OWASP - User contributions [en]

File:SRDF-Design.png

2014-08-22T14:13:38Z

AmrThabet: AmrThabet uploaded a new version of "File:SRDF-Design.png"

The User-Mode Design

OWASP Security Research and Development Framework

2014-08-22T14:12:30Z

AmrThabet:

=Main=

<div style="width:100%;height:100%;border:0;margin:0;overflow: hidden;">[[File:SRDF-Project-Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Abstract: ==

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

== Introduction: ==

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

'''SRDF is seeking contributors to help with the next releases . Contact [mailto:amr.thabet@owasp.org Amr Thabet] for more info.

'''We can help you create your own project based on SRDF .. just contact us from the email above

==Licensing==
SRDF is a free open source framework. It is licensed under the GPL v2

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

==The Features:==

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

===in Malware:===

• Assembler and Disassembler

• x86 Emulator

• x86 Debugger

• PE Analyzer, ELF Analyzer, PDF Analyzer (still in progress), Android APK Analyzer

• Process Analyzer (Loaded DLLs, Memory Maps … etc)

• MD5, SSDeep and Wildlist Scanner (YARA)

• API Hooker, IAT Hooking and Process Injection

• Backend Database, XML Serializer

• And many more

===in Network:===

• Packet capturing using winpcap

• Pcap file analysis and packet analyzer

• detecting malformed packets and packet generator

• Session analysis and session separation

• Protocol Analysis like tcp, udp, icmp .. etc

• Application layer protocol analysis like http and dns

• And many more

and the project is totally object oriented, very expandable and well organized

''' the project development still active and still expanding

== Python SRDF (pySRDF)==

it's an implementation for SRDF on python and very easy to use like this:

>>from pySRDF import *
>>dbg = Dbg("C:\\test.exe")
>>dbg.SetBp(0x401000)
>>dbg.Run()

OR Using the Emulator:

>> emu = Emulator("C:\\test.exe")
>> emu.SetBp("eip == 0x401000")
>> emu.Run()

OR

>> emu.SetBp("__isdirty(eip)") #which set bp on Execute on modified data
>> emu.Run()

Find it at:

[https://github.com/AmrThabet/pySRDF pySRDF Github]

[https://github.com/AmrThabet/pySRDF/tree/master/Examples Examples]

| valign="top" style="padding-left:25px;width:200px;" |

== Source Code: ==

[https://github.com/AmrThabet/winSRDF Github]

[https://www.openhub.net/p/winSRDF Openhub]

[http://www.security-framework.com Our Website]

== Project Leader ==
[mailto:amr.thabet@owasp.org Amr Thabet]
|}

=Design=

== The Design: ==

the main design is:

[[File:SRDF-Design.png]]

=== Infrastructure: ===

This includes the essential elements of any development framework and it’s not related to security like: string, hash, list, serializer, database, registry manipulation, sockets and so on.

We decided to create this part rather than depending on any development framework to make this framework independent from any other development frameworks and to be portable on any development framework

==== Targets: ====

This is the beginning of the SRDF. This part is simply the Target from your security tool. What do you want to secure or secure from. And it includes Files (PE Files and others), Processes and Packets.

==== Libraries: ====

That’s the security tools that the SRDF support. And it’s divided into two namespaces: malware and network

Malware includes the assemblers and disassemblers, emulator, debugger, API Hooker, Yara Scanner (wildcard scanner) file recursive scanner and other tools

Network includes User-Mode capturing and Firewall

==== Core (The Application Interface): ====

The Core includes the Logging system and the back-end Database.

And also, it’s the Application Interface. Like cConsoleApp … and you can inherit from it to create your own User-Interface.

We wish this part to be expanded to include more user interfaces and management systems

== The Infrastructure: ==

=== Elements: ===

It’s divided into three namespaces:

1. String: it contains the string class, encoded string, hash and list

2. Code: it contains the NativeCode class and StoredProcedure … and they represents the shellcode and the code that stored in database. Like a virus detection routines inside an Antivirus

3. XML: and it contains the XML Encoder and the Serializer.

=== Connections: ===

It’s divided into three namespaces:

1. Internet: and it contains the internet communication protocols like sockets, HTTP Sockets and so on.

2. IPC: and it contains the Inter-Process Communication protocol

3. User-Mode to Kernel-Mode Communication: and it contains the communication protocol to communicate to the kernel-mode part of the SRDF

=== Storage: ===

It’s divided into three namespaces:

1. Databases: and it contains the Database class and SQLiteDB and so on.

2. Files: and contains the File writing and logging classes

3. Registry: and it contains the registry read and write

== The Targets: ==

=== Files: ===

This namespace describes the File Formats of The Files that could contain malicious code like: Executable Files (PE and ELF) and Document Files (PDF, Docx …) and so on.

Until now it contains The PE Files parser

=== Process: ===

And it includes one class only named cProcess. And, this class describes a running process and parses its PEB and gives you the important information about the process and its memory map. And support injecting code and create a remote thread.

=== Packets: ===

And it includes classes that describe an internet packets captured on the wire or generated for an attack.

== Libraries: ==

It contains two namespaces:

=== Malware: ===

This namespace contains the scanning, Hooking and emulation libraries and contains Pokas Emulator wrapper class, Yara wrapper class (wildcard scanner), a debugger and contains a directory recursive scanner and other tools

And also, it contains the x86 assembler and disassembler (using Pokas Emulator Assembler) and allow to contain other assemblers and for other platforms.

=== Network: ===

This namespace should contain the User-Mode Packet capture and firewall. And should contain the Winpcap Packet capturing and firewall system.
It also should include Application Layer parsers for FTP, HTTP, IRC and all known protocols and include Pcap Reader and writer.

== The Core: ==

And the core includes the cApp class that contains the back-end database and logging and the User-Interface such as cConsoleApp

=Project About=
{{:Projects/OWASP_Security_Research_and_Development_Framework}}
__NOTOC__ <headertabs />
[[Category:OWASP Project]]

File:SRDF-Design.png

2014-08-22T14:11:36Z

AmrThabet: AmrThabet uploaded a new version of "File:SRDF-Design.png"

The User-Mode Design

File:SRDF-Project-Header.jpg

2014-08-22T09:47:21Z

AmrThabet: AmrThabet uploaded a new version of "File:SRDF-Project-Header.jpg"

Security Research and Development Framework Project

File:SRDF-Project-Header.jpg

2014-08-21T09:38:59Z

AmrThabet: AmrThabet uploaded a new version of "File:SRDF-Project-Header.jpg"

Security Research and Development Framework Project

OWASP Security Research and Development Framework

2014-08-20T16:03:42Z

AmrThabet:

File:SRDF-Project-Header.jpg

2014-08-20T16:01:14Z

AmrThabet: AmrThabet uploaded a new version of "File:SRDF-Project-Header.jpg"

Security Research and Development Framework Project

File:SRDF-Project-Header.jpg

2014-08-20T15:56:33Z

AmrThabet: AmrThabet uploaded a new version of "File:SRDF-Project-Header.jpg"

Security Research and Development Framework Project

File:SRDF-Project-Header.jpg

2014-08-20T15:40:50Z

AmrThabet: Security Research and Development Framework Project

Security Research and Development Framework Project

OWASP Security Research and Development Framework

2014-08-20T12:01:25Z

AmrThabet:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Security Reseach and Development Framework ==

''Do you see writing a security tool in windows is hard?''

''Do you have a great idea but you can’t implement it?''

''Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?''

''So, Security Research and Development Framework is for you.''

= Abstract: =

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

= Introduction: =

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

'''SRDF is seeking contributors to help with the next releases . Contact [mailto:amr.thabet@owasp.org Amr Thabet] for more info.

'''We can help you create your own project based on SRDF .. just contact us from the email above

==Licensing==
SRDF is a free open source framework. It is licensed under the GPL v2

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

==The Features:==

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

===in Malware:===

• Assembler and Disassembler

• x86 Emulator

• x86 Debugger

• PE Analyzer, ELF Analyzer, PDF Analyzer (still in progress), Android APK Analyzer

• Process Analyzer (Loaded DLLs, Memory Maps … etc)

• MD5, SSDeep and Wildlist Scanner (YARA)

• API Hooker, IAT Hooking and Process Injection

• Backend Database, XML Serializer

• And many more

===in Network:===

• Packet capturing using winpcap

• Pcap file analysis and packet analyzer

• detecting malformed packets and packet generator

• Session analysis and session separation

• Protocol Analysis like tcp, udp, icmp .. etc

• Application layer protocol analysis like http and dns

• And many more

and the project is totally object oriented, very expandable and well organized

''' the project development still active and still expanding

== Join Us: ==

''Do you get benefit from this framework and you need to give something back?''

''Do you want to add something to your CV?''

''Do you want to meet smart developers and join a big community?''

''Do you want to learn new things?''

''Here is place … join the development community, meet new smart people and have fun.''

| valign="top" style="padding-left:25px;width:200px;" |

== Source Code: ==

[https://github.com/AmrThabet/winSRDF Github]

[https://www.openhub.net/p/winSRDF Openhub]

[http://www.security-framework.com Our Website]

== Python SRDF (pySRDF)==

it's an implementation for SRDF on python and very easy to use like this:

>>from pySRDF import *
>>dbg = Dbg("C:\\test.exe")
>>dbg.SetBp(0x401000)
>>dbg.Run()

OR Using the Emulator:

>> emu = Emulator("C:\\test.exe")
>> emu.SetBp("eip == 0x401000")
>> emu.Run()

OR

>> emu.SetBp("__isdirty(eip)") #which set bp on Execute on modified data
>> emu.Run()

Find it at:

[https://github.com/AmrThabet/pySRDF pySRDF Github]

[https://github.com/AmrThabet/pySRDF/tree/master/Examples Examples]

|}

OWASP Security Research and Development Framework

2014-08-20T12:00:01Z

AmrThabet:

GSoC2013 Ideas

2013-04-16T09:27:43Z

AmrThabet:

==OWASP Project Requests==
===OWASP WebGoatPHP===
'''Description:'''
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions.
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.

If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).

'''Expected Results:''' WebGoatPHP will be a deliberately insecure PHP web application which operates in different modes. A contest mode where challenges are selected by an admin and the system starts a contest. Admins can open up hints for participants and manage everything. A workshop mode, where the educator has control of the most of application features, as well as feedback of user activities and is ideal for learning environments, and a single mode where someone can browse challenges and solve them.

'''Knowledge prerequisite:''' You just need to know PHP. You are supposed to define flawed systems, which is not the hardest thing. Familiarity with web application security and SQL is recommended.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

===OWASP CSRF Guard===
'''Description:''' [[Cross-Site_Request_Forgery_(CSRF)|CSRF]] is a complicated yet very effective web attack. The most important thing about CSRF is that it's hard to properly defend against it, specially when it comes to Web 2 and AJAX. We have had discussions on means of mitigating CSRF for years at OWASP, and are now ready to develop libraries for it. Many of the key ideas of this library can be found at [http://www.cs.sunysb.edu/~rpelizzi/jcsrf.pdf].

'''Expected Results:''' A transparent Apache 2 module properly mitigating all POST CSRF attacks, as well as a lightweight PHP library doing the same.

'''Knowledge prerequisites:''' Knowing CSRF and at least one way to defend against it, PHP, C/C++, Linux.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

===OWASP PHP Security Project===

'''Description:'''
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.

'''Expected Results: ''' Result of this project is much more security among PHP applications. Most PHP applications are vulnerable and there's no central approach to secure them (due to open source nature). Many people look at OWASP for such information.

'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

===OWASP RBAC Project===
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''.

RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.

Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time.

OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently [[PHPRBAC]] which is the PHP version of the RBAC project is released.

'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, specially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.

'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

'''Skill Level:''' Advanced

For more info, visit [http://phprbac.net phprbac.net]

===OWASP XSSer Project===

XSSer has a correct engine implementation to search/exploit XSS vulnerabilities, but it is necessary to work on some different fields to obtain better results. Some of them are: to fight against "false positive" results, to implemenet a better human-readable output results and to develop some new features (like; CSSer, Code checks user inputs, etc...). Also, it will be nice to update the tool with more valid XSS vectors (DOM, DCP, reflected, etc...) and some "anti-anti-XSS" systems for more common browsers.

There is a roadmap on a pdf file with all tasks required to advance to next release of 'XSSer' (v1.7b - Total Swarm!)

Download: http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf

'''Brief explanation:'''

Below is shown a structure of phases and milestones code areas.

Milestones:
• Phase 1: Core:
+ Bugfixing:
- False positives
- Fix “swarm” results
- Fix 'maximize' screen (bug reported)
- Add auto-update revision
- Fix multithreading (review)
- Research 'glibc' corruption

+ Add crawlering for POST+GET (auto test 'whole' page forms)
+ Update XSS payloads (vectors.py / DOM.py / DCP.py / etc...)
+ Advance Statistics results (show more detailed outputs)
+ Advance Exporting methods (create 'whitehat' reports (xml/json))
+ Advance “WebSockets” technology on XSSer 'fortune' option
+ Update Interface (GTK+)

• Phase 2: New features:
+ Add 'code pre-check' option: Users can set which code will return target's website, to try to evade false positive results.
+ Add 'CSSer' option: Payloads for CSS injections.
+ Research/Search anti-IDS/NIDS/IPS... codes to evade XSS filters.
+ BurpXSSer: Create a Burp plugin (with Jython libs)
+ ZAPXSSer: Create a ZAP plugin (with Jython libs)

'''Expected results:'''

* To deploy a new stable version of XSSer with GTk+/Web/Shell main features working propertly,

The code should be:

* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

XSSer is written in Python, so a good knowledge of this language is recommended, as is knowledge of HTML and Javascript. Also, is necessary to have some knowledge of application security and more in concret about XSS techniques.

'''Skill Level:''' Medium

'''Mentor: epsylon (psy) - OWASP XSSer Project Leader'''

===OWASP ZAP: Dynamically Configurable actions===

ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.

It also supports a scripting interface, which is very powerful but at the moment difficult to use.

This project would introduce something inbetween thess 2 options - a powerful way of defining (potentially) complex rules using a wizard based interface.

The challenge will be to make it as usable as possible while still providing a wide range of functionality.

'''Brief explanation:'''

This component would provide a set of highly configurable 'actions' which the user would see up via a wizard.

So they would initially define when the action applies, based on things like regex matching on request elements. And they should be able to define multiple criteria with ANDs and ORs.

Then they would define the actions, which could include:

* Changing the request (adding, removing or replacing strings)
* Raising alerts
* Breaking (to replace existing break points)
* Running custom scripts (which could do pretty much anything)

They would then be able to switch the actions on and off from the full list of defined actions using checkboxes

'''Expected results:'''

* A new ZAP add-on providing the above functionality
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''

===OWASP ZAP: Enhanced HTTP Session Handling===

'''Brief explanation:'''

ZAP can currently manage multiple sessions. This development would allow ZAP to better handle HTTP Sessions to provide different views of a given target depending on the different user's permissions that the targeted site supports.

This implementation such provide a set of methods to answer questions such as: 1)What nodes(pages) are available to a group of users and not to other groups of users 2)What nodes are available to different users but these contain significant differences in the HTTP headers and/or in the body content.

This will allow ZAP to be used to detect access control issues which would otherwise require manual testing.
Expected results:

* ZAP will have an understanding of both users and roles and be able to associate them with HTTP sessions.
* The user will be able to associate credentials with different roles allowing ZAP to automatically authenticate as any user / role.
* ZAP will be able to spider an application using a given user/role.
* ZAP will be able to report the differences between different HTTP sessions.
* ZAP will be able to show different views of the site in the site's tree tab with the pages visible for each session.
* ZAP will be able to attack one session based on the URLs accessed in another session and report which appear to work.

'''Expected results:'''

Users will be able to:
* specify exactly which alerts are included, by context, site or on an individual alert basis
* specify what information is included and how it is layed out
* specify a range of output formats, at least including HTML and PDF
* include details of what testing has been performed (automatically generated where possible)
* apply their own branding
* save report templates, and apply templates downloaded from the ZAP marketplace
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and the HTTP protocol specification. Some knowledge of application security would be useful, but not essential.

'''Mentor: Guifre Ruiz - OWASP ZAP Dev Team'''

===OWASP ZAP: Exploring Advanced reporting using BIRT===

'''Brief explanation:'''

BIRT (Business Intelligence and Reporting Tools) is an open source development framework used for report development. The objective of the project is to explore the development of advance reports in OWASP ZAP using the BIRT Report Designer, which is a an Eclipse plug-in that utilizes BIRT technologies.

Reports can be designed using the BIRT Report Designer; however a complete integration within OWASP ZAP is the ideal solution. This can be achieve integrating BIRT with OWASP ZAP since the reporting application does not require the BIRT Report Designer user interface to generate a report.
The org.eclipse.birt.report.engine.api package contains the classes and interfaces that an application uses to generate reports. The main classes and interfaces are ReportEngine, EngineConfig, IReportRunnable, IRenderOption and its descendants, and IEngineTask and its descendants.

'''Expected results:'''

*Installed and Configured BIRT Environment into the Eclipse OWASP ZAP project ( this can be delivered as an independent project)
*Analysis report of the pros-and cons of using BIRT within OWASP ZAP as reporting tool
*Be able to Generate reports from the application using the BIRT report engine API.
*Creation of prototype reports regarding the results output of the Sessions & attacks such as: Alerts, History, Search etc.
*A new user interface for generating reports which is easy to use and provides the user with a wide range of options.

The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Johanna Curiel'''

===OWASP ZAP - SAML 2.0 Support===

'''Brief explanation:'''

SAML 2.0 is an XML-based federated single sign-on (FSSO) protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is an identity provider, and a SAML consumer, that is a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO). SAML specifications support many ways, called profiles and bindings, to generate and transport assertions between trusted entities The Web Browser SSO profile is of particular interest here since it enables web applications from 2 separate domains to leverage SSO easily by exchanging assertions via a web browser session.

ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. This project will enhance those capabilities to be able to detect and fuzz various elements and attributes of a SAML Assertion.

The scope of this project is limited to the following SAML bindings, profiles and protocols:

Profiles :
* Web Browser SSO

Bindings:
* HTTP POST
* HTTP Redirect

Protocols:
* Authentication Request Protocol

'''Expected results:'''

This component would enable ZAP to:
* Detect SAML Assertions in HTTP requests and responses
* Decode SAML Assertions
* Fuzz various entities and attributes within a SAML assertion
* Re-encode the assertion and send it forward
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

Users would have a choice either to fuzz the attributes within an assertion or just add/remove arbitrary attribute (to check for XML and SAML Schema Conformance).

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and SAML 2.0 Protocol. Some knowledge of application security would be useful, but not essential. Understanding of SSO and Federated SSO is preferred.

'''Mentor: Prasad N. Shenoy'''

===OWASP ZAP: SOCKS support===

This project is to extend ZAP to act as an intercepting proxy for SOCKS 4 and 5.

'''Brief explanation:'''

Suggested phases include:

* Identifying suitable Java SOCKS libraries
* Evaluating the SOCKS support other security tools provide (eg Mallory and Burp)
* Enhance ZAP to provide an option to use SOCKS for all outgoing connections
* Enhance ZAP to act as invisible SOCKS proxy
* Display the SOCKS data in ZAP
* Support searching of SOCKS data
* Support breaking and changing the data manually
* Support fuzzing SOCKS data
* Support SOCKS authentication

The ZAP WebSockets addon should be used as an indication of how this could be achieved both technically and visually, but should not limit the implementation.

Each phase should be tested against 3rd party tools which use SOCKS and include stand alone unit tests.

'''Expected results:'''

ZAP will be able to act as a SOCKS proxy, displaying the data sent and allowing it to be intercepted and changed.

The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''

===OWASP Security Research and Development Framework ===

'''Brief explanation:'''

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

'''Targeted Applications:'''

* Packet Analysis Tools (Personal Firewalls, HIDS/HIPS, WAF, Network Analysis, Network Capture)
* Malware Analysis Tools (Static, Dynamic, Behavioral)
* Antivirus and Virus Removal Tools (Signature-based, Behavioral-based)

'''Features:'''

The User Mode Features:

* Assembler and Disassembler
* x86 Emulator
* Debugger
* PE Analyzer
* Process Analyzer (Loaded DLLs, Memory Maps … etc)
* MD5, SSDeep and Wildlist Scanner (YARA)
* API Hooker and Process Injection
* Backend Database, XML Serializer
* Packet Analysis Tool and Session Separation
* Protocol Analyzers for TCP,UDP,ICMP,ARP and Application Layer like HTTP and DNS
* and many more

The Kernel Mode Features:

* Object-oriented and easy to use development framework
* Easy IRP dispatching mechanism
* SSDT Hooker
* Layered Devices Filtering
* TDI Firewall
* File and Registry Manager
* Kernel Mode easy to use internet sockets
* Filesystem Filter

'''Future Plan'''

we need to do the following:

* WOW64 Hooker (Hooking system calls on wow64 processes .. it will be like an API hooker in a wrapper dll inside the wow64 processes)
* Improve our Kernel-Mode part to work on 64-bits and to implement NDIS, Kernel Sockets and Packet Filtering System (as we support TDI only and it's out-date)
* We need to implement SRDF in linux ... implement the file parsers and the packet analysis is easy .. but we need to implement memory analysis on linux and so on
* We need to improve the static analysis tools .. we need to implement the X-RAY and Recursive Disassembler Tool
* we need to improve our dynamic analysis tools ... we need to support more APIs in Pokas Emulator and need more beta-testing
* we need to create a tool that do emulation and debugging (we have a debugger in SRDF) for beta-testing
* we need to improve the Behavioral Analysis Tools ... if you have ideas in behavioral analysis that's will be great
* we need to implement more file formats like swf and rtf
* we need to implement srdf in python using SWIG
* we need more improvement on memory usage and detecting memory-leaks
* we need to implement OpenSBI virus classification file format
* we need to collect static unpacking codes (static means no debugger, no breakpoints, no kernel-mode and no emulator . just decrypt using equations) for known unpackers like upx, fsg and so on. as a library for developers
* we need to implement zip library to decompress and rar library for the same
* we need a Process Analyzer for 64 applications .. and could it be done by a wow64 process?

'''Knowledge Prerequisite:'''

We need variety of skills in different languages and platforms. We need a good knowledge in C++ in windows. We need a python developer for integrating SRDF in python. We need C++ developers have a good knowledge in Assembly (for working in disassembling part) and we need C++ developers have a knowledge in Kernel-Mode(for Kernel-Mode improvement and beta-testing)

'''Mentor: Amr Thabet - OWASP Security Research and Development Framework Project Leader'''

=== OWASP ModSecurity CRS - Create "Sniffer-Mode" ===

'''Brief explanation:'''

The ModSecurity code includes a "standalone" version that wraps a light weight Apache/APR around the ModSecurity code. This is used as the basis for the ports to the IIS/Nginx web server platforms. The goal for this project task is to extend this standalone version so that it can accept a data feed of network traffic (e.g. libpcap) data as input and apply the ModSecurity CRS rules. One possible solution would be create a ModSecurity "plugin" for the Snort IDS.

'''Expected results:'''

This new sniffer mode would allow organizations to run ModSecurity/OWASP ModSecurity CRS in an out of line mode as they do IDS systems.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Port to Java ===

'''Brief explanation:'''

The goal is to have a ModSecurity version that can be used within Java servers (e.g. Tomcat). There may be methods to use JNI to call the standalone code from a filter in Tomcat.

'''Expected results:'''

This new version allow organizations to run ModSecurity/OWASP ModSecurity CRS in Java web servers.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Implement libinjection Code ===

'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-327

libinjection (https://github.com/client9/libinjection) is a C library that detects SQLi attacks in user input. It is designed to be embedded in existing or new applications:

*Fast > 100k inspections per second
*No memory allocation
*No threads
*Stable memory usage (approximately 500 bytes on stack)
*500 lines of C code (plus a few kiobytes of data)

It is based on lexical analysis of SQL and SQLi attempts and does not use regular expressions.

'''Expected results:'''

The new C code in ModSecurity will allow us to add new SQL Injection detection methods to the OWASP ModSecurity CRS.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Implement DoS Prevention Code ===

'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-265

Implement a request velocity learning engine to identify dynamic DoS thresholds for both the site and for the particular URL.

'''Expected results:'''

The new C code in ModSecurity will allow us to add new DoS Protection methods to the OWASP ModSecurity CRS.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Create a Positive Learning/Profile Engine ===

'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-193

ModSecurity needs a profiling engine that implements the various AppSensor Detection Points - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html.

'''Expected results:'''

The new engine will implement more detection points to detect abnormal request attributes.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Create an Engine to Detect Application Flow Anomalies ===

'''Brief explanation:'''

Need an engine that can track normal application flow paths (click-flows) for business logic transactions - such as transferring money from accounts. After profiling normal application path flows, we want to then be able to alert to anomalies. This type of logic can help to prevent Banking Trojan attacks.

'''Expected results:'''

The engine will be able to alert on anomalous application flows.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP OWTF - Stateful Browser with configurable authentication ===

'''Brief explanation:'''

The automated functionality of OWASP OWTF is currently limited to the non-authenticated portion of a website. We would like to implement authentication support through:

1) OWTF parameters

2) Configuration files

What we would like to do here is to leverage the [http://wwwsearch.sourceforge.net/mechanize/ powerful mechanize python library] and build at least support for the following authentication options:
* Basic authentication - As requested here: [https://github.com/7a/owtf/issues/9 https://github.com/7a/owtf/issues/9]. .
* Cookie based authentication
* Form-based authentication

Additionally, we would welcome here a feature to detect when the user has been logged off, to log OWTF back in again before retrying the next request. <-- The proxy is probably a better place to implement this since external tools would also benefit from this. This feature will have to be coordinated with the MiTM proxy project below.

The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* High performance
* Reliability
* Ease of use
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with the mechanize library or HTTP state is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

=== OWASP OWTF - Inbound Proxy with MiTM and caching capabilities ===

'''Brief explanation:'''

At the moment one of the most seriously lacking features of OWASP OWTF is the Inbound proxy. Desired features here include:
* Proxy mode: Ability to start OWTF in "proxy mode" so that a human can review a site manually while taking advantage of all the OWTF grep plugins, without launching any tools.
* Proxy cache: At present, OWTF runs external tools to save time to a human pentester, the proxy cache would make OWTF smart enough to make external tools use the OWTF proxy and then avoid sending identical requests to the site (i.e. if 30 tools run by OWTF try to request X, OWTF will only make 1 request and not 30 anymore). OWTF should also be smart enough to use its own cache obviously :). The cache should be smart enough to detect lack of disk space and crashing :).
* Proxy throttling: We would like the proxy to auto-adjust speed to the speed of the target (i.e. based on how slower response times are getting) in a configurable fashion
* Proxy retry: We would like to have the ability to retry failed requests in an automated fashion for a configurable number of times
* Proxy MiTM: Proxy Man in The Middle capabilities are a must on any web app security tool. We need the ability to create a fake certificate on the fly to intercept and be able to analyse communications going to and from an "https" site.
* HTTP Transaction storage: The whole point here is of course, to store the HTTP transactions in the same way

Potential python libraries and references that could help here are:
* http://twistedmatrix.com/documents/10.0.0/api/twisted.web.proxy.Proxy.html
* https://github.com/moxie0/sslstrip
* https://github.com/7a/owtf/tree/master/framework/http <-- Current WIP OWTF state in this regard

The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Increased overall performance: We should only be sending each probe once ever if several tools try to send the same HTTP request multiple times.
* Additional HTTP transactions logged for analysis
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, previous exposure to Twisted Proxy or other python HTTP proxies will be very welcome here, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Reporting ===

'''Brief explanation:'''

A common complaint about OWASP OWTF so far has been that the report is not very shiny. The intention here is to:
* Move as much of the HTML away from python files into template files: This will facilitate web designer's work in the future.
* Apply some nice web design to the report so that it is more nice and comfortable to work with: Clear the HTML, CSS, etc
* Identify and fix areas of improvement in click flow: For example, try to reduce the distance to move the mouse

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* The first reaction when an OWASP OWTF users opens the report is now "wow"
* The report is reliable and easy to work with, even when more than 30 URLs have been assessed (i.e. a lot of data in the report does not crash or make the browser slow)
* The improved design is lightweight and keeps the browser responsive at all times

'''Knowledge Prerequisite:'''

HTML, JavaScript, CSS and a bit of Python. Web Designer background or experience would be beneficial for this.

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Multiprocessing ===

'''Brief explanation:'''

OWASP OWTF can be quite slow when scanning multiple URLs simultanously due to not scanning several hosts in parallel. We would like to use the multiprocessing python library over the threading one to take full advantage of multi-core processors without the global interpreter lock (GIL) issues associated with the threading libary :)
* We would like to scan in parallel several websites when on a different IP:
* We would like to monitor the host machine resources to avoid crashing it before spawning new processes :)
* We would like to run plugins in parallel as much as possible but without compromising integrity: Using file locks where appropriate and so on

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Reliability
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, multiprocessing experience would be beneficial for this, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - SQL database ===

'''Brief explanation:'''

OWASP OWTF scans may take a large amount of disk space due to saving information in text files, we would like to add an option to use a SQL database, probably using the sqlalchemy python library.
* Keep the current text file format as an option
* Add a database storage option using the sqlalchemy library

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Reliability: Both with the sql database option and the text file options.
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, sqlalchemy experience would be beneficial for this

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Unit Test Framework ===

'''Brief explanation:'''

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to create a unit testing framework so that creating OWASP OWTF unit tests is as simple as possible. The goal of this project is to create the Unit Test Framework and as many unit tests as possible to verify OWASP OWTF functionality.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Performant and automated regression testing
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Python version upgrade and compatibility ===

'''Brief explanation:'''

Right now OWASP OWTF works on Python 2.6.5-2.7.3 (might work on surrounding versions too), the aim of this project would be to change the existing codebase so that it additionally works on newer python versions too, for example Python 3.3.
The intention here is to take advantage of improvements in newer python versions when available while letting OWASP OWTF work on older python versions too (i.e. 2.6.5) if that is the only option available.
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable due to compatibility.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Performant and reliable OWASP OWTF execution on multiple python versions, in particular the latest python version (i.e. 3.3.x) as well as the previous 2.6.5-2.7.3 range.
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with python version upgrades and python version compatibility implementations, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===

''''Brief Explanation:'''

The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.
New challenges need to be created in order to cover a broader set of vulnerabilities.
Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.

Ideas on the project:

* Simulated simple buffer overflows
* SQL injections
* Man in the middle simulation
* Bypassing regular expression filtering
* Your idea here

'''Expected Results:'''

New cool challenges

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''' Νοte: ''''
The ideas on each proposed project are examples, it would be good if you undertook any of these but we equally value creativity and we are always looking for awesome new features to add to the project, so if you have an idea don't be shy, contact us. :-)

'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader

=== OWASP Hackademic Challenges - Source Code testing environment ===

''''Brief Explanation:'''

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

'''Expected Results:'''

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

'''' Νοte: ''''
The ideas on each proposed project are examples, it would be good if you undertook any of these but we equally value creativity and we are always looking for awesome new features to add to the project, so if you have an idea don't be shy, contact us. :-)

'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader

=== OWASP Hackademic Challenges - CMS improvements ===

''''Brief Explanation:'''

The new CMS was created during last year's GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.

Ideas on this project:

* '''Plugin api and plugin actions interface'''

An easy way for users to code their own plugins which will modify the appearance of hackademic or add to the functionality.

* '''Ability to show different articles on the user's home screen'''

Now each user is served the latest article in her/his home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.

* '''Ability to define series of challenges'''

The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.

* ''' Tagging of articles, users, challenges '''

A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher.
Also the user should be able to search according to the tags.

* '''Your idea here'''

We welcome new ideas to make the project look awesome.

'''Expected Results:'''

New features and security improvements on the CMS part of the project.

'''Knowledge Prerequisites:'''

Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements.

'''' Νοte: ''''
The ideas on each proposed project are examples, it would be good if you undertook any of these but we equally value creativity and we are always looking for awesome new features to add to the project, so if you have an idea don't be shy, contact us. :-)

'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader

GSoC2013 Ideas

2013-04-16T09:23:56Z

AmrThabet:

==OWASP Project Requests==
===OWASP WebGoatPHP===
'''Description:'''
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions.
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.

If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).

'''Expected Results:''' WebGoatPHP will be a deliberately insecure PHP web application which operates in different modes. A contest mode where challenges are selected by an admin and the system starts a contest. Admins can open up hints for participants and manage everything. A workshop mode, where the educator has control of the most of application features, as well as feedback of user activities and is ideal for learning environments, and a single mode where someone can browse challenges and solve them.

'''Knowledge prerequisite:''' You just need to know PHP. You are supposed to define flawed systems, which is not the hardest thing. Familiarity with web application security and SQL is recommended.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

===OWASP CSRF Guard===
'''Description:''' [[Cross-Site_Request_Forgery_(CSRF)|CSRF]] is a complicated yet very effective web attack. The most important thing about CSRF is that it's hard to properly defend against it, specially when it comes to Web 2 and AJAX. We have had discussions on means of mitigating CSRF for years at OWASP, and are now ready to develop libraries for it. Many of the key ideas of this library can be found at [http://www.cs.sunysb.edu/~rpelizzi/jcsrf.pdf].

'''Expected Results:''' A transparent Apache 2 module properly mitigating all POST CSRF attacks, as well as a lightweight PHP library doing the same.

'''Knowledge prerequisites:''' Knowing CSRF and at least one way to defend against it, PHP, C/C++, Linux.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

===OWASP PHP Security Project===

'''Description:'''
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.

'''Expected Results: ''' Result of this project is much more security among PHP applications. Most PHP applications are vulnerable and there's no central approach to secure them (due to open source nature). Many people look at OWASP for such information.

'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

===OWASP RBAC Project===
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''.

RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.

Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time.

OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently [[PHPRBAC]] which is the PHP version of the RBAC project is released.

'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, specially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.

'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

'''Skill Level:''' Advanced

For more info, visit [http://phprbac.net phprbac.net]

===OWASP XSSer Project===

XSSer has a correct engine implementation to search/exploit XSS vulnerabilities, but it is necessary to work on some different fields to obtain better results. Some of them are: to fight against "false positive" results, to implemenet a better human-readable output results and to develop some new features (like; CSSer, Code checks user inputs, etc...). Also, it will be nice to update the tool with more valid XSS vectors (DOM, DCP, reflected, etc...) and some "anti-anti-XSS" systems for more common browsers.

There is a roadmap on a pdf file with all tasks required to advance to next release of 'XSSer' (v1.7b - Total Swarm!)

Download: http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf

'''Brief explanation:'''

Below is shown a structure of phases and milestones code areas.

Milestones:
• Phase 1: Core:
+ Bugfixing:
- False positives
- Fix “swarm” results
- Fix 'maximize' screen (bug reported)
- Add auto-update revision
- Fix multithreading (review)
- Research 'glibc' corruption

+ Add crawlering for POST+GET (auto test 'whole' page forms)
+ Update XSS payloads (vectors.py / DOM.py / DCP.py / etc...)
+ Advance Statistics results (show more detailed outputs)
+ Advance Exporting methods (create 'whitehat' reports (xml/json))
+ Advance “WebSockets” technology on XSSer 'fortune' option
+ Update Interface (GTK+)

• Phase 2: New features:
+ Add 'code pre-check' option: Users can set which code will return target's website, to try to evade false positive results.
+ Add 'CSSer' option: Payloads for CSS injections.
+ Research/Search anti-IDS/NIDS/IPS... codes to evade XSS filters.
+ BurpXSSer: Create a Burp plugin (with Jython libs)
+ ZAPXSSer: Create a ZAP plugin (with Jython libs)

'''Expected results:'''

* To deploy a new stable version of XSSer with GTk+/Web/Shell main features working propertly,

The code should be:

* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

XSSer is written in Python, so a good knowledge of this language is recommended, as is knowledge of HTML and Javascript. Also, is necessary to have some knowledge of application security and more in concret about XSS techniques.

'''Skill Level:''' Medium

'''Mentor: epsylon (psy) - OWASP XSSer Project Leader'''

===OWASP ZAP: Dynamically Configurable actions===

ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.

It also supports a scripting interface, which is very powerful but at the moment difficult to use.

This project would introduce something inbetween thess 2 options - a powerful way of defining (potentially) complex rules using a wizard based interface.

The challenge will be to make it as usable as possible while still providing a wide range of functionality.

'''Brief explanation:'''

This component would provide a set of highly configurable 'actions' which the user would see up via a wizard.

So they would initially define when the action applies, based on things like regex matching on request elements. And they should be able to define multiple criteria with ANDs and ORs.

Then they would define the actions, which could include:

* Changing the request (adding, removing or replacing strings)
* Raising alerts
* Breaking (to replace existing break points)
* Running custom scripts (which could do pretty much anything)

They would then be able to switch the actions on and off from the full list of defined actions using checkboxes

'''Expected results:'''

* A new ZAP add-on providing the above functionality
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''

===OWASP ZAP: Enhanced HTTP Session Handling===

'''Brief explanation:'''

ZAP can currently manage multiple sessions. This development would allow ZAP to better handle HTTP Sessions to provide different views of a given target depending on the different user's permissions that the targeted site supports.

This implementation such provide a set of methods to answer questions such as: 1)What nodes(pages) are available to a group of users and not to other groups of users 2)What nodes are available to different users but these contain significant differences in the HTTP headers and/or in the body content.

This will allow ZAP to be used to detect access control issues which would otherwise require manual testing.
Expected results:

* ZAP will have an understanding of both users and roles and be able to associate them with HTTP sessions.
* The user will be able to associate credentials with different roles allowing ZAP to automatically authenticate as any user / role.
* ZAP will be able to spider an application using a given user/role.
* ZAP will be able to report the differences between different HTTP sessions.
* ZAP will be able to show different views of the site in the site's tree tab with the pages visible for each session.
* ZAP will be able to attack one session based on the URLs accessed in another session and report which appear to work.

'''Expected results:'''

Users will be able to:
* specify exactly which alerts are included, by context, site or on an individual alert basis
* specify what information is included and how it is layed out
* specify a range of output formats, at least including HTML and PDF
* include details of what testing has been performed (automatically generated where possible)
* apply their own branding
* save report templates, and apply templates downloaded from the ZAP marketplace
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and the HTTP protocol specification. Some knowledge of application security would be useful, but not essential.

'''Mentor: Guifre Ruiz - OWASP ZAP Dev Team'''

===OWASP ZAP: Exploring Advanced reporting using BIRT===

'''Brief explanation:'''

BIRT (Business Intelligence and Reporting Tools) is an open source development framework used for report development. The objective of the project is to explore the development of advance reports in OWASP ZAP using the BIRT Report Designer, which is a an Eclipse plug-in that utilizes BIRT technologies.

Reports can be designed using the BIRT Report Designer; however a complete integration within OWASP ZAP is the ideal solution. This can be achieve integrating BIRT with OWASP ZAP since the reporting application does not require the BIRT Report Designer user interface to generate a report.
The org.eclipse.birt.report.engine.api package contains the classes and interfaces that an application uses to generate reports. The main classes and interfaces are ReportEngine, EngineConfig, IReportRunnable, IRenderOption and its descendants, and IEngineTask and its descendants.

'''Expected results:'''

*Installed and Configured BIRT Environment into the Eclipse OWASP ZAP project ( this can be delivered as an independent project)
*Analysis report of the pros-and cons of using BIRT within OWASP ZAP as reporting tool
*Be able to Generate reports from the application using the BIRT report engine API.
*Creation of prototype reports regarding the results output of the Sessions & attacks such as: Alerts, History, Search etc.
*A new user interface for generating reports which is easy to use and provides the user with a wide range of options.

The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Johanna Curiel'''

===OWASP ZAP - SAML 2.0 Support===

'''Brief explanation:'''

SAML 2.0 is an XML-based federated single sign-on (FSSO) protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is an identity provider, and a SAML consumer, that is a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO). SAML specifications support many ways, called profiles and bindings, to generate and transport assertions between trusted entities The Web Browser SSO profile is of particular interest here since it enables web applications from 2 separate domains to leverage SSO easily by exchanging assertions via a web browser session.

ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. This project will enhance those capabilities to be able to detect and fuzz various elements and attributes of a SAML Assertion.

The scope of this project is limited to the following SAML bindings, profiles and protocols:

Profiles :
* Web Browser SSO

Bindings:
* HTTP POST
* HTTP Redirect

Protocols:
* Authentication Request Protocol

'''Expected results:'''

This component would enable ZAP to:
* Detect SAML Assertions in HTTP requests and responses
* Decode SAML Assertions
* Fuzz various entities and attributes within a SAML assertion
* Re-encode the assertion and send it forward
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

Users would have a choice either to fuzz the attributes within an assertion or just add/remove arbitrary attribute (to check for XML and SAML Schema Conformance).

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and SAML 2.0 Protocol. Some knowledge of application security would be useful, but not essential. Understanding of SSO and Federated SSO is preferred.

'''Mentor: Prasad N. Shenoy'''

===OWASP ZAP: SOCKS support===

This project is to extend ZAP to act as an intercepting proxy for SOCKS 4 and 5.

'''Brief explanation:'''

Suggested phases include:

* Identifying suitable Java SOCKS libraries
* Evaluating the SOCKS support other security tools provide (eg Mallory and Burp)
* Enhance ZAP to provide an option to use SOCKS for all outgoing connections
* Enhance ZAP to act as invisible SOCKS proxy
* Display the SOCKS data in ZAP
* Support searching of SOCKS data
* Support breaking and changing the data manually
* Support fuzzing SOCKS data
* Support SOCKS authentication

The ZAP WebSockets addon should be used as an indication of how this could be achieved both technically and visually, but should not limit the implementation.

Each phase should be tested against 3rd party tools which use SOCKS and include stand alone unit tests.

'''Expected results:'''

ZAP will be able to act as a SOCKS proxy, displaying the data sent and allowing it to be intercepted and changed.

The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''

===OWASP Security Research and Development Framework ===

'''Brief explanation:'''

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

'''Targeted Applications:'''

* Packet Analysis Tools (Personal Firewalls, HIDS/HIPS, WAF, Network Analysis, Network Capture)
* Malware Analysis Tools (Static, Dynamic, Behavioral)
* Antivirus and Virus Removal Tools (Signature-based, Behavioral-based)

'''Features:'''

The User Mode Features:

• Assembler and Disassembler
• x86 Emulator
• Debugger
• PE Analyzer
• Process Analyzer (Loaded DLLs, Memory Maps … etc)
• MD5, SSDeep and Wildlist Scanner (YARA)
• API Hooker and Process Injection
• Backend Database, XML Serializer
• Packet Analysis Tool and Session Separation
• Protocol Analyzers for TCP,UDP,ICMP,ARP and Application Layer like HTTP and DNS
• and many more

The Kernel Mode Features:

• Object-oriented and easy to use development framework
• Easy IRP dispatching mechanism
• SSDT Hooker
• Layered Devices Filtering
• TDI Firewall
• File and Registry Manager
• Kernel Mode easy to use internet sockets
• Filesystem Filter

'''Future Plan'''

and we need to do the following:

* WOW64 Hooker (Hooking system calls on wow64 processes .. it will be like an API hooker in a wrapper dll inside the wow64 processes)
* Improve our Kernel-Mode part to work on 64-bits and to implement NDIS, Kernel Sockets and Packet Filtering System (as we support TDI only and it's out-date)
* We need to implement SRDF in linux ... implement the file parsers and the packet analysis is easy .. but we need to implement memory analysis on linux and so on
* We need to improve the static analysis tools .. we need to implement the X-RAY and Recursive Disassembler Tool
* we need to improve our dynamic analysis tools ... we need to support more APIs in Pokas Emulator and need more beta-testing
* we need to create a tool that do emulation and debugging (we have a debugger in SRDF) for beta-testing
* we need to improve the Behavioral Analysis Tools ... if you have ideas in behavioral analysis that's will be great
* we need to implement more file formats like swf and rtf
* we need to implement srdf in python using SWIG
* we need more improvement on memory usage and detecting memory-leaks
* we need to implement OpenSBI virus classification file format
* we need to collect static unpacking codes (static means no debugger, no breakpoints, no kernel-mode and no emulator . just decrypt using equations) for known unpackers like upx, fsg and so on. as a library for developers
* we need to implement zip library to decompress and rar library for the same
* we need a Process Analyzer for 64 applications .. and could it be done by a wow64 process?

'''Knowledge Prerequisite:'''

We need variety of skills in different languages and platforms. We need a good knowledge in C++ in windows. We need a python developer for integrating SRDF in python. We need C++ developers have a good knowledge in Assembly (for working in disassembling part) and we need C++ developers have a knowledge in Kernel-Mode(for Kernel-Mode improvement and beta-testing)

'''Mentor: Amr Thabet - OWASP Security Research and Development Framework Project Leader'''

=== OWASP ModSecurity CRS - Create "Sniffer-Mode" ===

'''Brief explanation:'''

The ModSecurity code includes a "standalone" version that wraps a light weight Apache/APR around the ModSecurity code. This is used as the basis for the ports to the IIS/Nginx web server platforms. The goal for this project task is to extend this standalone version so that it can accept a data feed of network traffic (e.g. libpcap) data as input and apply the ModSecurity CRS rules. One possible solution would be create a ModSecurity "plugin" for the Snort IDS.

'''Expected results:'''

This new sniffer mode would allow organizations to run ModSecurity/OWASP ModSecurity CRS in an out of line mode as they do IDS systems.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Port to Java ===

'''Brief explanation:'''

The goal is to have a ModSecurity version that can be used within Java servers (e.g. Tomcat). There may be methods to use JNI to call the standalone code from a filter in Tomcat.

'''Expected results:'''

This new version allow organizations to run ModSecurity/OWASP ModSecurity CRS in Java web servers.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Implement libinjection Code ===

'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-327

libinjection (https://github.com/client9/libinjection) is a C library that detects SQLi attacks in user input. It is designed to be embedded in existing or new applications:

*Fast > 100k inspections per second
*No memory allocation
*No threads
*Stable memory usage (approximately 500 bytes on stack)
*500 lines of C code (plus a few kiobytes of data)

It is based on lexical analysis of SQL and SQLi attempts and does not use regular expressions.

'''Expected results:'''

The new C code in ModSecurity will allow us to add new SQL Injection detection methods to the OWASP ModSecurity CRS.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Implement DoS Prevention Code ===

'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-265

Implement a request velocity learning engine to identify dynamic DoS thresholds for both the site and for the particular URL.

'''Expected results:'''

The new C code in ModSecurity will allow us to add new DoS Protection methods to the OWASP ModSecurity CRS.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Create a Positive Learning/Profile Engine ===

'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-193

ModSecurity needs a profiling engine that implements the various AppSensor Detection Points - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html.

'''Expected results:'''

The new engine will implement more detection points to detect abnormal request attributes.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Create an Engine to Detect Application Flow Anomalies ===

'''Brief explanation:'''

Need an engine that can track normal application flow paths (click-flows) for business logic transactions - such as transferring money from accounts. After profiling normal application path flows, we want to then be able to alert to anomalies. This type of logic can help to prevent Banking Trojan attacks.

'''Expected results:'''

The engine will be able to alert on anomalous application flows.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP OWTF - Stateful Browser with configurable authentication ===

'''Brief explanation:'''

The automated functionality of OWASP OWTF is currently limited to the non-authenticated portion of a website. We would like to implement authentication support through:

1) OWTF parameters

2) Configuration files

What we would like to do here is to leverage the [http://wwwsearch.sourceforge.net/mechanize/ powerful mechanize python library] and build at least support for the following authentication options:
* Basic authentication - As requested here: [https://github.com/7a/owtf/issues/9 https://github.com/7a/owtf/issues/9]. .
* Cookie based authentication
* Form-based authentication

Additionally, we would welcome here a feature to detect when the user has been logged off, to log OWTF back in again before retrying the next request. <-- The proxy is probably a better place to implement this since external tools would also benefit from this. This feature will have to be coordinated with the MiTM proxy project below.

The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* High performance
* Reliability
* Ease of use
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with the mechanize library or HTTP state is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

=== OWASP OWTF - Inbound Proxy with MiTM and caching capabilities ===

'''Brief explanation:'''

At the moment one of the most seriously lacking features of OWASP OWTF is the Inbound proxy. Desired features here include:
* Proxy mode: Ability to start OWTF in "proxy mode" so that a human can review a site manually while taking advantage of all the OWTF grep plugins, without launching any tools.
* Proxy cache: At present, OWTF runs external tools to save time to a human pentester, the proxy cache would make OWTF smart enough to make external tools use the OWTF proxy and then avoid sending identical requests to the site (i.e. if 30 tools run by OWTF try to request X, OWTF will only make 1 request and not 30 anymore). OWTF should also be smart enough to use its own cache obviously :). The cache should be smart enough to detect lack of disk space and crashing :).
* Proxy throttling: We would like the proxy to auto-adjust speed to the speed of the target (i.e. based on how slower response times are getting) in a configurable fashion
* Proxy retry: We would like to have the ability to retry failed requests in an automated fashion for a configurable number of times
* Proxy MiTM: Proxy Man in The Middle capabilities are a must on any web app security tool. We need the ability to create a fake certificate on the fly to intercept and be able to analyse communications going to and from an "https" site.
* HTTP Transaction storage: The whole point here is of course, to store the HTTP transactions in the same way

Potential python libraries and references that could help here are:
* http://twistedmatrix.com/documents/10.0.0/api/twisted.web.proxy.Proxy.html
* https://github.com/moxie0/sslstrip
* https://github.com/7a/owtf/tree/master/framework/http <-- Current WIP OWTF state in this regard

The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Increased overall performance: We should only be sending each probe once ever if several tools try to send the same HTTP request multiple times.
* Additional HTTP transactions logged for analysis
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, previous exposure to Twisted Proxy or other python HTTP proxies will be very welcome here, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Reporting ===

'''Brief explanation:'''

A common complaint about OWASP OWTF so far has been that the report is not very shiny. The intention here is to:
* Move as much of the HTML away from python files into template files: This will facilitate web designer's work in the future.
* Apply some nice web design to the report so that it is more nice and comfortable to work with: Clear the HTML, CSS, etc
* Identify and fix areas of improvement in click flow: For example, try to reduce the distance to move the mouse

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* The first reaction when an OWASP OWTF users opens the report is now "wow"
* The report is reliable and easy to work with, even when more than 30 URLs have been assessed (i.e. a lot of data in the report does not crash or make the browser slow)
* The improved design is lightweight and keeps the browser responsive at all times

'''Knowledge Prerequisite:'''

HTML, JavaScript, CSS and a bit of Python. Web Designer background or experience would be beneficial for this.

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Multiprocessing ===

'''Brief explanation:'''

OWASP OWTF can be quite slow when scanning multiple URLs simultanously due to not scanning several hosts in parallel. We would like to use the multiprocessing python library over the threading one to take full advantage of multi-core processors without the global interpreter lock (GIL) issues associated with the threading libary :)
* We would like to scan in parallel several websites when on a different IP:
* We would like to monitor the host machine resources to avoid crashing it before spawning new processes :)
* We would like to run plugins in parallel as much as possible but without compromising integrity: Using file locks where appropriate and so on

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Reliability
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, multiprocessing experience would be beneficial for this, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - SQL database ===

'''Brief explanation:'''

OWASP OWTF scans may take a large amount of disk space due to saving information in text files, we would like to add an option to use a SQL database, probably using the sqlalchemy python library.
* Keep the current text file format as an option
* Add a database storage option using the sqlalchemy library

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Reliability: Both with the sql database option and the text file options.
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, sqlalchemy experience would be beneficial for this

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Unit Test Framework ===

'''Brief explanation:'''

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to create a unit testing framework so that creating OWASP OWTF unit tests is as simple as possible. The goal of this project is to create the Unit Test Framework and as many unit tests as possible to verify OWASP OWTF functionality.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Performant and automated regression testing
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP OWTF - Python version upgrade and compatibility ===

'''Brief explanation:'''

Right now OWASP OWTF works on Python 2.6.5-2.7.3 (might work on surrounding versions too), the aim of this project would be to change the existing codebase so that it additionally works on newer python versions too, for example Python 3.3.
The intention here is to take advantage of improvements in newer python versions when available while letting OWASP OWTF work on older python versions too (i.e. 2.6.5) if that is the only option available.
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable due to compatibility.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* Performant and reliable OWASP OWTF execution on multiple python versions, in particular the latest python version (i.e. 3.3.x) as well as the previous 2.6.5-2.7.3 range.
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with python version upgrades and python version compatibility implementations, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''

=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===

''''Brief Explanation:'''

The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.
New challenges need to be created in order to cover a broader set of vulnerabilities.
Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.

Ideas on the project:

* Simulated simple buffer overflows
* SQL injections
* Man in the middle simulation
* Bypassing regular expression filtering
* Your idea here

'''Expected Results:'''

New cool challenges

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''' Νοte: ''''
The ideas on each proposed project are examples, it would be good if you undertook any of these but we equally value creativity and we are always looking for awesome new features to add to the project, so if you have an idea don't be shy, contact us. :-)

'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader

=== OWASP Hackademic Challenges - Source Code testing environment ===

''''Brief Explanation:'''

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

'''Expected Results:'''

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

'''' Νοte: ''''
The ideas on each proposed project are examples, it would be good if you undertook any of these but we equally value creativity and we are always looking for awesome new features to add to the project, so if you have an idea don't be shy, contact us. :-)

'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader

=== OWASP Hackademic Challenges - CMS improvements ===

''''Brief Explanation:'''

The new CMS was created during last year's GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.

Ideas on this project:

* '''Plugin api and plugin actions interface'''

An easy way for users to code their own plugins which will modify the appearance of hackademic or add to the functionality.

* '''Ability to show different articles on the user's home screen'''

Now each user is served the latest article in her/his home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.

* '''Ability to define series of challenges'''

The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.

* ''' Tagging of articles, users, challenges '''

A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher.
Also the user should be able to search according to the tags.

* '''Your idea here'''

We welcome new ideas to make the project look awesome.

'''Expected Results:'''

New features and security improvements on the CMS part of the project.

'''Knowledge Prerequisites:'''

Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements.

'''' Νοte: ''''
The ideas on each proposed project are examples, it would be good if you undertook any of these but we equally value creativity and we are always looking for awesome new features to add to the project, so if you have an idea don't be shy, contact us. :-)

'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader

File:SRDF-Design.png

2013-03-28T08:10:29Z

AmrThabet: uploaded a new version of "File:SRDF-Design.png"

The User-Mode Design

File:SRDF-Design.png

2013-03-28T08:08:32Z

AmrThabet: uploaded a new version of "File:SRDF-Design.png"

The User-Mode Design

File:SRDF-Design.png

2013-03-28T08:07:55Z

AmrThabet: uploaded a new version of "File:SRDF-Design.png"

The User-Mode Design

GSoC2013 Ideas

2013-03-20T11:59:16Z

AmrThabet:

==OWASP Project Requests==
===OWASP PHP Security Project===

'''Description:'''
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.

'''Expected Results: ''' Result of this project is much more security among PHP applications. Most PHP applications are vulnerable and there's no central approach to secure them (due to open source nature). Many people look at OWASP for such information.

'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

===OWASP RBAC Project===
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''.

RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.

Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time.

OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently [[PHPRBAC]] which is the PHP version of the RBAC project is released.

'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, specially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.

'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

'''Skill Level:''' Advanced

For more info, visit [http://phprbac.net phprbac.net]

===OWASP XSSer Project===

XSSer has a correct engine implementation to search/exploit XSS vulnerabilities, but it is necessary to work on some different fields to obtain better results. Some of them are: to fight against "false positive" results, to implemenet a better human-readable output results and to develop some new features (like; CSSer, Code checks user inputs, etc...). Also, it will be nice to update the tool with more valid XSS vectors (DOM, DCP, reflected, etc...) and some "anti-anti-XSS" systems for more common browsers.

There is a roadmap on a pdf file with all tasks required to advance to next release of 'XSSer' (v1.7b - Total Swarm!)

Download: http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf

'''Brief explanation:'''

Below is shown a structure of phases and milestones code areas.

Milestones:
• Phase 1: Core:
+ Bugfixing:
- False positives
- Fix “swarm” results
- Fix 'maximize' screen (bug reported)
- Add auto-update revision
- Fix multithreading (review)
- Research 'glibc' corruption

+ Add crawlering for POST+GET (auto test 'whole' page forms)
+ Update XSS payloads (vectors.py / DOM.py / DCP.py / etc...)
+ Advance Statistics results (show more detailed outputs)
+ Advance Exporting methods (create 'whitehat' reports (xml/json))
+ Advance “WebSockets” technology on XSSer 'fortune' option
+ Update Interface (GTK+)

• Phase 2: New features:
+ Add 'code pre-check' option: Users can set which code will return target's website, to try to evade false positive results.
+ Add 'CSSer' option: Payloads for CSS injections.
+ Research/Search anti-IDS/NIDS/IPS... codes to evade XSS filters.
+ BurpXSSer: Create a Burp plugin (with Jython libs)
+ ZAPXSSer: Create a ZAP plugin (with Jython libs)

'''Expected results:'''

* To deploy a new stable version of XSSer with GTk+/Web/Shell main features working propertly,

The code should be:

* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

XSSer is written in Python, so a good knowledge of this language is recommended, as is knowledge of HTML and Javascript. Also, is necessary to have some knowledge of application security and more in concret about XSS techniques.

'''Skill Level:''' Medium

'''Mentor: epsylon (psy) - OWASP XSSer Project Leader'''

===OWASP ZAP: Dynamically Configurable actions===

ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.

It also supports a scripting interface, which is very powerful but at the moment difficult to use.

This project would introduce something inbetween thess 2 options - a powerful way of defining (potentially) complex rules using a wizard based interface.

The challenge will be to make it as usable as possible while still providing a wide range of functionality.

'''Brief explanation:'''

This component would provide a set of highly configurable 'actions' which the user would see up via a wizard.

So they would initially define when the action applies, based on things like regex matching on request elements. And they should be able to define multiple criteria with ANDs and ORs.

Then they would define the actions, which could include:

* Changing the request (adding, removing or replacing strings)
* Raising alerts
* Breaking (to replace existing break points)
* Running custom scripts (which could do pretty much anything)

They would then be able to switch the actions on and off from the full list of defined actions using checkboxes

'''Expected results:'''

* A new ZAP add-on providing the above functionality
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''

===OWASP ZAP: Enhanced HTTP Session Handling===

'''Brief explanation:'''

ZAP can currently manage multiple sessions. This development would allow ZAP to better handle HTTP Sessions to provide different views of a given target depending on the different user's permissions that the targeted site supports.

This implementation such provide a set of methods to answer questions such as: 1)What nodes(pages) are available to a group of users and not to other groups of users 2)What nodes are available to different users but these contain significant differences in the HTTP headers and/or in the body content.

This will allow ZAP to be used to detect access control issues which would otherwise require manual testing.
Expected results:

* ZAP will have an understanding of both users and roles and be able to associate them with HTTP sessions.
* The user will be able to associate credentials with different roles allowing ZAP to automatically authenticate as any user / role.
* ZAP will be able to spider an application using a given user/role.
* ZAP will be able to report the differences between different HTTP sessions.
* ZAP will be able to show different views of the site in the site's tree tab with the pages visible for each session.
* ZAP will be able to attack one session based on the URLs accessed in another session and report which appear to work.

'''Expected results:'''

Users will be able to:
* specify exactly which alerts are included, by context, site or on an individual alert basis
* specify what information is included and how it is layed out
* specify a range of output formats, at least including HTML and PDF
* include details of what testing has been performed (automatically generated where possible)
* apply their own branding
* save report templates, and apply templates downloaded from the ZAP marketplace
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and the HTTP protocol specification. Some knowledge of application security would be useful, but not essential.

'''Mentor: Guifre Ruiz - OWASP ZAP Dev Team'''

===OWASP ZAP: Advanced reporting===

'''Brief explanation:'''

The reports that ZAP generates are in a fixed format which is not particularly useful or attractive. This development would provide the user with a fine grained control over the contents, layout and branding of the reports.

'''Expected results:'''

A new user interface for genrating reports which is easy to use and provides the user with a wide range of options.
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''

===OWASP ZAP - SAML 2.0 Support===

'''Brief explanation:'''

SAML 2.0 is an XML-based federated single sign-on (FSSO) protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is an identity provider, and a SAML consumer, that is a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO). SAML specifications support many ways, called profiles and bindings, to generate and transport assertions between trusted entities The Web Browser SSO profile is of particular interest here since it enables web applications from 2 separate domains to leverage SSO easily by exchanging assertions via a web browser session.

ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. This project will enhance those capabilities to be able to detect and fuzz various elements and attributes of a SAML Assertion.

The scope of this project is limited to the following SAML bindings, profiles and protocols:

Profiles :
* Web Browser SSO

Bindings:
* HTTP POST
* HTTP Redirect

Protocols:
* Authentication Request Protocol

'''Expected results:'''

This component would enable ZAP to:
* Detect SAML Assertions in HTTP requests and responses
* Decode SAML Assertions
* Fuzz various entities and attributes within a SAML assertion
* Re-encode the assertion and send it forward
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

Users would have a choice either to fuzz the attributes within an assertion or just add/remove arbitrary attribute (to check for XML and SAML Schema Conformance).

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and SAML 2.0 Protocol. Some knowledge of application security would be useful, but not essential. Understanding of SSO and Federated SSO is preferred.

'''Mentor: Prasad N. Shenoy'''

===OWASP Security Research and Development Framework ===

'''Brief explanation:'''

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

Targeted Applications:

* Packet Analysis Tools (Personal Firewalls, HIDS/HIPS, WAF, Network Analysis, Network Capture)
* Malware Analysis Tools (Static, Dynamic, Behavioral)
* Antivirus and Virus Removal Tools (Signature-based, Behavioral-based)

'''Expected results:'''

* Implement XRAY Tool, Recursive Disassembler Tool (based on our disassembler)
* Improve Pokas Emulator and its disassembler engine
* Improve The Kernel-Mode Part and more beta-testing
* Integrate SRDF in python using SWIG

'''Knowledge Prerequisite:'''

We need variety of skills in different languages and platforms. We need a good knowledge in C++ in windows. We need a python developer for integrating SRDF in python. We need C++ developers have a good knowledge in Assembly (for working in disassembling part) and we need C++ developers have a knowledge in Kernel-Mode(for Kernel-Mode improvement and beta-testing)

'''Mentor: Amr Thabet - OWASP Security Research and Development Framework Project Leader'''

Projects/OWASP Security Research and Development Framework/Releases/Current

2013-01-04T01:12:47Z

AmrThabet:

[http://code.google.com/p/srdf/downloads/detail?name=SRDF-v1.00.rar&can=2&q= SRDF-v1.00.rar]

[http://code.google.com/p/srdf/downloads/detail?name=SRDF%20Reference%20Manual.pdf&can=2&q= SRDF Reference Manual v.100.pdf]

[http://code.google.com/p/srdf/source/browse Browse Source Code]

Projects/OWASP Security Research and Development Framework/Releases/Current

2013-01-04T01:12:14Z

AmrThabet:

[http://code.google.com/p/srdf/downloads/detail?name=SRDF-v1.00.rar&can=2&q= SRDF-v1.00.rar]

[http://code.google.com/p/srdf/downloads/detail?name=SRDF%20Reference%20Manual.pdf&can=2&q= SRDF Reference Manual v.100.pdf]

Also .. you can browse the source code:

[http://code.google.com/p/srdf/source/browse Browse Code]

Projects/OWASP Security Research and Development Framework/Releases/Current

2013-01-04T01:11:22Z

AmrThabet: Created page with "The First Release is: --------------------- [http://code.google.com/p/srdf/downloads/detail?name=SRDF-v1.00.rar&can=2&q= SRDF-v1.00.rar] [http://code.google.com/p/srdf/downlo..."

The First Release is:
---------------------
[http://code.google.com/p/srdf/downloads/detail?name=SRDF-v1.00.rar&can=2&q= SRDF-v1.00.rar]

[http://code.google.com/p/srdf/downloads/detail?name=SRDF%20Reference%20Manual.pdf&can=2&q= SRDF Reference Manual v.100.pdf]

Also .. you can browse the source code:

[http://code.google.com/p/srdf/source/browse Browse Code]

OWASP Security Research and Development Framework

2012-12-11T21:21:31Z

AmrThabet:

''Do you see writing a security tool in windows is hard?''

''Do you have a great idea but you can’t implement it?''

''Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?''

''So, Security Research and Development Framework is for you.''

= Abstract: =

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

= Introduction: =

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

= The Features: =

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools

=== The User Mode Features: ===

• Assembler and Disassembler

• x86 Emulator

• Debugger

• PE Analyzer

• Process Analyzer (Loaded DLLs, Memory Maps … etc)

• MD5, SSDeep and Wildlist Scanner (YARA)

• API Hooker and Process Injection

• Backend Database, XML Serializer

• And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features.

=== The Kernel Mode Features: ===

• Object-oriented and easy to use development framework

• Easy IRP dispatching mechanism

• SSDT Hooker

• Layered Devices Filtering

• TDI Firewall

• File and Registry Manager

• Kernel Mode easy to use internet sockets

• Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Let’s now see the design:

= The User-Mode Part: =

== The Design: ==

[[File:SRDF-Design.png]]

=== Infrastructure: ===

This includes the essential elements of any development framework and it’s not related to security like: string, hash, list, serializer, database, registry manipulation, sockets and so on.

We decided to create this part rather than depending on any development framework to make this framework independent from any other development frameworks and to be portable on any development framework

==== Targets: ====

This is the beginning of the SRDF. This part is simply the Target from your security tool. What do you want to secure or secure from. And it includes Files (PE Files and others), Processes and Packets.

==== Libraries: ====

That’s the security tools that the SRDF support. And it’s divided into two namespaces: malware and network

Malware includes the assemblers and disassemblers, emulator, debugger, API Hooker, Yara Scanner (wildcard scanner) file recursive scanner and other tools

Network includes User-Mode capturing and Firewall

==== Core (The Application Interface): ====

The Core includes the Logging system and the back-end Database.

And also, it’s the Application Interface. Like cConsoleApp … and you can inherit from it to create your own User-Interface.

We wish this part to be expanded to include more user interfaces and management systems

== The Infrastructure: ==

=== Elements: ===

It’s divided into three namespaces:

1. String: it contains the string class, encoded string, hash and list

2. Code: it contains the NativeCode class and StoredProcedure … and they represents the shellcode and the code that stored in database. Like a virus detection routines inside an Antivirus

3. XML: and it contains the XML Encoder and the Serializer.

=== Connections: ===

It’s divided into three namespaces:

1. Internet: and it contains the internet communication protocols like sockets, HTTP Sockets and so on.

2. IPC: and it contains the Inter-Process Communication protocol

3. User-Mode to Kernel-Mode Communication: and it contains the communication protocol to communicate to the kernel-mode part of the SRDF

=== Storage: ===

It’s divided into three namespaces:

1. Databases: and it contains the Database class and SQLiteDB and so on.

2. Files: and contains the File writing and logging classes

3. Registry: and it contains the registry read and write

== The Targets: ==

=== Files: ===

This namespace describes the File Formats of The Files that could contain malicious code like: Executable Files (PE and ELF) and Document Files (PDF, Docx …) and so on.

Until now it contains The PE Files parser

=== Process: ===

And it includes one class only named cProcess. And, this class describes a running process and parses its PEB and gives you the important information about the process and its memory map. And support injecting code and create a remote thread.

=== Packets: ===

And it includes classes that describe an internet packets captured on the wire or generated for an attack.

== Libraries: ==

It contains two namespaces:

=== Malware: ===

This namespace contains the scanning, Hooking and emulation libraries and contains Pokas Emulator wrapper class, Yara wrapper class (wildcard scanner), a debugger and contains a directory recursive scanner and other tools

And also, it contains the x86 assembler and disassembler (using Pokas Emulator Assembler) and allow to contain other assemblers and for other platforms.

=== Network: ===

This namespace should contain the User-Mode Packet capture and firewall. And should contain the Winpcap Packet capturing and firewall system.
It also should include Application Layer parsers for FTP, HTTP, IRC and all known protocols and include Pcap Reader and writer.

== The Core: ==

And the core includes the cApp class that contains the back-end database and logging and the User-Interface such as cConsoleApp

= The Kernel-Mode: =

== The Kernel-Mode Goals: ==

The Goals of the kernel-Mode development Framework are:

1. Easy to create a Kernel-Mode security tool

2. Support OOP using the native device driver programming APIs

3. Support detaching between devices in IRPs

4. Easy to use files, registry and so on

5. Create a User-Mode/Kernel-Mode communication protocol

6. Designed only for hooking and security tools.

The Kernel-Mode SRDF is designed on native device driver programming APIs and independent from the WDF (windows drivers foundation).

Now we will describe the design of Framework and then we will go through the IRP dispatching mechanism in the KM-SRDF

== The Design: ==

[[File:SRDF-Kernel-Design.png]]

'''Driver:''' It’s the core management system that dispatching the IRPs to the devices and manage the devices.

'''Device:''' it represents a device object and it contains the IRP dispatching between the control device object and the filtering device objects and includes attaching and detaching from a devices chain and all necessary functions for a device object

'''SSDT Device:''' this class is inherited from device class and it’s created for SSDT Hooking

'''Filter Device:''' this class created for attaching to a chain and filtering the inputs and the outputs of the IRPs

'''File Filter Device:''' this class is inherited from Filter Device and it’s created for filtering the File system I/O request packets (IRPs) or monitoring file operations

'''TDI Firewall:''' this class is inherited from Filter Device and it’s created for filtering the internet packets and connections and the processes that tries to connect to the internet

'''DKOM Device:''' this class created to provide a generic way to work with opaque structures in windows without worrying about windows version and subversion (under construction)

'''Process Device:''' this class provides a way to inject code or modify the memory of a process from the kernel-mode

'''File/Registry Managers:''' they are tools created to support writing files and working with registry easily without worrying about IRQL

'''Sockets:''' it’s an easy interface to connect to the internet using the TDI interface

== The IRP Dispatching: ==

[[File:SRDF-IRP-Dispatching.png]]

• The IRP dispatching begins from the entry.cpp and it dispatch the IRP to the Driver

• The driver checks the device object and dispatch the IRP to the related device

• The device sends the IRP to the User-Mode communication object to work with it as it’s sent to the control device object

• If it’s a FileFilter Device, the device dispatches the IRP based on the device object to the Attached Device Objects or to the control device object and the user-mode communication

= Source Code: =

http://code.google.com/p/srdf/

= Join Us: =

''Do you get benefit from this framework and you need to give something back?''

''Do you want to add something to your CV?''

''Do you want to meet smart developers and join a big community?''

''Do you want to learn new things?''

''Here is place … join the development community, meet new smart people and have fun.''

= Roadmap: =

== 1. Antivirus: ==

a. XRAY Tool

b. Heuristics Analysis

c. Behavior-based Detection Tools.

d. More File Formats (PDF, apk, …)

e. OpenSBI and other Virus Classification File Formats

f. Sandboxing Mechanism.

i. Using API/ SSDT Hooking

ii. Emulation Based on Pokas Emulator.

g. Update System with Flexible Mechanism

== 2. Malware Analysis: ==

a. SSDT Hooking for (Processes, Files, Registry and Sockets System Calls)

b. API Hooking (for the same as above)

c. Improvement in Pokas Emulator, Assembler and Disassembler

d. Packet Capturing Tool and Emulated IRC and HTTP Connection (Server emulate the replies to the malware and log the data)

e. Recursive Disassembler

f. More APIs Emulation in Pokas x86 Emulator

g. Support more Instructions (All FPU instructions, All general purpose instructions and support mmx and 3dnow)

h. Support idb (IDA Pro Database) to read it and use its analysis

== 3. Unpackers: ==

I’m aiming to create a database for all static unpacking codes for the mostly common unpackers and I hope it could be updated by the community

== 4. Integrations: ==

a. Integration into IDA Pro Plugin Interface … and in (Debugger Menu)

b. OllyDbg Plugin Interface

c. Ollyscript Executer on cDebugger

d. Metasploit Integeration (in Meterpreter Post Exploitation

e. Python, Ruby, Delphi Header files and cTypes for SRDF.dll

== 5. Network: ==

a. Support NDIS, kernel sockets and more new libraries

b. Process Analyzer in Kernel-Mode

c. Packet Capturing Library

d. More Debugging and Bug fixing

== 6. Others: ==

a. We need to build website.

b. We need activities for learning.

c. We need more documentations and tutorials

d. We need more helpful tools and applications based on SRDF

= Conclusion: =

This development framework will support the anti-malware technologies to grow and support implementing researches in the malware field more to withstand against the new attacks nowadays

The framework is based on community and we aim to create a big community for it. We didn’t finished the framework … we just begin

=Project About=
{{:Projects/OWASP_Security_Research_and_Development_Framework}}

[[Category:OWASP Project]]

OWASP Security Research and Development Framework

2012-12-11T21:19:17Z

AmrThabet:

''Do you see writing a security tool in windows is hard?''

''Do you have a great idea but you can’t implement it?''

''Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?''

''So, Security Research and Development Framework is for you.''

= Abstract: =

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

= Introduction: =

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

= The Features: =

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools

=== The User Mode Features: ===

• Assembler and Disassembler

• x86 Emulator

• Debugger

• PE Analyzer

• Process Analyzer (Loaded DLLs, Memory Maps … etc)

• MD5, SSDeep and Wildlist Scanner (YARA)

• API Hooker and Process Injection

• Backend Database, XML Serializer

• And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features.

=== The Kernel Mode Features: ===

• Object-oriented and easy to use development framework

• Easy IRP dispatching mechanism

• SSDT Hooker

• Layered Devices Filtering

• TDI Firewall

• File and Registry Manager

• Kernel Mode easy to use internet sockets

• Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Let’s now see the design:

= The User-Mode Part: =

== The Design: ==

[[File:SRDF-Design.png]]

=== Infrastructure: ===

This includes the essential elements of any development framework and it’s not related to security like: string, hash, list, serializer, database, registry manipulation, sockets and so on.

We decided to create this part rather than depending on any development framework to make this framework independent from any other development frameworks and to be portable on any development framework

==== Targets: ====

This is the beginning of the SRDF. This part is simply the Target from your security tool. What do you want to secure or secure from. And it includes Files (PE Files and others), Processes and Packets.

==== Libraries: ====

That’s the security tools that the SRDF support. And it’s divided into two namespaces: malware and network

Malware includes the assemblers and disassemblers, emulator, debugger, API Hooker, Yara Scanner (wildcard scanner) file recursive scanner and other tools

Network includes User-Mode capturing and Firewall

==== Core (The Application Interface): ====

The Core includes the Logging system and the back-end Database.

And also, it’s the Application Interface. Like cConsoleApp … and you can inherit from it to create your own User-Interface.

We wish this part to be expanded to include more user interfaces and management systems

== The Infrastructure: ==

=== Elements: ===

It’s divided into three namespaces:

1. String: it contains the string class, encoded string, hash and list
2. Code: it contains the NativeCode class and StoredProcedure … and they represents the shellcode and the code that stored in database. Like a virus detection routines inside an Antivirus
3. XML: and it contains the XML Encoder and the Serializer.

=== Connections: ===

It’s divided into three namespaces:

1. Internet: and it contains the internet communication protocols like sockets, HTTP Sockets and so on.
2. IPC: and it contains the Inter-Process Communication protocol
3. User-Mode to Kernel-Mode Communication: and it contains the communication protocol to communicate to the kernel-mode part of the SRDF

=== Storage: ===

It’s divided into three namespaces:

1. Databases: and it contains the Database class and SQLiteDB and so on.
2. Files: and contains the File writing and logging classes
3. Registry: and it contains the registry read and write

== The Targets: ==

=== Files: ===

This namespace describes the File Formats of The Files that could contain malicious code like: Executable Files (PE and ELF) and Document Files (PDF, Docx …) and so on.

Until now it contains The PE Files parser

=== Process: ===

And it includes one class only named cProcess. And, this class describes a running process and parses its PEB and gives you the important information about the process and its memory map. And support injecting code and create a remote thread.

=== Packets: ===

And it includes classes that describe an internet packets captured on the wire or generated for an attack.

== Libraries: ==

It contains two namespaces:

=== Malware: ===

This namespace contains the scanning, Hooking and emulation libraries and contains Pokas Emulator wrapper class, Yara wrapper class (wildcard scanner), a debugger and contains a directory recursive scanner and other tools

And also, it contains the x86 assembler and disassembler (using Pokas Emulator Assembler) and allow to contain other assemblers and for other platforms.

=== Network: ===

This namespace should contain the User-Mode Packet capture and firewall. And should contain the Winpcap Packet capturing and firewall system.
It also should include Application Layer parsers for FTP, HTTP, IRC and all known protocols and include Pcap Reader and writer.

== The Core: ==

And the core includes the cApp class that contains the back-end database and logging and the User-Interface such as cConsoleApp

= The Kernel-Mode: =

== The Kernel-Mode Goals: ==

The Goals of the kernel-Mode development Framework are:

1. Easy to create a Kernel-Mode security tool

2. Support OOP using the native device driver programming APIs

3. Support detaching between devices in IRPs

4. Easy to use files, registry and so on

5. Create a User-Mode/Kernel-Mode communication protocol

6. Designed only for hooking and security tools.

The Kernel-Mode SRDF is designed on native device driver programming APIs and independent from the WDF (windows drivers foundation).

Now we will describe the design of Framework and then we will go through the IRP dispatching mechanism in the KM-SRDF

== The Design: ==

[[File:SRDF-Kernel-Design.png]]

'''Driver:''' It’s the core management system that dispatching the IRPs to the devices and manage the devices.

'''Device:''' it represents a device object and it contains the IRP dispatching between the control device object and the filtering device objects and includes attaching and detaching from a devices chain and all necessary functions for a device object

'''SSDT Device:''' this class is inherited from device class and it’s created for SSDT Hooking

'''Filter Device:''' this class created for attaching to a chain and filtering the inputs and the outputs of the IRPs

'''File Filter Device:''' this class is inherited from Filter Device and it’s created for filtering the File system I/O request packets (IRPs) or monitoring file operations

'''TDI Firewall:''' this class is inherited from Filter Device and it’s created for filtering the internet packets and connections and the processes that tries to connect to the internet

'''DKOM Device:''' this class created to provide a generic way to work with opaque structures in windows without worrying about windows version and subversion (under construction)

'''Process Device:''' this class provides a way to inject code or modify the memory of a process from the kernel-mode

'''File/Registry Managers:''' they are tools created to support writing files and working with registry easily without worrying about IRQL

'''Sockets:''' it’s an easy interface to connect to the internet using the TDI interface

== The IRP Dispatching: ==

[[File:SRDF-IRP-Dispatching.png]]

• The IRP dispatching begins from the entry.cpp and it dispatch the IRP to the Driver

• The driver checks the device object and dispatch the IRP to the related device

• The device sends the IRP to the User-Mode communication object to work with it as it’s sent to the control device object

• If it’s a FileFilter Device, the device dispatches the IRP based on the device object to the Attached Device Objects or to the control device object and the user-mode communication

= Source Code: =

http://code.google.com/p/srdf/

= Join Us: =

''Do you get benefit from this framework and you need to give something back?''

''Do you want to add something to your CV?''

''Do you want to meet smart developers and join a big community?''

''Do you want to learn new things?''

''Here is place … join the development community, meet new smart people and have fun.''

= Roadmap: =

== 1. Antivirus: ==

a. XRAY Tool

b. Heuristics Analysis

c. Behavior-based Detection Tools.

d. More File Formats (PDF, apk, …)

e. OpenSBI and other Virus Classification File Formats

f. Sandboxing Mechanism.

i. Using API/ SSDT Hooking

ii. Emulation Based on Pokas Emulator.

g. Update System with Flexible Mechanism

== 2. Malware Analysis: ==

a. SSDT Hooking for (Processes, Files, Registry and Sockets System Calls)

b. API Hooking (for the same as above)

c. Improvement in Pokas Emulator, Assembler and Disassembler

d. Packet Capturing Tool and Emulated IRC and HTTP Connection (Server emulate the replies to the malware and log the data)

e. Recursive Disassembler

f. More APIs Emulation in Pokas x86 Emulator

g. Support more Instructions (All FPU instructions, All general purpose instructions and support mmx and 3dnow)

h. Support idb (IDA Pro Database) to read it and use its analysis

== 3. Unpackers: ==

I’m aiming to create a database for all static unpacking codes for the mostly common unpackers and I hope it could be updated by the community

== 4. Integrations: ==

a. Integration into IDA Pro Plugin Interface … and in (Debugger Menu)

b. OllyDbg Plugin Interface

c. Ollyscript Executer on cDebugger

d. Metasploit Integeration (in Meterpreter Post Exploitation

e. Python, Ruby, Delphi Header files and cTypes for SRDF.dll

== 5. Network: ==

a. Support NDIS, kernel sockets and more new libraries

b. Process Analyzer in Kernel-Mode

c. Packet Capturing Library

d. More Debugging and Bug fixing

== 6. Others: ==

a. We need to build website.

b. We need activities for learning.

c. We need more documentations and tutorials

d. We need more helpful tools and applications based on SRDF

= Conclusion: =

This development framework will support the anti-malware technologies to grow and support implementing researches in the malware field more to withstand against the new attacks nowadays

The framework is based on community and we aim to create a big community for it. We didn’t finished the framework … we just begin

=Project About=
{{:Projects/OWASP_Security_Research_and_Development_Framework}}

[[Category:OWASP Project]]

File:SRDF-Kernel-Design.png

2012-12-11T21:16:35Z

AmrThabet:

File:SRDF-IRP-Dispatching.png

2012-12-11T21:16:22Z

AmrThabet:

File:SRDF-Design.png

2012-12-11T21:15:51Z

AmrThabet: The User-Mode Design

The User-Mode Design

OWASP Security Research and Development Framework

2012-12-11T21:09:45Z

AmrThabet:

''Do you see writing a security tool in windows is hard?''

''Do you have a great idea but you can’t implement it?''

''Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?''

''So, Security Research and Development Framework is for you.''

= Abstract: =

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

= Introduction: =

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

= The Features: =

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools

=== The User Mode Features: ===

• Assembler and Disassembler

• x86 Emulator

• Debugger

• PE Analyzer

• Process Analyzer (Loaded DLLs, Memory Maps … etc)

• MD5, SSDeep and Wildlist Scanner (YARA)

• API Hooker and Process Injection

• Backend Database, XML Serializer

• And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features.

=== The Kernel Mode Features: ===

• Object-oriented and easy to use development framework

• Easy IRP dispatching mechanism

• SSDT Hooker

• Layered Devices Filtering

• TDI Firewall

• File and Registry Manager

• Kernel Mode easy to use internet sockets

• Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Let’s now see the design:

= The User-Mode Part: =

== The Design: ==

=== Infrastructure: ===

This includes the essential elements of any development framework and it’s not related to security like: string, hash, list, serializer, database, registry manipulation, sockets and so on.

We decided to create this part rather than depending on any development framework to make this framework independent from any other development frameworks and to be portable on any development framework

==== Targets: ====

This is the beginning of the SRDF. This part is simply the Target from your security tool. What do you want to secure or secure from. And it includes Files (PE Files and others), Processes and Packets.

==== Libraries: ====

That’s the security tools that the SRDF support. And it’s divided into two namespaces: malware and network

Malware includes the assemblers and disassemblers, emulator, debugger, API Hooker, Yara Scanner (wildcard scanner) file recursive scanner and other tools

Network includes User-Mode capturing and Firewall

==== Core (The Application Interface): ====

The Core includes the Logging system and the back-end Database.

And also, it’s the Application Interface. Like cConsoleApp … and you can inherit from it to create your own User-Interface.

We wish this part to be expanded to include more user interfaces and management systems

== The Infrastructure: ==

=== Elements: ===

It’s divided into three namespaces:

1. String: it contains the string class, encoded string, hash and list
2. Code: it contains the NativeCode class and StoredProcedure … and they represents the shellcode and the code that stored in database. Like a virus detection routines inside an Antivirus
3. XML: and it contains the XML Encoder and the Serializer.

=== Connections: ===

It’s divided into three namespaces:

1. Internet: and it contains the internet communication protocols like sockets, HTTP Sockets and so on.
2. IPC: and it contains the Inter-Process Communication protocol
3. User-Mode to Kernel-Mode Communication: and it contains the communication protocol to communicate to the kernel-mode part of the SRDF

=== Storage: ===

It’s divided into three namespaces:

1. Databases: and it contains the Database class and SQLiteDB and so on.
2. Files: and contains the File writing and logging classes
3. Registry: and it contains the registry read and write

== The Targets: ==

=== Files: ===

This namespace describes the File Formats of The Files that could contain malicious code like: Executable Files (PE and ELF) and Document Files (PDF, Docx …) and so on.

Until now it contains The PE Files parser

=== Process: ===

And it includes one class only named cProcess. And, this class describes a running process and parses its PEB and gives you the important information about the process and its memory map. And support injecting code and create a remote thread.

=== Packets: ===

And it includes classes that describe an internet packets captured on the wire or generated for an attack.

== Libraries: ==

It contains two namespaces:

=== Malware: ===

This namespace contains the scanning, Hooking and emulation libraries and contains Pokas Emulator wrapper class, Yara wrapper class (wildcard scanner), a debugger and contains a directory recursive scanner and other tools

And also, it contains the x86 assembler and disassembler (using Pokas Emulator Assembler) and allow to contain other assemblers and for other platforms.

=== Network: ===

This namespace should contain the User-Mode Packet capture and firewall. And should contain the Winpcap Packet capturing and firewall system.
It also should include Application Layer parsers for FTP, HTTP, IRC and all known protocols and include Pcap Reader and writer.

== The Core: ==

And the core includes the cApp class that contains the back-end database and logging and the User-Interface such as cConsoleApp

= The Kernel-Mode: =

== The Kernel-Mode Goals: ==

The Goals of the kernel-Mode development Framework are:

1. Easy to create a Kernel-Mode security tool

2. Support OOP using the native device driver programming APIs

3. Support detaching between devices in IRPs

4. Easy to use files, registry and so on

5. Create a User-Mode/Kernel-Mode communication protocol

6. Designed only for hooking and security tools.

The Kernel-Mode SRDF is designed on native device driver programming APIs and independent from the WDF (windows drivers foundation).

Now we will describe the design of Framework and then we will go through the IRP dispatching mechanism in the KM-SRDF

== The Design: ==

'''Driver:''' It’s the core management system that dispatching the IRPs to the devices and manage the devices.

'''Device:''' it represents a device object and it contains the IRP dispatching between the control device object and the filtering device objects and includes attaching and detaching from a devices chain and all necessary functions for a device object

'''SSDT Device:''' this class is inherited from device class and it’s created for SSDT Hooking

'''Filter Device:''' this class created for attaching to a chain and filtering the inputs and the outputs of the IRPs

'''File Filter Device:''' this class is inherited from Filter Device and it’s created for filtering the File system I/O request packets (IRPs) or monitoring file operations

'''TDI Firewall:''' this class is inherited from Filter Device and it’s created for filtering the internet packets and connections and the processes that tries to connect to the internet

'''DKOM Device:''' this class created to provide a generic way to work with opaque structures in windows without worrying about windows version and subversion (under construction)

'''Process Device:''' this class provides a way to inject code or modify the memory of a process from the kernel-mode

'''File/Registry Managers:''' they are tools created to support writing files and working with registry easily without worrying about IRQL

'''Sockets:''' it’s an easy interface to connect to the internet using the TDI interface

== The IRP Dispatching: ==

• The IRP dispatching begins from the entry.cpp and it dispatch the IRP to the Driver

• The driver checks the device object and dispatch the IRP to the related device

• The device sends the IRP to the User-Mode communication object to work with it as it’s sent to the control device object

• If it’s a FileFilter Device, the device dispatches the IRP based on the device object to the Attached Device Objects or to the control device object and the user-mode communication

= Source Code: =

http://code.google.com/p/srdf/

= Join Us: =

''Do you get benefit from this framework and you need to give something back?''

''Do you want to add something to your CV?''

''Do you want to meet smart developers and join a big community?''

''Do you want to learn new things?''

''Here is place … join the development community, meet new smart people and have fun.''

= Roadmap: =

== 1. Antivirus: ==

a. XRAY Tool

b. Heuristics Analysis

c. Behavior-based Detection Tools.

d. More File Formats (PDF, apk, …)

e. OpenSBI and other Virus Classification File Formats

f. Sandboxing Mechanism.

i. Using API/ SSDT Hooking

ii. Emulation Based on Pokas Emulator.

g. Update System with Flexible Mechanism

== 2. Malware Analysis: ==

a. SSDT Hooking for (Processes, Files, Registry and Sockets System Calls)

b. API Hooking (for the same as above)

c. Improvement in Pokas Emulator, Assembler and Disassembler

d. Packet Capturing Tool and Emulated IRC and HTTP Connection (Server emulate the replies to the malware and log the data)

e. Recursive Disassembler

f. More APIs Emulation in Pokas x86 Emulator

g. Support more Instructions (All FPU instructions, All general purpose instructions and support mmx and 3dnow)

h. Support idb (IDA Pro Database) to read it and use its analysis

== 3. Unpackers: ==

I’m aiming to create a database for all static unpacking codes for the mostly common unpackers and I hope it could be updated by the community

== 4. Integrations: ==

a. Integration into IDA Pro Plugin Interface … and in (Debugger Menu)

b. OllyDbg Plugin Interface

c. Ollyscript Executer on cDebugger

d. Metasploit Integeration (in Meterpreter Post Exploitation

e. Python, Ruby, Delphi Header files and cTypes for SRDF.dll

== 5. Network: ==

a. Support NDIS, kernel sockets and more new libraries

b. Process Analyzer in Kernel-Mode

c. Packet Capturing Library

d. More Debugging and Bug fixing

== 6. Others: ==

a. We need to build website.

b. We need activities for learning.

c. We need more documentations and tutorials

d. We need more helpful tools and applications based on SRDF

= Conclusion: =

This development framework will support the anti-malware technologies to grow and support implementing researches in the malware field more to withstand against the new attacks nowadays

The framework is based on community and we aim to create a big community for it. We didn’t finished the framework … we just begin

=Project About=
{{:Projects/OWASP_Security_Research_and_Development_Framework}}

[[Category:OWASP Project]]

OWASP Security Research and Development Framework

2012-12-11T21:02:36Z

AmrThabet:

''Do you see writing a security tool in windows is hard?

Do you have a great idea but you can’t implement it?

Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?

So, Security Research and Development Framework is for you.''

= Abstract: =

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

= Introduction: =

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

= The Features: =

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools … and they are:

• Assembler and Disassembler

• x86 Emulator

• Debugger

• PE Analyzer

• Process Analyzer (Loaded DLLs, Memory Maps … etc)

• MD5, SSDeep and Wildlist Scanner (YARA)

• API Hooker and Process Injection

• Backend Database, XML Serializer

• And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features:

• Object-oriented and easy to use development framework

• Easy IRP dispatching mechanism

• SSDT Hooker

• Layered Devices Filtering

• TDI Firewall

• File and Registry Manager

• Kernel Mode easy to use internet sockets

• Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Let’s now see the design:

= The User-Mode Part: =

== The Design: ==

=== Infrastructure: ===

This includes the essential elements of any development framework and it’s not related to security like: string, hash, list, serializer, database, registry manipulation, sockets and so on.

We decided to create this part rather than depending on any development framework to make this framework independent from any other development frameworks and to be portable on any development framework

==== Targets: ====

This is the beginning of the SRDF. This part is simply the Target from your security tool. What do you want to secure or secure from. And it includes Files (PE Files and others), Processes and Packets.

==== Libraries: ====

That’s the security tools that the SRDF support. And it’s divided into two namespaces: malware and network

Malware includes the assemblers and disassemblers, emulator, debugger, API Hooker, Yara Scanner (wildcard scanner) file recursive scanner and other tools

Network includes User-Mode capturing and Firewall

==== Core (The Application Interface): ====

The Core includes the Logging system and the back-end Database.

And also, it’s the Application Interface. Like cConsoleApp … and you can inherit from it to create your own User-Interface.

We wish this part to be expanded to include more user interfaces and management systems

== The Infrastructure: ==

=== Elements: ===

It’s divided into three namespaces:

1. String: it contains the string class, encoded string, hash and list
2. Code: it contains the NativeCode class and StoredProcedure … and they represents the shellcode and the code that stored in database. Like a virus detection routines inside an Antivirus
3. XML: and it contains the XML Encoder and the Serializer.

=== Connections: ===

It’s divided into three namespaces:

1. Internet: and it contains the internet communication protocols like sockets, HTTP Sockets and so on.
2. IPC: and it contains the Inter-Process Communication protocol
3. User-Mode to Kernel-Mode Communication: and it contains the communication protocol to communicate to the kernel-mode part of the SRDF

=== Storage: ===

It’s divided into three namespaces:

1. Databases: and it contains the Database class and SQLiteDB and so on.
2. Files: and contains the File writing and logging classes
3. Registry: and it contains the registry read and write

=== The Targets: ===

==== Files: ====

This namespace describes the File Formats of The Files that could contain malicious code like: Executable Files (PE and ELF) and Document Files (PDF, Docx …) and so on.

Until now it contains The PE Files parser

==== Process: ====

And it includes one class only named cProcess. And, this class describes a running process and parses its PEB and gives you the important information about the process and its memory map. And support injecting code and create a remote thread.

==== Packets: ====

And it includes classes that describe an internet packets captured on the wire or generated for an attack.

=== Libraries: ===

It contains two namespaces:

==== Malware: ====

This namespace contains the scanning, Hooking and emulation libraries and contains Pokas Emulator wrapper class, Yara wrapper class (wildcard scanner), a debugger and contains a directory recursive scanner and other tools

And also, it contains the x86 assembler and disassembler (using Pokas Emulator Assembler) and allow to contain other assemblers and for other platforms.

==== Network: ====

This namespace should contain the User-Mode Packet capture and firewall. And should contain the Winpcap Packet capturing and firewall system.
It also should include Application Layer parsers for FTP, HTTP, IRC and all known protocols and include Pcap Reader and writer.

=== The Core: ===

And the core includes the cApp class that contains the back-end database and logging and the User-Interface such as cConsoleApp

= The Kernel-Mode: =

== The Kernel-Mode Goals: ==

The Goals of the kernel-Mode development Framework are:

1. Easy to create a Kernel-Mode security tool
2. Support OOP using the native device driver programming APIs
3. Support detaching between devices in IRPs
4. Easy to use files, registry and so on
5. Create a User-Mode/Kernel-Mode communication protocol
6. Designed only for hooking and security tools.

The Kernel-Mode SRDF is designed on native device driver programming APIs and independent from the WDF (windows drivers foundation).

Now we will describe the design of Framework and then we will go through the IRP dispatching mechanism in the KM-SRDF

== The Design: ==

'''Driver:''' It’s the core management system that dispatching the IRPs to the devices and manage the devices.

'''Device:''' it represents a device object and it contains the IRP dispatching between the control device object and the filtering device objects and includes attaching and detaching from a devices chain and all necessary functions for a device object

'''SSDT Device:''' this class is inherited from device class and it’s created for SSDT Hooking

'''Filter Device:''' this class created for attaching to a chain and filtering the inputs and the outputs of the IRPs

'''File Filter Device:''' this class is inherited from Filter Device and it’s created for filtering the File system I/O request packets (IRPs) or monitoring file operations

'''TDI Firewall:''' this class is inherited from Filter Device and it’s created for filtering the internet packets and connections and the processes that tries to connect to the internet

'''DKOM Device:''' this class created to provide a generic way to work with opaque structures in windows without worrying about windows version and subversion (under construction)

'''Process Device:''' this class provides a way to inject code or modify the memory of a process from the kernel-mode

'''File/Registry Managers:''' they are tools created to support writing files and working with registry easily without worrying about IRQL

'''Sockets:''' it’s an easy interface to connect to the internet using the TDI interface

== The IRP Dispatching: ==

• The IRP dispatching begins from the entry.cpp and it dispatch the IRP to the Driver
• The driver checks the device object and dispatch the IRP to the related device
• The device sends the IRP to the User-Mode communication object to work with it as it’s sent to the control device object
• If it’s a FileFilter Device, the device dispatches the IRP based on the device object to the Attached Device Objects or to the control device object and the user-mode communication

= Source Code: =

http://code.google.com/p/srdf/

= Join Us: =

''Do you get benefit from this framework and you need to give something back?''

''Do you want to add something to your CV?''

''Do you want to meet smart developers and join a big community?''

''Do you want to learn new things?''

Here is place … join the development community, meet new smart people and have fun.

= Roadmap: =

== 1. Antivirus: ==

a. XRAY Tool
b. Heuristics Analysis
c. Behavior-based Detection Tools.
d. More File Formats (PDF, apk, …)
e. OpenSBI and other Virus Classification File Formats
f. Sandboxing Mechanism.
i. Using API/ SSDT Hooking
ii. Emulation Based on Pokas Emulator.
g. Update System with Flexible Mechanism

== 2. Malware Analysis: ==

a. SSDT Hooking for (Processes, Files, Registry and Sockets System Calls)
b. API Hooking (for the same as above)
c. Improvement in Pokas Emulator, Assembler and Disassembler
d. Packet Capturing Tool and Emulated IRC and HTTP Connection (Server emulate the replies to the malware and log the data)
e. Recursive Disassembler
f. More APIs Emulation in Pokas x86 Emulator
g. Support more Instructions (All FPU instructions, All general purpose instructions and support mmx and 3dnow)
h. Support idb (IDA Pro Database) to read it and use its analysis

== 3. Unpackers: ==

I’m aiming to create a database for all static unpacking codes for the mostly common unpackers and I hope it could be updated by the community

== 4. Integrations: ==

a. Integration into IDA Pro Plugin Interface … and in (Debugger Menu)
b. OllyDbg Plugin Interface
c. Ollyscript Executer on cDebugger
d. Metasploit Integeration (in Meterpreter Post Exploitation
e. Python, Ruby, Delphi Header files and cTypes for SRDF.dll

== 5. Network: ==

a. Support NDIS, kernel sockets and more new libraries
b. Process Analyzer in Kernel-Mode
c. Packet Capturing Library
d. More Debugging and Bug fixing

== 6. Others: ==

a. We need to build website.
b. We need activities for learning.
c. We need more documentations and tutorials
d. We need more helpful tools and applications based on SRDF

= Conclusion: =

This development framework will support the anti-malware technologies to grow and support implementing researches in the malware field more to withstand against the new attacks nowadays

The framework is based on community and we aim to create a big community for it. We didn’t finished the framework … we just begin

=Project About=
{{:Projects/OWASP_Security_Research_and_Development_Framework}}

[[Category:OWASP Project]]

OWASP Security Research and Development Framework

2012-12-11T20:51:50Z

AmrThabet:

=Main=

''Do you see writing a security tool in windows is hard?
Do you have a great idea but you can’t implement it?
Do you have a good malware analysis tool and you don’t need it to become a plugin in OllyDbg or IDA Pro?
So, Security Research and Development Framework is for you.''

== Abstract: ==

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

== Introduction: ==

In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

== The Features: ==

Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools … and they are:

• Assembler and Disassembler

• x86 Emulator

• Debugger

• PE Analyzer

• Process Analyzer (Loaded DLLs, Memory Maps … etc)

• MD5, SSDeep and Wildlist Scanner (YARA)

• API Hooker and Process Injection

• Backend Database, XML Serializer

• And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features:

• Object-oriented and easy to use development framework

• Easy IRP dispatching mechanism

• SSDT Hooker

• Layered Devices Filtering

• TDI Firewall

• File and Registry Manager

• Kernel Mode easy to use internet sockets

• Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Let’s now see the design:

=Project About=
{{:Projects/OWASP_Security_Research_and_Development_Framework}}

[[Category:OWASP Project]]