OWASP - User contributions [en]

OWASP Tiger

2007-04-08T22:55:47Z

Boris: /* Setup Instructios */

'''OWASP Tiger''' is a Windows application originally intented to be used for automating the process of testing various known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send a HTTP requests, receive and analyze the responses, match them against a set of conditions to produce ''alerts'', notifications that something is wrong with the application(s) or service(s) being tested.
==Goals==
Tiger's goals are quite simple:
* '''Provide a simple way to create HTTP or HTTPS requests.''' You can define these using a very simple to use GUI.
* '''Provide a simple, but flexible way of analyzing the responses automatically.''' You can define sets of rules that are to be applied to responses using a user friendly conditioin editor.
* '''Allow for easy sharing and reuse of tests.''' You can save your test projects, send them to other Tiger users and even create templates that new Tiger projects can be based upon.

[[Image:new_project_dialog.png]]

''Figure 1: Tiger's New Project dialog''

[[Image:condition_complete.png]]

''Figure 2: Tiger's Condition Editor''

[[Image:tiger_hover_info.png]]

''Figure 3: Examining the test results

==Download==
[http://sourceforge.net/project/downloading.php?group_id=64424&use_mirror=osdn&filename=Tiger_ASP_NET_Module.zip&97209405 ASP.Net Module] - Updated on 2/17/2007

[http://sourceforge.net/project/downloading.php?group_id=64424&use_mirror=osdn&filename=TigerClient.zip&2780900 Tiger Windows Client] - Updated on 2/17/2007

You can download the Tiger source code from [http://code.google.com/p/owasp-code-central/source Google code].

==Setup Instructions==
Tiger requires the .NET Framework 2.0 to be installed. If you don't have it, download it [http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en here (x86 architecture)].

==User Manual==
Tiger user manual is available [[Tiger User Manual|here]].
==Future Development==
Hopefully, the future development of OWASP Tiger will be twofold:
* Tiger itself
* Project templates for various well known Web applications (i.e. your favorite portal, forum, blog etc.)
==Project Contributors==
Tiger is developed by Boris Maletic, under an OWASP Autumn of Code 2006 sponsorship. Project leader is Dinis Cruz.

OWASP Spring Of Code 2007 Applications

2007-03-28T15:21:09Z

Boris: /* Boris - OWASP Report Tiger */

This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]

'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''

See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application

---------

'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:

== {Your first name or Alias} - {Project name} ==
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.

* Your educational and professional background

* Application security experience and accomplishments

* Participation and leadership in open communities

* The opportunity, challenges, issues or need your proposal addresses

* Objectives or ways in which you will meet the goal(s)

* Specific activities and who will carry out these activities

* Specific deliverables and a rough project schedule so we can track progress

* Long-term vision for the project

* Any other reasons why you and your project should be selected

== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==

I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of
information systems security since 1994, when BBSes and Linux still lived together.

A quick search for buanzo on google [http://www.google.com/search?hl=en&q=buanzo&btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].

In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].

=== Accomplishments ===

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing
an Internet Draft to be proposed for RFC regarding Enigform.

=== Community ===

I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs,
answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].

=== My Project ===

Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].

Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.

Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].

=== Long Term ===

Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers
and/or programming languages, and also provide OpenPGP De/Encryption support.

=== Why should I be selected ===

I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the
international security community, and I firmly believe Enigform is my greatest idea so far.

== Eoin Keary - Code review Project ==
* '''Executive Summary''':
I am proposing that I complete the OWASP Code review guide during this period.
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.

The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.
Code review methodologies also need to be discussed.

* '''Objectives and Deliverables''':

Update of the code review guide:
* Add additional areas relating to the code review process such as:
** Benefits and pitfalls
** Methodology
** The code review process
*** Transactional analysis
*** Managing the code review process
*** Assigning risk to findings

** Technical guides
*** Language specific best practice
*** Java
*** .NET
*** PHP
*** MySQL
*** Stored Procs
*** C/C++

** Code review by vulnerability:
*** Reviewing Code for Buffer Overruns and Overflows
*** Reviewing Code for OS Injection
*** Reviewing Code for SQL Injection
*** Reviewing Code for Data Validation
*** Reviewing code for XSS issues
*** Reviewing Code for Error Handling
*** Reviewing Code for Logging Issues
*** Reviewing The Secure Code Environment
*** Reviewing code for Authorization Issues
*** Reviewing code for Authentication Issues
*** Reviewing code for Session Integrity
*** Reviewing code for Cross Site Request Forgery
*** Reviewing code for Cryptography implementation issues
*** Reviewing code Dangerous HTTP Methods (Deployment)
*** Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.

* '''Why I should be sponsored for the project''':

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process.
I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time.

I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

== Paolo Perego - Owasp Orizon Project ==
* '''Executive Summary''':
Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.

* '''Objectives and Deliverables''':
Completing the static code review API section
* improving programming language to XML translator
* improving security best practices code review scan library
* improving secure coding fashion best practices library
* writing the pattern matching scan using the aformentioned libraries
Writing the java source code enforment objects
* writing an object to handle form data values to avoid XSS
* writing an object to handle form data values to avoid SQL Injection
* writing an object to handle HttpRequest and HttpSession objects

* '''Why I should be sponsored for the project''':
Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.
I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

== Sebastien Deleersnyder - OWASP Education Project ==
* '''Executive Summary''':
This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

* '''Objectives and Deliverables''':
Currently the project goals are to create Educational Tracks:
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past
* A "Web Application Security Primer" Track for beginners (4 hours)
* A "What developers should know on Web Application Security" Track for developers (4 hours)

* '''Why you should be sponsored for the project''':
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

* '''More details''':
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.

== Subere - OWASP JBroFuzz Project ==

==== Overview ====

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.

==== Fuzzing ====

As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.

==== Objectives ====

JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):

* '''Open Source Tab'''
* '''NTLM Brute Force over HTTP/S Tab'''
* '''Pure HTTP/S Fuzzing using HTTPClient'''
* '''Blind SQL Injection Fuzzing Tab'''

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

* '''TCP Fuzzing tab allowing graph outputs'''
* '''TCP Sniffing tab update thread Agent Queue'''
* '''Update Generators file format'''
* '''Include SOAP and XML fuzzing'''

This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.

==== Deliverables ====

Based on the above, the new code elements that will be added are as follows:

* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''

For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail:

* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''

Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.

==== Background ====

In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months.

Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.

I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.

==== Why should JBroFuzz be sponsored? ====

Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.

Keep the code platform independent adds a huge advantage.

Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.

== Joshua Perrymon - OWASP LiveCD Project ==
* '''Executive Summary''':
I am proposing that I complete the second version of the OWASP LiveCD during this period.
The first version of the LiveCD is now available and include many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security proffesionals to perform application testing and training.

In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This shouls start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also inlcude the wiki and ALL the tools developed for OWASP.

* '''Objectives and Deliverables''':

Update of the LiveCD:
* Complete OWASP branding
* Add OWASP wiki
* Add encryption capabilities
* Add more OWASP tools
* Add more pen-test tools such as;
VOIP, RFID, BlueTooth, Wireless, etc..

* '''Why I should be sponsored for the project''':

I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP liveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis. Not once a year like other liveCDs. The CD will also include specialty tools and documentation to perform VOIP, RFID,Bluetooth, and wireless security assessments.

----

== Mark Curphey – The OWASP Web Security Certification Framework ==

'''Problem'''

PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……and while its easy to knock PCI, there is nothing better out there.

'''Solution and Deliverables'''

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

This project would address the;

'''Standard'''
*A complete auditable (important) web site security standard suitable for modern e-commerce companies including
**The technical things people should care about
**The operational / management things people should care about
'''Certification Model'''
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material.

Essentially its a complete blueprint for an organisation like OWASP or a regulatory body need to run a web site security certification program complete with the supporting material to implement it.

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.

== Erwin Geirnaert - OWASP Java Project ==

* '''Executive Summary''':
I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.

* '''Objectives and Deliverables''':
The main objective I see is to gather all information in one place, where security experts and developers can find the information they need.
In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.

One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Erwin Geirnaert - OWASP WebGoat Solutions Guide ==

* '''Executive Summary''':
WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.

* '''Objectives and Deliverables''':
The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.

After a discussion with Bruce about this, we think that the solutions should be made like the existing Lessons Plan so it is easier to maintain and update when a lesson changes. This means that there will be documentation folder and an individual solution for each lesson.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Bunyamin Demir – OWASP WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Will add all configuration parameter
* '''Rule Generator''': Will write all the Rules in Rule Language
* '''Logging''' : Auditlog and debuglog will be added.
* '''Multiple-DB''' : Will add PostgreSql and Sqlite support.

==== Why I should be sponsored for the project: ====

I am involved with OWASP Turkey [http://www.owasp.org/index.php/Turkey] and interested very much in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci [http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project].

== Eric Sheridan and Dr. Goran Trajkovski - The Scholastic Application Security Assessment Project ==

=== ABSTRACT ===

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http:///www.owasp.org. The assessment, lead by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.

This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.

=== PARTICIPANTS ===

The Scholastic Application Security Assessment Project requires that college level students, lead by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

::*'''Application Security Professional''' – Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
::*'''Towson University (TU) Partner''' – Dr. Goran Trajkovski, Towson University (http://www.towson.edu)
::*'''Students''' – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
::*'''Web Application''' – The Open WebMail Project (http://openwebmail.org/)

=== OWASP UTILIZATION ===

The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

::*'''OWASP Top Ten 2007''' - The security critical areas that the students will assess in the review
::*'''OWASP Testing Guide v2''' – The primary resource for building penetration testing cases
::*'''OWASP Guide''' – The primary resource for technical details pertaining to a technology and/or vulnerability
::*'''OWASP WebScarabNG''' – The primary proxy utility used throughout the assessment

=== THE FINAL REPORT ===

Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

=== HOW DOES OWASP BENEFIT? ===

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

''The OWASP Community…''
::*will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.
::*will be providing students a hands on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
::*will be addressing the need to educate developers in the security critical areas.
::*will be seen as offering a professional level service to another open source project.
::*will be addressing one of the root causes of application software insecurity.

=== BACKGROUND ===

'''Eric Sheridan:'''

::*Earned a Bachelor’s of Science in Computer Science from Towson University
::*Graduate Student in Information Security at Johns Hopkins University
::*Application Security Engineer at Aspect Security
::*Lead of the OWASP Stinger Project and the OWASP Validation Project

'''Goran Trajkovski, PhD:'''

::*Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).
::*Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).
::*Has lead curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum
::*12 years of full time teaching experience in higher ed.

==Boris - OWASP Site Generator==
OWASP Site Generator is a great tool, but it could be even better and more widespread. There’s a lot room for improvements to both its functionality and user experience. The way I see it, main user needs to be addressed and specific development objectives for the next release of OWASP Site Generator would be:
===User Needs===
*Create multiple types of sites easily
*Track and analyze requests easily
*Change the look and feel of the resulting sites easily
*Create sites for multiple web backend technologies easily
*Learn how to use OWASP Site Generator easily

===Development Objectives===
*Create a vulnerability library that can be used for web services, HTML forms, AJAX, etc. instead of having to craft the same attack for each
*Add support for logging of all received requests, as well as querying resulting log files
*"Templatize" the code generation process, so it can support skinning of the resulting sites
*"Templatize" the code generation process, so it can support different backend web technologies
*Fix all significant defects in the current release of OWASP Site Generator
*Redesign the GUI to make it more efficient and user friendly
*Create a smooth setup program which would install both client and server components as effortlessly as possible
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one

===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Generator==
There is no doubt that OWASP Report Generator is a very handy tool for penetration testers and other security researchers, but it would be even better if some enhancements were made:
===User Needs===
*More robustness
*Ease of use (more efficient and intuitive GUI)
*Automated reporting for some typical (or not so typical) scenarios
*More documentation
*More samples

===Development Objectives===
*Redesign the GUI to make it more efficient and user friendly
*Clean up the code
*Add functionality to import, execute and create reports for OWASP Tiger automated tests
*Create some samples
*Create a smooth setup program
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Tiger==
OWASP Tiger project is at its very beginning. Some new features are needed in order for it to become more useful. Here’s a short list:
===User Needs===
*Easier editing of test projects
*Support for testing sites that require authentication
*Support for testing sites that require use of cookies
*An easy way of specifying vulnerability data, ideally an automated one
*More flexible reporting
*More project templates
*More documentation
===Development Objectives===
*Add support for cookies
*Add support for standard authentication schemes
*Add support for importing vulnerability data from a test definition (or a vulnerability library)
*Make use of OWASP Report Generator for more advanced reports
*Create a setup program that would install both client and project templates and also allow for adding new templates after the initial installation
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

OWASP Spring Of Code 2007 Applications

2007-03-28T15:17:23Z

Boris: /* Development Objectives */

This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]

'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''

See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application

---------

'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:

== {Your first name or Alias} - {Project name} ==
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.

* Your educational and professional background

* Application security experience and accomplishments

* Participation and leadership in open communities

* The opportunity, challenges, issues or need your proposal addresses

* Objectives or ways in which you will meet the goal(s)

* Specific activities and who will carry out these activities

* Specific deliverables and a rough project schedule so we can track progress

* Long-term vision for the project

* Any other reasons why you and your project should be selected

== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==

I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of
information systems security since 1994, when BBSes and Linux still lived together.

A quick search for buanzo on google [http://www.google.com/search?hl=en&q=buanzo&btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].

In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].

=== Accomplishments ===

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing
an Internet Draft to be proposed for RFC regarding Enigform.

=== Community ===

I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs,
answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].

=== My Project ===

Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].

Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.

Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].

=== Long Term ===

Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers
and/or programming languages, and also provide OpenPGP De/Encryption support.

=== Why should I be selected ===

I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the
international security community, and I firmly believe Enigform is my greatest idea so far.

== Eoin Keary - Code review Project ==
* '''Executive Summary''':
I am proposing that I complete the OWASP Code review guide during this period.
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.

The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.
Code review methodologies also need to be discussed.

* '''Objectives and Deliverables''':

Update of the code review guide:
* Add additional areas relating to the code review process such as:
** Benefits and pitfalls
** Methodology
** The code review process
*** Transactional analysis
*** Managing the code review process
*** Assigning risk to findings

** Technical guides
*** Language specific best practice
*** Java
*** .NET
*** PHP
*** MySQL
*** Stored Procs
*** C/C++

** Code review by vulnerability:
*** Reviewing Code for Buffer Overruns and Overflows
*** Reviewing Code for OS Injection
*** Reviewing Code for SQL Injection
*** Reviewing Code for Data Validation
*** Reviewing code for XSS issues
*** Reviewing Code for Error Handling
*** Reviewing Code for Logging Issues
*** Reviewing The Secure Code Environment
*** Reviewing code for Authorization Issues
*** Reviewing code for Authentication Issues
*** Reviewing code for Session Integrity
*** Reviewing code for Cross Site Request Forgery
*** Reviewing code for Cryptography implementation issues
*** Reviewing code Dangerous HTTP Methods (Deployment)
*** Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.

* '''Why I should be sponsored for the project''':

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process.
I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time.

I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

== Paolo Perego - Owasp Orizon Project ==
* '''Executive Summary''':
Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.

* '''Objectives and Deliverables''':
Completing the static code review API section
* improving programming language to XML translator
* improving security best practices code review scan library
* improving secure coding fashion best practices library
* writing the pattern matching scan using the aformentioned libraries
Writing the java source code enforment objects
* writing an object to handle form data values to avoid XSS
* writing an object to handle form data values to avoid SQL Injection
* writing an object to handle HttpRequest and HttpSession objects

* '''Why I should be sponsored for the project''':
Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.
I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

== Sebastien Deleersnyder - OWASP Education Project ==
* '''Executive Summary''':
This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

* '''Objectives and Deliverables''':
Currently the project goals are to create Educational Tracks:
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past
* A "Web Application Security Primer" Track for beginners (4 hours)
* A "What developers should know on Web Application Security" Track for developers (4 hours)

* '''Why you should be sponsored for the project''':
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

* '''More details''':
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.

== Subere - OWASP JBroFuzz Project ==

==== Overview ====

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.

==== Fuzzing ====

As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.

==== Objectives ====

JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):

* '''Open Source Tab'''
* '''NTLM Brute Force over HTTP/S Tab'''
* '''Pure HTTP/S Fuzzing using HTTPClient'''
* '''Blind SQL Injection Fuzzing Tab'''

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

* '''TCP Fuzzing tab allowing graph outputs'''
* '''TCP Sniffing tab update thread Agent Queue'''
* '''Update Generators file format'''
* '''Include SOAP and XML fuzzing'''

This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.

==== Deliverables ====

Based on the above, the new code elements that will be added are as follows:

* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''

For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail:

* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''

Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.

==== Background ====

In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months.

Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.

I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.

==== Why should JBroFuzz be sponsored? ====

Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.

Keep the code platform independent adds a huge advantage.

Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.

== Joshua Perrymon - OWASP LiveCD Project ==
* '''Executive Summary''':
I am proposing that I complete the second version of the OWASP LiveCD during this period.
The first version of the LiveCD is now available and include many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security proffesionals to perform application testing and training.

In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This shouls start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also inlcude the wiki and ALL the tools developed for OWASP.

* '''Objectives and Deliverables''':

Update of the LiveCD:
* Complete OWASP branding
* Add OWASP wiki
* Add encryption capabilities
* Add more OWASP tools
* Add more pen-test tools such as;
VOIP, RFID, BlueTooth, Wireless, etc..

* '''Why I should be sponsored for the project''':

I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP liveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis. Not once a year like other liveCDs. The CD will also include specialty tools and documentation to perform VOIP, RFID,Bluetooth, and wireless security assessments.

----

== Mark Curphey – The OWASP Web Security Certification Framework ==

'''Problem'''

PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……and while its easy to knock PCI, there is nothing better out there.

'''Solution and Deliverables'''

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

This project would address the;

'''Standard'''
*A complete auditable (important) web site security standard suitable for modern e-commerce companies including
**The technical things people should care about
**The operational / management things people should care about
'''Certification Model'''
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material.

Essentially its a complete blueprint for an organisation like OWASP or a regulatory body need to run a web site security certification program complete with the supporting material to implement it.

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.

== Erwin Geirnaert - OWASP Java Project ==

* '''Executive Summary''':
I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.

* '''Objectives and Deliverables''':
The main objective I see is to gather all information in one place, where security experts and developers can find the information they need.
In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.

One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Erwin Geirnaert - OWASP WebGoat Solutions Guide ==

* '''Executive Summary''':
WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.

* '''Objectives and Deliverables''':
The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.

After a discussion with Bruce about this, we think that the solutions should be made like the existing Lessons Plan so it is easier to maintain and update when a lesson changes. This means that there will be documentation folder and an individual solution for each lesson.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Bunyamin Demir – OWASP WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Will add all configuration parameter
* '''Rule Generator''': Will write all the Rules in Rule Language
* '''Logging''' : Auditlog and debuglog will be added.
* '''Multiple-DB''' : Will add PostgreSql and Sqlite support.

==== Why I should be sponsored for the project: ====

I am involved with OWASP Turkey [http://www.owasp.org/index.php/Turkey] and interested very much in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci [http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project].

== Eric Sheridan and Dr. Goran Trajkovski - The Scholastic Application Security Assessment Project ==

=== ABSTRACT ===

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http:///www.owasp.org. The assessment, lead by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.

This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.

=== PARTICIPANTS ===

The Scholastic Application Security Assessment Project requires that college level students, lead by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

::*'''Application Security Professional''' – Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
::*'''Towson University (TU) Partner''' – Dr. Goran Trajkovski, Towson University (http://www.towson.edu)
::*'''Students''' – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
::*'''Web Application''' – The Open WebMail Project (http://openwebmail.org/)

=== OWASP UTILIZATION ===

The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

::*'''OWASP Top Ten 2007''' - The security critical areas that the students will assess in the review
::*'''OWASP Testing Guide v2''' – The primary resource for building penetration testing cases
::*'''OWASP Guide''' – The primary resource for technical details pertaining to a technology and/or vulnerability
::*'''OWASP WebScarabNG''' – The primary proxy utility used throughout the assessment

=== THE FINAL REPORT ===

Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

=== HOW DOES OWASP BENEFIT? ===

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

''The OWASP Community…''
::*will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.
::*will be providing students a hands on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
::*will be addressing the need to educate developers in the security critical areas.
::*will be seen as offering a professional level service to another open source project.
::*will be addressing one of the root causes of application software insecurity.

=== BACKGROUND ===

'''Eric Sheridan:'''

::*Earned a Bachelor’s of Science in Computer Science from Towson University
::*Graduate Student in Information Security at Johns Hopkins University
::*Application Security Engineer at Aspect Security
::*Lead of the OWASP Stinger Project and the OWASP Validation Project

'''Goran Trajkovski, PhD:'''

::*Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).
::*Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).
::*Has lead curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum
::*12 years of full time teaching experience in higher ed.

==Boris - OWASP Site Generator==
OWASP Site Generator is a great tool, but it could be even better and more widespread. There’s a lot room for improvements to both its functionality and user experience. The way I see it, main user needs to be addressed and specific development objectives for the next release of OWASP Site Generator would be:
===User Needs===
*Create multiple types of sites easily
*Track and analyze requests easily
*Change the look and feel of the resulting sites easily
*Create sites for multiple web backend technologies easily
*Learn how to use OWASP Site Generator easily

===Development Objectives===
*Create a vulnerability library that can be used for web services, HTML forms, AJAX, etc. instead of having to craft the same attack for each
*Add support for logging of all received requests, as well as querying resulting log files
*"Templatize" the code generation process, so it can support skinning of the resulting sites
*"Templatize" the code generation process, so it can support different backend web technologies
*Fix all significant defects in the current release of OWASP Site Generator
*Redesign the GUI to make it more efficient and user friendly
*Create a smooth setup program which would install both client and server components as effortlessly as possible
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one

===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Generator==
There is no doubt that OWASP Report Generator is a very handy tool for penetration testers and other security researchers, but it would be even better if some enhancements were made:
===User Needs===
*More robustness
*Ease of use (more efficient and intuitive GUI)
*Automated reporting for some typical (or not so typical) scenarios
*More documentation
*More samples

===Development Objectives===
*Redesign the GUI to make it more efficient and user friendly
*Clean up the code
*Add functionality to import, execute and create reports for OWASP Tiger automated tests
*Create some samples
*Create a smooth setup program
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Tiger==
OWASP Tiger project is at its very beginning. Some new features are needed in order for it to become more useful. Here’s a short list:
===User Needs===
*Easier editing of test projects
*Support for testing sites that require authentication
*Support for testing sites that require use of cookies
*An easy way of specifying vulnerability data, ideally an automated one
*More flexible reporting
*More project templates
*More documentation
===Development Objectives===
*Add support for cookies
*Add support for standard authentication schemes
*Add support for importing vulnerability data from a test definition (or a vulnerability library)
*Make use of OWASP Report Generator for more advanced reports
*Create a setup program that would install both client and project templates and also allow for adding new templates after the initial installation
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

OWASP Spring Of Code 2007 Applications

2007-03-28T15:15:40Z

Boris: /* User Needs */

This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]

'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''

See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application

---------

'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:

== {Your first name or Alias} - {Project name} ==
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.

* Your educational and professional background

* Application security experience and accomplishments

* Participation and leadership in open communities

* The opportunity, challenges, issues or need your proposal addresses

* Objectives or ways in which you will meet the goal(s)

* Specific activities and who will carry out these activities

* Specific deliverables and a rough project schedule so we can track progress

* Long-term vision for the project

* Any other reasons why you and your project should be selected

== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==

I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of
information systems security since 1994, when BBSes and Linux still lived together.

A quick search for buanzo on google [http://www.google.com/search?hl=en&q=buanzo&btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].

In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].

=== Accomplishments ===

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing
an Internet Draft to be proposed for RFC regarding Enigform.

=== Community ===

I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs,
answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].

=== My Project ===

Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].

Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.

Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].

=== Long Term ===

Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers
and/or programming languages, and also provide OpenPGP De/Encryption support.

=== Why should I be selected ===

I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the
international security community, and I firmly believe Enigform is my greatest idea so far.

== Eoin Keary - Code review Project ==
* '''Executive Summary''':
I am proposing that I complete the OWASP Code review guide during this period.
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.

The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.
Code review methodologies also need to be discussed.

* '''Objectives and Deliverables''':

Update of the code review guide:
* Add additional areas relating to the code review process such as:
** Benefits and pitfalls
** Methodology
** The code review process
*** Transactional analysis
*** Managing the code review process
*** Assigning risk to findings

** Technical guides
*** Language specific best practice
*** Java
*** .NET
*** PHP
*** MySQL
*** Stored Procs
*** C/C++

** Code review by vulnerability:
*** Reviewing Code for Buffer Overruns and Overflows
*** Reviewing Code for OS Injection
*** Reviewing Code for SQL Injection
*** Reviewing Code for Data Validation
*** Reviewing code for XSS issues
*** Reviewing Code for Error Handling
*** Reviewing Code for Logging Issues
*** Reviewing The Secure Code Environment
*** Reviewing code for Authorization Issues
*** Reviewing code for Authentication Issues
*** Reviewing code for Session Integrity
*** Reviewing code for Cross Site Request Forgery
*** Reviewing code for Cryptography implementation issues
*** Reviewing code Dangerous HTTP Methods (Deployment)
*** Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.

* '''Why I should be sponsored for the project''':

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process.
I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time.

I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

== Paolo Perego - Owasp Orizon Project ==
* '''Executive Summary''':
Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.

* '''Objectives and Deliverables''':
Completing the static code review API section
* improving programming language to XML translator
* improving security best practices code review scan library
* improving secure coding fashion best practices library
* writing the pattern matching scan using the aformentioned libraries
Writing the java source code enforment objects
* writing an object to handle form data values to avoid XSS
* writing an object to handle form data values to avoid SQL Injection
* writing an object to handle HttpRequest and HttpSession objects

* '''Why I should be sponsored for the project''':
Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.
I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

== Sebastien Deleersnyder - OWASP Education Project ==
* '''Executive Summary''':
This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

* '''Objectives and Deliverables''':
Currently the project goals are to create Educational Tracks:
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past
* A "Web Application Security Primer" Track for beginners (4 hours)
* A "What developers should know on Web Application Security" Track for developers (4 hours)

* '''Why you should be sponsored for the project''':
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

* '''More details''':
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.

== Subere - OWASP JBroFuzz Project ==

==== Overview ====

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.

==== Fuzzing ====

As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.

==== Objectives ====

JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):

* '''Open Source Tab'''
* '''NTLM Brute Force over HTTP/S Tab'''
* '''Pure HTTP/S Fuzzing using HTTPClient'''
* '''Blind SQL Injection Fuzzing Tab'''

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

* '''TCP Fuzzing tab allowing graph outputs'''
* '''TCP Sniffing tab update thread Agent Queue'''
* '''Update Generators file format'''
* '''Include SOAP and XML fuzzing'''

This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.

==== Deliverables ====

Based on the above, the new code elements that will be added are as follows:

* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''

For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail:

* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''

Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.

==== Background ====

In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months.

Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.

I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.

==== Why should JBroFuzz be sponsored? ====

Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.

Keep the code platform independent adds a huge advantage.

Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.

== Joshua Perrymon - OWASP LiveCD Project ==
* '''Executive Summary''':
I am proposing that I complete the second version of the OWASP LiveCD during this period.
The first version of the LiveCD is now available and include many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security proffesionals to perform application testing and training.

In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This shouls start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also inlcude the wiki and ALL the tools developed for OWASP.

* '''Objectives and Deliverables''':

Update of the LiveCD:
* Complete OWASP branding
* Add OWASP wiki
* Add encryption capabilities
* Add more OWASP tools
* Add more pen-test tools such as;
VOIP, RFID, BlueTooth, Wireless, etc..

* '''Why I should be sponsored for the project''':

I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP liveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis. Not once a year like other liveCDs. The CD will also include specialty tools and documentation to perform VOIP, RFID,Bluetooth, and wireless security assessments.

----

== Mark Curphey – The OWASP Web Security Certification Framework ==

'''Problem'''

PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……and while its easy to knock PCI, there is nothing better out there.

'''Solution and Deliverables'''

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

This project would address the;

'''Standard'''
*A complete auditable (important) web site security standard suitable for modern e-commerce companies including
**The technical things people should care about
**The operational / management things people should care about
'''Certification Model'''
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material.

Essentially its a complete blueprint for an organisation like OWASP or a regulatory body need to run a web site security certification program complete with the supporting material to implement it.

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.

== Erwin Geirnaert - OWASP Java Project ==

* '''Executive Summary''':
I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.

* '''Objectives and Deliverables''':
The main objective I see is to gather all information in one place, where security experts and developers can find the information they need.
In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.

One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Erwin Geirnaert - OWASP WebGoat Solutions Guide ==

* '''Executive Summary''':
WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.

* '''Objectives and Deliverables''':
The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.

After a discussion with Bruce about this, we think that the solutions should be made like the existing Lessons Plan so it is easier to maintain and update when a lesson changes. This means that there will be documentation folder and an individual solution for each lesson.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Bunyamin Demir – OWASP WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Will add all configuration parameter
* '''Rule Generator''': Will write all the Rules in Rule Language
* '''Logging''' : Auditlog and debuglog will be added.
* '''Multiple-DB''' : Will add PostgreSql and Sqlite support.

==== Why I should be sponsored for the project: ====

I am involved with OWASP Turkey [http://www.owasp.org/index.php/Turkey] and interested very much in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci [http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project].

== Eric Sheridan and Dr. Goran Trajkovski - The Scholastic Application Security Assessment Project ==

=== ABSTRACT ===

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http:///www.owasp.org. The assessment, lead by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.

This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.

=== PARTICIPANTS ===

The Scholastic Application Security Assessment Project requires that college level students, lead by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

::*'''Application Security Professional''' – Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
::*'''Towson University (TU) Partner''' – Dr. Goran Trajkovski, Towson University (http://www.towson.edu)
::*'''Students''' – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
::*'''Web Application''' – The Open WebMail Project (http://openwebmail.org/)

=== OWASP UTILIZATION ===

The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

::*'''OWASP Top Ten 2007''' - The security critical areas that the students will assess in the review
::*'''OWASP Testing Guide v2''' – The primary resource for building penetration testing cases
::*'''OWASP Guide''' – The primary resource for technical details pertaining to a technology and/or vulnerability
::*'''OWASP WebScarabNG''' – The primary proxy utility used throughout the assessment

=== THE FINAL REPORT ===

Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

=== HOW DOES OWASP BENEFIT? ===

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

''The OWASP Community…''
::*will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.
::*will be providing students a hands on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
::*will be addressing the need to educate developers in the security critical areas.
::*will be seen as offering a professional level service to another open source project.
::*will be addressing one of the root causes of application software insecurity.

=== BACKGROUND ===

'''Eric Sheridan:'''

::*Earned a Bachelor’s of Science in Computer Science from Towson University
::*Graduate Student in Information Security at Johns Hopkins University
::*Application Security Engineer at Aspect Security
::*Lead of the OWASP Stinger Project and the OWASP Validation Project

'''Goran Trajkovski, PhD:'''

::*Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).
::*Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).
::*Has lead curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum
::*12 years of full time teaching experience in higher ed.

==Boris - OWASP Site Generator==
OWASP Site Generator is a great tool, but it could be even better and more widespread. There’s a lot room for improvements to both its functionality and user experience. The way I see it, main user needs to be addressed and specific development objectives for the next release of OWASP Site Generator would be:
===User Needs===
*Create multiple types of sites easily
*Track and analyze requests easily
*Change the look and feel of the resulting sites easily
*Create sites for multiple web backend technologies easily
*Learn how to use OWASP Site Generator easily

===Development Objectives===
*Create a vulnerability library that can be used for web services, HTML forms, AJAX, etc. instead of having to craft the same attack for each
*Add support for logging of all received requests, as well as querying resulting log files
*“Templatize” the code generation process, so it can support skinning of the resulting sites
*“Templatize” the code generation process, so it can support different backend web technologies
*Fix all significant defects in the current release of OWASP Site Generator
*Redesign the GUI to make it more efficient and user friendly
*Create a smooth setup program which would install both client and server components as effortlessly as possible
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Generator==
There is no doubt that OWASP Report Generator is a very handy tool for penetration testers and other security researchers, but it would be even better if some enhancements were made:
===User Needs===
*More robustness
*Ease of use (more efficient and intuitive GUI)
*Automated reporting for some typical (or not so typical) scenarios
*More documentation
*More samples

===Development Objectives===
*Redesign the GUI to make it more efficient and user friendly
*Clean up the code
*Add functionality to import, execute and create reports for OWASP Tiger automated tests
*Create some samples
*Create a smooth setup program
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Tiger==
OWASP Tiger project is at its very beginning. Some new features are needed in order for it to become more useful. Here’s a short list:
===User Needs===
*Easier editing of test projects
*Support for testing sites that require authentication
*Support for testing sites that require use of cookies
*An easy way of specifying vulnerability data, ideally an automated one
*More flexible reporting
*More project templates
*More documentation
===Development Objectives===
*Add support for cookies
*Add support for standard authentication schemes
*Add support for importing vulnerability data from a test definition (or a vulnerability library)
*Make use of OWASP Report Generator for more advanced reports
*Create a setup program that would install both client and project templates and also allow for adding new templates after the initial installation
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

OWASP Spring Of Code 2007 Applications

2007-03-28T15:14:10Z

Boris: /* User Needs */

This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]

'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''

See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application

---------

'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:

== {Your first name or Alias} - {Project name} ==
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.

* Your educational and professional background

* Application security experience and accomplishments

* Participation and leadership in open communities

* The opportunity, challenges, issues or need your proposal addresses

* Objectives or ways in which you will meet the goal(s)

* Specific activities and who will carry out these activities

* Specific deliverables and a rough project schedule so we can track progress

* Long-term vision for the project

* Any other reasons why you and your project should be selected

== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==

I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of
information systems security since 1994, when BBSes and Linux still lived together.

A quick search for buanzo on google [http://www.google.com/search?hl=en&q=buanzo&btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].

In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].

=== Accomplishments ===

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing
an Internet Draft to be proposed for RFC regarding Enigform.

=== Community ===

I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs,
answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].

=== My Project ===

Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].

Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.

Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].

=== Long Term ===

Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers
and/or programming languages, and also provide OpenPGP De/Encryption support.

=== Why should I be selected ===

I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the
international security community, and I firmly believe Enigform is my greatest idea so far.

== Eoin Keary - Code review Project ==
* '''Executive Summary''':
I am proposing that I complete the OWASP Code review guide during this period.
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.

The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.
Code review methodologies also need to be discussed.

* '''Objectives and Deliverables''':

Update of the code review guide:
* Add additional areas relating to the code review process such as:
** Benefits and pitfalls
** Methodology
** The code review process
*** Transactional analysis
*** Managing the code review process
*** Assigning risk to findings

** Technical guides
*** Language specific best practice
*** Java
*** .NET
*** PHP
*** MySQL
*** Stored Procs
*** C/C++

** Code review by vulnerability:
*** Reviewing Code for Buffer Overruns and Overflows
*** Reviewing Code for OS Injection
*** Reviewing Code for SQL Injection
*** Reviewing Code for Data Validation
*** Reviewing code for XSS issues
*** Reviewing Code for Error Handling
*** Reviewing Code for Logging Issues
*** Reviewing The Secure Code Environment
*** Reviewing code for Authorization Issues
*** Reviewing code for Authentication Issues
*** Reviewing code for Session Integrity
*** Reviewing code for Cross Site Request Forgery
*** Reviewing code for Cryptography implementation issues
*** Reviewing code Dangerous HTTP Methods (Deployment)
*** Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.

* '''Why I should be sponsored for the project''':

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process.
I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time.

I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

== Paolo Perego - Owasp Orizon Project ==
* '''Executive Summary''':
Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.

* '''Objectives and Deliverables''':
Completing the static code review API section
* improving programming language to XML translator
* improving security best practices code review scan library
* improving secure coding fashion best practices library
* writing the pattern matching scan using the aformentioned libraries
Writing the java source code enforment objects
* writing an object to handle form data values to avoid XSS
* writing an object to handle form data values to avoid SQL Injection
* writing an object to handle HttpRequest and HttpSession objects

* '''Why I should be sponsored for the project''':
Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.
I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

== Sebastien Deleersnyder - OWASP Education Project ==
* '''Executive Summary''':
This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

* '''Objectives and Deliverables''':
Currently the project goals are to create Educational Tracks:
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past
* A "Web Application Security Primer" Track for beginners (4 hours)
* A "What developers should know on Web Application Security" Track for developers (4 hours)

* '''Why you should be sponsored for the project''':
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

* '''More details''':
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.

== Subere - OWASP JBroFuzz Project ==

==== Overview ====

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.

==== Fuzzing ====

As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.

==== Objectives ====

JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):

* '''Open Source Tab'''
* '''NTLM Brute Force over HTTP/S Tab'''
* '''Pure HTTP/S Fuzzing using HTTPClient'''
* '''Blind SQL Injection Fuzzing Tab'''

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

* '''TCP Fuzzing tab allowing graph outputs'''
* '''TCP Sniffing tab update thread Agent Queue'''
* '''Update Generators file format'''
* '''Include SOAP and XML fuzzing'''

This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.

==== Deliverables ====

Based on the above, the new code elements that will be added are as follows:

* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''

For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail:

* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''

Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.

==== Background ====

In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months.

Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.

I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.

==== Why should JBroFuzz be sponsored? ====

Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.

Keep the code platform independent adds a huge advantage.

Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.

== Joshua Perrymon - OWASP LiveCD Project ==
* '''Executive Summary''':
I am proposing that I complete the second version of the OWASP LiveCD during this period.
The first version of the LiveCD is now available and include many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security proffesionals to perform application testing and training.

In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This shouls start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also inlcude the wiki and ALL the tools developed for OWASP.

* '''Objectives and Deliverables''':

Update of the LiveCD:
* Complete OWASP branding
* Add OWASP wiki
* Add encryption capabilities
* Add more OWASP tools
* Add more pen-test tools such as;
VOIP, RFID, BlueTooth, Wireless, etc..

* '''Why I should be sponsored for the project''':

I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP liveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis. Not once a year like other liveCDs. The CD will also include specialty tools and documentation to perform VOIP, RFID,Bluetooth, and wireless security assessments.

----

== Mark Curphey – The OWASP Web Security Certification Framework ==

'''Problem'''

PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……and while its easy to knock PCI, there is nothing better out there.

'''Solution and Deliverables'''

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

This project would address the;

'''Standard'''
*A complete auditable (important) web site security standard suitable for modern e-commerce companies including
**The technical things people should care about
**The operational / management things people should care about
'''Certification Model'''
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material.

Essentially its a complete blueprint for an organisation like OWASP or a regulatory body need to run a web site security certification program complete with the supporting material to implement it.

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.

== Erwin Geirnaert - OWASP Java Project ==

* '''Executive Summary''':
I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.

* '''Objectives and Deliverables''':
The main objective I see is to gather all information in one place, where security experts and developers can find the information they need.
In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.

One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Erwin Geirnaert - OWASP WebGoat Solutions Guide ==

* '''Executive Summary''':
WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.

* '''Objectives and Deliverables''':
The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.

After a discussion with Bruce about this, we think that the solutions should be made like the existing Lessons Plan so it is easier to maintain and update when a lesson changes. This means that there will be documentation folder and an individual solution for each lesson.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Bunyamin Demir – OWASP WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Will add all configuration parameter
* '''Rule Generator''': Will write all the Rules in Rule Language
* '''Logging''' : Auditlog and debuglog will be added.
* '''Multiple-DB''' : Will add PostgreSql and Sqlite support.

==== Why I should be sponsored for the project: ====

I am involved with OWASP Turkey [http://www.owasp.org/index.php/Turkey] and interested very much in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci [http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project].

== Eric Sheridan and Dr. Goran Trajkovski - The Scholastic Application Security Assessment Project ==

=== ABSTRACT ===

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http:///www.owasp.org. The assessment, lead by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.

This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.

=== PARTICIPANTS ===

The Scholastic Application Security Assessment Project requires that college level students, lead by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

::*'''Application Security Professional''' – Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
::*'''Towson University (TU) Partner''' – Dr. Goran Trajkovski, Towson University (http://www.towson.edu)
::*'''Students''' – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
::*'''Web Application''' – The Open WebMail Project (http://openwebmail.org/)

=== OWASP UTILIZATION ===

The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

::*'''OWASP Top Ten 2007''' - The security critical areas that the students will assess in the review
::*'''OWASP Testing Guide v2''' – The primary resource for building penetration testing cases
::*'''OWASP Guide''' – The primary resource for technical details pertaining to a technology and/or vulnerability
::*'''OWASP WebScarabNG''' – The primary proxy utility used throughout the assessment

=== THE FINAL REPORT ===

Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

=== HOW DOES OWASP BENEFIT? ===

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

''The OWASP Community…''
::*will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.
::*will be providing students a hands on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
::*will be addressing the need to educate developers in the security critical areas.
::*will be seen as offering a professional level service to another open source project.
::*will be addressing one of the root causes of application software insecurity.

=== BACKGROUND ===

'''Eric Sheridan:'''

::*Earned a Bachelor’s of Science in Computer Science from Towson University
::*Graduate Student in Information Security at Johns Hopkins University
::*Application Security Engineer at Aspect Security
::*Lead of the OWASP Stinger Project and the OWASP Validation Project

'''Goran Trajkovski, PhD:'''

::*Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).
::*Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).
::*Has lead curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum
::*12 years of full time teaching experience in higher ed.

==Boris - OWASP Site Generator==
OWASP Site Generator is a great tool, but it could be even better and more widespread. There’s a lot room for improvements to both its functionality and user experience. The way I see it, main user needs to be addressed and specific development objectives for the next release of OWASP Site Generator would be:
===User Needs===
*Create multiple types of sites easily
*Track and analyze requests easily
*Change the look and feel of the resulting sites easily
*Create sites for multiple web backend technologies easily
*Learn how to use OWASP Site Generator easily

===Development Objectives===
*Create a vulnerability library that can be used for web services, HTML forms, AJAX, etc. instead of having to craft the same attack for each
*Add support for logging of all received requests, as well as querying resulting log files
*“Templatize” the code generation process, so it can support skinning of the resulting sites
*“Templatize” the code generation process, so it can support different backend web technologies
*Fix all significant defects in the current release of OWASP Site Generator
*Redesign the GUI to make it more efficient and user friendly
*Create a smooth setup program which would install both client and server components as effortlessly as possible
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Generator==
There is no doubt that OWASP Report Generator is a very handy tool for penetration testers and other security researchers, but it would be even better if some enhancements were made:
===User Needs===
*A more robust solution
*Ease of use (more efficient and intuitive GUI)
*Automated reporting for some typical (or not so typical) scenarios
*More documentation
*More samples
===Development Objectives===
*Redesign the GUI to make it more efficient and user friendly
*Clean up the code
*Add functionality to import, execute and create reports for OWASP Tiger automated tests
*Create some samples
*Create a smooth setup program
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Tiger==
OWASP Tiger project is at its very beginning. Some new features are needed in order for it to become more useful. Here’s a short list:
===User Needs===
*Easier editing of test projects
*Support for testing sites that require authentication
*Support for testing sites that require use of cookies
*An easy way of specifying vulnerability data, ideally an automated one
*More flexible reporting
*More project templates
*More documentation
===Development Objectives===
*Add support for cookies
*Add support for standard authentication schemes
*Add support for importing vulnerability data from a test definition (or a vulnerability library)
*Make use of OWASP Report Generator for more advanced reports
*Create a setup program that would install both client and project templates and also allow for adding new templates after the initial installation
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

OWASP Spring Of Code 2007 Applications

2007-03-28T15:13:26Z

Boris:

This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]

'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''

See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application

---------

'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:

== {Your first name or Alias} - {Project name} ==
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.

* Your educational and professional background

* Application security experience and accomplishments

* Participation and leadership in open communities

* The opportunity, challenges, issues or need your proposal addresses

* Objectives or ways in which you will meet the goal(s)

* Specific activities and who will carry out these activities

* Specific deliverables and a rough project schedule so we can track progress

* Long-term vision for the project

* Any other reasons why you and your project should be selected

== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==

I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of
information systems security since 1994, when BBSes and Linux still lived together.

A quick search for buanzo on google [http://www.google.com/search?hl=en&q=buanzo&btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].

In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].

=== Accomplishments ===

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing
an Internet Draft to be proposed for RFC regarding Enigform.

=== Community ===

I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs,
answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].

=== My Project ===

Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].

Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.

Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].

=== Long Term ===

Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers
and/or programming languages, and also provide OpenPGP De/Encryption support.

=== Why should I be selected ===

I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the
international security community, and I firmly believe Enigform is my greatest idea so far.

== Eoin Keary - Code review Project ==
* '''Executive Summary''':
I am proposing that I complete the OWASP Code review guide during this period.
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.

The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.
Code review methodologies also need to be discussed.

* '''Objectives and Deliverables''':

Update of the code review guide:
* Add additional areas relating to the code review process such as:
** Benefits and pitfalls
** Methodology
** The code review process
*** Transactional analysis
*** Managing the code review process
*** Assigning risk to findings

** Technical guides
*** Language specific best practice
*** Java
*** .NET
*** PHP
*** MySQL
*** Stored Procs
*** C/C++

** Code review by vulnerability:
*** Reviewing Code for Buffer Overruns and Overflows
*** Reviewing Code for OS Injection
*** Reviewing Code for SQL Injection
*** Reviewing Code for Data Validation
*** Reviewing code for XSS issues
*** Reviewing Code for Error Handling
*** Reviewing Code for Logging Issues
*** Reviewing The Secure Code Environment
*** Reviewing code for Authorization Issues
*** Reviewing code for Authentication Issues
*** Reviewing code for Session Integrity
*** Reviewing code for Cross Site Request Forgery
*** Reviewing code for Cryptography implementation issues
*** Reviewing code Dangerous HTTP Methods (Deployment)
*** Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.

* '''Why I should be sponsored for the project''':

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process.
I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time.

I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

== Paolo Perego - Owasp Orizon Project ==
* '''Executive Summary''':
Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.

* '''Objectives and Deliverables''':
Completing the static code review API section
* improving programming language to XML translator
* improving security best practices code review scan library
* improving secure coding fashion best practices library
* writing the pattern matching scan using the aformentioned libraries
Writing the java source code enforment objects
* writing an object to handle form data values to avoid XSS
* writing an object to handle form data values to avoid SQL Injection
* writing an object to handle HttpRequest and HttpSession objects

* '''Why I should be sponsored for the project''':
Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.
I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

== Sebastien Deleersnyder - OWASP Education Project ==
* '''Executive Summary''':
This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

* '''Objectives and Deliverables''':
Currently the project goals are to create Educational Tracks:
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past
* A "Web Application Security Primer" Track for beginners (4 hours)
* A "What developers should know on Web Application Security" Track for developers (4 hours)

* '''Why you should be sponsored for the project''':
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

* '''More details''':
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.

== Subere - OWASP JBroFuzz Project ==

==== Overview ====

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.

==== Fuzzing ====

As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.

==== Objectives ====

JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):

* '''Open Source Tab'''
* '''NTLM Brute Force over HTTP/S Tab'''
* '''Pure HTTP/S Fuzzing using HTTPClient'''
* '''Blind SQL Injection Fuzzing Tab'''

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

* '''TCP Fuzzing tab allowing graph outputs'''
* '''TCP Sniffing tab update thread Agent Queue'''
* '''Update Generators file format'''
* '''Include SOAP and XML fuzzing'''

This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.

==== Deliverables ====

Based on the above, the new code elements that will be added are as follows:

* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''

For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail:

* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''

Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.

==== Background ====

In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months.

Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.

I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.

==== Why should JBroFuzz be sponsored? ====

Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.

Keep the code platform independent adds a huge advantage.

Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.

== Joshua Perrymon - OWASP LiveCD Project ==
* '''Executive Summary''':
I am proposing that I complete the second version of the OWASP LiveCD during this period.
The first version of the LiveCD is now available and include many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security proffesionals to perform application testing and training.

In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This shouls start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also inlcude the wiki and ALL the tools developed for OWASP.

* '''Objectives and Deliverables''':

Update of the LiveCD:
* Complete OWASP branding
* Add OWASP wiki
* Add encryption capabilities
* Add more OWASP tools
* Add more pen-test tools such as;
VOIP, RFID, BlueTooth, Wireless, etc..

* '''Why I should be sponsored for the project''':

I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP liveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis. Not once a year like other liveCDs. The CD will also include specialty tools and documentation to perform VOIP, RFID,Bluetooth, and wireless security assessments.

----

== Mark Curphey – The OWASP Web Security Certification Framework ==

'''Problem'''

PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……and while its easy to knock PCI, there is nothing better out there.

'''Solution and Deliverables'''

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

This project would address the;

'''Standard'''
*A complete auditable (important) web site security standard suitable for modern e-commerce companies including
**The technical things people should care about
**The operational / management things people should care about
'''Certification Model'''
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material.

Essentially its a complete blueprint for an organisation like OWASP or a regulatory body need to run a web site security certification program complete with the supporting material to implement it.

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.

== Erwin Geirnaert - OWASP Java Project ==

* '''Executive Summary''':
I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.

* '''Objectives and Deliverables''':
The main objective I see is to gather all information in one place, where security experts and developers can find the information they need.
In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.

One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Erwin Geirnaert - OWASP WebGoat Solutions Guide ==

* '''Executive Summary''':
WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.

* '''Objectives and Deliverables''':
The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.

After a discussion with Bruce about this, we think that the solutions should be made like the existing Lessons Plan so it is easier to maintain and update when a lesson changes. This means that there will be documentation folder and an individual solution for each lesson.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Bunyamin Demir – OWASP WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Will add all configuration parameter
* '''Rule Generator''': Will write all the Rules in Rule Language
* '''Logging''' : Auditlog and debuglog will be added.
* '''Multiple-DB''' : Will add PostgreSql and Sqlite support.

==== Why I should be sponsored for the project: ====

I am involved with OWASP Turkey [http://www.owasp.org/index.php/Turkey] and interested very much in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci [http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project].

== Eric Sheridan and Dr. Goran Trajkovski - The Scholastic Application Security Assessment Project ==

=== ABSTRACT ===

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http:///www.owasp.org. The assessment, lead by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.

This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.

=== PARTICIPANTS ===

The Scholastic Application Security Assessment Project requires that college level students, lead by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

::*'''Application Security Professional''' – Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
::*'''Towson University (TU) Partner''' – Dr. Goran Trajkovski, Towson University (http://www.towson.edu)
::*'''Students''' – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
::*'''Web Application''' – The Open WebMail Project (http://openwebmail.org/)

=== OWASP UTILIZATION ===

The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

::*'''OWASP Top Ten 2007''' - The security critical areas that the students will assess in the review
::*'''OWASP Testing Guide v2''' – The primary resource for building penetration testing cases
::*'''OWASP Guide''' – The primary resource for technical details pertaining to a technology and/or vulnerability
::*'''OWASP WebScarabNG''' – The primary proxy utility used throughout the assessment

=== THE FINAL REPORT ===

Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

=== HOW DOES OWASP BENEFIT? ===

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

''The OWASP Community…''
::*will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.
::*will be providing students a hands on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
::*will be addressing the need to educate developers in the security critical areas.
::*will be seen as offering a professional level service to another open source project.
::*will be addressing one of the root causes of application software insecurity.

=== BACKGROUND ===

'''Eric Sheridan:'''

::*Earned a Bachelor’s of Science in Computer Science from Towson University
::*Graduate Student in Information Security at Johns Hopkins University
::*Application Security Engineer at Aspect Security
::*Lead of the OWASP Stinger Project and the OWASP Validation Project

'''Goran Trajkovski, PhD:'''

::*Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).
::*Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).
::*Has lead curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum
::*12 years of full time teaching experience in higher ed.

==Boris - OWASP Site Generator==
OWASP Site Generator is a great tool, but it could be even better and more widespread. There’s a lot room for improvements to both its functionality and user experience. The way I see it, main user needs to be addressed and specific development objectives for the next release of OWASP Site Generator would be:
===User Needs===
*Create multiple types of sites easily
*Find and analyze requests easily
*Change the look and feel of the resulting sites easily
*Create sites for multiple web backend technologies easily
*Learn how to use OWASP Site Generator easily
===Development Objectives===
*Create a vulnerability library that can be used for web services, HTML forms, AJAX, etc. instead of having to craft the same attack for each
*Add support for logging of all received requests, as well as querying resulting log files
*“Templatize” the code generation process, so it can support skinning of the resulting sites
*“Templatize” the code generation process, so it can support different backend web technologies
*Fix all significant defects in the current release of OWASP Site Generator
*Redesign the GUI to make it more efficient and user friendly
*Create a smooth setup program which would install both client and server components as effortlessly as possible
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Generator==
There is no doubt that OWASP Report Generator is a very handy tool for penetration testers and other security researchers, but it would be even better if some enhancements were made:
===User Needs===
*A more robust solution
*Ease of use (more efficient and intuitive GUI)
*Automated reporting for some typical (or not so typical) scenarios
*More documentation
*More samples
===Development Objectives===
*Redesign the GUI to make it more efficient and user friendly
*Clean up the code
*Add functionality to import, execute and create reports for OWASP Tiger automated tests
*Create some samples
*Create a smooth setup program
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Tiger==
OWASP Tiger project is at its very beginning. Some new features are needed in order for it to become more useful. Here’s a short list:
===User Needs===
*Easier editing of test projects
*Support for testing sites that require authentication
*Support for testing sites that require use of cookies
*An easy way of specifying vulnerability data, ideally an automated one
*More flexible reporting
*More project templates
*More documentation
===Development Objectives===
*Add support for cookies
*Add support for standard authentication schemes
*Add support for importing vulnerability data from a test definition (or a vulnerability library)
*Make use of OWASP Report Generator for more advanced reports
*Create a setup program that would install both client and project templates and also allow for adding new templates after the initial installation
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

Category:OWASP Project

2007-03-19T16:31:46Z

Boris: /* Beta Status Projects */

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

To propose a new project, please send an email to [mailto:owasp@owasp.org?subject=New_OWASP_Project_idea owasp@owasp.org]

Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any of them on the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page.

==Release Quality Projects==

<table><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]]
: an online training environment for hands-on learning about application security

; [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]]
: a tool for performing all types of security testing on web applications and web services

</td><td>

; [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]]
: FAQ covering many application security topics

; [[:Category:OWASP Guide Project|OWASP Guide Project]]
: a massive document covering all aspects of web application and web service security

; [[:Category:OWASP Legal Project|OWASP Legal Project]]
: a project focused on contracting for secure software

; [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]]
: an awareness document that describes the top ten web application security vulnerabilities

</td></tr></table>

==Beta Status Projects==

<table valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]]
: a JavaScript based web application security testing suite

; [[:Category:OWASP Encoding Project|OWASP Encoding Project]]
: a project focused on the development of encoding best practices for web applications.

; [[:Category:OWASP LAPSE Project|OWASP LAPSE Project]]
: an Eclipse-based source-code static analysis tool for Java

; [[:Category:OWASP Live CD Project|OWASP Live CD Project]]
: a CD containing ready to use versions of application security analysis and testing tools

; [[:Category:OWASP .NET Project|OWASP .NET Research]]
: a project focused on helping .NET developers build secure applications

; [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]
: a project focused on combining automated capabilities with complete manual testing to get the best results

; [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]
: an open source black box security scanner used to assess the security of AJAX-enabled applications

; [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]]
: a project focused on the development of SQLiX, a full perl-based SQL scanner

; [[:Category:OWASP WSFuzzer Project|OWASP WSFuzzer Project]]
: a project focused on the development of WSFuzzer, a full python-based Web Services SOAP fuzzer

; [[ORG_%28Owasp_Report_Generator%29|OWASP Report Generator]]
: a project giving security professionals a way to report and keep track of their projects

; [[Owasp_SiteGenerator|OWASP Site Generator]]
: a project allowing users to create dynamic sites for use in training, web application scanner testing, etc...

; [[OWASP_Tiger|OWASP Tiger]]
: OWASP Tiger is a Windows application originally intended to be used for automating the process of testing various known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send a HTTP requests, receive and analyze the responses, match them against a set of conditions to produce alerts, notifications that something is wrong with the application(s) or service(s) being tested.
</td><td>

; [[:Category:OWASP CLASP Project|OWASP CLASP Project]]
: a project focused on defining process elements that reinforce application security

; [[:Category:OWASP Code Review Project|OWASP Code Review Project]]
: a project to capture best practices for reviewing code

; [[:Category:OWASP Testing Project|OWASP Testing Guide]]
: a project focused on application security testing procedures and checklists

; [[:Category:OWASP Tools Project|OWASP Tools Project]]
: The OWASP Tools Project's goal is to provide unbiased, practical information and guidance about application security tools.

</td></tr></table>

==Alpha Status Projects==

<table valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP Insecure Web App Project|OWASP Insecure Web App Project]]
: a web application that includes common web application vulnerabilities

; [[:Category:OWASP Interceptor Project|OWASP Interceptor Project]]
: a testing tool for XML web service and Ajax interfaces

; [[:Category:OWASP JBroFuzz|OWASP JBroFuzz Project]]
: a fuzzer application, supporting a number of automated security checks including basic cross site scripting checks (XSS) as well as basic SQL injection testing.

; [[:Category:OWASP Orizon Project|OWASP Orizon Project]]
: a project focused on the development of a flexible code review engine

; [[:Category:OWASP Stinger Project|OWASP Stinger Project]]
: a project focus on the development of a centralized input validation mechanism which can be easily applied to existing or developmental applications

</td><td>

; [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]]
: investigating the security of AJAX enabled applications

; [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]]
: establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment

; [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]]
: identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security

; [[:Category:OWASP Career Development Project|OWASP Career Development Project]]
: The OWASP Career Development project is focused on helping application security professionals understand the job market, roles, career paths, and skills to work in the field.

; [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Project]]
: a comprehensive and integrated guide to the fundamental building blocks of application security

; [[:Category:OWASP Java Project|OWASP Java Project]]
: a project focused on helping Java and J2EE developers build secure applications

; [[:Category:OWASP Logging Project|OWASP Logging Guide]]
: a project to define best practices for logging and log management

; [[:Category:OWASP PHP Project|OWASP PHP Project]]
: a project focused on helping PHP developers build secure applications

; [[:Category:OWASP Validation Project|OWASP Validation Project]]
: a project that provides guidance and tools related to validation

; [[:Category:OWASP WASS Project|OWASP WASS Guide]]
: a standards project to develop more concrete criteria for secure applications

; [[:Category:OWASP XML Security Gateway Evaluation Criteria Project|OWASP XML Security Gateway Evaluation Criteria]]
: a project to define evaluation criteria for XML Security Gateways

; [[:Category:OWASP Education Project|OWASP Education Project]]
: a project to build educational tracks and modules for different audiences

</td></tr></table>

__NOTOC__

Category:OWASP Project

2007-03-19T16:30:06Z

Boris: /* Beta Status Projects */

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

To propose a new project, please send an email to [mailto:owasp@owasp.org?subject=New_OWASP_Project_idea owasp@owasp.org]

Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any of them on the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page.

==Release Quality Projects==

<table><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]]
: an online training environment for hands-on learning about application security

; [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]]
: a tool for performing all types of security testing on web applications and web services

</td><td>

; [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]]
: FAQ covering many application security topics

; [[:Category:OWASP Guide Project|OWASP Guide Project]]
: a massive document covering all aspects of web application and web service security

; [[:Category:OWASP Legal Project|OWASP Legal Project]]
: a project focused on contracting for secure software

; [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]]
: an awareness document that describes the top ten web application security vulnerabilities

</td></tr></table>

==Beta Status Projects==

<table valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]]
: a JavaScript based web application security testing suite

; [[:Category:OWASP Encoding Project|OWASP Encoding Project]]
: a project focused on the development of encoding best practices for web applications.

; [[:Category:OWASP LAPSE Project|OWASP LAPSE Project]]
: an Eclipse-based source-code static analysis tool for Java

; [[:Category:OWASP Live CD Project|OWASP Live CD Project]]
: a CD containing ready to use versions of application security analysis and testing tools

; [[:Category:OWASP .NET Project|OWASP .NET Research]]
: a project focused on helping .NET developers build secure applications

; [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]
: a project focused on combining automated capabilities with complete manual testing to get the best results

; [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]
: an open source black box security scanner used to assess the security of AJAX-enabled applications

; [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]]
: a project focused on the development of SQLiX, a full perl-based SQL scanner

; [[:Category:OWASP WSFuzzer Project|OWASP WSFuzzer Project]]
: a project focused on the development of WSFuzzer, a full python-based Web Services SOAP fuzzer

; [[ORG_%28Owasp_Report_Generator%29|OWASP Report Generator]]
: a project giving security professionals a way to report and keep track of their projects

; [[Owasp_SiteGenerator|OWASP Site Generator]]
: a project allowing users to create dynamic sites for use in training, web application scanner testing, etc...

; [[Owasp_Tiger|OWASP Tiger]]
: OWASP Tiger is a Windows application originally intented to be used for automating the process of testing various known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send a HTTP requests, receive and analyze the responses, match them against a set of conditions to produce alerts, notifications that something is wrong with the application(s) or service(s) being tested.
</td><td>

; [[:Category:OWASP CLASP Project|OWASP CLASP Project]]
: a project focused on defining process elements that reinforce application security

; [[:Category:OWASP Code Review Project|OWASP Code Review Project]]
: a project to capture best practices for reviewing code

; [[:Category:OWASP Testing Project|OWASP Testing Guide]]
: a project focused on application security testing procedures and checklists

; [[:Category:OWASP Tools Project|OWASP Tools Project]]
: The OWASP Tools Project's goal is to provide unbiased, practical information and guidance about application security tools.

</td></tr></table>

==Alpha Status Projects==

<table valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP Insecure Web App Project|OWASP Insecure Web App Project]]
: a web application that includes common web application vulnerabilities

; [[:Category:OWASP Interceptor Project|OWASP Interceptor Project]]
: a testing tool for XML web service and Ajax interfaces

; [[:Category:OWASP JBroFuzz|OWASP JBroFuzz Project]]
: a fuzzer application, supporting a number of automated security checks including basic cross site scripting checks (XSS) as well as basic SQL injection testing.

; [[:Category:OWASP Orizon Project|OWASP Orizon Project]]
: a project focused on the development of a flexible code review engine

; [[:Category:OWASP Stinger Project|OWASP Stinger Project]]
: a project focus on the development of a centralized input validation mechanism which can be easily applied to existing or developmental applications

</td><td>

; [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]]
: investigating the security of AJAX enabled applications

; [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]]
: establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment

; [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]]
: identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security

; [[:Category:OWASP Career Development Project|OWASP Career Development Project]]
: The OWASP Career Development project is focused on helping application security professionals understand the job market, roles, career paths, and skills to work in the field.

; [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Project]]
: a comprehensive and integrated guide to the fundamental building blocks of application security

; [[:Category:OWASP Java Project|OWASP Java Project]]
: a project focused on helping Java and J2EE developers build secure applications

; [[:Category:OWASP Logging Project|OWASP Logging Guide]]
: a project to define best practices for logging and log management

; [[:Category:OWASP PHP Project|OWASP PHP Project]]
: a project focused on helping PHP developers build secure applications

; [[:Category:OWASP Validation Project|OWASP Validation Project]]
: a project that provides guidance and tools related to validation

; [[:Category:OWASP WASS Project|OWASP WASS Guide]]
: a standards project to develop more concrete criteria for secure applications

; [[:Category:OWASP XML Security Gateway Evaluation Criteria Project|OWASP XML Security Gateway Evaluation Criteria]]
: a project to define evaluation criteria for XML Security Gateways

; [[:Category:OWASP Education Project|OWASP Education Project]]
: a project to build educational tracks and modules for different audiences

</td></tr></table>

__NOTOC__

OWASP Autumn of Code 2006 - Projects: Owasp .Net Tools

2007-03-07T18:10:33Z

Boris: /* Latest */

'''AoC Candidate:''' Boris

'''Project Coordinator:''' Dinis Cruz

'''Project Progress:''' 100% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Owasp_.Net_Tools_-_Progress|Progress Page]]
==Latest==
Tiger 1.0 is available for download! Get more details on the new [[OWASP_Tiger|official project page]].

== Background and Motivation ==

===History Behind Project===
OWASP .NET Tools were originally created by Dinis Cruz as standalone applications [[ANSA]], [[ANBS]] and [[SAM'SHE]]. These tools are used to diagnose security problems in shared hosting environments based on Microsoft's ASP.NET platform.

===Motivation===
The number of Web sites and applications is growing rapidly, as well as number of platforms. Microsoft's Web platform is known for its high level of developer productivity, ease of setup and administration and great integration with other, often very widespread, Microsoft products. So, the Microsoft Web platform may be very attractive to individuals and various types of organizations. However, there are still many doubts about how secure it is. Many of these doubts are not backed by specific, measurable data and tests but instead on historical (but not necessarily outdated) data and "word of mouth" type of evidence. Determining how secure an application running on Microsoft's Web platform is usually requires a lot of time and resources. There aren't many tools for testing security aspects of Microsoft's Web platform that make things easier. Even few are publicly available.

Another problem is that, due to a user-friendly nature of the tools provided in Microsoft's products, administering Web sites and applications may seem easier than it sometimes is. Many times these tasks are delegated to people who are not aware of numerous security-related problems (sometimes even not to professional IT administrators) that may occur. As a result, many Web sites and applications deployed are insecure.

===Problem to be Addressed===
OWASP Tiger 1.0 (this project) is meant to improve and integrate ANSA, ANBS and SAM'SHE into single (but versatile) tool and create both more functionality and better user exeprience.

===Benefit to OWASP Members and Community===
The deliverables of this project will (hopefully) help OWASP members and community
* be aware of vulnerabilities and risks involved with their applications before releasing them to general public
* determine if their applications are deployed in a less than optimal security environment
* ease patch/hotfix management of their OS/Web server software
* perhaps even make decisions about the technology stack(s) used

== Goals and Deliverables ==

===Plan of Approach===
* Convert all [[SAM'SHE]] and [[ANSA]] tests into [[Owasp SiteGenerator]] tests
* Document and risk rate all tests using [[ORG (OWASP Report Generator)|Owasp Report Generator]]
* Merge and update current [[SAM'SHE]], [[ANSA]] and [[ANBS]] user interface to reflect the new identity and funcionality

===Deliverables===
The main deliverables of Tiger 1.0 will be:
* Source code checked in a publicly available source code control system (most probably SourceForge.net)
* Binaries (in the form of installer) posted on SourceForge.net
* User documentation posted on SourceForge.net

== Risks and Rewards ==

===Main Risks===
The biggest risks with this project are:
* Lack of technical documentation for the current releases (so it's difficult to grasp and build upon the current system)
* Envisioned functionality is not fully specified (yet). Ideally, we sould have a full-blown functional specification.

===Rewards of Successful Project===
Hopefully, this project will help security professionals find and patch security vulnerabilities much faster and easier than before. That will in turn help the whole user community by making Web applications (well, at least those deployed on the Microsoft platform) more reliable and trustworthy.

OWASP Autumn of Code 2006 - Projects: Owasp .Net Tools

2007-03-07T18:07:55Z

Boris: /* Latest */

'''AoC Candidate:''' Boris

'''Project Coordinator:''' Dinis Cruz

'''Project Progress:''' 100% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Owasp_.Net_Tools_-_Progress|Progress Page]]
==Latest==
Tiger 1.0 is available for download. More details can be found on the project: [[official page|OWASP_Tiger]].

== Background and Motivation ==

===History Behind Project===
OWASP .NET Tools were originally created by Dinis Cruz as standalone applications [[ANSA]], [[ANBS]] and [[SAM'SHE]]. These tools are used to diagnose security problems in shared hosting environments based on Microsoft's ASP.NET platform.

===Motivation===
The number of Web sites and applications is growing rapidly, as well as number of platforms. Microsoft's Web platform is known for its high level of developer productivity, ease of setup and administration and great integration with other, often very widespread, Microsoft products. So, the Microsoft Web platform may be very attractive to individuals and various types of organizations. However, there are still many doubts about how secure it is. Many of these doubts are not backed by specific, measurable data and tests but instead on historical (but not necessarily outdated) data and "word of mouth" type of evidence. Determining how secure an application running on Microsoft's Web platform is usually requires a lot of time and resources. There aren't many tools for testing security aspects of Microsoft's Web platform that make things easier. Even few are publicly available.

Another problem is that, due to a user-friendly nature of the tools provided in Microsoft's products, administering Web sites and applications may seem easier than it sometimes is. Many times these tasks are delegated to people who are not aware of numerous security-related problems (sometimes even not to professional IT administrators) that may occur. As a result, many Web sites and applications deployed are insecure.

===Problem to be Addressed===
OWASP Tiger 1.0 (this project) is meant to improve and integrate ANSA, ANBS and SAM'SHE into single (but versatile) tool and create both more functionality and better user exeprience.

===Benefit to OWASP Members and Community===
The deliverables of this project will (hopefully) help OWASP members and community
* be aware of vulnerabilities and risks involved with their applications before releasing them to general public
* determine if their applications are deployed in a less than optimal security environment
* ease patch/hotfix management of their OS/Web server software
* perhaps even make decisions about the technology stack(s) used

== Goals and Deliverables ==

===Plan of Approach===
* Convert all [[SAM'SHE]] and [[ANSA]] tests into [[Owasp SiteGenerator]] tests
* Document and risk rate all tests using [[ORG (OWASP Report Generator)|Owasp Report Generator]]
* Merge and update current [[SAM'SHE]], [[ANSA]] and [[ANBS]] user interface to reflect the new identity and funcionality

===Deliverables===
The main deliverables of Tiger 1.0 will be:
* Source code checked in a publicly available source code control system (most probably SourceForge.net)
* Binaries (in the form of installer) posted on SourceForge.net
* User documentation posted on SourceForge.net

== Risks and Rewards ==

===Main Risks===
The biggest risks with this project are:
* Lack of technical documentation for the current releases (so it's difficult to grasp and build upon the current system)
* Envisioned functionality is not fully specified (yet). Ideally, we sould have a full-blown functional specification.

===Rewards of Successful Project===
Hopefully, this project will help security professionals find and patch security vulnerabilities much faster and easier than before. That will in turn help the whole user community by making Web applications (well, at least those deployed on the Microsoft platform) more reliable and trustworthy.

OWASP Autumn of Code 2006 - Projects: Owasp .Net Tools

2007-03-07T18:07:22Z

Boris:

'''AoC Candidate:''' Boris

'''Project Coordinator:''' Dinis Cruz

'''Project Progress:''' 100% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Owasp_.Net_Tools_-_Progress|Progress Page]]
==Latest==
Tiger 1.0 is available for download. More details can be found on the project official page: [[OWASP_Tiger]].
== Background and Motivation ==

===History Behind Project===
OWASP .NET Tools were originally created by Dinis Cruz as standalone applications [[ANSA]], [[ANBS]] and [[SAM'SHE]]. These tools are used to diagnose security problems in shared hosting environments based on Microsoft's ASP.NET platform.

===Motivation===
The number of Web sites and applications is growing rapidly, as well as number of platforms. Microsoft's Web platform is known for its high level of developer productivity, ease of setup and administration and great integration with other, often very widespread, Microsoft products. So, the Microsoft Web platform may be very attractive to individuals and various types of organizations. However, there are still many doubts about how secure it is. Many of these doubts are not backed by specific, measurable data and tests but instead on historical (but not necessarily outdated) data and "word of mouth" type of evidence. Determining how secure an application running on Microsoft's Web platform is usually requires a lot of time and resources. There aren't many tools for testing security aspects of Microsoft's Web platform that make things easier. Even few are publicly available.

Another problem is that, due to a user-friendly nature of the tools provided in Microsoft's products, administering Web sites and applications may seem easier than it sometimes is. Many times these tasks are delegated to people who are not aware of numerous security-related problems (sometimes even not to professional IT administrators) that may occur. As a result, many Web sites and applications deployed are insecure.

===Problem to be Addressed===
OWASP Tiger 1.0 (this project) is meant to improve and integrate ANSA, ANBS and SAM'SHE into single (but versatile) tool and create both more functionality and better user exeprience.

===Benefit to OWASP Members and Community===
The deliverables of this project will (hopefully) help OWASP members and community
* be aware of vulnerabilities and risks involved with their applications before releasing them to general public
* determine if their applications are deployed in a less than optimal security environment
* ease patch/hotfix management of their OS/Web server software
* perhaps even make decisions about the technology stack(s) used

== Goals and Deliverables ==

===Plan of Approach===
* Convert all [[SAM'SHE]] and [[ANSA]] tests into [[Owasp SiteGenerator]] tests
* Document and risk rate all tests using [[ORG (OWASP Report Generator)|Owasp Report Generator]]
* Merge and update current [[SAM'SHE]], [[ANSA]] and [[ANBS]] user interface to reflect the new identity and funcionality

===Deliverables===
The main deliverables of Tiger 1.0 will be:
* Source code checked in a publicly available source code control system (most probably SourceForge.net)
* Binaries (in the form of installer) posted on SourceForge.net
* User documentation posted on SourceForge.net

== Risks and Rewards ==

===Main Risks===
The biggest risks with this project are:
* Lack of technical documentation for the current releases (so it's difficult to grasp and build upon the current system)
* Envisioned functionality is not fully specified (yet). Ideally, we sould have a full-blown functional specification.

===Rewards of Successful Project===
Hopefully, this project will help security professionals find and patch security vulnerabilities much faster and easier than before. That will in turn help the whole user community by making Web applications (well, at least those deployed on the Microsoft platform) more reliable and trustworthy.

OWASP Autumn of Code 2006 - Projects: Owasp .Net Tools

2007-02-27T19:30:45Z

Boris:

'''AoC Candidate:''' Boris

'''Project Coordinator:''' Dinis Cruz

'''Project Progress:''' 100% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Owasp_.Net_Tools_-_Progress|Progress Page]]

== Background and Motivation ==

===History Behind Project===
OWASP .NET Tools were originally created by Dinis Cruz as standalone applications [[ANSA]], [[ANBS]] and [[SAM'SHE]]. These tools are used to diagnose security problems in shared hosting environments based on Microsoft's ASP.NET platform.

===Motivation===
The number of Web sites and applications is growing rapidly, as well as number of platforms. Microsoft's Web platform is known for its high level of developer productivity, ease of setup and administration and great integration with other, often very widespread, Microsoft products. So, the Microsoft Web platform may be very attractive to individuals and various types of organizations. However, there are still many doubts about how secure it is. Many of these doubts are not backed by specific, measurable data and tests but instead on historical (but not necessarily outdated) data and "word of mouth" type of evidence. Determining how secure an application running on Microsoft's Web platform is usually requires a lot of time and resources. There aren't many tools for testing security aspects of Microsoft's Web platform that make things easier. Even few are publicly available.

Another problem is that, due to a user-friendly nature of the tools provided in Microsoft's products, administering Web sites and applications may seem easier than it sometimes is. Many times these tasks are delegated to people who are not aware of numerous security-related problems (sometimes even not to professional IT administrators) that may occur. As a result, many Web sites and applications deployed are insecure.

===Problem to be Addressed===
OWASP Tiger 1.0 (this project) is meant to improve and integrate ANSA, ANBS and SAM'SHE into single (but versatile) tool and create both more functionality and better user exeprience.

===Benefit to OWASP Members and Community===
The deliverables of this project will (hopefully) help OWASP members and community
* be aware of vulnerabilities and risks involved with their applications before releasing them to general public
* determine if their applications are deployed in a less than optimal security environment
* ease patch/hotfix management of their OS/Web server software
* perhaps even make decisions about the technology stack(s) used

== Goals and Deliverables ==

===Plan of Approach===
* Convert all [[SAM'SHE]] and [[ANSA]] tests into [[Owasp SiteGenerator]] tests
* Document and risk rate all tests using [[ORG (OWASP Report Generator)|Owasp Report Generator]]
* Merge and update current [[SAM'SHE]], [[ANSA]] and [[ANBS]] user interface to reflect the new identity and funcionality

===Deliverables===
The main deliverables of Tiger 1.0 will be:
* Source code checked in a publicly available source code control system (most probably SourceForge.net)
* Binaries (in the form of installer) posted on SourceForge.net
* User documentation posted on SourceForge.net

== Risks and Rewards ==

===Main Risks===
The biggest risks with this project are:
* Lack of technical documentation for the current releases (so it's difficult to grasp and build upon the current system)
* Envisioned functionality is not fully specified (yet). Ideally, we sould have a full-blown functional specification.

===Rewards of Successful Project===
Hopefully, this project will help security professionals find and patch security vulnerabilities much faster and easier than before. That will in turn help the whole user community by making Web applications (well, at least those deployed on the Microsoft platform) more reliable and trustworthy.

OWASP Tiger

2007-02-17T23:17:13Z

Boris:

'''OWASP Tiger''' is a Windows application originally intented to be used for automating the process of testing variuous known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send a HTTP requests, receive and analyze the responses, match them against a set of conditions to produce ''alerts'', notifications that something is wrong with the application(s) or service(s) being tested.
==Goals==
Tiger's goals are quite simple:
* '''Provide a simple way to create HTTP or HTTPS requests.''' You can define these using a very simple to use GUI.
* '''Provide a simple, but flexible way of analyzing the responses automatically.''' You can define sets of rules that are to be applied to responses using a user friendly conditioin editor.
* '''Allow for easy sharing and reuse of tests.''' You can save your test projects, send them to other Tiger users and even create templates that new Tiger projects can be based upon.

[[Image:new_project_dialog.png]]

''Figure 1: Tiger's New Project dialog''

[[Image:condition_complete.png]]

''Figure 2: Tiger's Condition Editor''

[[Image:tiger_hover_info.png]]

''Figure 3: Examining the test results

==Download==
Tiger is not yet available for download.

You can download the Tiger source code from [http://code.google.com/p/owasp-code-central/source Google code].
==Setup Instructios==
Tiger requires the .NET Framework 2.0 to be installed. If you don't have it, download it [http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en here (x86 architecture)].

==User Manual==
Tiger user manual is available [[Tiger User Manual|here]].
==Future Development==
Hopefully, the future development of OWASP Tiger will be twofold:
* Tiger itself
* Project templates for various well known Web applications (i.e. your favorite portal, forum, blog etc.)
==Project Contributors==
Tiger is developed by Boris Maletic, under an OWASP Autumn of Code 2006 sponsorship. Project leader is Dinis Cruz.

File:Tiger hover info.PNG

2007-02-09T05:48:41Z

Boris:

OWASP Tiger

2007-02-09T05:48:22Z

Boris: /* Goals */

'''OWASP Tiger''' is a Windows application originally intented to be used for automating the process of testing variuous known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send a HTTP requests, receive and analyze the responses, match them against a set of conditions to produce ''alerts'', notifications that something is wrong with the application(s) or service(s) being tested.
==Goals==
Tiger's goals are quite simple:
* '''Provide a simple way to create HTTP or HTTPS requests.''' You can define these using a very simple to use GUI.
* '''Provide a simple, but flexible way of analyzing the responses automatically.''' You can define sets of rules that are to be applied to responses using a user friendly conditioin editor.
* '''Allow for easy sharing and reuse of tests.''' You can save your test projects, send them to other Tiger users and even create templates that new Tiger projects can be based upon.

[[Image:new_project_dialog.png]]

''Figure 1: Tiger's New Project dialog''

[[Image:condition_complete.png]]

''Figure 2: Tiger's Condition Editor''

[[Image:tiger_hover_info.PNG]]

''Figure 3: Examining the test results

==Download==
Tiger is not yet available for download.

You can download the Tiger source code from [http://code.google.com/p/owasp-code-central/source Google code].
==Setup Instructios==
Tiger requires the .NET Framework 2.0 to be installed. If you don't have it, download it [http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en here (x86 architecture)].

==User Manual==
Tiger user manual is available [[Tiger User Manual|here]].
==Future Development==
Hopefully, the future development of OWASP Tiger will be twofold:
* Tiger itself
* Project templates for various well known Web applications (i.e. your favorite portal, forum, blog etc.)
==Project Contributors==
Tiger is developed by Boris Maletic, under an OWASP Autumn of Code 2006 sponsorship. Project leader is Dinis Cruz.

Tiger User Manual

2007-02-09T05:46:18Z

Boris: /* Saving Your Project as a Project Template */

==Managing Projects==
===What is a Tiger Project?===
Tiger project is a logical grouping of test targets and tests to be performed as a whole. Each Tiger project consists of zero or more targets, each containing zero or more tests (although projects without any targets and tests are not very meaningful).
===Starting a New Project===
A blank project is created automatically when you start Tiger. If you need to create a project based on a project template, or simply another blank project, do this:
* To create a project based on a project template, from the File menu, select New.
* To create a blank project, click the New button on the toolbar, or press '''Ctrl+N'''. Alternatively, from the '''File''' menu, select '''New''' and choose the "Blank Project" template.
===Opening an Existing Project===
To open an existing project, either
* Click the '''Open''' toolbar button, or
* From the '''File''' menu, select '''Open'''
Tiger projects have the '''.tgp''' file extension.
===Saving Your Project===
To save your project, either
* Click the '''Save''' toolbar button, or
* From the '''File''' menu, select '''Save''' (to save the project using its current file name and location) or '''Save As''' (to save the project under a new name and/or at a new location)
===Saving Your Project as a Project Template===
You can also save your project as a template. That way, you and other users can quickly create new projects based on your project. After your template is imported (currently, there is no GUI for this, just place your '''.tgpt''' file in the '''Project Templates''' subfolder), it will appear in the '''New Project''' dialog (displayed when you select '''New''' from the '''File''' menu, or press '''Ctrl+N''') and new projects can easily be created based on it.

'''Note''': Typically, users will want to run the same tests, but not on the same servers as you did in your project, so it’s a good idea to clear the Path properties of your project targets before saving the project as a template.

Tiger currently ships with the '''Tiger ASP.NET Module''' template, which contains tests for some well known ASP.NET 2.0 vulnerabilites.

[[Image:new_project_dialog.png]]

''Figure: The New Project dialog box''

==Managing Targets==
===What is a Tiger Target?===
Tiger target is a web site or virtual directory upon which tests are to be performed. Each target contains zero or more tests to be performed. Essentially, target is defined by its ''path'' (a http or https prefixed URL, without the document name, query and fragment. If needed, all of those can be provided at the test level).

Each project can contain multiple targets, and each target can contain multiple tests.
===Adding a Target===
You can add targets to your project by
* Selecting '''Add Target''' from the '''Project''' menu
* Right-clicking the project node in the Project Explorer, and selecting '''Add Target''' from the shortcut menu that appears.
===Configuring a Target===
====Path====
The '''Path''' property of the target object must be set to a valid ''http'' or ''https'' scheme URL of the web site or virtual directory containing tests to be executed. Otherwise, you won’t be able to run the project.

Additionally, the '''Tests''' collection should contain one or more Test objects. Although technically possible, creating a target with no associated tests does not make much sense (unless, of course, you plan to add tests later).
===Deleting a Target===
To delete a target from your project, right-click on it in the Project Explorer window. Then select '''Delete''' from the shortcut menu. After you confirm the deletion, the target (along with all the tests it contained) is gone.
==Managing Tests==
===What is a Tiger Test?===
Tiger test is a web page or service that is to be called during the execution of a project, using the supplied parameters and specified HTTP method. The outcome of that call is later evaluated by a set of various conditions. If those conditions are met, they generate ''alerts'' (essentially signals that something is wrong). Generation of such alerts is the ultimate goal of running any Tiger project.

Each test is associated with a target, which defines the scheme, host, port and virtual path parts of the virtual directory that contains that particular test. (Please note that Tiger supports only the ''http'' and ''https'' schemes.)
===Adding a Test===
To add a new test to your project (or, more precisely, target), do one of the following:
* Select the target to add a test to and, from the '''Project''' menu, select '''Add Test'''.
* Right-click on the target in the Project Explorer and select '''Add Test''' from the shortcut menu.
===Configuring a Test===
====Relative Path====
The scheme, host, port and virtual path parts of the virtual directory are defined by the target containing that particular test. The other parts of the test URL (namely, the file name, query and fragment) can be, if needed, supplied by the test itself, using its '''Relative Path''' property. Supplying a value for that property, however, is not mandatory (this allows you test the default document of the target’s virtual directory).

This division of the URL parts between the target and test objects may seem awkward at first, but it allows you to redirect execution of a bunch of tests to a different server (or virtual directory) just by changing one property value (specifically, the '''Path''' property of the Target object).
====Method====
Tests can be invoked using the standard GET or POST HTTP methods. You can define which one to use via the '''Method''' property. The default is GET.
====Parameters====
Tiger supports passing parameters to tests. Basically, a parameter is a pair of strings where the first value in the pair represents the name of the parameter, and the other represents the actual value to be passed.

How the parameters are ultimately passed to the test is determined by the value of the '''Method''' property.
====Alerts====
After a test has finished executing, its response is matched against a set of conditions. If one of these condition is met, an alert is generated. Alerts notify the user that something is wrong (although nothing prevents you from defining alerts to be generated when something is right) with the web site or application being tested.

Each alert is defined by its alert condition, message and type. More info on alerts is provided in the [[#Managing Alerts|"Managing Alerts"]] section.
===Deleting a Test===
To delete a test from your project, right-click on it in the Project Explorer window. Then select '''Delete''' from the shortcut menu. After you confirm the deletion, the test (along with all the parameters and alerts it contained) is gone.
==Managing Alerts==
Alerts are the final result of executing tests. After a test has finished executing, its response is matched against a set of conditions that you defined. If one of these conditions is met, an alert (including a descriptive message that you defined) is displayed to the user.

Although tests without alerts defined for them are of a questionable usefulness, they are allowed. They can be used for automating access to a set of pages. For example, you might define a test project to 'warm-up" a web application before you give a demo of it (so no one will think it is slower that it actually is ;).
===Adding an Alert===
To add a new alert to your test
* Right-click on the test in the Project Explorer and select '''Add Alert''' from the shortcut menu.
===Specifying Alert Conditions===
Once you have created the alert, the most important thing to do is to specify the condition that defines when this alert is going to be generated. Tiger supports these types of conditions:
* Response status code is equal to the value you specified
* Response status code is not equal to the value you specified
* Response body contains the text you specified
* Response body does not contain the text you specified
* Response body contains a match for the regular expression you specified
* Response body des not contain a match for the regular expression you specified
* Logical AND combination of two conditions, including other AND and OR conditions
* Logical OR combination of two conditions, including other AND and OR conditions
These basic conditions allow for creation of very complex tests, although most often alert conditions tend to be quite simple.
====Creating a condition====
Without a condition defined, a test is not considered valid and it cannot be run. Conditions are created using the condition editor. To display it, in the Project Explorer, select the alert you want to define condition for. Then, in the Property window, click the '''Condition''' property. The ellipsis button will show up. Click on it, and finally the condition editor appears.

Initially, it looks like this:

[[Image:condition_start.png]]

To add a condition, right-click the placeholder element. A shortcut menu appears:

[[Image:condition_menu.png]]

Select the type of condition you want to add. If you made a mistake, right click on the condition and select Delete from the shortcut menu. Repeat the process until you are done. Here’s an example of a not too complex condition:

[[Image:condition_complete.png]]

===Specifying Alert Type===
Alert type defines how serious the problem is. There are three types of alerts:
* '''Red''' alert, intended to indicate most serious problems
* '''Orange''' alert
* '''Yellow''' alert, intended to indicate not-so-serious problems
The default alert type is Red.
===Specifying Alert Message===
Alert message is a descriptive text that will be displayed to the user if the alert is generated (i.e. if the alert condition is met).
===Alert Ordering Matters!===
Multiple alerts can be defined for one test. (This feature is most often used to define different types of alerts for the same test, although that is not a requirement). For example, you can generate a red alert if the test manages to start the operating system shell and execute certain executable, and yellow alert if it manages to start the shell, but fails to execute that particular executable).

However, keep in mind that the evaluation of alert conditions will stop when a first condition is met. (So, in the previous scenario, you won’t get both red and orange alert, which is usually what you want).

One important consequence of this is that you should always specify your alerts in particular order: the most serious alerts should be tested before the not-so-serious ones.
==Managing Test Parameters==
In order to allow for flexibility when running tests, Tiger supports passing parameters to tests. These parameters usually alter the behavior of the test in some way, and are standard parameters used in almost every Web application (so the chances are that you are already familiar with the concept). Parameters are passed to tests using the standard GET or POST method (depending on how you configured the '''Method''' property of the test).
===Adding a Parameter===
To add a new parameter to your test, do one of the following:
* Select the test you want to add a parameter to and, from the '''Project''' menu, select '''Add Test Parameter'''.
* Right-click on the test in the Project Explorer and select '''Add Parameter''' from the shortcut menu.
===Configuring a Parameter===
When configuring a parameter, it is necessary to specify its name. Although most often you will specify a value for it, it is not required that you do so. Encoding the parameter value during the test invocation is done automatically, so don’t encode it yourself.
===Deleting a Parameter===
To delete a test parameter, right-click on it in the Project Explorer, and select '''Delete''' from the shortcut menu.
==Testing a Test==
You don’t have to run the whole project in order to check if you configured a test right. You can "test a test" by right-clicking on it, and selecting '''Test Run''' from the shortcut menu.
==Running Your Project==
===Starting the Project===
After everything is set up, you run your project by
* Selecting '''Run''' from the '''Project''' menu
* Clicking the '''Run''' toolbar button
* Pressing '''F5'''
The tests start, and the current status of each individual test is denoted by an icon and descriptive text.
===Stopping the Project===
Sometimes a test can take very long time to execute. If you don’t want to wait for the test(s) to finish, you can stop the project, effectively cancelling all the currently executing tests. You can stop the project by
* Selecting '''Stop''' from the '''Project''' menu
* Clicking the '''Stop''' toolbar button
Note that stopping the project does not affect tests that have already finished executing in any way.

===Finding Out the Test Status===
You can determine the status of a certain test by looking at the icon displayed before its name. A descriptive message is displayed as well. Here are the meanings of the icons used:

[[Image:running.gif]] - The test is currently executing.

[[Image:red_flag.gif]] - The test has finished executing and a red alert has been generated.

[[Image:orange_flag.gif]] - The test has finished executing and an orange alert has been generated.

[[Image:yellow_flag.gif]] - The test has finished executing and a yellow alert has been generated.

[[Image:test_succeeded.gif]] - The test execution has succeeded, but no alerts have been generated.

[[Image:test_failed.gif]] - The test execution has failed.

[[Image:test_cancelled.png]] - The test has been cancelled by the user.

==Viewing, Printing and Exporting Project Results==
After all the tests are finished executing, you can examine the results in the main Tiger window, or view a report by clicking the '''View Report''' button.

[[Image:tiger_hover_info.png]]

''Figure: examining the test results in the main Tiger window''

[[Image:project_report.png]]

''Figure: A simple project results report''

From there, you can print the report and/or save it in the HTML format.

To print the report
* Click the '''Print''' toolbar button

To save the report as HTML
* Click the '''Save''' toolbar button

2007-02-08T01:55:26Z

Boris:

OWASP Tiger

2007-02-08T01:53:59Z

Boris:

'''OWASP Tiger''' is a Windows application originally intented to be used for automating the process of testing variuous known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send a HTTP requests, receive and analyze the responses, match them against a set of conditions to produce ''alerts'', notifications that something is wrong with the application(s) or service(s) being tested.
==Goals==
Tiger's goals are quite simple:
* '''Provide a simple way to create HTTP or HTTPS requests.''' You can define these using a very simple to use GUI.
* '''Provide a simple, but flexible way of analyzing the responses automatically.''' You can define sets of rules that are to be applied to responses using a user friendly conditioin editor.
* '''Allow for easy sharing and reuse of tests.''' You can save your test projects, send them to other Tiger users and even create templates that new Tiger projects can be based upon.

[[Image:add_condition_complete.png]]

''Figure 1: Tiger's Condition Editor''
==Download==
Tiger is not yet available for download.
==User Manual==
Tiger user manual is available [[Tiger User Manual|here]].
==Future Development==
Hopefully, the future development of OWASP Tiger will be twofold:
* Tiger itself (for example, cookie support)
* Project templates for various well known Web applications (i.e. your favorite portal, forum, blog etc.)

OWASP Tiger

2007-02-08T01:53:41Z

File:Project report.png

2007-02-05T01:34:29Z

Boris:

Tiger User Manual

2007-02-05T01:33:57Z

Boris:

==Managing Projects==
===What is a Tiger Project?===
Tiger project is a logical grouping of test targets and tests to be performed as a whole. Each Tiger project consists of zero or more targets, each containing zero or more tests (although projects without any targets and tests are not very meaningful).
===Starting a New Project===
A blank project is created automatically when you start Tiger. If you need to create a project based on a project template, or simply another blank project, do this:
* To create a project based on a project template, from the File menu, select New.
* To create a blank project, click the New button on the toolbar, or press '''Ctrl+N'''. Alternatively, from the '''File''' menu, select '''New''' and choose the "Blank Project" template.
===Opening an Existing Project===
To open an existing project, either
* Click the '''Open''' toolbar button, or
* From the '''File''' menu, select '''Open'''
Tiger projects have the '''.tgp''' file extension.
===Saving Your Project===
To save your project, either
* Click the '''Save''' toolbar button, or
* From the '''File''' menu, select '''Save''' (to save the project using its current file name and location) or '''Save As''' (to save the project under a new name and/or at a new location)
===Saving Your Project as a Project Template===
You can also save your project as a template. That way, you and other users can quickly create new projects based on your project. After your template is imported (currently, there is no GUI for this, just place your '''.tgpt''' file in the '''Project Templates''' subfolder), it will appear in the '''New Project''' dialog (displayed when you select '''New''' from the '''File''' menu, or press '''Ctrl+N''') and new projects can easily be created based on it.

'''Note''': Typically, users will want to run the same tests, but not on the same servers as you did in your project, so it’s a good idea to clear the Path properties of your project targets before saving the project as a template.

Tiger currently ships with the '''Tiger ASP.NET Module''' template, which contains tests for some well known ASP.NET 2.0 vulnerabilites.

[[Image:new_project_dialog.png]]

==Managing Targets==
===What is a Tiger Target?===
Tiger target is a web site or virtual directory upon which tests are to be performed. Each target contains zero or more tests to be performed. Essentially, target is defined by its ''path'' (a http or https prefixed URL, without the document name, query and fragment. If needed, all of those can be provided at the test level).

Each project can contain multiple targets, and each target can contain multiple tests.
===Adding a Target===
You can add targets to your project by
* Selecting '''Add Target''' from the '''Project''' menu
* Right-clicking the project node in the Project Explorer, and selecting '''Add Target''' from the shortcut menu that appears.
===Configuring a Target===
====Path====
The '''Path''' property of the target object must be set to a valid ''http'' or ''https'' scheme URL of the web site or virtual directory containing tests to be executed. Otherwise, you won’t be able to run the project.

Additionally, the '''Tests''' collection should contain one or more Test objects. Although technically possible, creating a target with no associated tests does not make much sense (unless, of course, you plan to add tests later).
===Deleting a Target===
To delete a target from your project, right-click on it in the Project Explorer window. Then select '''Delete''' from the shortcut menu. After you confirm the deletion, the target (along with all the tests it contained) is gone.
==Managing Tests==
===What is a Tiger Test?===
Tiger test is a web page or service that is to be called during the execution of a project, using the supplied parameters and specified HTTP method. The outcome of that call is later evaluated by a set of various conditions. If those conditions are met, they generate ''alerts'' (essentially signals that something is wrong). Generation of such alerts is the ultimate goal of running any Tiger project.

Each test is associated with a target, which defines the scheme, host, port and virtual path parts of the virtual directory that contains that particular test. (Please note that Tiger supports only the ''http'' and ''https'' schemes.)
===Adding a Test===
To add a new test to your project (or, more precisely, target), do one of the following:
* Select the target to add a test to and, from the '''Project''' menu, select '''Add Test'''.
* Right-click on the target in the Project Explorer and select '''Add Test''' from the shortcut menu.
===Configuring a Test===
====Relative Path====
The scheme, host, port and virtual path parts of the virtual directory are defined by the target containing that particular test. The other parts of the test URL (namely, the file name, query and fragment) can be, if needed, supplied by the test itself, using its '''Relative Path''' property. Supplying a value for that property, however, is not mandatory (this allows you test the default document of the target’s virtual directory).

This division of the URL parts between the target and test objects may seem awkward at first, but it allows you to redirect execution of a bunch of tests to a different server (or virtual directory) just by changing one property value (specifically, the '''Path''' property of the Target object).
====Method====
Tests can be invoked using the standard GET or POST HTTP methods. You can define which one to use via the '''Method''' property. The default is GET.
====Parameters====
Tiger supports passing parameters to tests. Basically, a parameter is a pair of strings where the first value in the pair represents the name of the parameter, and the other represents the actual value to be passed.

How the parameters are ultimately passed to the test is determined by the value of the '''Method''' property.
====Alerts====
After a test has finished executing, its response is matched against a set of conditions. If one of these condition is met, an alert is generated. Alerts notify the user that something is wrong (although nothing prevents you from defining alerts to be generated when something is right) with the web site or application being tested.

Each alert is defined by its alert condition, message and type. More info on alerts is provided in the [[#Managing Alerts|"Managing Alerts"]] section.
===Deleting a Test===
To delete a test from your project, right-click on it in the Project Explorer window. Then select '''Delete''' from the shortcut menu. After you confirm the deletion, the test (along with all the parameters and alerts it contained) is gone.
==Managing Alerts==
Alerts are the final result of executing tests. After a test has finished executing, its response is matched against a set of conditions that you defined. If one of these conditions is met, an alert (including a descriptive message that you defined) is displayed to the user.

Although tests without alerts defined for them are of a questionable usefulness, they are allowed. They can be used for automating access to a set of pages. For example, you might define a test project to 'warm-up" a web application before you give a demo of it (so no one will think it is slower that it actually is ;).
===Adding an Alert===
To add a new alert to your test
* Right-click on the test in the Project Explorer and select '''Add Alert''' from the shortcut menu.
===Specifying Alert Conditions===
Once you have created the alert, the most important thing to do is to specify the condition that defines when this alert is going to be generated. Tiger supports these types of conditions:
* Response status code is equal to the value you specified
* Response status code is not equal to the value you specified
* Response body contains the text you specified
* Response body does not contain the text you specified
* Response body contains a match for the regular expression you specified
* Response body des not contain a match for the regular expression you specified
* Logical AND combination of two conditions, including other AND and OR conditions
* Logical OR combination of two conditions, including other AND and OR conditions
These basic conditions allow for creation of very complex tests, although most often alert conditions tend to be quite simple.
====Creating a condition====
Without a condition defined, a test is not considered valid and it cannot be run. Conditions are created using the condition editor. To display it, in the Project Explorer, select the alert you want to define condition for. Then, in the Property window, click the '''Condition''' property. The ellipsis button will show up. Click on it, and finally the condition editor appears.

Initially, it looks like this:

[[Image:condition_start.png]]

To add a condition, right-click the placeholder element. A shortcut menu appears:

[[Image:condition_menu.png]]

Select the type of condition you want to add. If you made a mistake, right click on the condition and select Delete from the shortcut menu. Repeat the process until you are done. Here’s an example of a not too complex condition:

[[Image:condition_complete.png]]

===Specifying Alert Type===
Alert type defines how serious the problem is. There are three types of alerts:
* '''Red''' alert, intended to indicate most serious problems
* '''Orange''' alert
* '''Yellow''' alert, intended to indicate not-so-serious problems
The default alert type is Red.
===Specifying Alert Message===
Alert message is a descriptive text that will be displayed to the user if the alert is generated (i.e. if the alert condition is met).
===Alert Ordering Matters!===
Multiple alerts can be defined for one test. (This feature is most often used to define different types of alerts for the same test, although that is not a requirement). For example, you can generate a red alert if the test manages to start the operating system shell and execute certain executable, and yellow alert if it manages to start the shell, but fails to execute that particular executable).

However, keep in mind that the evaluation of alert conditions will stop when a first condition is met. (So, in the previous scenario, you won’t get both red and orange alert, which is usually what you want).

One important consequence of this is that you should always specify your alerts in particular order: the most serious alerts should be tested before the not-so-serious ones.
==Managing Test Parameters==
In order to allow for flexibility when running tests, Tiger supports passing parameters to tests. These parameters usually alter the behavior of the test in some way, and are standard parameters used in almost every Web application (so the chances are that you are already familiar with the concept). Parameters are passed to tests using the standard GET or POST method (depending on how you configured the '''Method''' property of the test).
===Adding a Parameter===
To add a new parameter to your test, do one of the following:
* Select the test you want to add a parameter to and, from the '''Project''' menu, select '''Add Test Parameter'''.
* Right-click on the test in the Project Explorer and select '''Add Parameter''' from the shortcut menu.
===Configuring a Parameter===
When configuring a parameter, it is necessary to specify its name. Although most often you will specify a value for it, it is not required that you do so. Encoding the parameter value during the test invocation is done automatically, so don’t encode it yourself.
===Deleting a Parameter===
To delete a test parameter, right-click on it in the Project Explorer, and select '''Delete''' from the shortcut menu.
==Testing a Test==
You don’t have to run the whole project in order to check if you configured a test right. You can "test a test" by right-clicking on it, and selecting '''Test Run''' from the shortcut menu.
==Running Your Project==
===Starting the Project===
After everything is set up, you run your project by
* Selecting '''Run''' from the '''Project''' menu
* Clicking the '''Run''' toolbar button
* Pressing '''F5'''
The tests start, and the current status of each individual test is denoted by an icon and descriptive text.
===Stopping the Project===
Sometimes, a test can take very long time to execute. If you don’t want to wait for the test(s) to finish, you can stop the project, effectively cancelling all the currently executing tests. You can stop the project by
* Selecting '''Stop''' from the '''Project''' menu
* Clicking the '''Stop''' toolbar button
Note that stopping the project does not affect tests that have already finished executing in any way.
===Finding Out the Test Status===
You can determine the status of a certain test by looking at the icon displayed before its name. A descriptive message is displayed as well. Here are the meanings of the icons used:

[[Image:running.gif]] - The test is currently executing.

[[Image:red_flag.gif]] - The test has finished executing and a red alert has been generated.

[[Image:orange_flag.gif]] - The test has finished executing and an orange alert has been generated.

[[Image:yellow_flag.gif]] - The test has finished executing and a yellow alert has been generated.

[[Image:test_succeeded.gif]] - The test execution has succeeded, but no alerts have been generated.

[[Image:test_failed.gif]] - The test execution has failed.

[[Image:test_cancelled.png]] - The test has been cancelled by the user.

==Viewing, Printing and Exporting Project Results==
After all the tests are finished executing, you can view a report by clicking the '''View Report''' button. A simple project results report might look like this:

[[Image:project_report.png]]

From there, you can print the report and/or save it in the HTML format.

To print the report
* Click the '''Print''' toolbar button

To save the report as HTML
* Click the '''Save''' toolbar button

Tiger User Manual

2007-02-05T01:25:09Z

Boris:

==Managing Projects==
===What is a Tiger Project?===
Tiger project is a logical grouping of test targets and tests to be performed as a whole. Each Tiger project consists of zero or more targets, each containing zero or more tests (although projects without any targets and tests are not very meaningful).
===Starting a New Project===
A blank project is created automatically when you start Tiger. If you need to create a project based on a project template, or simply another blank project, do this:
* To create a project based on a project template, from the File menu, select New.
* To create a blank project, click the New button on the toolbar, or press '''Ctrl+N'''. Alternatively, from the '''File''' menu, select '''New''' and choose the "Blank Project" template.
===Opening an Existing Project===
To open an existing project, either
* Click the '''Open''' toolbar button, or
* From the '''File''' menu, select '''Open'''
Tiger projects have the '''.tgp''' file extension.
===Saving Your Project===
To save your project, either
* Click the '''Save''' toolbar button, or
* From the '''File''' menu, select '''Save''' (to save the project using its current file name and location) or '''Save As''' (to save the project under a new name and/or at a new location)
===Saving Your Project as a Project Template===
You can also save your project as a template. That way, you and other users can quickly create new projects based on your project. After your template is imported (currently, there is no GUI for this, just place your '''.tgpt''' file in the '''Project Templates''' subfolder), it will appear in the '''New Project''' dialog (displayed when you select '''New''' from the '''File''' menu, or press '''Ctrl+N''') and new projects can easily be created based on it.

'''Note''': Typically, users will want to run the same tests, but not on the same servers as you did in your project, so it’s a good idea to clear the Path properties of your project targets before saving the project as a template.

Tiger currently ships with the '''Tiger ASP.NET Module''' template, which contains tests for some well known ASP.NET 2.0 vulnerabilites.

[[Image:new_project_dialog.png]]

==Managing Targets==
===What is a Tiger Target?===
Tiger target is a web site or virtual directory upon which tests are to be performed. Each target contains zero or more tests to be performed. Essentially, target is defined by its ''path'' (a http or https prefixed URL, without the document name, query and fragment. If needed, all of those can be provided at the test level).

Each project can contain multiple targets, and each target can contain multiple tests.
===Adding a Target===
You can add targets to your project by
* Selecting '''Add Target''' from the '''Project''' menu
* Right-clicking the project node in the Project Explorer, and selecting '''Add Target''' from the shortcut menu that appears.
===Configuring a Target===
====Path====
The '''Path''' property of the target object must be set to a valid ''http'' or ''https'' scheme URL of the web site or virtual directory containing tests to be executed. Otherwise, you won’t be able to run the project.

Additionally, the '''Tests''' collection should contain one or more Test objects. Although technically possible, creating a target with no associated tests does not make much sense (unless, of course, you plan to add tests later).
===Deleting a Target===
To delete a target from your project, right-click on it in the Project Explorer window. Then select '''Delete''' from the shortcut menu. After you confirm the deletion, the target (along with all the tests it contained) is gone.
==Managing Tests==
===What is a Tiger Test?===
Tiger test is a web page or service that is to be called during the execution of a project, using the supplied parameters and specified HTTP method. The outcome of that call is later evaluated by a set of various conditions. If those conditions are met, they generate ''alerts'' (essentially signals that something is wrong). Generation of such alerts is the ultimate goal of running any Tiger project.

Each test is associated with a target, which defines the scheme, host, port and virtual path parts of the virtual directory that contains that particular test. (Please note that Tiger supports only the ''http'' and ''https'' schemes.)
===Adding a Test===
To add a new test to your project (or, more precisely, target), do one of the following:
* Select the target to add a test to and, from the '''Project''' menu, select '''Add Test'''.
* Right-click on the target in the Project Explorer and select '''Add Test''' from the shortcut menu.
===Configuring a Test===
====Relative Path====
The scheme, host, port and virtual path parts of the virtual directory are defined by the target containing that particular test. The other parts of the test URL (namely, the file name, query and fragment) can be, if needed, supplied by the test itself, using its '''Relative Path''' property. Supplying a value for that property, however, is not mandatory (this allows you test the default document of the target’s virtual directory).

This division of the URL parts between the target and test objects may seem awkward at first, but it allows you to redirect execution of a bunch of tests to a different server (or virtual directory) just by changing one property value (specifically, the '''Path''' property of the Target object).
====Method====
Tests can be invoked using the standard GET or POST HTTP methods. You can define which one to use via the '''Method''' property. The default is GET.
====Parameters====
Tiger supports passing parameters to tests. Basically, a parameter is a pair of strings where the first value in the pair represents the name of the parameter, and the other represents the actual value to be passed.

How the parameters are ultimately passed to the test is determined by the value of the '''Method''' property.
====Alerts====
After a test has finished executing, its response is matched against a set of conditions. If one of these condition is met, an alert is generated. Alerts notify the user that something is wrong (although nothing prevents you from defining alerts to be generated when something is right) with the web site or application being tested.

Each alert is defined by its alert condition, message and type. More info on alerts is provided in the [[#Managing Alerts|"Managing Alerts"]] section.
===Deleting a Test===
To delete a test from your project, right-click on it in the Project Explorer window. Then select '''Delete''' from the shortcut menu. After you confirm the deletion, the test (along with all the parameters and alerts it contained) is gone.
==Managing Alerts==
Alerts are the final result of executing tests. After a test has finished executing, its response is matched against a set of conditions that you defined. If one of these conditions is met, an alert (including a descriptive message that you defined) is displayed to the user.

Although tests without alerts defined for them are of a questionable usefulness, they are allowed. They can be used for automating access to a set of pages. For example, you might define a test project to 'warm-up" a web application before you give a demo of it (so no one will think it is slower that it actually is ;).
===Adding an Alert===
To add a new alert to your test
* Right-click on the test in the Project Explorer and select '''Add Alert''' from the shortcut menu.
===Specifying Alert Conditions===
Once you have created the alert, the most important thing to do is to specify the condition that defines when this alert is going to be generated. Tiger supports these types of conditions:
* Response status code is equal to the value you specified
* Response status code is not equal to the value you specified
* Response body contains the text you specified
* Response body does not contain the text you specified
* Response body contains a match for the regular expression you specified
* Response body des not contain a match for the regular expression you specified
* Logical AND combination of two conditions, including other AND and OR conditions
* Logical OR combination of two conditions, including other AND and OR conditions
These basic conditions allow for creation of very complex tests, although most often alert conditions tend to be quite simple.
====Creating a condition====
Without a condition defined, a test is not considered valid and it cannot be run. Conditions are created using the condition editor. To display it, in the Project Explorer, select the alert you want to define condition for. Then, in the Property window, click the '''Condition''' property. The ellipsis button will show up. Click on it, and finally the condition editor appears.

Initially, it looks like this:

[[Image:condition_start.png]]

To add a condition, right-click the placeholder element. A shortcut menu appears:

[[Image:condition_menu.png]]

Select the type of condition you want to add. If you made a mistake, right click on the condition and select Delete from the shortcut menu. Repeat the process until you are done. Here’s an example of a not too complex condition:

[[Image:condition_complete.png]]

===Specifying Alert Type===
Alert type defines how serious the problem is. There are three types of alerts:
* '''Red''' alert, intended to indicate most serious problems
* '''Orange''' alert
* '''Yellow''' alert, intended to indicate not-so-serious problems
The default alert type is Red.
===Specifying Alert Message===
Alert message is a descriptive text that will be displayed to the user if the alert is generated (i.e. if the alert condition is met).
===Alert Ordering Matters!===
Multiple alerts can be defined for one test. (This feature is most often used to define different types of alerts for the same test, although that is not a requirement). For example, you can generate a red alert if the test manages to start the operating system shell and execute certain executable, and yellow alert if it manages to start the shell, but fails to execute that particular executable).

However, keep in mind that the evaluation of alert conditions will stop when a first condition is met. (So, in the previous scenario, you won’t get both red and orange alert, which is usually what you want).

One important consequence of this is that you should always specify your alerts in particular order: the most serious alerts should be tested before the not-so-serious ones.
==Managing Test Parameters==
In order to allow for flexibility when running tests, Tiger supports passing parameters to tests. These parameters usually alter the behavior of the test in some way, and are standard parameters used in almost every Web application (so the chances are that you are already familiar with the concept). Parameters are passed to tests using the standard GET or POST method (depending on how you configured the '''Method''' property of the test).
===Adding a Parameter===
To add a new parameter to your test, do one of the following:
* Select the test you want to add a parameter to and, from the '''Project''' menu, select '''Add Test Parameter'''.
* Right-click on the test in the Project Explorer and select '''Add Parameter''' from the shortcut menu.
===Configuring a Parameter===
When configuring a parameter, it is necessary to specify its name. Although most often you will specify a value for it, it is not required that you do so. Encoding the parameter value during the test invocation is done automatically, so don’t encode it yourself.
===Deleting a Parameter===
To delete a test parameter, right-click on it in the Project Explorer, and select '''Delete''' from the shortcut menu.
==Testing a Test==
You don’t have to run the whole project in order to check if you configured a test right. You can "test a test" by right-clicking on it, and selecting '''Test Run''' from the shortcut menu.
==Running Your Project==
===Starting the Project===
After everything is set up, you run your project by
* Selecting '''Run''' from the '''Project''' menu
* Clicking the '''Run''' toolbar button
* Pressing '''F5'''
The tests start, and the current status of each individual test is denoted by an icon and descriptive text.
===Stopping the Project===
Sometimes, a test can take very long time to execute. If you don’t want to wait for the test(s) to finish, you can stop the project, effectively cancelling all the currently executing tests. You can stop the project by
* Selecting '''Stop''' from the '''Project''' menu
* Clicking the '''Stop''' toolbar button
Note that stopping the project does not affect tests that have already finished executing in any way.
===Finding Out the Test Status===
You can determine the status of a certain test by looking at the icon displayed before its name. A descriptive message is displayed as well. Here are the meanings of the icons used:

[[Image:running.gif]] - The test is currently executing.

[[Image:red_flag.gif]] - The test has finished executing and a red alert has been generated.

[[Image:orange_flag.gif]] - The test has finished executing and an orange alert has been generated.

[[Image:yellow_flag.gif]] - The test has finished executing and a yellow alert has been generated.

[[Image:test_succeeded.gif]] - The test execution has succeeded, but no alerts have been generated.

[[Image:test_failed.gif]] - The test execution has failed.

[[Image:test_cancelled.png]] - The test has been cancelled by the user.

Tiger User Manual

2007-02-05T01:10:21Z

Boris: /* Running Your Project */

==Managing Projects==
===What is a Tiger Project?===
Tiger project is a logical grouping of test targets and tests to be performed as a whole. Each Tiger project consists of zero or more targets, each containing zero or more tests (although projects without any targets and tests are not very meaningful).
===Starting a New Project===
A blank project is created automatically when you start Tiger. If you need to create a project based on a project template, or simply another blank project, do this:
* To create a project based on a project template, from the File menu, select New.
* To create a blank project, click the New button on the toolbar, or press '''Ctrl+N'''. Alternatively, from the '''File''' menu, select '''New''' and choose the "Blank Project" template.
===Opening an Existing Project===
To open an existing project, either
* Click the '''Open''' toolbar button, or
* From the '''File''' menu, select '''Open'''
Tiger projects have the '''.tgp''' file extension.
===Saving Your Project===
To save your project, either
* Click the '''Save''' toolbar button, or
* From the '''File''' menu, select '''Save''' (to save the project using its current file name and location) or '''Save As''' (to save the project under a new name and/or at a new location)
===Saving Your Project as a Project Template===
You can also save your project as a template. That way, you and other users can quickly create new projects based on your project. After your template is imported (currently, there is no GUI for this, just place your '''.tgpt''' file in the '''Project Templates''' subfolder), it will appear in the '''New Project''' dialog (displayed when you select '''New''' from the '''File''' menu, or press '''Ctrl+N''') and new projects can easily be created based on it.

'''Note''': Typically, users will want to run the same tests, but not on the same servers as you did in your project, so it’s a good idea to clear the Path properties of your project targets before saving the project as a template.

Tiger currently ships with the '''Tiger ASP.NET Module''' template, which contains tests for some well known ASP.NET 2.0 vulnerabilites.

[[Image:new_project_dialog.png]]

==Managing Targets==
===What is a Tiger Target?===
Tiger target is a web site or virtual directory upon which tests are to be performed. Each target contains zero or more tests to be performed. Essentially, target is defined by its ''path'' (a http or https prefixed URL, without the document name, query and fragment. If needed, all of those can be provided at the test level).

Each project can contain multiple targets, and each target can contain multiple tests.
===Adding a Target===
You can add targets to your project by
* Selecting '''Add Target''' from the '''Project''' menu
* Right-clicking the project node in the Project Explorer, and selecting '''Add Target''' from the shortcut menu that appears.
===Configuring a Target===
====Path====
The '''Path''' property of the target object must be set to a valid ''http'' or ''https'' scheme URL of the web site or virtual directory containing tests to be executed. Otherwise, you won’t be able to run the project.

Additionally, the '''Tests''' collection should contain one or more Test objects. Although technically possible, creating a target with no associated tests does not make much sense (unless, of course, you plan to add tests later).
===Deleting a Target===
To delete a target from your project, right-click on it in the Project Explorer window. Then select '''Delete''' from the shortcut menu. After you confirm the deletion, the target (along with all the tests it contained) is gone.
==Managing Tests==
===What is a Tiger Test?===
Tiger test is a web page or service that is to be called during the execution of a project, using the supplied parameters and specified HTTP method. The outcome of that call is later evaluated by a set of various conditions. If those conditions are met, they generate ''alerts'' (essentially signals that something is wrong). Generation of such alerts is the ultimate goal of running any Tiger project.

Each test is associated with a target, which defines the scheme, host, port and virtual path parts of the virtual directory that contains that particular test. (Please note that Tiger supports only the ''http'' and ''https'' schemes.)
===Adding a Test===
To add a new test to your project (or, more precisely, target), do one of the following:
* Select the target to add a test to and, from the '''Project''' menu, select '''Add Test'''.
* Right-click on the target in the Project Explorer and select '''Add Test''' from the shortcut menu.
===Configuring a Test===
====Relative Path====
The scheme, host, port and virtual path parts of the virtual directory are defined by the target containing that particular test. The other parts of the test URL (namely, the file name, query and fragment) can be, if needed, supplied by the test itself, using its '''Relative Path''' property. Supplying a value for that property, however, is not mandatory (this allows you test the default document of the target’s virtual directory).

This division of the URL parts between the target and test objects may seem awkward at first, but it allows you to redirect execution of a bunch of tests to a different server (or virtual directory) just by changing one property value (specifically, the '''Path''' property of the Target object).
====Method====
Tests can be invoked using the standard GET or POST HTTP methods. You can define which one to use via the '''Method''' property. The default is GET.
====Parameters====
Tiger supports passing parameters to tests. Basically, a parameter is a pair of strings where the first value in the pair represents the name of the parameter, and the other represents the actual value to be passed.

How the parameters are ultimately passed to the test is determined by the value of the '''Method''' property.
====Alerts====
After a test has finished executing, its response is matched against a set of conditions. If one of these condition is met, an alert is generated. Alerts notify the user that something is wrong (although nothing prevents you from defining alerts to be generated when something is right) with the web site or application being tested.

Each alert is defined by its alert condition, message and type. More info on alerts is provided in the [[#Managing Alerts|"Managing Alerts"]] section.
===Deleting a Test===
To delete a test from your project, right-click on it in the Project Explorer window. Then select '''Delete''' from the shortcut menu. After you confirm the deletion, the test (along with all the parameters and alerts it contained) is gone.
==Managing Alerts==
Alerts are the final result of executing tests. After a test has finished executing, its response is matched against a set of conditions that you defined. If one of these conditions is met, an alert (including a descriptive message that you defined) is displayed to the user.

Although tests without alerts defined for them are of a questionable usefulness, they are allowed. They can be used for automating access to a set of pages. For example, you might define a test project to 'warm-up" a web application before you give a demo of it (so no one will think it is slower that it actually is ;).
===Adding an Alert===
To add a new alert to your test
* Right-click on the test in the Project Explorer and select '''Add Alert''' from the shortcut menu.
===Specifying Alert Conditions===
Once you have created the alert, the most important thing to do is to specify the condition that defines when this alert is going to be generated. Tiger supports these types of conditions:
* Response status code is equal to the value you specified
* Response status code is not equal to the value you specified
* Response body contains the text you specified
* Response body does not contain the text you specified
* Response body contains a match for the regular expression you specified
* Response body des not contain a match for the regular expression you specified
* Logical AND combination of two conditions, including other AND and OR conditions
* Logical OR combination of two conditions, including other AND and OR conditions
These basic conditions allow for creation of very complex tests, although most often alert conditions tend to be quite simple.
====Creating a condition====
Without a condition defined, a test is not considered valid and it cannot be run. Conditions are created using the condition editor. To display it, in the Project Explorer, select the alert you want to define condition for. Then, in the Property window, click the '''Condition''' property. The ellipsis button will show up. Click on it, and finally the condition editor appears.

Initially, it looks like this:

[[Image:condition_start.png]]

To add a condition, right-click the placeholder element. A shortcut menu appears:

[[Image:condition_menu.png]]

Select the type of condition you want to add. If you made a mistake, right click on the condition and select Delete from the shortcut menu. Repeat the process until you are done. Here’s an example of a not too complex condition:

[[Image:condition_complete.png]]

===Specifying Alert Type===
Alert type defines how serious the problem is. There are three types of alerts:
* '''Red''' alert, intended to indicate most serious problems
* '''Orange''' alert
* '''Yellow''' alert, intended to indicate not-so-serious problems
The default alert type is Red.
===Specifying Alert Message===
Alert message is a descriptive text that will be displayed to the user if the alert is generated (i.e. if the alert condition is met).
===Alert Ordering Matters!===
Multiple alerts can be defined for one test. (This feature is most often used to define different types of alerts for the same test, although that is not a requirement). For example, you can generate a red alert if the test manages to start the operating system shell and execute certain executable, and yellow alert if it manages to start the shell, but fails to execute that particular executable).

However, keep in mind that the evaluation of alert conditions will stop when a first condition is met. (So, in the previous scenario, you won’t get both red and orange alert, which is usually what you want).

One important consequence of this is that you should always specify your alerts in particular order: the most serious alerts should be tested before the not-so-serious ones.
==Managing Test Parameters==
In order to allow for flexibility when running tests, Tiger supports passing parameters to tests. These parameters usually alter the behavior of the test in some way, and are standard parameters used in almost every Web application (so the chances are that you are already familiar with the concept). Parameters are passed to tests using the standard GET or POST method (depending on how you configured the '''Method''' property of the test).
===Adding a Parameter===
To add a new parameter to your test, do one of the following:
* Select the test you want to add a parameter to and, from the '''Project''' menu, select '''Add Test Parameter'''.
* Right-click on the test in the Project Explorer and select '''Add Parameter''' from the shortcut menu.
===Configuring a Parameter===
When configuring a parameter, it is necessary to specify its name. Although most often you will specify a value for it, it is not required that you do so. Encoding the parameter value during the test invocation is done automatically, so don’t encode it yourself.
===Deleting a Parameter===
To delete a test parameter, right-click on it in the Project Explorer, and select '''Delete''' from the shortcut menu.
==Testing a Test==
You don’t have to run the whole project in order to check if you configured a test right. You can "test a test" by right-clicking on it, and selecting '''Test Run''' from the shortcut menu.
==Running Your Project==
After everything is set up, you run your project by
* Selecting '''Run''' from the '''Project''' menu
* Clicking the '''Run''' toolbar button
* Pressing '''F5'''
The tests start, and the current status of each individual test is denoted by an icon and descriptive text.
===Test Status Notification Icons===

[[Image:running.gif]] - The test is currently executing.

[[Image:red_flag.gif]] - The test has finished executing and a red alert has been generated.

[[Image:orange_flag.gif]] - The test has finished executing and an orange alert has been generated.

[[Image:yellow_flag.gif]] - The test has finished executing and a yellow alert has been generated.

[[Image:test_succeeded.gif]] - The test execution has succeeded, but no alerts have been generated.

[[Image:test_failed.gif]] - The test execution has failed.

[[Image:test_cancelled.png]] - The test has been cancelled by the user.

File:Test cancelled.png

2007-02-05T01:09:09Z

Boris:

File:Test failed.gif

2007-02-05T01:08:53Z

Boris: