agenda were discussed. I am an efficient and effective person in terms of completing customer satisfaction reports, feedback and time management at cost savings facet within the faculty and the university levels. These factors were used to address gaps in service delivery and provisions with reference to my Green Computing and Energy Savings research in 2008 which focused on the Tower Building (Technology Tower) with positive results in terms of energy savings of £18,000 per year using the Carbon Trust indicators. &lt;br /&gt;
I have positive drive and competence that I am always sharing with team members for the advancement of work and developmental target. I am a good listener and active member of a team, and value contribution from reflective team members. &lt;br /&gt;
I have very good communication skills, both written and oral. I have experience in presentation, reports, and representation using various interface mechanisms. I am skilful in dealing with impartiality, integrity and objectivity, as I am focused on developing positive business enterprise, collaborative research, KTP agenda, and Income Generation. I respect equal opportunity, and wider participation in business and work. In a nutshell, I have in-depth knowledge in the business applications and hope to provide a balance to competitive benchmarking and quality assurance.&lt;br /&gt;
I have good record of Consultancy and practical achievement at professional, business, industrial and institutional levels. I successfully completed the following consultancy programmes:&lt;br /&gt;
Design and Development (KTP) with Hug Engineering UK and Austria &lt;br /&gt;
Working on the GreenTrac – Energy Savings proposals (with UK Company)&lt;br /&gt;
The British Council Knowledge Management projects for Developing Economies on the following:&lt;br /&gt;
Record Management Systems for Nigerian Universities and Polytechnics&lt;br /&gt;
E-Learning Programmes for USA University (Collaborative work)&lt;br /&gt;
Business Process RE-Engineering &amp;amp; Management for University in Bangladesh &lt;br /&gt;
ICT Archiving Systems for Iraqi Parliament (In discussion) with the ICT Minister &lt;br /&gt;
In summary, my experience from University collaborative partnership, community involvement, widening participation and network development programmes; and University research potentials using information systems and financial services expertise will complement my practical orientation and act as valuable asset towards effective Leadership service delivery and customer relationship management. &lt;br /&gt;
I serve in academic, business and community forum groups for University Diversity Directorate; and I hold the following Visiting Professorship and Editorial positions: Visiting Professor University of Lagos, Nigeria; Visiting Professor Gulf University, Bahrain; Visiting Professor [European School of Economics, London Campus], Editorial Advisory Board Member and Executive Peer Reviewer for Educational Technology &amp;amp; Society responsible for the review of Journal of International Forum of Educational Technology &amp;amp; Society and IEEE Learning Technology Task Force, Reviewer of Computing Reviews/ACM Journals and Assistant Editor of The International Journal of Applied Human Resource Management. &lt;br /&gt;
I am currently a member of Policy Co-ordination Committee of the International Research Foundation for Development (A Corporation of NGO in SPECIAL Consultative status with the Economic and Social Council of the United Nations). I was member of Homerton University Hospital NHS Trust Board, UK and currently member of the UK Council for Healthcare Informatics Professionals (UKCHIP) and Committee member of the British Computer Society (BCS) – Information Security Specialist Group (ISSG). &lt;br /&gt;
These skills will bring valuable experience and expertise dissemination in the position of member of the Global OWASP Foundation Board of Directors.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|Nigeria&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Sergei Belokamen||align=&amp;quot;center&amp;quot;|Not a Member, Melbourne Chapter Leader ||align=&amp;quot;center&amp;quot;|Sergei has over 10 years of experience in providing Application Security, Information Security and IT services to high profile and prominent companies in Australia and internationally. He's recognised within the industry as someone with an impeccable reputation, who has helped his clients establish leading strategies around Information Security. In his current role, Sergei is a CTO and a founder of Bugcrowd - Crowdsourced Security Testing. Bugcrowd runs managed bug bounty programs.&lt;br /&gt;
Some of my past achievements include:&lt;br /&gt;
- Current chapter lead for OWASP Melbourne, Australia.&lt;br /&gt;
- OWASP PHP Project lead. Though the project is now defunct.&lt;br /&gt;
- Working on large scale secure software development lifecycle methodology and processes; development and deployment.&lt;br /&gt;
- Developing Information Security strategy, controls and low level APIs for online user behaviour monitoring, malicious activity monitoring and ecommerce fraud minimisation.&lt;br /&gt;
- Bugcrowd being accepted into 2013 intake of the Startmate Tech Accelerator program.&lt;br /&gt;
Sergei has also worked on a number of short, medium and long term security consulting engagements, providing application security, ethical hacking, application security architecture, source code security review for a wide range of clients across most industries; contributed and been recognised within Google's security bounty programme; and long standing involvement with OWASP.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|I have been involved with OWASP for the last eight years. From attending chapter meetings and events to leading a project and chapter lead for the Melbourne OWASP chapter. The friends I made through OWASP have helped me grow both personally and professionally and have ultimately influenced and assisted my career transition to focus exclusively on application security.&lt;br /&gt;
I feel that OWASP has a lot of potential and I would like to play a role in influencing making OWASP a single, most recognised, global resource for application security. I would like to leverage my experience and network to improve the visibility of application security and contribute to its evolution. &lt;br /&gt;
Some of the areas I would like to influence are:&lt;br /&gt;
- Improving the quality and adoption of OWASP standards through tighter integration with standards bodies such as ISO, NIST and PCI.&lt;br /&gt;
- Improving the project management office within OWASP to boost the quality of materials, response times and streamlining the overall process.&lt;br /&gt;
- Establish 'OWASP reputation' for high quality and high volume contributors, where individuals can apply for funding to move along research or development.&lt;br /&gt;
- Establish a funding mechanism that allows OWASP to pay key contributors like Linux Foundation&lt;br /&gt;
- Establishing a review project for all materials on the OWASP website.&lt;br /&gt;
- Work on making OWASP a more inclusive 'application security' resource with less focus on 'web application' security exclusively to mirror the evolution of the industry and ensure that OWASP remains the preeminent and relevant body for application security. For example mobile application, APIs, etc.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|Australia &lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Fabio Cerullo||align=&amp;quot;center&amp;quot;|Current Paid Member, Ireland-Dublin Chapter Leader||align=&amp;quot;center&amp;quot;|Fabio has over 12 years of experience in the information security field gained across a diverse range of industries. As CEO &amp;amp; Founder of Cycubix, he helps customers around the globe by assessing the security of applications developed in-house or by third parties, defining policies and standards, implementing risk management initiatives, as well as providing training on the subject to developers, auditors, executives and security professionals.&lt;br /&gt;
As a member of the OWASP Foundation, Fabio is usually involved in raising application security awareness among businesses, governments and educational institutions. He organised the OWASP AppSec Europe 2011 conference in Dublin, the OWASP Latam &amp;amp; European Tours, and is part of the OWASP Ireland Chapter Board since early 2010. He also represents OWASP in the Google Summer of Code since 2012 making sure students and mentors alike could collaborate and work together in OWASP projects. &lt;br /&gt;
He holds an MSc in Computer Engineering from UCA and has been granted the CISSP &amp;amp; CSSLP certificates by (ISC)2.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|My main motivations to join the Global OWASP Foundation Board of Directors could be summarised as follows:&lt;br /&gt;
- Increase OWASP presence in emerging regions.&lt;br /&gt;
- Promote development of new/existing OWASP projects.&lt;br /&gt;
- Build relationships with industry, government, and educational institutions.&lt;br /&gt;
- Support the overall OWASP community and its various activities.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|Ireland&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Michael Coates||align=&amp;quot;center&amp;quot;|Honorary Member||align=&amp;quot;center&amp;quot;|Michael Coates is the Director of Security Assurance at Mozilla. In this role, Michael sets the strategy for security across Mozilla and leads security operational initiatives. Michael leads a team of talented security experts from around the world that focus on securing Mozilla’s technologies including: Firefox, Firefox OS, Web applications, services and the infrastructure and systems that power Mozilla. Michael was recently featured as one of SC Magazine’s 2012 Influential IT security minds and often speaks on Web security at open source conferences and security events throughout the world. Michael holds an M.S. in Computer, Information and Network Security from DePaul University and a B.S. in Computer Science from the University of Illinois.&lt;br /&gt;
From 2011-2013 Michael was elected to the OWASP global board and served as the chair of the board. Michael is also the founder of the OWASP AppSensor project which is now featured by the Department of Homeland Security as a core approach to building resilient software and was the subject of an article within the Department of Defense Cross Talk magazine.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|Over the first term on the global board I worked to bring maturity and structure to our growing organization. We established OWASP as a platform for security experimentation and growth. This included experimenting with new outreach channels such as the Security 101 mailing list and the 2012 monthly security blitz. In addition, I helped advance the OWASP foundation with a strong focus on budget planning and fiscal responsibility. We formalized board meetings with clear agendas and recorded archives and also created an Executive Director full time position to adapt to the growing size and needs of OWASP.&lt;br /&gt;
Throughout these two years I was also a public advocate for OWASP which included OWASP specific talks at RSA 2012, the Department of Defense and at Oracle. I also conducted interviews for CNN and SCMagazine related to OWASP topics and security. Throughout my tenure I've always tried to bring a positive and community oriented spirit to OWASP discussions.&lt;br /&gt;
If the OWASP community would like to see me continue on the OWASP board I will focus on the following items in 2013-2015:&lt;br /&gt;
- Expansion of OWASP to Technology Startups - Numerous technology startups are looking for guidance on how to build the framework and foundation of the security programs. Through my consultation with them I wish to work with the OWASP community to build an OWASP program focused on their needs. This will bring new organizations to OWASP and spread our mission to new technologies at the birth of their design.&lt;br /&gt;
- Growth of OWASP within Government - Now more than ever the issue of security is in the spotlight of legislation. OWASP can provide independent guidance and resources to help educate key policy makers and tools and projects that can be used by implementors. &lt;br /&gt;
- OWASP Community Platform: I've been working with our operations team to introduce recognition programs to our community. This would be in the form of digital badges, promotion of key activities by OWASP volunteers, creation of a central OWASP directory software to promote and build the OWASP community and more.&lt;br /&gt;
I believe the OWASP community is the true power of OWASP. I'm committed to continuing to build a structure at OWASP that empowers individuals to take risks, experiment and learn. OWASP is a platform for security research and an independent voice of reason in the growingly complex field of security.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|USA&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Bil Corry||align=&amp;quot;center&amp;quot;|Current Paid Member||&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|OWASP has grown and will continue to grow, ad-hoc processes do not scale well. I plan to focus on maturing the organization - clarifying the bylaws, documenting ad-hoc processes, creating guidelines in various areas of contention, improving the general web experience, and other much needed refining.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|USA&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Tobias Gondrom||align=&amp;quot;center&amp;quot;|Current Paid Member, Germany Chapter Leader||align=&amp;quot;center&amp;quot;|Running Thames Stanley, a boutique Global CISO and Information Security &amp;amp; Risk Management Advisory based in Hong Kong, United Kingdom and Germany.&lt;br /&gt;
About 15 yrs of experience in software development, application security, cryptography, electronic signatures and global standardization organizations working for independent software vendors and large global corporations in the financial, technology and government sector.&lt;br /&gt;
My background is in the industry and corporate side of web application security. &lt;br /&gt;
Over the years, have run a corporate info sec team and trained and advised dozens of CISOs and senior information security leaders around the globe. &lt;br /&gt;
And in addition to my technical background, also have a management degree from London Business School, which helps with the governance and financial bit and pieces. And over the years gained some governance experience in a few global organisations and boards. &lt;br /&gt;
OWASP related: &lt;br /&gt;
Have volunteered for a few projects and chapter leadership roles since 2007.&lt;br /&gt;
- Currently, as a member of the OWASP London chapter board &lt;br /&gt;
and visiting a number of OWASP chapters in Asia as a guest speaker. &lt;br /&gt;
- project lead for the OWASP CISO Report and Survey project and contributor to some other bits and pieces. &lt;br /&gt;
- and given some CISO training days at our AppSec conferences. &lt;br /&gt;
previously: &lt;br /&gt;
- chapter lead OWASP Germany for a couple of months (until I moved to London). &lt;br /&gt;
- volunteered for the Global Industry Committee. &lt;br /&gt;
Beyond OWASP: &lt;br /&gt;
- Since 2003, the chair of working groups of the IETF (www.ietf.org), a member of the IETF security directorate, and since 2010 chair of the web security WG at the IETF. &lt;br /&gt;
- written some security RFCs and co-authored books on „Secure Electronic Archiving“ and a frequent presenter at conferences and publication of articles (e.g. AppSec, IETF, ISSE, ...).&lt;br /&gt;
- Board member of the CSA Hong Kong and Macau chapter. &lt;br /&gt;
- ISC2 CSSLP and CISSP Instructor.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|I feel very passionate about our mission and our goals for an open community to advance web and application security globally. &lt;br /&gt;
In the past that has inspired me to help with some ground work here and there, but not so much seeking a board election. However, in the last year, there were a few board decisions and activities, where I felt they were executed not in the best way for our community. And as a consequence, I gave myself the challenge to either shut up and accept things as they are or spend the time and effort and try to do it better. So am now trying the latter and volunteering for the board. ;-) &lt;br /&gt;
There are a few things that I would like to look at on the board: &lt;br /&gt;
1. Increase reach out to developers and industry: I like to extend our OWASP reach much more towards industry and developers. (so to speak &amp;quot;where the rubber meets the road&amp;quot;) &lt;br /&gt;
We have so much expertise and knowledge in our community with all our great security experts and projects, but we need to get it out there and bring this more into the developer community and industry who actually build the applications in the first place, to increase our impact and help reduce the most common vulnerabilities. E.g. I find it is a shame that we are still looking at so many (too many) basic vulnerabilities, like e.g. SQL injection vulns, which could with some basic developer training be avoided. &lt;br /&gt;
2. Membership: I also like to extend corporate memberships towards industry and &amp;quot;consuming&amp;quot; companies as well. Today most of our corporate members are consulting and pen testing companies, I would like to also work to gain more industry corporate members. &lt;br /&gt;
3. Governance: advance the maturity of OWASP as an open community organisation. E.g. review some of the oversight and governance questions: I think we can be more transparent and open in how we do things, and even if it's just to be open and document processes how we make decisions. &lt;br /&gt;
4. Revisit the transition away from the global committees. I fear that a few things fell in the cracks when we shut down the committees and were not picked up yet.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|Hong Kong&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Tahir Khan||align=&amp;quot;center&amp;quot;|Current Paid Member||align=&amp;quot;center&amp;quot;|My name is Tahir Khan, and I am a highly talented leader with over fifteen years of experience in efficiently managing, securing, designing, deploying and fine tuning enterprise network infrastructures for large-scale governments and businesses, as well as leading and managing fraud and incident response teams in large organizations.&lt;br /&gt;
I am currently an adjunct professor at George Mason University for Counter Forensics and Penetration Testing courses at the Masters level.&lt;br /&gt;
I graduated with a Masters in Computer forensics from George Mason University in 2011.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|I feel I will be a valuable addition to the OWASP Foundation Board of directors as I will bring current knowledge and skills to the organization. I have extensive experience leading and managing teams with focus on Web Security as well as developing standards and policies for these teams.&lt;br /&gt;
I am driven and have a passion for my field, and will strive to improve the organization, drive membership at the University level and help grow OWASP if elected.&lt;br /&gt;
Sincerely,&lt;br /&gt;
Tahir Khan&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|USA&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Timur Khrotko||align=&amp;quot;center&amp;quot;|Not a Member, Hungary Chapter Leader||align=&amp;quot;center&amp;quot;|I am a 43 yrs old Russian born in Budapest, Hungary. I am resident in Hungary, but I try to make short visits to Russia 4x a year. My English is quite fluent. It is 10 years now that my professional activity focuses on information security. In the first years my company and I developed our own innovative enterprise IAM solutions. The key of innovation was to look at security not as a technical but business/organizational matter. While being quite tech-savvy in security (from hardening a bsd server to teaching about password internals, advising financial institutions on secure architecture and being regular listener of pauldotcom) I still am a person who looks at problems from an organizational perspective (management is my academic topic). I understand well the legal language having my 20 years practice in negotiations and contracting. I understand the managerial decision making not only as software vendor and consultant but as a researcher in organizational studies. All this is important, since I believe we must provide a whole vertical solution in application security: from secure coding guidelines up to corporate appsec policy and down the contractual templates. And we, OWASP have to cover these non-technological areas as well as we did with the development field. &lt;br /&gt;
Some years backwards and achievement highlights:&lt;br /&gt;
2013 Hungary chapter leader&lt;br /&gt;
2012 Hungary chapter founder (one of the founders)&lt;br /&gt;
2011 cloudbreaker.co AppSec/EH company started, partner/business relations&lt;br /&gt;
2010 Defended PhD at Corvinus University of Budapest (more publications still needed to have the title)&lt;br /&gt;
2010 My PhD dissertation is published in English as a book&lt;br /&gt;
2008 ITEuropa IT Excellence Award to our innovative Identity Management solution (AZD idED) &lt;br /&gt;
2007 Hungarian (IT business) innovation award to our Identity Management solution&lt;br /&gt;
2006 GE Money Hungary deploys the Identity Management solution (idED) made on mainly my concept&lt;br /&gt;
2003 GE Money Hungary deploys an Access Management solution made with my business-process centric concept&lt;br /&gt;
2000 MSc, Finance, Budapest University of Economic Sciences (BKÁE, BUES)&lt;br /&gt;
1993 MSc, Business IT Management, Budapest University of Economic Sciences (BKE, BUES)&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|We have extraordinary security expertise, projects and tools, but a lot of security aware effort breaks on managerial/business and contractual negligence regarding application security. In order to be more successful in our efforts we must package the security aware approach into practices more easily adoptable by profit-oriented business organizations and bureaucratic institutions, practices more accessible for managerial decision making, and requirements controllable by legal instruments. As a Board member I would like to take care of non technological (non development/code/tool related) but rather business management related projects, best practices and vision of application security. &lt;br /&gt;
For example application security must be blessed on corporate governance level, implemented on the level of procurement and contracting, and application security must be an aspect in vendor management. As OWASP we already have an authority of the global best practice provider, so using our existing patterns of projects we can provide the solutions for obstacles faced by our mainstream efforts. And there are already existing projects in OWASP regarding the aspect I advocate, so we can move forward fast.&lt;br /&gt;
Being resident in Eastern Europe and being in my major part Russian I would like to extend the global spirit of the organization, and I would try to make the OWASP &amp;quot;device&amp;quot; more accessible in Russia next year.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|Hungary&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Martin Knobloch||align=&amp;quot;center&amp;quot;|Current Paid Member||align=&amp;quot;center&amp;quot;|Martin has been a Java Developer and Software Architect, until he focused on Software security in 2005. In that year, he set up a security task force at his former employer and after attending the 2nd OWASP AppSec-Eu conference in 2006, Martin got hooked by OWASP.&lt;br /&gt;
Since 2007 Martin has been an active board member in the Netherlands Chapter. He has been involved in several projects and volunteers at AppSec-conferences. Further, he has been an active participator at the OWASP summits in 2008 and 2011 as well as chair of the OWASP Education Committee. Martin has represented OWASP and been a speaker at several OWASP, Developer, Testing and Hacker events in the Netherlands and internationally. &lt;br /&gt;
Since February 2011, Martin has been a self-employed security consultant and trainer.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|With my experience of the OWASP organization, I will help the foundation to continue to grow the organization size and relevance to the wider community whilst maintaining independence and increasing openness towards the community.&lt;br /&gt;
Next to that, I will focus on the following:&lt;br /&gt;
- Increasing the awareness of OWASP outside the security community&lt;br /&gt;
- Fostering the growing African community&lt;br /&gt;
- Cultivating the initiatives of OWASP at educational institutions such as universities&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|Netherlands&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Gregory Disney-Leugers||align=&amp;quot;center&amp;quot;|Honorary Member ||align=&amp;quot;center&amp;quot;|Gregory is the project leader of OWASP Mantra-OS, and the Owner of Seccomp.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|I believe OWASP is the web standard of web security and has some of the best and the brightest volunteers of any Open source project. With the constant growth of technology, OWASP needs to grow with these changes and be current with security threats. If I was to be elected I would bring my passion and dedication to OWASP, and do everything in my power to help grow OWASP with the ever constant changes.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|USA&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Jason Li||align=&amp;quot;center&amp;quot;|Current Paid Member||align=&amp;quot;center&amp;quot;|I am a long time OWASP contributor having served actively on the OWASP Global Projects Committee from the birth of the global committees through their disbanding. I am one of the original co-authors of the AntiSamy Java project and the Code of Conduct for Certifying Bodies (the &amp;quot;Red&amp;quot; book). I was part of the core planning committee for the 2011 OWASP Summit along with Lorna Alamri and Sarah Baso. I've also worked behind the scenes supporting OWASP staff by creating the expense reimbursement workflow and new project forms that are still in use. I'm one of the resident OWASP wiki ninjas having created/pioneered many of the wiki templates used in OWASP projects and ultimately copied in other aspects of the wiki. During the day, I work as a Managing Consultant for Aspect Security performing a variety of application security consulting services. In my spare time, I am a social ballroom dancer, indoor rock climber, amateur trapeze artist, Star Trek fan, world traveler, and general adventurer. ||align=&amp;quot;center&amp;quot;|I believe I will bring a sense of balance and vision to the Board. Having been involved in the organization for many years, I'm keenly aware of our history and of initiatives that have been successful and those that have failed. I would like those experiences and lessons learned to have a voice on the Board. I also believe in taking pragmatic action as opposed to pontificating about ideals. I have a history of taking thoughtful action on behalf of OWASP - sometimes I've succeeded, sometimes I've failed - but I believe at some point the endless debate must end and something must simply be done with the best of intentions.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|USA&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Yiannis Pavlosoglou||align=&amp;quot;center&amp;quot;|Current Paid Member||align=&amp;quot;center&amp;quot;|There is a world of numbers, hiding behind letters, inside computers that stimulates the brain of Yiannis. Currently, he is spending a lot of time in the area of IT risk management and risk control within the finance industry. &lt;br /&gt;
Starting from the world of professional penetration testing, Yiannis did focus his career evolution on assisting teams write secure code and implementing an SDLC for large scale projects. &lt;br /&gt;
For OWASP, Yiannis was the project leader for JBroFuzz and used to chair the Global Industry Committee, having contributed to a number of projects and initiatives listed here:&lt;br /&gt;
https://www.owasp.org/index.php/User:Yiannis &lt;br /&gt;
He is on the Application Security Advisory Board of (ISC)2, holds a PhD in information security, is a certified Scrum Master and is also CISSP certified.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|&amp;quot;It's not what OWASP can do for you, but it's what you can do being a WASP!&amp;quot;&lt;br /&gt;
Despite the above starting as a joke post BlackHat on the leaders mailing list, I think we as an organisation have a small reversal of roles when it comes to way we treat OWASP. &lt;br /&gt;
I see a lot of people angry on the leaders mailing list, why is that? Do we perhaps need to clearly define the governance on this and other lists? For starters, I haven't been a project or chapter leader for a number of years, yet I am still on it. &lt;br /&gt;
If I was elected on the board, I would continue building on the foundations of a good governance we have had from previous board members, with the intention of adding more structure to the organisation. Let's be clear this would not be an attempt to challenge the &amp;quot;O&amp;quot; in OWASP, instead provide the right forum for the right level of communication to take place. Experience in other organisations has shown me that you achieve a lot more that way.&lt;br /&gt;
Vendors, logos, images, agendas, what is going on there? Definitely some work would need to take place to re-affirm the necessary neutrality that OWASP should have when it comes to such matters. An iterative process of re-affirming the level of neutrality required would be a proposal I would put forward for wider adoption. &lt;br /&gt;
Having been a project leader, I recall the motivation of being granted money to write code, it was so exciting! We need more of that, but in the form of stakeholder management: Let's not kid ourselves, there are well known ways to write good software and this industry has but a few good examples of that. Requirements, testing, stakeholder decisions on roadmaps would be on the table to manage and help fund projects. This would also help warrant maturity levels on projects and, well, address the motivation behind the sad fact that everybody wants to be a project leader, without always carrying the responsibility.&lt;br /&gt;
With the work that has been happening on the OWASP main site, I think it's time we started looking at how to clean up the content that is out there. Again, this is not necessarily in the form of archiving, but instead in the form of attempting to make the site simple to navigate. Everything from input validation filters for Java to people's itinerary information is on there. I mean, come on! I would tie this work into the governance piece stated above.&lt;br /&gt;
Finally, I would invest a lot of time in terms of making sure that our permanent members of staff have a healthy environment of work to operate in. How? By means of establishing run-books, escalation paths and targeting the relevant communication to the right people. This after all would show how healthy we are in terms of processes and structure as an organisation. &lt;br /&gt;
But before any of this, I would actually sit and listen, collecting feedback from the community on how they see we should change and how we should achieve getting there.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|United Kingdom&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Ludovic Petit||align=&amp;quot;center&amp;quot;|Honorary Member, France Chapter Leader||align=&amp;quot;center&amp;quot;|Chief Security Officer with 20 years international experience of Security management within the Telecommunications industry, following 10 years in Information Technology, with a strong balance of business acumen and technical skills gained from working in global and multicultural professional environments. I am a Certified Information Systems Security Professional (CISSP) and Certified Telecommunications Fraud Specialist (CTFS) serving as a trusted leader at board-level. &lt;br /&gt;
I am working at Group level with a proven ability of managing global projects and cross-functional teams, and successfully achieving strategic level objectives. I am a relationship builder who enjoys working with others, with the ability to adapt to rapidly changing environments and different cultures.&lt;br /&gt;
I have both a Technical and a Law Enforcement (Legal &amp;amp; Regulation) background.&lt;br /&gt;
Chapter Leader and Founding Member OWASP France (2004) I'm also Global Connections Committee Member. &lt;br /&gt;
A few contributions to OWASP Projects:&lt;br /&gt;
OWASP 2013 Strategic Goals (with Samantha Groves &amp;amp; Sarah Baso, for the Board)&lt;br /&gt;
OWASP 2013 Marketing Initiative (with Samantha Groves &amp;amp; Sarah Baso)&lt;br /&gt;
Translator of the OWASP Top Ten in French (All versions)&lt;br /&gt;
Application Security Guide For CISOs (with Marco Morana)&lt;br /&gt;
OWASP Mobile Security Project (with Jack Mannino)&lt;br /&gt;
OWASP Cloud Top10 Project (with Vinay Bensal)&lt;br /&gt;
OWASP Secure Coding Practices - Quick Reference Guide (with Keith Turpin)&lt;br /&gt;
Public LinkedIn profile: linkedin.com/in/lpetit/&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|I'm a member of OWASP since 2004. I'm actively contributing to the OWASP Top Ten Project as French translator since the first version of 2004, as well as the other work mentioned above.&lt;br /&gt;
As Chapter Leader OWASP France and Global Connections Committee Member, I'd like to modestly propose my profile to continue helping the Foundation spread the Voice of OWASP.&lt;br /&gt;
I'm convinced the mix of profiles &amp;amp; backgrounds from Board Members could enrich and enhance the way in which things could be done for the Community.&lt;br /&gt;
My modest wish is trying to bring the great value-added of the knowledge from the Board to local Chapters ecosystems, to streamline knowledge, processes and awareness as much as I could.&lt;br /&gt;
I have no other wish but to serve the Community. I am transparent... and modest.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|France&lt;br /&gt;
|-&lt;br /&gt;
|align=&amp;quot;center&amp;quot;| Josh Sokol||align=&amp;quot;center&amp;quot;|Current Paid Member, Austin Chapter Leader||align=&amp;quot;center&amp;quot;|Josh Sokol began his involvement with the OWASP Foundation over six and a half years ago. At the time, he was a newly hired Web Systems Engineer, working at National Instruments, and one of his teammates encouraged him to attend an OWASP meeting due to his active interests around Information Security. After just a single meeting, Josh was hooked. Soon thereafter, Josh began helping the OWASP Austin Chapter Leader with scheduling and facilitating the meetings at National Instruments. His friend ended up taking over as President of the chapter and Josh became his VP. Several years later his friend was looking for someone to take over as President of the chapter and Josh was the natural choice. After fulfilling his obligations as Treasurer of the Capital of Texas ISSA Chapter, Josh took on the role of President of OWASP Austin. Josh installed a strong leadership team around him and worked with them to grow the chapter from a meeting average of 10-15 people to a consistent 40+, created monthly sponsored happy hours to help the community network, began weekly study groups to aid members in learning different topics, and co-founded the Lonestar Application Security Conference (LASCON) in order to make the OWASP Austin Chapter entirely self-sustaining as well as one of the largest financial contributors to the OWASP Foundation. After two years of serving as the OWASP Austin President, Josh handed the reins over to another member of his leadership team and joined the OWASP Global Chapter Committee. Within two months of joining, the committee appointed Josh as the Chair. While serving on this committee, Josh fought for the rights of the Chapters. He helped to re-write the Chapter Handbook and created several new initiatives with the goal of helping maximize the potential of all OWASP chapters. 
Josh served as the Chair of the Global Chapter Committee until the committee structure was eliminated by the OWASP Board in late 2012. Josh continues to be an active member of the OWASP Austin leadership team.&lt;br /&gt;
In his professional life, Josh has spent the past three and a half years employed as the Information Security Program Owner at National Instruments where he handles all vulnerability management, risk management, security architecture, security training, and security policies (among many other things) for the company. He has presented on security topics at BlackHat, OWASP AppSec USA, BSides Las Vegas, MISTI InfoSecWorld, and many more and is currently developing a free and open source risk management tool. Josh lives in Austin, TX with his wife and four daughters.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|With two exceptions, the current OWASP Board of Directors consists of people who sell security products and services as their day job. But with one of the OWASP Core Values being &amp;quot;vendor neutrality&amp;quot;, this presents a very significant conflict of interest. One which I, personally, have witnessed issues with and raised my concerns to the current Board. While I am most definitely a security professional by trade, my company does not currently make any products or sell any services in the security space. I am truly a security practitioner and have no hidden agendas or biases.&lt;br /&gt;
Also, with few exceptions, many of the current Board members have no idea what it takes to run a successful OWASP chapter. Recently, they held a vote to remove the 60/40 membership fee split in order to correct a perceived issue with what they refer to as &amp;quot;rich chapters&amp;quot;. The problem being, this proposal would have had little effect on those chapters and would effectively wipe out the ability for many of our smaller chapters to make money. Formerly, we had the Chapters Committee to stand up for the rights of our chapters and its leaders, but with the elimination of that committee structure, we have nothing. I frequently monitor the Board list as well as the Governance list and have, on several occasions, engaged the Board on issues that I felt warranted some &amp;quot;chapter leader&amp;quot; intervention, but officially I have no vote in these matters. Since the majority of our members are affiliated with a chapter, I am hoping that you will support me in being your voice. &lt;br /&gt;
I love OWASP and have been passionate about it from the beginning. I am unbiased in my opinions and unafraid to stand up for what I believe is right. I would sincerely appreciate your vote to put me on the OWASP Board of Directors.&lt;br /&gt;
|align=&amp;quot;center&amp;quot;|USA&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Honorary Membership ===&lt;br /&gt;
&lt;br /&gt;
Honorary Membership will be granted to the following for the 2013 election:&lt;br /&gt;
*Chapter Leaders &lt;br /&gt;
*Project Leaders&lt;br /&gt;
&lt;br /&gt;
'''**NOTE**''' Chapters and Projects must be active. Your leadership position must be on file prior to 30-September 2013 in order to be eligible for 2013 honorary membership.   '''ALL''' qualified individuals '''MUST''' apply for Honorary Membership in order to vote by completing the [http://www.tfaforms.com/284826 Honorary Membership Self Nomination Form]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Who Can Vote?  ===&lt;br /&gt;
&lt;br /&gt;
OWASP Paid Individual Members, Paid Corporate Members and Honorary Members registered as of 30-September 2013 have one (1) vote per seat (there are 3 seats up for election).&lt;br /&gt;
&lt;br /&gt;
*Note - this will include all chapter leaders and project leaders on file effective 30-September 2013. You can check the current [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0Ag5ZloRZ0SmjdElHZnp5VnozSXFfR0c3UkF1WHh5dVE&amp;amp;hl=en#gid=0 Member Look Up]. If you are not a member yet, you are encouraged to become one.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;center&amp;gt;'''[[Image:Join_Now_BlueIcon.JPG|100px|link=https://www.owasp.org/index.php/Membership_Map]]'''&amp;lt;/center&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Election Timeline===&lt;br /&gt;
# '''May 7 - Call for Candidates [http://www.tfaforms.com/284825 Candidate Submission Form]'''&amp;lt;br&amp;gt; &lt;br /&gt;
#* [http://lists.owasp.org/pipermail/owasp-leaders/2013-May/009311.html Leaders List Announcement], [http://owasp.blogspot.com/2013/05/2013-board-election-call-for-candidates.html Blog Post Announcement], [https://twitter.com/owasp/status/334836154195128320 Twitter Announcement]&lt;br /&gt;
# August 11 - Call for Candidates Reminder&amp;lt;br&amp;gt;&lt;br /&gt;
#*[http://lists.owasp.org/pipermail/owasp-leaders/2013-August/009938.html Leaders List Reminder], [http://owasp.blogspot.com/2013/08/last-call-for-2013-election-board-of.html Blog Post Reminder], [https://twitter.com/owasp/statuses/366630187854598144 Twitter Announcement], [http://www.linkedin.com/groups/Last-Call-2013-Election-Board-36874.S.264990813?qid=7110e493-81e4-4a3d-86b5-a956c43ee5bb&amp;amp;goback=%2Enpv_101664190_*1_*1_name_6z5f_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_NUS_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_NUS*5memb*4pic+_*1%2Egmp_36874 LinkedIn Reminder]&lt;br /&gt;
# August 16 - Deadline for Call for Candidates&amp;lt;br&amp;gt;&lt;br /&gt;
# August 22 - Candidates announced LIVE at AppSecEU 2013 as well as on all social media, in the connector and email to leaders list.&lt;br /&gt;
# August 25 - Deadline for questions to be submitted for use during interviews. [https://www.google.com/moderator/#16/e=20f717 2013 Election Questions]&lt;br /&gt;
# September 6 - Deadline for interview recordings to be completed&amp;lt;br&amp;gt;&lt;br /&gt;
# September 30 - Paid &amp;amp; Honorary membership application deadline [http://www.tfaforms.com/284826 Honorary Membership Self Nomination Form]&amp;lt;br&amp;gt;&lt;br /&gt;
# October 14 - Voting process begins&amp;lt;br&amp;gt;&lt;br /&gt;
# October 25 - Voting process ends&amp;lt;br&amp;gt;&lt;br /&gt;
# October 29 - Election result announcement&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Have additional questions about OWASP Membership? === &lt;br /&gt;
Read the Membership FAQ [https://www.owasp.org/index.php/Membership#OWASP_Membership_Frequently_Asked_Questions_.28FAQ.29 CLICK HERE]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Election Frequently Asked Questions ===&lt;br /&gt;
If you have a question about the current election please [http://owasp4.owasp.org/contactus.html click here].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
====Where can I find communication to the OWASP Community about the upcoming election?====&lt;br /&gt;
Answer:&lt;br /&gt;
We will try to publish announcements and key milestone reminders to as many communication channels as possible, including the OWASP Blog, OWASP Connector, OWASP Leader's List and this Wiki Page. Please feel free to help us communicate the message, by re-posting, re-tweeting, or sharing with the OWASP Chapter, Project, or Initiatives you may be involved with.&lt;br /&gt;
*[http://owasp.blogspot.com/2013/05/owasp-connector-may-7-2013.html May 7 OWASP Connector Announcement]&lt;br /&gt;
*[https://docs.google.com/file/d/0B5Z9zE0hx0LNUkxnVUMwc215UnM/edit?usp=sharing May 9 Webinar Slides]&lt;br /&gt;
*[http://owasp.blogspot.com/2013/05/2013-board-election-call-for-candidates.html May 15 Blog Post]&lt;br /&gt;
*[http://lists.owasp.org/pipermail/owasp-leaders/2013-May/009311.html May 15 Email to OWASP Leaders List]&lt;br /&gt;
* June 20 OWASP Connector [http://owasp.blogspot.com/2013/06/owasp-connector-june-20-2013.html  posted to Blog] and [http://lists.owasp.org/pipermail/owasp-all/2013-June/000178.html Email to OWASP-all]&lt;br /&gt;
* July 4 OWASP Connector [http://owasp.blogspot.com/2013/07/owasp-connector-july-4-2013.html posted to Blog] and [http://lists.owasp.org/pipermail/owasp-all/2013-July/000179.html Email to OWASP-all]&lt;br /&gt;
*[https://twitter.com/appsecusa/statuses/35492802439269580 July 10 Tweet] &lt;br /&gt;
* July 16 OWASP Connector [http://owasp.blogspot.com/2013/07/owasp-connector-july-16-2013.html posted to Blog] and [http://lists.owasp.org/pipermail/owasp-all/2013-July/000180.html Email to OWASP-all]&lt;br /&gt;
*[https://twitter.com/owasp/statuses/358693550680064000 July 20 Twitter Reminder]&lt;br /&gt;
* August 1 OWASP Connector [http://owasp.blogspot.com/2013/08/owasp-global-connector-august-1-2013.html posted to Blog] and [http://lists.owasp.org/pipermail/owasp-all/2013-August/000181.html Email to OWASP-all]&lt;br /&gt;
*[http://lists.owasp.org/pipermail/owasp-leaders/2013-August/009938.html August 11 Leaders List Reminder]&lt;br /&gt;
*[http://owasp.blogspot.com/2013/08/last-call-for-2013-election-board-of.html August 11 Blog Post Reminder]&lt;br /&gt;
*[https://twitter.com/owasp/statuses/366630187854598144 August 11 Twitter Announcement]&lt;br /&gt;
*[http://www.linkedin.com/groups/Last-Call-2013-Election-Board-36874.S.264990813?qid=7110e493-81e4-4a3d-86b5-a956c43ee5bb&amp;amp;goback=%2Enpv_101664190_*1_*1_name_6z5f_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_NUS_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_NUS*5memb*4pic+_*1%2Egmp_36874 August 11 LinkedIn Post to Global OWASP Foundation Group]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Category:Board Elections]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Projects/OWASP_PHP_Security_Project&amp;diff=155135</id>
		<title>Projects/OWASP PHP Security Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Projects/OWASP_PHP_Security_Project&amp;diff=155135"/>
				<updated>2013-07-04T21:38:31Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: fixed author email address&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Template:Project About&lt;br /&gt;
| project_name =OWASP PHP Security Project&lt;br /&gt;
| project_home_page =OWASP PHP Security Project&lt;br /&gt;
| project_description =OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP. &lt;br /&gt;
| project_license =Creative Commons Attribution ShareAlike 3.0 License  (best for documentation projects)&lt;br /&gt;
| leader_name1 =Abbas Naderi&lt;br /&gt;
| leader_email1 =abbas.naderi@owasp.org &lt;br /&gt;
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_php_security_project&lt;br /&gt;
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_PHP_Security_Project/Roadmap&lt;br /&gt;
}}&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Project&amp;diff=154356</id>
		<title>OWASP PHP Security Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PHP_Security_Project&amp;diff=154356"/>
				<updated>2013-06-24T09:53:39Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* Main */  added github repo&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
[https://github.com/owasp/phpsec/ GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
{{:Projects/OWASP_PHP_Security_Project}} &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Phpsec&amp;diff=154355</id>
		<title>Phpsec</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Phpsec&amp;diff=154355"/>
				<updated>2013-06-24T09:52:13Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: fixed redirect text&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;#Redirect [[OWASP_PHP_Security_Project]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Phpsec&amp;diff=154354</id>
		<title>Phpsec</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Phpsec&amp;diff=154354"/>
				<updated>2013-06-24T09:51:15Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: redirect to php security project&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[Redirect:OWASP_PHP_Security_Project]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Abbas_Naderi&amp;diff=149727</id>
		<title>User:Abbas Naderi</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Abbas_Naderi&amp;diff=149727"/>
				<updated>2013-04-13T14:41:31Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: added my emails for contact&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Contribution==&lt;br /&gt;
I am currently chapter leader of Iran in OWASP and have participated in OWASP Projects for more than 5 years:&lt;br /&gt;
* OWASP ASVS&lt;br /&gt;
* OWASP ESAPI&lt;br /&gt;
* OWASP WebGoat&lt;br /&gt;
* OWASP TOP 10&lt;br /&gt;
* ...&lt;br /&gt;
&lt;br /&gt;
==Personal==&lt;br /&gt;
Check out my CV: https://abiusx.com/cv&lt;br /&gt;
My full name is Abbas Naderi Afooshteh&lt;br /&gt;
&lt;br /&gt;
==Projects==&lt;br /&gt;
I'm also leading the&lt;br /&gt;
&lt;br /&gt;
* PHP Security Cheat Sheet&lt;br /&gt;
* OWASP WebGoatPHP&lt;br /&gt;
* OWASP PHPRBAC&lt;br /&gt;
* OWASP RBAC&lt;br /&gt;
* OWASP PHP CSRF Guard&lt;br /&gt;
* OWASP PHP Security Project&lt;br /&gt;
&lt;br /&gt;
and working on numerous other pages in OWASP. Check out OWASP Iran page.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Contact==&lt;br /&gt;
&lt;br /&gt;
[mailto:abiusx@owasp.org abiusx@owasp.org]&lt;br /&gt;
&lt;br /&gt;
[mailto:abbas.naderi@owasp.org abbas.naderi@owasp.org]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=GSoC2013_Ideas&amp;diff=149726</id>
		<title>GSoC2013 Ideas</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=GSoC2013_Ideas&amp;diff=149726"/>
				<updated>2013-04-13T14:38:58Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* OWASP Project Requests */  added two projects, CSRF Guard and WebGoatPHP&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==OWASP Project Requests==&lt;br /&gt;
===OWASP WebGoatPHP===&lt;br /&gt;
'''Description:'''&lt;br /&gt;
[[Webgoat]] is a deliberately insecure open source application made by OWASP using the Java programming language. It has a set of challenges and steps, each presenting the user with one or more web application vulnerabilities which the user tries to solve. There are also hints and auto-detection of correct solutions. &lt;br /&gt;
Since Java is not the most common web application programming language, and it doesn't have many of the security bugs that other languages such as PHP have, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.&lt;br /&gt;
&lt;br /&gt;
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP's prides (about 200000 downloads).&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' WebGoatPHP will be a deliberately insecure PHP web application which operates in different modes. A contest mode where challenges are selected by an admin and the system starts a contest; admins can open up hints for participants and manage everything. A workshop mode, where the educator has control of most of the application features as well as feedback on user activities, which is ideal for learning environments. And a single mode where someone can browse challenges and solve them.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' You just need to know PHP. You are supposed to define flawed systems, which is not the hardest thing. Familiarity with web application security and SQL is recommended.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
===OWASP CSRF Guard===&lt;br /&gt;
'''Description:''' [[Cross-Site_Request_Forgery_(CSRF)|CSRF]] is a complicated yet very effective web attack. The most important thing about CSRF is that it's hard to properly defend against it, especially when it comes to Web 2 and AJAX. We have had discussions on means of mitigating CSRF for years at OWASP, and are now ready to develop libraries for it. Many of the key ideas of this library can be found at [http://www.cs.sunysb.edu/~rpelizzi/jcsrf.pdf].&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' A transparent Apache 2 module properly mitigating all POST CSRF attacks, as well as a lightweight PHP library doing the same.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisites:''' Knowing CSRF and at least one way to defend against it, PHP, C/C++, Linux.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP PHP Security Project===&lt;br /&gt;
&lt;br /&gt;
'''Description:'''&lt;br /&gt;
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' The result of this project is much better security across PHP applications. Most PHP applications are vulnerable and there's no central approach to securing them (due to their open source nature). Many people look to OWASP for such information.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP).  There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required. &lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
===OWASP RBAC Project===&lt;br /&gt;
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''. &lt;br /&gt;
&lt;br /&gt;
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over time. &lt;br /&gt;
&lt;br /&gt;
OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently [[PHPRBAC]] which is the PHP version of the RBAC project is released.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, especially web-oriented ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
'''Skill Level:''' Advanced&lt;br /&gt;
&lt;br /&gt;
For more info, visit [http://phprbac.net phprbac.net]&lt;br /&gt;
&lt;br /&gt;
===OWASP XSSer Project===&lt;br /&gt;
&lt;br /&gt;
XSSer has a correct engine implementation to search for and exploit XSS vulnerabilities, but work is needed in several areas to obtain better results. Some of them are: fighting &amp;quot;false positive&amp;quot; results, implementing more human-readable output and developing new features (such as CSSer, code checks on user inputs, etc.). It would also be good to update the tool with more valid XSS vectors (DOM, DCP, reflected, etc.) and some &amp;quot;anti-anti-XSS&amp;quot; systems for the more common browsers. &lt;br /&gt;
&lt;br /&gt;
There is a roadmap in a PDF file with all the tasks required to advance to the next release of 'XSSer' (v1.7b - Total Swarm!)&lt;br /&gt;
&lt;br /&gt;
Download: http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf &lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
The structure of phases, milestones and code areas is shown below.&lt;br /&gt;
&lt;br /&gt;
Milestones:&lt;br /&gt;
    • Phase 1: Core:&lt;br /&gt;
        + Bugfixing:&lt;br /&gt;
             - False positives&lt;br /&gt;
             - Fix “swarm” results&lt;br /&gt;
             - Fix 'maximize' screen (bug reported)&lt;br /&gt;
             - Add auto-update revision&lt;br /&gt;
             - Fix multithreading (review)&lt;br /&gt;
             - Research 'glibc' corruption&lt;br /&gt;
&lt;br /&gt;
        + Add crawling for POST+GET (auto-test 'whole' page forms)&lt;br /&gt;
        + Update XSS payloads (vectors.py / DOM.py / DCP.py / etc...)&lt;br /&gt;
        + Advance Statistics results (show more detailed outputs)&lt;br /&gt;
        + Advance Exporting methods (create 'whitehat' reports (xml/json))&lt;br /&gt;
        + Advance “WebSockets” technology on XSSer 'fortune' option&lt;br /&gt;
        + Update Interface (GTK+)&lt;br /&gt;
&lt;br /&gt;
    • Phase 2: New features:&lt;br /&gt;
        + Add 'code pre-check' option: users can set which response code the target website returns, to try to avoid false positive results.&lt;br /&gt;
        + Add 'CSSer' option: Payloads for CSS injections.&lt;br /&gt;
        + Research/Search anti-IDS/NIDS/IPS... codes to evade XSS filters.&lt;br /&gt;
        + BurpXSSer: Create a Burp plugin (with Jython libs)&lt;br /&gt;
        + ZAPXSSer: Create a ZAP plugin (with Jython libs)&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* To deploy a new stable version of XSSer with GTK+/Web/Shell main features working properly,&lt;br /&gt;
&lt;br /&gt;
The code should be:&lt;br /&gt;
&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
XSSer is written in Python, so a good knowledge of this language is recommended, as is knowledge of HTML and JavaScript. Some knowledge of application security, and of XSS techniques in particular, is also necessary.&lt;br /&gt;
&lt;br /&gt;
'''Skill Level:''' Medium&lt;br /&gt;
&lt;br /&gt;
'''Mentor: epsylon (psy) - OWASP XSSer Project Leader'''&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP: Dynamically Configurable actions===&lt;br /&gt;
&lt;br /&gt;
ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.&lt;br /&gt;
&lt;br /&gt;
It also supports a scripting interface, which is very powerful but at the moment difficult to use.&lt;br /&gt;
&lt;br /&gt;
This project would introduce something in between these two options: a powerful way of defining (potentially) complex rules using a wizard-based interface.&lt;br /&gt;
&lt;br /&gt;
The challenge will be to make it as usable as possible while still providing a wide range of functionality.&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
This component would provide a set of highly configurable 'actions' which the user would set up via a wizard.&lt;br /&gt;
&lt;br /&gt;
They would initially define when the action applies, based on things like regex matching on request elements, and they should be able to combine multiple criteria with ANDs and ORs.&lt;br /&gt;
&lt;br /&gt;
Then they would define the actions, which could include:&lt;br /&gt;
&lt;br /&gt;
* Changing the request (adding, removing or replacing strings)&lt;br /&gt;
* Raising alerts&lt;br /&gt;
* Breaking (to replace existing break points)&lt;br /&gt;
* Running custom scripts (which could do pretty much anything) &lt;br /&gt;
&lt;br /&gt;
They would then be able to switch the actions on and off from the full list of defined actions using checkboxes.&lt;br /&gt;
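To make the rule model concrete, here is an added Python example (not ZAP code; ZAP itself is Java) of the kind of rule engine such an add-on would implement: each rule carries regex criteria over request elements that are combined with AND (all) or OR (any), an ordered list of actions (replace strings, add or remove a header, raise an alert, break), and an enabled flag that plays the role of the checkbox. The requests, rule names and patterns are constructed for the illustration.&lt;br /&gt;
&lt;br /&gt;
```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: str = ""


@dataclass
class Rule:
    name: str
    criteria: list      # [(element, regex)], element is url | method | body | header:Name
    match_mode: str     # "all" = AND the criteria together, "any" = OR them
    actions: list       # [(action, argument)], applied in order when the rule matches
    enabled: bool = True


def element_value(req, element):
    """Resolve a criterion's element name to the request text it is matched against."""
    if element == "url":
        return req.url
    if element == "method":
        return req.method
    if element == "body":
        return req.body
    if element.startswith("header:"):
        return req.headers.get(element.split(":", 1)[1], "")
    raise ValueError("unknown request element: " + element)


def rule_matches(rule, req):
    hits = [re.search(pattern, element_value(req, element)) is not None
            for element, pattern in rule.criteria]
    return all(hits) if rule.match_mode == "all" else any(hits)


def apply_rules(rules, req):
    """Run every enabled, matching rule; returns (modified request, alerts, break flag)."""
    alerts, should_break = [], False
    for rule in rules:
        if not rule.enabled or not rule_matches(rule, req):
            continue
        for action, arg in rule.actions:
            if action == "replace":            # arg = (old, new), applied to URL and body
                old, new = arg
                req.url, req.body = req.url.replace(old, new), req.body.replace(old, new)
            elif action == "add_header":       # arg = (name, value)
                req.headers[arg[0]] = arg[1]
            elif action == "remove_header":    # arg = header name
                req.headers.pop(arg, None)
            elif action == "alert":            # arg = alert message
                alerts.append((rule.name, arg))
            elif action == "break":            # hand the request to the user before sending
                should_break = True
            else:
                raise ValueError("unknown action: " + action)
    return req, alerts, should_break


def demo_rules():
    """Constructed rules for the illustration, not rules shipped with ZAP."""
    return [
        Rule("admin-write",
             [("url", r"/admin/"), ("method", r"^(POST|PUT|DELETE)$"), ("header:Cookie", r"session=")],
             "all",
             [("alert", "state-changing request to the admin area"), ("break", None)]),
        Rule("mark-api",
             [("url", r"/api/v1/"), ("url", r"/api/v2/")],
             "any",
             [("add_header", ("X-Scan-Marker", "rule-demo")), ("replace", ("/api/v2/", "/api/v1/"))]),
        Rule("switched-off", [("url", r".")], "all", [("alert", "never fires")], enabled=False),
    ]


def run_demo():
    admin = Request("POST", "https://target.example.test/admin/users",
                    {"Cookie": "session=abc123"}, "role=admin")
    api = Request("GET", "https://target.example.test/api/v2/items?id=7", {})
    return apply_rules(demo_rules(), admin), apply_rules(demo_rules(), api)
```
&lt;br /&gt;
Keeping criteria and actions as plain data is what makes a wizard possible: the UI only has to build these tuples, and the same structure can be serialised and shared without exposing the full scripting interface.&lt;br /&gt;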
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* A new ZAP add-on providing the above functionality&lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP: Enhanced HTTP Session Handling===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
ZAP can currently manage multiple sessions. This development would allow ZAP to better handle HTTP sessions and provide different views of a given target depending on the different users' permissions that the targeted site supports.&lt;br /&gt;
&lt;br /&gt;
This implementation should provide a set of methods to answer questions such as: 1) What nodes (pages) are available to a group of users and not to other groups of users? 2) What nodes are available to different users but contain significant differences in the HTTP headers and/or in the body content?&lt;br /&gt;
&lt;br /&gt;
This will allow ZAP to be used to detect access control issues which would otherwise require manual testing.&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* ZAP will have an understanding of both users and roles and be able to associate them with HTTP sessions.&lt;br /&gt;
* The user will be able to associate credentials with different roles allowing ZAP to automatically authenticate as any user / role.&lt;br /&gt;
* ZAP will be able to spider an application using a given user/role.&lt;br /&gt;
* ZAP will be able to report the differences between different HTTP sessions.&lt;br /&gt;
* ZAP will be able to show different views of the site in the site's tree tab with the pages visible for each session.&lt;br /&gt;
* ZAP will be able to attack one session based on the URLs accessed in another session and report which appear to work. &lt;br /&gt;
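An added Python example (not ZAP code) of the comparison logic behind the two questions above: given the pages each authenticated session could reach, it reports the nodes reachable only by the privileged session, only by the unprivileged one, reachable by both with materially different responses, and reachable by both with the same response (the last group being the candidates for a missing authorisation check). The two crawl results, URLs and bodies are constructed for the illustration.&lt;br /&gt;
&lt;br /&gt;
```python
from difflib import SequenceMatcher

# Headers that legitimately differ between two sessions and must not count as a difference.
VOLATILE_HEADERS = {"date", "set-cookie", "content-length", "etag"}


def stable_headers(page):
    return {k.lower(): v for k, v in page["headers"].items()
            if k.lower() not in VOLATILE_HEADERS}


def body_similarity(a, b):
    """Ratio in 0.0 .. 1.0 from difflib; 1.0 means identical bodies."""
    return SequenceMatcher(None, a, b).ratio()


def compare_sessions(sessions, privileged, unprivileged, threshold=0.9):
    """Classify every URL seen in either session. A page counts as reachable when
    it answered 200; redirects to a login page therefore count as not reachable."""
    priv, unpriv = sessions[privileged], sessions[unprivileged]
    report = {"only_privileged": [], "only_unprivileged": [],
              "shared_different": [], "shared_same": []}
    for url in sorted(set(priv) | set(unpriv)):
        p, u = priv.get(url), unpriv.get(url)
        p_ok = p is not None and p["status"] == 200
        u_ok = u is not None and u["status"] == 200
        if p_ok and not u_ok:
            report["only_privileged"].append(url)
        elif u_ok and not p_ok:
            report["only_unprivileged"].append(url)
        elif p_ok and u_ok:
            same_headers = stable_headers(p) == stable_headers(u)
            similar = body_similarity(p["body"], u["body"]) >= threshold
            bucket = "shared_same" if (same_headers and similar) else "shared_different"
            report[bucket].append(url)
    return report


def constructed_crawl():
    """Two constructed crawls of the same fictional site, one per role."""
    def page(status, body, ctype="text/html"):
        return {"status": status, "headers": {"Content-Type": ctype, "Date": "now"}, "body": body}

    admin = {
        "/": page(200, "welcome to the portal"),
        "/admin/users": page(200, "user list: alice, bob, carol"),
        "/reports/1": page(200, "report 1: full ledger with account numbers"),
        "/export": page(200, "a,b,c", "text/csv"),
    }
    user = {
        "/": page(200, "welcome to the portal"),
        "/admin/users": page(302, "redirecting to /login"),
        "/reports/1": page(200, "report 1: summary only"),
        "/export": page(200, "a,b,c", "text/csv"),
        "/profile": page(200, "your profile"),
    }
    return {"admin": admin, "user": user}
```
&lt;br /&gt;
Everything in "shared_same" still needs a human decision: a public page is expected there, an export that both roles receive byte-for-byte is the kind of finding manual testing would otherwise have to discover.&lt;br /&gt;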
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
Users will be able to:&lt;br /&gt;
* specify exactly which alerts are included, by context, site or on an individual alert basis&lt;br /&gt;
* specify what information is included and how it is laid out&lt;br /&gt;
* specify a range of output formats, at least including HTML and PDF&lt;br /&gt;
* include details of what testing has been performed (automatically generated where possible)&lt;br /&gt;
* apply their own branding&lt;br /&gt;
* save report templates, and apply templates downloaded from the ZAP marketplace &lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and the HTTP protocol specification. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Guifre Ruiz - OWASP ZAP Dev Team'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP: Exploring Advanced reporting using BIRT===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
BIRT (Business Intelligence and Reporting Tools) is an open source development framework used for report development. The objective of the project is to explore the development of advanced reports in OWASP ZAP using the BIRT Report Designer, which is an Eclipse plug-in that utilizes BIRT technologies.&lt;br /&gt;
&lt;br /&gt;
Reports can be designed using the BIRT Report Designer; however, a complete integration within OWASP ZAP is the ideal solution. This can be achieved by integrating BIRT with OWASP ZAP, since the reporting application does not require the BIRT Report Designer user interface to generate a report.&lt;br /&gt;
The org.eclipse.birt.report.engine.api package contains the classes and interfaces that an application uses to generate reports. The main classes and interfaces are ReportEngine, EngineConfig, IReportRunnable, IRenderOption and its descendants, and IEngineTask and its descendants.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
*Installed and Configured BIRT Environment into the Eclipse OWASP ZAP project ( this can be delivered as an independent project)&lt;br /&gt;
*Analysis report of the pros and cons of using BIRT within OWASP ZAP as a reporting tool&lt;br /&gt;
*Generate reports from the application using the BIRT report engine API.&lt;br /&gt;
*Creation of prototype reports on the results of sessions &amp;amp; attacks, such as: Alerts, History, Search, etc.&lt;br /&gt;
*A new user interface for generating reports which is easy to use and provides the user with a wide range of options.&lt;br /&gt;
&lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Johanna Curiel'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP - SAML 2.0 Support===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
SAML 2.0 is an XML-based federated single sign-on (FSSO) protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is an identity provider, and a SAML consumer, that is a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO). SAML specifications support many ways, called profiles and bindings, to generate and transport assertions between trusted entities. The Web Browser SSO profile is of particular interest here since it enables web applications from two separate domains to leverage SSO easily by exchanging assertions via a web browser session.&lt;br /&gt;
&lt;br /&gt;
ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. This project will enhance those capabilities to be able to detect and fuzz various elements and attributes of a SAML Assertion.&lt;br /&gt;
&lt;br /&gt;
The scope of this project is limited to the following SAML bindings, profiles and protocols:&lt;br /&gt;
&lt;br /&gt;
Profiles :&lt;br /&gt;
* Web Browser SSO &lt;br /&gt;
&lt;br /&gt;
Bindings:&lt;br /&gt;
* HTTP POST&lt;br /&gt;
* HTTP Redirect &lt;br /&gt;
&lt;br /&gt;
Protocols:&lt;br /&gt;
* Authentication Request Protocol &lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
This component would enable ZAP to:&lt;br /&gt;
* Detect SAML Assertions in HTTP requests and responses&lt;br /&gt;
* Decode SAML Assertions&lt;br /&gt;
* Fuzz various entities and attributes within a SAML assertion&lt;br /&gt;
* Re-encode the assertion and send it forward &lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
Users would have a choice either to fuzz the attributes within an assertion or just to add/remove arbitrary attributes (to check for XML and SAML schema conformance).&lt;br /&gt;
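An added Python example (not ZAP code; ZAP's implementation would be in Java) of the detect, decode and re-encode steps for the two bindings in scope: the HTTP-Redirect binding carries the message DEFLATE-compressed and base64-encoded in the query string, while the HTTP-POST binding carries it base64-encoded in a form field. The sample Response, the idp.example.test and sp.example.test hosts and both requests are constructed here, and the same Response is sent over both bindings purely for brevity. The summary also records whether the assertion carries an XML Signature, which is the first thing a defender inspecting such traffic should check.&lt;br /&gt;
&lt;br /&gt;
```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def build_sample_response():
    """Constructed, unsigned SAML Response (not captured from any real IdP)."""
    resp = ET.Element("{%s}Response" % NS["samlp"], {"ID": "_r1", "Version": "2.0"})
    a = ET.SubElement(resp, "{%s}Assertion" % NS["saml"], {"ID": "_a1", "Version": "2.0"})
    ET.SubElement(a, "{%s}Issuer" % NS["saml"]).text = "https://idp.example.test"
    subject = ET.SubElement(a, "{%s}Subject" % NS["saml"])
    ET.SubElement(subject, "{%s}NameID" % NS["saml"]).text = "alice@example.test"
    stmt = ET.SubElement(a, "{%s}AttributeStatement" % NS["saml"])
    for name, value in (("email", "alice@example.test"), ("role", "user")):
        attr = ET.SubElement(stmt, "{%s}Attribute" % NS["saml"], {"Name": name})
        ET.SubElement(attr, "{%s}AttributeValue" % NS["saml"]).text = value
    return ET.tostring(resp, encoding="unicode")


def encode_post(xml_text):
    """HTTP-POST binding: plain base64 of the XML."""
    return base64.b64encode(xml_text.encode()).decode()


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (URL-encoding is urlencode's job)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_saml_param(value):
    """Undo either binding. 0x3C is the character that opens an XML tag: if the decoded
    base64 already starts with it this was the POST binding, otherwise inflate it."""
    raw = base64.b64decode(value)
    if raw.lstrip()[:1] == b"\x3c":
        return raw.decode()
    return zlib.decompress(raw, -15).decode()


def summarize_assertion(xml_text):
    """Pull out the fields a reviewer looks at first, including whether it is signed."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attrs,
        "signed": assertion.find("ds:Signature", NS) is not None,
    }


def detect_saml(request):
    """Return [(parameter, decoded XML)] for every SAMLRequest/SAMLResponse the request
    carries, from the query string (Redirect binding) or a form body (POST binding)."""
    sources = [parse_qs(urlsplit(request["url"]).query)]
    ctype = request.get("headers", {}).get("Content-Type", "")
    if request["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        sources.append(parse_qs(request.get("body", "")))
    found = []
    for params in sources:
        for name in ("SAMLRequest", "SAMLResponse"):
            for value in params.get(name, []):
                found.append((name, decode_saml_param(value)))
    return found


def constructed_requests():
    """The sample Response as a POST-binding request and as a Redirect-binding request."""
    xml_text = build_sample_response()
    post = {"method": "POST", "url": "https://sp.example.test/acs",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"SAMLResponse": encode_post(xml_text), "RelayState": "/home"})}
    redirect = {"method": "GET", "headers": {},
                "url": "https://sp.example.test/acs?" + urlencode({"SAMLResponse": encode_redirect(xml_text)})}
    return xml_text, post, redirect
```
&lt;br /&gt;
Re-encoding is the same two functions run in reverse order of the decode, so a modified assertion can be put back on the wire in whichever binding it arrived; an unsigned assertion, or one whose attributes can be changed without the signature breaking, is the finding such tooling exists to surface.&lt;br /&gt;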
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and SAML 2.0 Protocol. Some knowledge of application security would be useful, but not essential. Understanding of SSO and Federated SSO is preferred.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Prasad N. Shenoy'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP: SOCKS support===&lt;br /&gt;
&lt;br /&gt;
This project is to extend ZAP to act as an intercepting proxy for SOCKS 4 and 5.&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
Suggested phases include:&lt;br /&gt;
&lt;br /&gt;
* Identifying suitable Java SOCKS libraries&lt;br /&gt;
* Evaluating the SOCKS support other security tools provide (e.g. Mallory and Burp)&lt;br /&gt;
* Enhance ZAP to provide an option to use SOCKS for all outgoing connections&lt;br /&gt;
* Enhance ZAP to act as an invisible SOCKS proxy&lt;br /&gt;
* Display the SOCKS data in ZAP&lt;br /&gt;
* Support searching of SOCKS data&lt;br /&gt;
* Support breaking and changing the data manually&lt;br /&gt;
* Support fuzzing SOCKS data&lt;br /&gt;
* Support SOCKS authentication &lt;br /&gt;
&lt;br /&gt;
The ZAP WebSockets addon should be used as an indication of how this could be achieved both technically and visually, but should not limit the implementation.&lt;br /&gt;
&lt;br /&gt;
Each phase should be tested against third-party tools which use SOCKS and include stand-alone unit tests. &lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
ZAP will be able to act as a SOCKS proxy, displaying the data sent and allowing it to be intercepted and changed. &lt;br /&gt;
&lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP Security Research and Development Framework ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
This is a free, open source development framework created to support writing security tools and malware analysis tools, and to turn security research and ideas from theoretical approaches into practical implementations. &lt;br /&gt;
&lt;br /&gt;
This development framework was created mainly to support the malware field, making it easy to create malware analysis tools and anti-virus tools without reinventing the wheel, and to inspire innovative minds to write their research in this field and implement it using SRDF. &lt;br /&gt;
&lt;br /&gt;
Targeted Applications:&lt;br /&gt;
&lt;br /&gt;
* Packet Analysis Tools (Personal Firewalls, HIDS/HIPS, WAF, Network Analysis, Network Capture)&lt;br /&gt;
* Malware Analysis Tools (Static, Dynamic, Behavioral)&lt;br /&gt;
* Antivirus and Virus Removal Tools (Signature-based, Behavioral-based)&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
 &lt;br /&gt;
* Implement XRAY Tool, Recursive Disassembler Tool (based on our disassembler)&lt;br /&gt;
* Improve Pokas Emulator and its disassembler engine&lt;br /&gt;
* Improve The Kernel-Mode Part and more beta-testing&lt;br /&gt;
* Integrate SRDF in python using SWIG&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
We need a variety of skills in different languages and platforms. We need good knowledge of C++ on Windows. We need a Python developer for integrating SRDF with Python. We need C++ developers with good knowledge of assembly (for work on the disassembling part) and C++ developers with knowledge of kernel mode (for kernel-mode improvement and beta-testing).&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Amr Thabet - OWASP Security Research and Development Framework Project Leader'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP ModSecurity CRS - Create &amp;quot;Sniffer-Mode&amp;quot; ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:''' &lt;br /&gt;
&lt;br /&gt;
The ModSecurity code includes a &amp;quot;standalone&amp;quot; version that wraps a lightweight Apache/APR around the ModSecurity code. This is used as the basis for the ports to the IIS/Nginx web server platforms. The goal for this project task is to extend this standalone version so that it can accept a feed of network traffic (e.g. libpcap data) as input and apply the ModSecurity CRS rules. One possible solution would be to create a ModSecurity &amp;quot;plugin&amp;quot; for the Snort IDS.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
This new sniffer mode would allow organizations to run ModSecurity/OWASP ModSecurity CRS in an out-of-line mode, as they do IDS systems.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP ModSecurity CRS - Port to Java ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:''' &lt;br /&gt;
&lt;br /&gt;
The goal is to have a ModSecurity version that can be used within Java servers (e.g. Tomcat).  There may be methods to use JNI to call the standalone code from a filter in Tomcat.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
This new version would allow organizations to run ModSecurity/OWASP ModSecurity CRS in Java web servers.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP ModSecurity CRS - Implement libinjection Code ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-327&lt;br /&gt;
&lt;br /&gt;
libinjection (https://github.com/client9/libinjection) is a C library that detects SQLi attacks in user input. It is designed to be embedded in existing or new applications:&lt;br /&gt;
&lt;br /&gt;
*Fast: &amp;gt; 100k inspections per second&lt;br /&gt;
*No memory allocation&lt;br /&gt;
*No threads&lt;br /&gt;
*Stable memory usage (approximately 500 bytes on stack)&lt;br /&gt;
*500 lines of C code (plus a few kilobytes of data)&lt;br /&gt;
&lt;br /&gt;
It is based on lexical analysis of SQL and SQLi attempts and does not use regular expressions.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
The new C code in ModSecurity will allow us to add new SQL Injection detection methods to the OWASP ModSecurity CRS.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP ModSecurity CRS - Implement DoS Prevention Code ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-265&lt;br /&gt;
&lt;br /&gt;
Implement a request velocity learning engine to identify dynamic DoS thresholds for both the site and for the particular URL.&lt;br /&gt;
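As an added illustration (Python rather than the C that would go into ModSecurity, and not ModSecurity code), here is a minimal request-velocity learner of the kind described: it counts requests per fixed window for the site and for each URL, learns a per-key threshold from the windows it has already seen, and alerts once a window's running count exceeds that threshold. The traffic log, the shop.example.test host and all tuning constants are constructed for the illustration.&lt;br /&gt;
&lt;br /&gt;
```python
import math
from collections import defaultdict


class VelocityLearner:
    """Learns per-key request rates (key = site, or site+URL) and alerts on bursts."""

    def __init__(self, window=60, min_windows=3, sigma=3.0, headroom=1.25, floor=10):
        self.window = window              # seconds per counting window
        self.min_windows = min_windows    # windows to observe before enforcing a key
        self.sigma = sigma                # standard deviations of slack above the mean
        self.headroom = headroom          # multiplier so zero-variance keys get slack too
        self.floor = floor                # never alert below this many requests per window
        self.history = defaultdict(list)  # key -> counts of completed windows
        self.current = {}                 # key -> (window start, running count)

    def threshold(self, key):
        counts = self.history[key]
        if self.min_windows > len(counts):
            return None                   # still learning this key
        mean = sum(counts) / len(counts)
        var = sum((c - mean) ** 2 for c in counts) / len(counts)
        return max(self.floor, self.headroom * (mean + self.sigma * math.sqrt(var)))

    def observe(self, ts, site, url):
        """Feed one request (timestamps non-decreasing); returns [(key, count, limit)]."""
        alerts = []
        bucket = ts - (ts % self.window)
        for key in (site, site + url):
            start, count = self.current.get(key, (bucket, 0))
            if bucket != start:
                # the previous window closed: record it, plus zeros for any idle windows
                self.history[key].append(count)
                idle = int((bucket - start) // self.window) - 1
                self.history[key].extend([0] * idle)
                start, count = bucket, 0
            count += 1
            self.current[key] = (start, count)
            limit = self.threshold(key)
            if limit is not None and count > limit:
                alerts.append((key, count, limit))
        return alerts


def constructed_traffic():
    """Constructed log: five quiet minutes (20 logins, 10 searches each), then a burst."""
    site = "shop.example.test"
    events = []
    for minute in range(5):
        base = minute * 60
        events += [(base + i * 3, site, "/login") for i in range(20)]
        events += [(base + i * 6, site, "/search") for i in range(10)]
    events += [(300 + (i * 60) // 200, site, "/login") for i in range(200)]
    events.sort()
    return events


def run_demo():
    """Number of alerts raised per key over the constructed log."""
    learner = VelocityLearner()
    fired = defaultdict(int)
    for ts, site, url in constructed_traffic():
        for key, count, limit in learner.observe(ts, site, url):
            fired[key] += 1
    return dict(fired)
```
&lt;br /&gt;
The site-wide key learns 30 requests per minute and therefore tolerates up to 37.5 before alerting, while the /login key learns 20 and alerts above 25; a production engine would additionally exclude windows in which it alerted from the learning history, otherwise a sustained flood teaches the engine that the flood is normal.&lt;br /&gt;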
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
The new C code in ModSecurity will allow us to add new DoS Protection methods to the OWASP ModSecurity CRS.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP ModSecurity CRS - Create a Positive Learning/Profile Engine ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-193&lt;br /&gt;
&lt;br /&gt;
ModSecurity needs a profiling engine that implements the various AppSensor Detection Points - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
The new engine will implement more detection points to detect abnormal request attributes.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP ModSecurity CRS - Create an Engine to Detect Application Flow Anomalies ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
An engine is needed that can track normal application flow paths (click-flows) for business logic transactions, such as transferring money between accounts. After profiling normal application path flows, we want to be able to alert on anomalies. This type of logic can help to prevent Banking Trojan attacks.&lt;br /&gt;
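An added Python sketch (not ModSecurity code, which would be C) of the profile-then-alert approach: normal click-flows are learned as a multiset of observed page-to-page transitions, and a session is flagged for every transition that was never, or too rarely, seen during profiling. A flow that jumps straight to the confirmation step of a transfer without passing through the review page stands out exactly this way. The training sessions and page paths are constructed for the illustration.&lt;br /&gt;
&lt;br /&gt;
```python
from collections import Counter

START, END = "(session start)", "(session end)"


class FlowProfiler:
    """First-order model of normal navigation: which page follows which."""

    def __init__(self, min_support=2):
        self.min_support = min_support    # a transition seen fewer times than this is anomalous
        self.transitions = Counter()      # (from_page, to_page) -> times seen while profiling

    def learn(self, sessions):
        """Profile normal traffic: each session is an ordered list of pages visited."""
        for steps in sessions:
            path = [START] + list(steps) + [END]
            for a, b in zip(path, path[1:]):
                self.transitions[(a, b)] += 1

    def anomalies(self, steps):
        """Transitions in this session that the profile does not support."""
        path = [START] + list(steps) + [END]
        return [(a, b) for a, b in zip(path, path[1:])
                if self.min_support > self.transitions[(a, b)]]

    def score(self, steps):
        """Fraction of the session's transitions that are anomalous (0.0 = entirely normal)."""
        return len(self.anomalies(steps)) / (len(steps) + 1)


def constructed_profile():
    """Profiler trained on constructed normal sessions of a fictional banking site."""
    transfer = ["/login", "/accounts", "/transfer/new", "/transfer/review",
                "/transfer/confirm", "/accounts"]
    browse = ["/login", "/accounts", "/statements", "/accounts", "/logout"]
    profiler = FlowProfiler()
    profiler.learn([transfer] * 5 + [browse] * 3)
    return profiler
```
&lt;br /&gt;
The session that skips /transfer/review produces a single anomalous transition, while a session consisting only of /transfer/confirm (the shape of an automated injection into an existing browser session) is anomalous from its first to its last step; min_support keeps one-off legitimate paths seen once during profiling from becoming the baseline.&lt;br /&gt;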
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
The engine will be able to alert on anomalous application flows.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Stateful Browser with configurable authentication ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
The automated functionality of OWASP OWTF is currently limited to the non-authenticated portion of a website. We would like to implement authentication support through:&lt;br /&gt;
&lt;br /&gt;
1) OWTF parameters&lt;br /&gt;
&lt;br /&gt;
2) Configuration files&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
What we would like to do here is to leverage the [http://wwwsearch.sourceforge.net/mechanize/ powerful mechanize python library] and build at least support for the following authentication options:&lt;br /&gt;
* Basic authentication - As requested here: [https://github.com/7a/owtf/issues/9 https://github.com/7a/owtf/issues/9].&lt;br /&gt;
* Cookie based authentication&lt;br /&gt;
* Form-based authentication&lt;br /&gt;
&lt;br /&gt;
Additionally, we would welcome a feature to detect when the user has been logged off, so that OWTF logs back in again before retrying the next request. &amp;lt;-- The proxy is probably a better place to implement this since external tools would also benefit from it. This feature will have to be coordinated with the MiTM proxy project below.&lt;br /&gt;
&lt;br /&gt;
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintainable.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* High performance&lt;br /&gt;
* Reliability&lt;br /&gt;
* Ease of use&lt;br /&gt;
* Test cases&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python. Experience with the mechanize library or HTTP state is very welcome but not strictly necessary; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Inbound Proxy with MiTM and caching capabilities ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
At the moment one of the most seriously lacking features of OWASP OWTF is the inbound proxy. Desired features here include:&lt;br /&gt;
* Proxy mode: Ability to start OWTF in &amp;quot;proxy mode&amp;quot; so that a human can review a site manually while taking advantage of all the OWTF grep plugins, without launching any tools.&lt;br /&gt;
* Proxy cache: At present, OWTF runs external tools to save a human pentester time; the proxy cache would make OWTF smart enough to have external tools use the OWTF proxy and then avoid sending identical requests to the site (i.e. if 30 tools run by OWTF try to request X, OWTF will make only 1 request and not 30). OWTF should obviously also be smart enough to use its own cache :). The cache should be smart enough to detect lack of disk space and crashing :).&lt;br /&gt;
* Proxy throttling: We would like the proxy to auto-adjust its speed to the speed of the target (i.e. based on how much slower response times are getting) in a configurable fashion&lt;br /&gt;
* Proxy retry: We would like to have the ability to retry failed requests in an automated fashion for a configurable number of times &lt;br /&gt;
* Proxy MiTM: Proxy man-in-the-middle capabilities are a must for any web app security tool. We need the ability to create a fake certificate on the fly to intercept and analyse communications going to and from an &amp;quot;https&amp;quot; site.&lt;br /&gt;
* HTTP transaction storage: The whole point here is, of course, to store the HTTP transactions in the same way &lt;br /&gt;
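An added Python example (not OWTF code) of the proxy-cache idea from the list above: probes are keyed on method, canonicalised URL and body, a repeated probe is answered from the cache so the target sees it once, and a byte budget stands in for the disk-space check so that a full cache evicts its oldest entries instead of crashing. The upstream stub, the target.example.test host and the budget sizes are constructed for the illustration.&lt;br /&gt;
&lt;br /&gt;
```python
import hashlib
from collections import OrderedDict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class ProbeCache:
    """Answers repeated probes from memory so a target sees each distinct request once."""

    def __init__(self, max_bytes=1_000_000):
        self.max_bytes = max_bytes       # storage budget standing in for free disk space
        self.used = 0
        self.entries = OrderedDict()     # key -> cached response, least recently used first
        self.hits = 0
        self.misses = 0

    @staticmethod
    def key(method, url, body=""):
        """Canonical key: scheme/host lower-cased, query parameters sorted, fragment dropped."""
        parts = urlsplit(url)
        query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
        canonical = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, query, ""))
        digest = hashlib.sha256()
        for piece in (method.upper(), canonical, body):
            digest.update(piece.encode())
            digest.update(b"\x00")       # separator so (a, bc) and (ab, c) cannot collide
        return digest.hexdigest()

    def fetch(self, method, url, body, send):
        """Return the response for the probe, calling send(method, url, body) at most once."""
        k = self.key(method, url, body)
        if k in self.entries:
            self.hits += 1
            self.entries.move_to_end(k)
            return self.entries[k]
        self.misses += 1
        response = send(method, url, body)
        self._store(k, response)
        return response

    def _store(self, k, response):
        size = len(response)
        if size > self.max_bytes:
            return                       # cannot fit at all: pass through uncached, never crash
        while self.used + size > self.max_bytes and self.entries:
            _, evicted = self.entries.popitem(last=False)   # drop the least recently used
            self.used -= len(evicted)
        self.entries[k] = response
        self.used += size


def simulate_tools(n_tools=30):
    """Constructed run: n_tools tools probe the same URL, half with the query reordered."""
    upstream = []

    def send(method, url, body):
        upstream.append(url)
        return "200 OK for " + url

    cache = ProbeCache()
    base = "https://target.example.test/search?"
    for i in range(n_tools):
        params = [("q", "probe"), ("page", "1")] if i % 2 == 0 else [("page", "1"), ("q", "probe")]
        cache.fetch("GET", base + urlencode(params), "", send)
    return len(upstream), cache.hits, cache.misses
```
&lt;br /&gt;
Only idempotent probes belong in such a cache; state-changing requests, and responses that vary per session, have to bypass it, and the cache key would then need to include the session identity as well.&lt;br /&gt;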
&lt;br /&gt;
Potential Python libraries and references that could help here are: &lt;br /&gt;
* http://twistedmatrix.com/documents/10.0.0/api/twisted.web.proxy.Proxy.html&lt;br /&gt;
* https://github.com/moxie0/sslstrip&lt;br /&gt;
* https://github.com/7a/owtf/tree/master/framework/http &amp;lt;-- Current WIP OWTF state in this regard&lt;br /&gt;
&lt;br /&gt;
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintainable.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* Increased overall performance: each probe should be sent only once, even if several tools try to send the same HTTP request multiple times.&lt;br /&gt;
* Additional HTTP transactions logged for analysis&lt;br /&gt;
* Test cases&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python. Previous exposure to Twisted Proxy or other Python HTTP proxies will be very welcome here; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Reporting ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
A common complaint about OWASP OWTF so far has been that the report is not very shiny. The intention here is to:&lt;br /&gt;
* Move as much of the HTML as possible away from Python files into template files: this will facilitate web designers' work in the future.&lt;br /&gt;
* Apply some nice web design to the report so that it is nicer and more comfortable to work with: clean up the HTML, CSS, etc.&lt;br /&gt;
* Identify and fix areas of improvement in the click flow: for example, try to reduce the distance the mouse has to move.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* The first reaction when an OWASP OWTF user opens the report is now &amp;quot;wow&amp;quot;&lt;br /&gt;
* The report is reliable and easy to work with, even when more than 30 URLs have been assessed (i.e. a lot of data in the report does not crash or slow down the browser)&lt;br /&gt;
* The improved design is lightweight and keeps the browser responsive at all times&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
HTML, JavaScript, CSS and a bit of Python. Web Designer background or experience would be beneficial for this.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Multiprocessing ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
OWASP OWTF can be quite slow when scanning multiple URLs simultaneously because it does not scan several hosts in parallel. We would like to use the multiprocessing Python library instead of the threading one to take full advantage of multi-core processors without the global interpreter lock (GIL) issues associated with the threading library :)&lt;br /&gt;
* We would like to scan several websites in parallel when they are on different IPs&lt;br /&gt;
* We would like to monitor the host machine's resources before spawning new processes, to avoid crashing it :)&lt;br /&gt;
* We would like to run plugins in parallel as much as possible but without compromising integrity: using file locks where appropriate and so on&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* Reliability&lt;br /&gt;
* Test cases&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python. Multiprocessing experience would be beneficial for this; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - SQL database ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
OWASP OWTF scans may take a large amount of disk space because information is saved in text files. We would like to add an option to use a SQL database, probably using the sqlalchemy Python library.&lt;br /&gt;
* Keep the current text file format as an option&lt;br /&gt;
* Add a database storage option using the sqlalchemy library &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* Reliability: both with the SQL database option and with the text file option.&lt;br /&gt;
* Test cases&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python; sqlalchemy experience would be beneficial for this&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Unit Test Framework ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to create a unit testing framework so that creating OWASP OWTF unit tests is as simple as possible. The goal of this project is to create the Unit Test Framework and as many unit tests as possible to verify OWASP OWTF functionality.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* Performant and automated regression testing&lt;br /&gt;
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python; experience with unit tests and automated regression testing would be beneficial. Some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP OWTF - Python version upgrade and compatibility ===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
Right now OWASP OWTF works on Python 2.6.5-2.7.3 (it might work on surrounding versions too). The aim of this project would be to change the existing codebase so that it additionally works on newer Python versions, for example Python 3.3.&lt;br /&gt;
The intention here is to take advantage of improvements in newer Python versions when available while letting OWASP OWTF work on older Python versions too (i.e. 2.6.5) if that is the only option available.&lt;br /&gt;
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintainable due to compatibility concerns.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* Performant and reliable OWASP OWTF execution on multiple Python versions, in particular the latest Python version (i.e. 3.3.x) as well as the previous 2.6.5-2.7.3 range.&lt;br /&gt;
* Test cases&lt;br /&gt;
* Good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
Python; experience with Python version upgrades and version compatibility implementations would be beneficial. Some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.&lt;br /&gt;
New challenges need to be created in order to cover a broader set of vulnerabilities.&lt;br /&gt;
Also, existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.&lt;br /&gt;
&lt;br /&gt;
Ideas on the project:&lt;br /&gt;
&lt;br /&gt;
* Simulated simple buffer overflows&lt;br /&gt;
* SQL injections&lt;br /&gt;
* Man in the middle simulation&lt;br /&gt;
* Bypassing regular expression filtering&lt;br /&gt;
* Your idea here&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
New cool challenges&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities. &lt;br /&gt;
&lt;br /&gt;
'''Note:'''&lt;br /&gt;
The ideas on each proposed project are examples. It would be good if you undertook any of these, but we equally value creativity and we are always looking for awesome new features to add to the project, so if you have an idea don't be shy, contact us. :-)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - Source Code testing environment ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the attacker the capability to review a vulnerable piece of source code, make corrections and see the result in a realistic (yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, and testing submitted solutions and grading them automatically. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities. &lt;br /&gt;
&lt;br /&gt;
'''Note:'''&lt;br /&gt;
The ideas on each proposed project are examples. It would be good if you undertook any of these, but we equally value creativity and we are always looking for awesome new features to add to the project, so if you have an idea don't be shy, contact us. :-)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader&lt;br /&gt;
&lt;br /&gt;
=== OWASP Hackademic Challenges - CMS improvements ===&lt;br /&gt;
&lt;br /&gt;
'''Brief Explanation:'''&lt;br /&gt;
&lt;br /&gt;
The new CMS was created during last year's GSoC. We have received feedback from users that suggests various improvements regarding functionality, e.g. better user, teacher and challenge management. There are also some security improvements that are needed, and in general any functionality that adds to the educational nature of the project is more than welcome.&lt;br /&gt;
&lt;br /&gt;
Ideas on this project:&lt;br /&gt;
&lt;br /&gt;
* '''Plugin api and plugin actions interface'''&lt;br /&gt;
&lt;br /&gt;
An easy way for users to code their own plugins which will modify the appearance of hackademic or add to the functionality.&lt;br /&gt;
&lt;br /&gt;
* '''Ability to show different articles on the user's home screen''' &lt;br /&gt;
&lt;br /&gt;
Currently each user is served the latest article on his/her home screen. We need the ability for the teacher/admin to define which article each class is served.&lt;br /&gt;
&lt;br /&gt;
* '''Ability to define series of challenges'''&lt;br /&gt;
&lt;br /&gt;
The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.&lt;br /&gt;
&lt;br /&gt;
* '''Tagging of articles, users, challenges'''&lt;br /&gt;
&lt;br /&gt;
A user should be able to put tags on articles and challenges if he/she is a student, and on users, classes, articles and challenges if he/she is a teacher.&lt;br /&gt;
The user should also be able to search by tag.&lt;br /&gt;
&lt;br /&gt;
* '''Your idea here''' &lt;br /&gt;
&lt;br /&gt;
We welcome new ideas to make the project look awesome.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:'''&lt;br /&gt;
&lt;br /&gt;
New features and security improvements on the CMS part of the project.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:'''&lt;br /&gt;
&lt;br /&gt;
Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements. &lt;br /&gt;
&lt;br /&gt;
'''Note:'''&lt;br /&gt;
The ideas on each proposed project are examples. It would be good if you undertook any of these, but we equally value creativity and we are always looking for awesome new features to add to the project, so if you have an idea don't be shy, contact us. :-)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=GSoC2013_Ideas&amp;diff=148173</id>
		<title>GSoC2013 Ideas</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=GSoC2013_Ideas&amp;diff=148173"/>
				<updated>2013-03-19T16:25:45Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* OWASP Project Requests */ OWASP RBAC Project&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==OWASP Project Requests==&lt;br /&gt;
===OWASP PHP Security Project===&lt;br /&gt;
&lt;br /&gt;
'''Description:'''&lt;br /&gt;
The OWASP PHP Security project plans to gather secure PHP libraries and provide a full-featured framework of libraries for secure web applications in PHP, both as separate decoupled libraries and as a whole secure web application framework. Many aspects of this project are already handled and are being added to OWASP.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' The result of this project is much better security among PHP applications. Most PHP applications are vulnerable and there is no central approach to securing them (due to their open source nature). Many people look to OWASP for such information.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' Anyone with adequate PHP programming experience (possibly web application development in PHP). There are hard and easy parts to this project. For the tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
===OWASP RBAC Project===&lt;br /&gt;
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''. &lt;br /&gt;
&lt;br /&gt;
RBAC stands for Role Based Access Control and is the de facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. The NIST RBAC standard has four levels; the second level, hierarchical RBAC, is the target of this project.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other simple access control methods, which leads to broken and unmaintainable access control over time.&lt;br /&gt;
&lt;br /&gt;
OWASP provides the RBAC project as a stand-alone library with very fast access control checks and a standard, mature code base. Currently [[PHPRBAC]], the PHP version of the RBAC project, is released.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, especially web-oriented ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
'''Skill Level:''' Advanced&lt;br /&gt;
&lt;br /&gt;
For more info, visit [http://phprbac.net phprbac.net]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP: Dynamically Configurable actions===&lt;br /&gt;
&lt;br /&gt;
ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.&lt;br /&gt;
&lt;br /&gt;
It also supports a scripting interface, which is very powerful but at the moment difficult to use.&lt;br /&gt;
&lt;br /&gt;
This project would introduce something in between these two options: a powerful way of defining (potentially) complex rules using a wizard-based interface.&lt;br /&gt;
&lt;br /&gt;
The challenge will be to make it as usable as possible while still providing a wide range of functionality.&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
This component would provide a set of highly configurable 'actions' which the user would set up via a wizard.&lt;br /&gt;
&lt;br /&gt;
They would initially define when the action applies, based on things like regex matching on request elements, and they should be able to define multiple criteria combined with ANDs and ORs.&lt;br /&gt;
&lt;br /&gt;
Then they would define the actions, which could include:&lt;br /&gt;
&lt;br /&gt;
* Changing the request (adding, removing or replacing strings)&lt;br /&gt;
* Raising alerts&lt;br /&gt;
* Breaking (to replace existing break points)&lt;br /&gt;
* Running custom scripts (which could do pretty much anything) &lt;br /&gt;
&lt;br /&gt;
They would then be able to switch the actions on and off from the full list of defined actions using checkboxes.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* A new ZAP add-on providing the above functionality&lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP: Enhanced HTTP Session Handling===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
ZAP can currently manage multiple sessions. This development would allow ZAP to better handle HTTP sessions and provide different views of a given target depending on the different user permissions that the targeted site supports.&lt;br /&gt;
&lt;br /&gt;
This implementation should provide a set of methods to answer questions such as: (1) what nodes (pages) are available to one group of users and not to other groups of users; (2) what nodes are available to different users but contain significant differences in the HTTP headers and/or in the body content.&lt;br /&gt;
&lt;br /&gt;
This will allow ZAP to be used to detect access control issues which would otherwise require manual testing.&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* ZAP will have an understanding of both users and roles and be able to associate them with HTTP sessions.&lt;br /&gt;
* The user will be able to associate credentials with different roles allowing ZAP to automatically authenticate as any user / role.&lt;br /&gt;
* ZAP will be able to spider an application using a given user/role.&lt;br /&gt;
* ZAP will be able to report the differences between different HTTP sessions.&lt;br /&gt;
* ZAP will be able to show different views of the site in the site's tree tab with the pages visible for each session.&lt;br /&gt;
* ZAP will be able to attack one session based on the URLs accessed in another session and report which appear to work. &lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
Users will be able to:&lt;br /&gt;
* specify exactly which alerts are included, by context, site or on an individual alert basis&lt;br /&gt;
* specify what information is included and how it is laid out&lt;br /&gt;
* specify a range of output formats, at least including HTML and PDF&lt;br /&gt;
* include details of what testing has been performed (automatically generated where possible)&lt;br /&gt;
* apply their own branding&lt;br /&gt;
* save report templates, and apply templates downloaded from the ZAP marketplace &lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and the HTTP protocol specification. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Guifre Ruiz - OWASP ZAP Dev Team'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP: Advanced reporting===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
The reports that ZAP generates are in a fixed format which is not particularly useful or attractive. This development would provide the user with a fine grained control over the contents, layout and branding of the reports.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
A new user interface for generating reports which is easy to use and provides the user with a wide range of options.&lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP - SAML 2.0 Support===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
SAML 2.0 is an XML-based federated single sign-on (FSSO) protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is an identity provider, and a SAML consumer, that is a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO). SAML specifications support many ways, called profiles and bindings, to generate and transport assertions between trusted entities. The Web Browser SSO profile is of particular interest here since it enables web applications from two separate domains to leverage SSO easily by exchanging assertions via a web browser session.&lt;br /&gt;
&lt;br /&gt;
ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. This project will enhance those capabilities to be able to detect and fuzz various elements and attributes of a SAML Assertion.&lt;br /&gt;
&lt;br /&gt;
The scope of this project is limited to the following SAML bindings, profiles and protocols:&lt;br /&gt;
&lt;br /&gt;
Profiles :&lt;br /&gt;
* Web Browser SSO &lt;br /&gt;
&lt;br /&gt;
Bindings:&lt;br /&gt;
* HTTP POST&lt;br /&gt;
* HTTP Redirect &lt;br /&gt;
&lt;br /&gt;
Protocols:&lt;br /&gt;
* Authentication Request Protocol &lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
This component would enable ZAP to:&lt;br /&gt;
* Detect SAML Assertions in HTTP requests and responses&lt;br /&gt;
* Decode SAML Assertions&lt;br /&gt;
* Fuzz various entities and attributes within a SAML assertion&lt;br /&gt;
* Re-encode the assertion and send it forward &lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
Users would have a choice either to fuzz the attributes within an assertion or just to add/remove arbitrary attributes (to check for XML and SAML schema conformance).&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and SAML 2.0 Protocol. Some knowledge of application security would be useful, but not essential. Understanding of SSO and Federated SSO is preferred.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Prasad N. Shenoy'''&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=GSoC2013_Ideas&amp;diff=148169</id>
		<title>GSoC2013 Ideas</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=GSoC2013_Ideas&amp;diff=148169"/>
				<updated>2013-03-19T16:15:59Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* OWASP Project Requests */ fixed zap project titles&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Guidelines==&lt;br /&gt;
===Information for Students===&lt;br /&gt;
The ideas below were contributed by OWASP project leaders and users. They are sometimes vague or incomplete. If you wish to submit a proposal based on these ideas, you may wish to contact the corresponding project leaders and find out more about the particular suggestion you're looking at.&lt;br /&gt;
Being accepted as a Google Summer of Code student is quite competitive. Accepted students typically have thoroughly researched the technologies of their proposed project and have been in frequent contact with potential mentors. Simply copying and pasting an idea here will not work. On the other hand, creating a completely new idea without first consulting potential mentors is unlikely to work out.&lt;br /&gt;
&lt;br /&gt;
How to find ideas? Obvious sources of projects are the OWASP project wiki, bugs database, and project mailing lists.&lt;br /&gt;
&lt;br /&gt;
=== Generic Sample Proposal===&lt;br /&gt;
&lt;br /&gt;
'''Accepted for GSoC 2011'''&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
KDE has developed a number of very interesting and powerful technologies, libraries and components but there is no easy way to show them to other people.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
Something like Qt Demo but with KDE technologies.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C++ is the main language of KDE, therefore the demo should be in C++. The more you know about C++, Qt, KDE and scripting (for Kross and KDE bindings demos), the better.&lt;br /&gt;
This idea encompasses so much different stuff the student is not expected to know everything before he starts coding (but will certainly know a lot when he's done!).&lt;br /&gt;
&lt;br /&gt;
'''Skill level:''' medium&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' Pau Garcia i Quiles as general mentor and someone to ask for directions. Specific help for each technology will probably require help from its developers.&lt;br /&gt;
&lt;br /&gt;
==OWASP Project Requests==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP PHP Security Project===&lt;br /&gt;
&lt;br /&gt;
'''Description:'''&lt;br /&gt;
The OWASP PHP Security project plans to gather secure PHP libraries and provide a full-featured framework of libraries for secure web applications in PHP, both as separate decoupled libraries and as a whole secure web application framework. Many aspects of this project are already handled and are being added to OWASP.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results:''' The result of this project is much better security among PHP applications. Most PHP applications are vulnerable and there is no central approach to securing them (due to their open source nature). Many people look to OWASP for such information.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:''' Anyone with adequate PHP programming experience (possibly web application development in PHP). There are hard and easy parts to this project. For the tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required.&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP: Dynamically Configurable actions===&lt;br /&gt;
&lt;br /&gt;
ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.&lt;br /&gt;
&lt;br /&gt;
It also supports a scripting interface, which is very powerful but at the moment difficult to use.&lt;br /&gt;
&lt;br /&gt;
This project would introduce something in between these two options: a powerful way of defining (potentially) complex rules using a wizard-based interface.&lt;br /&gt;
&lt;br /&gt;
The challenge will be to make it as usable as possible while still providing a wide range of functionality.&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
This component would provide a set of highly configurable 'actions' which the user would set up via a wizard.&lt;br /&gt;
&lt;br /&gt;
They would initially define when the action applies, based on things like regex matching on request elements, and they should be able to define multiple criteria combined with ANDs and ORs.&lt;br /&gt;
&lt;br /&gt;
Then they would define the actions, which could include:&lt;br /&gt;
&lt;br /&gt;
* Changing the request (adding, removing or replacing strings)&lt;br /&gt;
* Raising alerts&lt;br /&gt;
* Breaking (to replace existing break points)&lt;br /&gt;
* Running custom scripts (which could do pretty much anything) &lt;br /&gt;
&lt;br /&gt;
They would then be able to switch the actions on and off from the full list of defined actions using checkboxes.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* A new ZAP add-on providing the above functionality&lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP: Enhanced HTTP Session Handling===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
ZAP can currently manage multiple sessions. This development would allow ZAP to better handle HTTP sessions and provide different views of a given target depending on the different user permissions that the targeted site supports.&lt;br /&gt;
&lt;br /&gt;
This implementation should provide a set of methods to answer questions such as: (1) what nodes (pages) are available to one group of users and not to other groups of users; (2) what nodes are available to different users but contain significant differences in the HTTP headers and/or in the body content.&lt;br /&gt;
&lt;br /&gt;
This will allow ZAP to be used to detect access control issues which would otherwise require manual testing.&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* ZAP will have an understanding of both users and roles and be able to associate them with HTTP sessions.&lt;br /&gt;
* The user will be able to associate credentials with different roles allowing ZAP to automatically authenticate as any user / role.&lt;br /&gt;
* ZAP will be able to spider an application using a given user/role.&lt;br /&gt;
* ZAP will be able to report the differences between different HTTP sessions.&lt;br /&gt;
* ZAP will be able to show different views of the site in the site's tree tab with the pages visible for each session.&lt;br /&gt;
* ZAP will be able to attack one session based on the URLs accessed in another session and report which appear to work. &lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
Users will be able to:&lt;br /&gt;
* specify exactly which alerts are included, by context, site or on an individual alert basis&lt;br /&gt;
* specify what information is included and how it is laid out&lt;br /&gt;
* specify a range of output formats, at least including HTML and PDF&lt;br /&gt;
* include details of what testing has been performed (automatically generated where possible)&lt;br /&gt;
* apply their own branding&lt;br /&gt;
* save report templates, and apply templates downloaded from the ZAP marketplace &lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and the HTTP protocol specification. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Guifre Ruiz - OWASP ZAP Dev Team'''&lt;br /&gt;
&lt;br /&gt;
===OWASP ZAP: Advanced reporting===&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
The reports that ZAP generates are in a fixed format which is not particularly useful or attractive. This development would provide the user with a fine grained control over the contents, layout and branding of the reports.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
A new user interface for generating reports which is easy to use and provides the user with a wide range of options.&lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=GSoC2013_Ideas&amp;diff=148168</id>
		<title>GSoC2013 Ideas</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=GSoC2013_Ideas&amp;diff=148168"/>
				<updated>2013-03-19T16:14:42Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: /* OWASP Project Requests */  added OWASP PHP Security Project&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Guidelines==&lt;br /&gt;
===Information for Students===&lt;br /&gt;
The ideas below were contributed by OWASP project leaders and users. They are sometimes vague or incomplete. If you wish to submit a proposal based on these ideas, you may wish to contact the corresponding project leaders and find out more about the particular suggestion you're looking at.&lt;br /&gt;
Being accepted as a Google Summer of Code student is quite competitive. Accepted students typically have thoroughly researched the technologies of their proposed project and have been in frequent contact with potential mentors. Simply copying and pasting an idea here will not work. On the other hand, creating a completely new idea without first consulting potential mentors is unlikely to work out.&lt;br /&gt;
&lt;br /&gt;
How to find ideas? Obvious sources of projects are the OWASP project wiki, bugs database, and project mailing lists.&lt;br /&gt;
&lt;br /&gt;
=== Generic Sample Proposal===&lt;br /&gt;
&lt;br /&gt;
'''Accepted for GSoC 2011'''&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
KDE has developed a number of very interesting and powerful technologies, libraries and components but there is no easy way to show them to other people.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
Something like Qt Demo but with KDE technologies.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
C++ is the main language of KDE, therefore the demo should be in C++. The more you know about C++, Qt, KDE and scripting (for Kross and KDE bindings demos), the better.&lt;br /&gt;
This idea encompasses so much different stuff the student is not expected to know everything before he starts coding (but will certainly know a lot when he's done!).&lt;br /&gt;
&lt;br /&gt;
'''Skill level:''' medium&lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' Pau Garcia i Quiles as general mentor and someone to ask for directions. Specific help for each technology will probably require help from its developers.&lt;br /&gt;
&lt;br /&gt;
==OWASP Project Requests==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP PHP Security Project===&lt;br /&gt;
&lt;br /&gt;
'''Description:'''&lt;br /&gt;
The OWASP PHP Security Project plans to gather secure PHP libraries and provide a full-featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled and are being added to OWASP.&lt;br /&gt;
&lt;br /&gt;
'''Expected Results: ''' The result of this project is much better security for PHP applications. Most PHP applications are vulnerable and there is no central approach to securing them (due to their open-source nature). Many people look to OWASP for such information.&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisites:''' Anyone with adequate PHP programming experience (possibly web application development in PHP). There are hard and easy parts to this project. For the tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required. &lt;br /&gt;
&lt;br /&gt;
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]&lt;br /&gt;
&lt;br /&gt;
'''Project: OWASP ZAP: Dynamically Configurable actions'''&lt;br /&gt;
&lt;br /&gt;
ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.&lt;br /&gt;
&lt;br /&gt;
It also supports a scripting interface, which is very powerful but at the moment difficult to use.&lt;br /&gt;
&lt;br /&gt;
This project would introduce something in between these 2 options - a powerful way of defining (potentially) complex rules using a wizard-based interface.&lt;br /&gt;
&lt;br /&gt;
The challenge will be to make it as usable as possible while still providing a wide range of functionality.&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
This component would provide a set of highly configurable 'actions' which the user would set up via a wizard.&lt;br /&gt;
&lt;br /&gt;
So they would initially define when the action applies, based on things like regex matching on request elements. And they should be able to define multiple criteria with ANDs and ORs.&lt;br /&gt;
&lt;br /&gt;
Then they would define the actions, which could include:&lt;br /&gt;
&lt;br /&gt;
* Changing the request (adding, removing or replacing strings)&lt;br /&gt;
* Raising alerts&lt;br /&gt;
* Breaking (to replace existing break points)&lt;br /&gt;
* Running custom scripts (which could do pretty much anything) &lt;br /&gt;
&lt;br /&gt;
They would then be able to switch the actions on and off from the full list of defined actions using checkboxes.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* A new ZAP add-on providing the above functionality&lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Project: OWASP ZAP: Enhanced HTTP Session Handling'''&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
ZAP can currently manage multiple sessions. This development would allow ZAP to better handle HTTP Sessions to provide different views of a given target depending on the different user's permissions that the targeted site supports.&lt;br /&gt;
&lt;br /&gt;
This implementation should provide a set of methods to answer questions such as: 1) What nodes (pages) are available to one group of users and not to other groups of users; 2) What nodes are available to different users but contain significant differences in the HTTP headers and/or in the body content.&lt;br /&gt;
&lt;br /&gt;
This will allow ZAP to be used to detect access control issues which would otherwise require manual testing.&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
* ZAP will have an understanding of both users and roles and be able to associate them with HTTP sessions.&lt;br /&gt;
* The user will be able to associate credentials with different roles allowing ZAP to automatically authenticate as any user / role.&lt;br /&gt;
* ZAP will be able to spider an application using a given user/role.&lt;br /&gt;
* ZAP will be able to report the differences between different HTTP sessions.&lt;br /&gt;
* ZAP will be able to show different views of the site in the site's tree tab with the pages visible for each session.&lt;br /&gt;
* ZAP will be able to attack one session based on the URLs accessed in another session and report which appear to work. &lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
Users will be able to:&lt;br /&gt;
* specify exactly which alerts are included, by context, site or on an individual alert basis&lt;br /&gt;
* specify what information is included and how it is laid out&lt;br /&gt;
* specify a range of output formats, at least including HTML and PDF&lt;br /&gt;
* include details of what testing has been performed (automatically generated where possible)&lt;br /&gt;
* apply their own branding&lt;br /&gt;
* save report templates, and apply templates downloaded from the ZAP marketplace &lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and the HTTP protocol specification. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Guifre Ruiz - OWASP ZAP Dev Team'''&lt;br /&gt;
&lt;br /&gt;
'''Project: OWASP ZAP: Advanced reporting'''&lt;br /&gt;
&lt;br /&gt;
'''Brief explanation:'''&lt;br /&gt;
&lt;br /&gt;
The reports that ZAP generates are in a fixed format which is not particularly useful or attractive. This development would provide the user with a fine grained control over the contents, layout and branding of the reports.&lt;br /&gt;
&lt;br /&gt;
'''Expected results:'''&lt;br /&gt;
&lt;br /&gt;
A new user interface for generating reports which is easy to use and provides the user with a wide range of options.&lt;br /&gt;
The code should be:&lt;br /&gt;
* Clean and easy to follow&lt;br /&gt;
* Include a full set of unit tests&lt;br /&gt;
* Include good documentation&lt;br /&gt;
&lt;br /&gt;
'''Knowledge Prerequisite:'''&lt;br /&gt;
&lt;br /&gt;
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.&lt;br /&gt;
&lt;br /&gt;
'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Iran&amp;diff=147953</id>
		<title>Iran</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Iran&amp;diff=147953"/>
				<updated>2013-03-15T18:30:31Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: fixed right to left on persian text&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Chapter Information =&lt;br /&gt;
{{Chapter Template|chaptername=Iran|extra=The chapter leader is [mailto:abbas.naderi@owasp.org Mr. Abbas Naderi].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-iran|emailarchives=http://lists.owasp.org/pipermail/owasp-iran}}&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
CAUTION: If you can not use the global OWASP donation/membership process, there's a separate process specific to Iranians. Check the [https://owasp.org/index.php/Iran#Membership Membership] tab.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Membership=&lt;br /&gt;
This section is in Persian. If you're an Iranian but can not read Persian, contact the chapter leader.&lt;br /&gt;
&amp;lt;div dir='rtl'&amp;gt;&lt;br /&gt;
The new OWASP membership process was approved after months of effort by the chapter leader.&lt;br /&gt;
In the new process, there are two types of membership:&lt;br /&gt;
&lt;br /&gt;
== Regular Membership ==&lt;br /&gt;
Since the sanctions against Iran have prohibited money transfers to and from Iran, and because of the rising free-market dollar rate, a special discount was obtained and the membership fee was reduced from the usual 50 dollars per year&lt;br /&gt;
to&lt;br /&gt;
'''only 20 dollars per year'''.&lt;br /&gt;
To pay the fee and become a member, you can hand the amount in dollars to the chapter leader and get a receipt, or hand the rial equivalent to the chapter leader so that the payment is made in dollars on your behalf.&lt;br /&gt;
For more information, contact the chapter leader.&lt;br /&gt;
&lt;br /&gt;
== Honorary Membership ==&lt;br /&gt;
Also, after negotiations, honorary membership has been made available. For honorary membership, you must contribute to the activities of the Iran chapter (or of the OWASP foundation as a whole),&lt;br /&gt;
and once your contributions reach an acceptable level, the chapter leader sends your membership request to the main committee and your honorary membership is approved.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Membership Benefits ==&lt;br /&gt;
By joining OWASP, your name is listed in the members list, you can take part in OWASP elections, you can take part in surveys that influence standards, you benefit from the latest security news and achievements,&lt;br /&gt;
you can attend most security conferences at a discount, and on top of all that&lt;br /&gt;
'''a dedicated @owasp.org email address'''&lt;br /&gt;
is assigned to you.&lt;br /&gt;
All memberships are annual.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
= Chapter News =&lt;br /&gt;
&lt;br /&gt;
==New Membership Process==&lt;br /&gt;
After months of exhaustive work, a new membership approach is available for Iranians. Check the membership tab.&lt;br /&gt;
&lt;br /&gt;
== Chapter Meeting ==&lt;br /&gt;
The next chapter meeting will be in the upcoming month. More information on the mailing list and here later.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Active Projects =&lt;br /&gt;
== OWASP ASVS Persian ==&lt;br /&gt;
A draft version of OWASP ASVS in Persian is available on the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project ASVS Download page] but needs review. Please contact chapter leadership to sign up.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Past Events =&lt;br /&gt;
'''the First National Web Application Security Conference'''&lt;br /&gt;
[http://wasc.ir WASC.ir]&lt;br /&gt;
April 2011, Shahid Beheshti University&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== 4th Intl. Digital Media Fair ===&lt;br /&gt;
Tehran, Great Mosalla of Imam Khomeini, '''October 7th-16th'''&lt;br /&gt;
Two workshops by Abbas Naderi (aka AbiusX):&lt;br /&gt;
* Common Web Security for People (including Social Engineering issues)&lt;br /&gt;
* Cryptography and Cryptanalysis&lt;br /&gt;
&lt;br /&gt;
Both are being held on October 9th.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== 3rd Intl. Digital Media Fair ===&lt;br /&gt;
Tehran, Great Mosalla of Imam Khomeini, '''October 01st-8th'''&lt;br /&gt;
&lt;br /&gt;
Third International Digital Media Fair, 8th to 15th, Imam Khomeini Mosalla&lt;br /&gt;
&lt;br /&gt;
Two security related presentations by '''Abbas Naderi (aka AbiusX)''':&lt;br /&gt;
* OWASP Top Ten in Persian for common web developers (2 Oct, 19-21 local time) ([http://abiusx.com/archive/presentation/OWASP_Top_10_Farsi.pptx download link])&lt;br /&gt;
* General Security and Privacy for the public (3 Oct, 19-21 local time) ([http://abiusx.com/archive/presentation/security-privacy2.pptx download link])&lt;br /&gt;
(PowerPoint and OpenOffice slides will be uploaded as soon as possible.)&lt;br /&gt;
* The 10 main risks in web applications - for web developers&lt;br /&gt;
* General security on the web, and protecting personal information, for the general public&lt;br /&gt;
&lt;br /&gt;
Attendance is free of charge.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Software security vulnerabilities and defense ===&lt;br /&gt;
Seminar presented at Yazd University by Hamid Kashfi (26 June 2008). ([http://strcpy.persiangig.com/Attacking_Software.ppt download link]) &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Resources =&lt;br /&gt;
== OWASP Top 10 Persian ==&lt;br /&gt;
(24/09/2009) The Persian translation of the OWASP Top 10 Project was published by &amp;quot;Mitra Moosavi&amp;quot; and &amp;quot;Anahita Taheri&amp;quot;. ([http://www.scribd.com/doc/20164417/OWASP-Top-10-2007-Persian download link])&lt;br /&gt;
&lt;br /&gt;
Please send any suggestions or corrections by email to the authors of this document.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Chapter]]&lt;br /&gt;
[[Category:Middle East]]&lt;br /&gt;
[[Category:Asia/Pacific/Middle East]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Iran&amp;diff=147952</id>
		<title>Iran</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Iran&amp;diff=147952"/>
				<updated>2013-03-15T18:23:25Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: added new membership approach (mostly in Persian)&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Chapter Information =&lt;br /&gt;
{{Chapter Template|chaptername=Iran|extra=The chapter leader is [mailto:abbas.naderi@owasp.org Mr. Abbas Naderi].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-iran|emailarchives=http://lists.owasp.org/pipermail/owasp-iran}}&lt;br /&gt;
 &lt;br /&gt;
&lt;br /&gt;
CAUTION: If you can not use the global OWASP donation/membership process, there's a separate process specific to Iranians. Check the [https://owasp.org/index.php/Iran#Membership Membership] tab.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=Membership=&lt;br /&gt;
This section is in Persian. If you're an Iranian but can not read Persian, contact the chapter leader.&lt;br /&gt;
&lt;br /&gt;
The new OWASP membership process was approved after months of effort by the chapter leader.&lt;br /&gt;
In the new process, there are two types of membership:&lt;br /&gt;
&lt;br /&gt;
== Regular (Paid) Membership ==&lt;br /&gt;
Since the sanctions against Iran have prohibited money transfers to and from Iran, and because of the rising free-market dollar rate, a special discount was obtained and the membership fee was reduced from the usual 50 dollars per year&lt;br /&gt;
to&lt;br /&gt;
'''only 20 dollars per year'''.&lt;br /&gt;
To pay the fee and become a member, you can hand the amount in dollars to the chapter leader and get a receipt, or hand the rial equivalent to the chapter leader so that the payment is made in dollars on your behalf.&lt;br /&gt;
For more information, contact the chapter leader.&lt;br /&gt;
&lt;br /&gt;
== Honorary (Contribution) Membership ==&lt;br /&gt;
Also, after negotiations, honorary membership has been made available. For honorary membership, you must contribute to the activities of the Iran chapter (or of the OWASP foundation as a whole),&lt;br /&gt;
and once your contributions reach an acceptable level, the chapter leader sends your membership request to the main committee and your honorary membership is approved.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Membership Benefits ==&lt;br /&gt;
By joining OWASP, your name is listed in the members list, you can take part in OWASP elections, you can take part in surveys that influence standards, you benefit from the latest security news and achievements,&lt;br /&gt;
you can attend most security conferences at a discount, and on top of all that&lt;br /&gt;
'''a dedicated @owasp.org email address'''&lt;br /&gt;
is assigned to you.&lt;br /&gt;
All memberships are annual.&lt;br /&gt;
&lt;br /&gt;
= Chapter News =&lt;br /&gt;
&lt;br /&gt;
==New Membership Process==&lt;br /&gt;
After months of exhaustive work, a new membership approach is available for Iranians. Check the membership tab.&lt;br /&gt;
&lt;br /&gt;
== Chapter Meeting ==&lt;br /&gt;
The next chapter meeting will be in the upcoming month. More information on the mailing list and here later.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Active Projects =&lt;br /&gt;
== OWASP ASVS Persian ==&lt;br /&gt;
A draft version of OWASP ASVS in Persian is available on the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project ASVS Download page] but needs review. Please contact chapter leadership to sign up.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Past Events =&lt;br /&gt;
'''the First National Web Application Security Conference'''&lt;br /&gt;
[http://wasc.ir WASC.ir]&lt;br /&gt;
April 2011, Shahid Beheshti University&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== 4th Intl. Digital Media Fair ===&lt;br /&gt;
Tehran, Great Mosalla of Imam Khomeini, '''October 7th-16th'''&lt;br /&gt;
Two workshops by Abbas Naderi (aka AbiusX):&lt;br /&gt;
* Common Web Security for People (including Social Engineering issues)&lt;br /&gt;
* Cryptography and Cryptanalysis&lt;br /&gt;
&lt;br /&gt;
Both are being held on October 9th.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== 3rd Intl. Digital Media Fair ===&lt;br /&gt;
Tehran, Great Mosalla of Imam Khomeini, '''October 01st-8th'''&lt;br /&gt;
&lt;br /&gt;
Third International Digital Media Fair, 8th to 15th, Imam Khomeini Mosalla&lt;br /&gt;
&lt;br /&gt;
Two security related presentations by '''Abbas Naderi (aka AbiusX)''':&lt;br /&gt;
* OWASP Top Ten in Persian for common web developers (2 Oct, 19-21 local time) ([http://abiusx.com/archive/presentation/OWASP_Top_10_Farsi.pptx download link])&lt;br /&gt;
* General Security and Privacy for the public (3 Oct, 19-21 local time) ([http://abiusx.com/archive/presentation/security-privacy2.pptx download link])&lt;br /&gt;
(PowerPoint and OpenOffice slides will be uploaded as soon as possible.)&lt;br /&gt;
* The 10 main risks in web applications - for web developers&lt;br /&gt;
* General security on the web, and protecting personal information, for the general public&lt;br /&gt;
&lt;br /&gt;
Attendance is free of charge.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Software security vulnerabilities and defense ===&lt;br /&gt;
Seminar presented at Yazd University by Hamid Kashfi (26 June 2008). ([http://strcpy.persiangig.com/Attacking_Software.ppt download link]) &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Resources =&lt;br /&gt;
== OWASP Top 10 Persian ==&lt;br /&gt;
(24/09/2009) The Persian translation of the OWASP Top 10 Project was published by &amp;quot;Mitra Moosavi&amp;quot; and &amp;quot;Anahita Taheri&amp;quot;. ([http://www.scribd.com/doc/20164417/OWASP-Top-10-2007-Persian download link])&lt;br /&gt;
&lt;br /&gt;
Please send any suggestions or corrections by email to the authors of this document.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Chapter]]&lt;br /&gt;
[[Category:Middle East]]&lt;br /&gt;
[[Category:Asia/Pacific/Middle East]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Projects/OWASP_PHPRBAC_Project/Releases/Current&amp;diff=147089</id>
		<title>Projects/OWASP PHPRBAC Project/Releases/Current</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Projects/OWASP_PHPRBAC_Project/Releases/Current&amp;diff=147089"/>
				<updated>2013-03-08T14:19:55Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: added version 1.0 release&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Template: &amp;lt;includeonly&amp;gt;{{{1}}}&amp;lt;/includeonly&amp;gt;&amp;lt;noinclude&amp;gt;Release About&amp;lt;/noinclude&amp;gt;&lt;br /&gt;
| project_name = OWASP PHPRBAC Project&lt;br /&gt;
| project_home_page = OWASP PHPRBAC Project&lt;br /&gt;
| release_name = Version 1.0&lt;br /&gt;
| release_date = 3 March 2013&lt;br /&gt;
&lt;br /&gt;
| release_description = Initial version with automated tests, works perfectly but no GUI template is available for maintenance.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| release_license = CC ShareAlike&lt;br /&gt;
| release_download_link = http://sourceforge.net/projects/phprbac/files/latest/download&lt;br /&gt;
&lt;br /&gt;
| leader_name1 = Abbas Naderi&lt;br /&gt;
| leader_email1 = abbas.naderi@owasp.org&lt;br /&gt;
| leader_username1 = Abbas Naderi&lt;br /&gt;
&lt;br /&gt;
| release_notes = Check [http://phprbac.net phprbac.net] for more info&lt;br /&gt;
}}&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_PHPRBAC_Project&amp;diff=146919</id>
		<title>OWASP PHPRBAC Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_PHPRBAC_Project&amp;diff=146919"/>
				<updated>2013-03-07T05:26:25Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: added link to website&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
Welcome to the PHP-RBAC OWASP page. PHP RBAC is an attempt to make software more secure by making the practice of role-based access control much easier and safer. You can visit the official PHPRBAC website, where tutorials and documentation are available, at [http://phprbac.net phprbac.net].&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
{{:Projects/OWASP_PHPRBAC_Project}} &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Projects/OWASP_PHPRBAC_Project&amp;diff=146918</id>
		<title>Projects/OWASP PHPRBAC Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Projects/OWASP_PHPRBAC_Project&amp;diff=146918"/>
				<updated>2013-03-07T05:21:41Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: edited some typos&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Template:Project About&lt;br /&gt;
| project_name =OWASP PHPRBAC Project&lt;br /&gt;
| project_home_page =OWASP PHPRBAC Project&lt;br /&gt;
| project_description =PHPRBAC is a standard NIST Level 2 Hierarchical Role Based Access Control library for PHP. It allows perfectly maintainable function-level access control for enterprise and small applications, or even frameworks.&lt;br /&gt;
Since implementing NIST Level 2 Hierarchical RBAC is quite complicated, there are very few similar libraries and most of them do not adhere to the standard. PHP RBAC is one of the fastest implementations (relying on a SQLite or MySQL backend) and has been tested in industry for more than three years.&lt;br /&gt;
| project_license =Creative Commons Attribution ShareAlike 3.0 License &lt;br /&gt;
| leader_name1 =Abbas Naderi&lt;br /&gt;
| leader_email1 =abbas.naderi@owasp.org&lt;br /&gt;
| leader_username1 =This is the wiki account for the leader&lt;br /&gt;
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_phprbac&lt;br /&gt;
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_PHPRBAC_Project/Roadmap&lt;br /&gt;
}}&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=PHPRBAC&amp;diff=146917</id>
		<title>PHPRBAC</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=PHPRBAC&amp;diff=146917"/>
				<updated>2013-03-07T05:20:16Z</updated>
		
		<summary type="html">&lt;p&gt;Abbas Naderi: redirect to actual page&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;#REDIRECT [[OWASP_PHPRBAC_Project]]&lt;/div&gt;</summary>
		<author><name>Abbas Naderi</name></author>	</entry>

	</feed>