https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Cam+MorrisOWASP - User contributions [en]2026-04-11T10:02:11ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=228607OWASP Passfault2017-04-12T16:03:15Z<p>Cam Morris: /* Demo Site */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
== Research ==<br />
''Passfault: an Open Source Tool for Measuring Password Complexity and Strength'' [[File:Artigo-Passfault.pdf]]<br />
<br />
''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] <br />
"...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/owasp/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/owasp/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
; Why do you need to pass the password over the wire?! Isn't that insecure? Others do it in javascript-client why don't you?<br />
: Passfault's mission is to replace password policies, not just be a cute strength meter. It was intended to be used by the sites that already take and use your passwords. With that use-case, adding Passfault doesn't lessen security in any way. Plus it has the added benefit that we can store LOTS of password lists and do some in-depth analysis that can't be done client-side. <br />
<br />
; Does 2FA (two-factor authentication) make Passfault obsolete?<br />
: No, not if one of the factors is password authentication. 2FA lessens the risk of passwords, but if you no longer care about password security then you shouldn't use passwords for authentication at all. If you still use passwords, you should have an ''effective'' password policy. <br />
<br />
; Some argue that password policies make passwords less secure, does that apply to Passfault?<br />
: Researchers have found that, of all techniques used by password policies, only the required length had an effect on the overall strength, and even that claim is dubious. Passfault works different and we claim we can do better, a lot better, than any traditional password policy.<br />
<br />
; How does Passfault compare to zxcvbn?<br />
: Passfault is very similar to zxcvbn in it's approach to password analysis. In fact it is the only comparable tool that we know of, and the only alternative we endorse. zxcvbn presents the strength in units of "entropy", this measurement could be derived from passfault's "pattern size", however we feel that the "time-to-crack" help convey to the end user it's real risk (the downside to this is that really large numbers don't mean much to users, 10 years, or 10 million years, still feels like a long way away. Entropy is logarithmic so it shows this better. However entropy units are not intuitive to users.). We also search for a few more patterns that we think are valuable.<br />
<br />
; Why java - I hate java. If it were only in language ''x'' I'd use it. <br />
: Passfault is packaged up in docker as a microservice. You'd probably want to run passfault as a microservice anyway, so forget that it's java and just run with it. That said, we welcome any ports to typescript or any other language.<br />
<br />
Discuss with us more on twitter [[https://twitter.com/c4mm0r]] or join the email list: [[https://lists.owasp.org/mailman/listinfo/passfault]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* Bernardo Araujo Rodrigues<br />
* Ray Stone<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=228606OWASP Passfault2017-04-12T16:02:39Z<p>Cam Morris: /* FAQs */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
== Research ==<br />
''Passfault: an Open Source Tool for Measuring Password Complexity and Strength'' [[File:Artigo-Passfault.pdf]]<br />
<br />
''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] <br />
"...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/owasp/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/owasp/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
; Why do you need to pass the password over the wire?! Isn't that insecure? Others do it in javascript-client why don't you?<br />
: Passfault's mission is to replace password policies, not just be a cute strength meter. It was intended to be used by the sites that already take and use your passwords. With that use-case, adding Passfault doesn't lessen security in any way. Plus it has the added benefit that we can store LOTS of password lists and do some in-depth analysis that can't be done client-side. <br />
<br />
; Does 2FA (two-factor authentication) make Passfault obsolete?<br />
: No, not if one of the factors is password authentication. 2FA lessens the risk of passwords, but if you no longer care about password security then you shouldn't use passwords for authentication at all. If you still use passwords, you should have an ''effective'' password policy. <br />
<br />
; Some argue that password policies make passwords less secure, does that apply to Passfault?<br />
: Researchers have found that, of all techniques used by password policies, only the required length had an effect on the overall strength, and even that claim is dubious. Passfault works different and we claim we can do better, a lot better, than any traditional password policy.<br />
<br />
; How does Passfault compare to zxcvbn?<br />
: Passfault is very similar to zxcvbn in it's approach to password analysis. In fact it is the only comparable tool that we know of, and the only alternative we endorse. zxcvbn presents the strength in units of "entropy", this measurement could be derived from passfault's "pattern size", however we feel that the "time-to-crack" help convey to the end user it's real risk (the downside to this is that really large numbers don't mean much to users, 10 years, or 10 million years, still feels like a long way away. Entropy is logarithmic so it shows this better. However entropy units are not intuitive to users.). We also search for a few more patterns that we think are valuable.<br />
<br />
; Why java - I hate java. If it were only in language ''x'' I'd use it. <br />
; Passfault is packaged up in docker as a microservice. You'd probably want to run passfault as a microservice anyway, so forget that it's java and just run with it. That said, we welcome any ports to typescript or any other language.<br />
<br />
Discuss with us more on twitter [[https://twitter.com/c4mm0r]] or join the email list: [[https://lists.owasp.org/mailman/listinfo/passfault]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* Bernardo Araujo Rodrigues<br />
* Ray Stone<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=228605OWASP Passfault2017-04-12T16:02:04Z<p>Cam Morris: /* FAQs */ "java haters", client-side versus server side processing</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
== Research ==<br />
''Passfault: an Open Source Tool for Measuring Password Complexity and Strength'' [[File:Artigo-Passfault.pdf]]<br />
<br />
''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] <br />
"...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/owasp/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/owasp/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
; Why do you need to pass the password over the wire?! Isn't that insecure? Others do it in javascript-client why don't you?<br />
; Passfault's mission is to replace password policies, not just be a cute strength meter. It was intended to be used by the sites that already take and use your passwords. With that use-case, adding Passfault doesn't lessen security in any way. Plus it has the added benefit that we can store LOTS of password lists and do some in-depth analysis that can't be done client-side. <br />
<br />
; Does 2FA (two-factor authentication) make Passfault obsolete?<br />
: No, not if one of the factors is password authentication. 2FA lessens the risk of passwords, but if you no longer care about password security then you shouldn't use passwords for authentication at all. If you still use passwords, you should have an ''effective'' password policy. <br />
<br />
; Some argue that password policies make passwords less secure, does that apply to Passfault?<br />
: Researchers have found that, of all techniques used by password policies, only the required length had an effect on the overall strength, and even that claim is dubious. Passfault works different and we claim we can do better, a lot better, than any traditional password policy.<br />
<br />
; How does Passfault compare to zxcvbn?<br />
: Passfault is very similar to zxcvbn in it's approach to password analysis. In fact it is the only comparable tool that we know of, and the only alternative we endorse. zxcvbn presents the strength in units of "entropy", this measurement could be derived from passfault's "pattern size", however we feel that the "time-to-crack" help convey to the end user it's real risk (the downside to this is that really large numbers don't mean much to users, 10 years, or 10 million years, still feels like a long way away. Entropy is logarithmic so it shows this better. However entropy units are not intuitive to users.). We also search for a few more patterns that we think are valuable.<br />
<br />
; Why java - I hate java. If it were only in language ''x'' I'd use it. <br />
; Passfault is packaged up in docker as a microservice. You'd probably want to run passfault as a microservice anyway, so forget that it's java and just run with it. That said, we welcome any ports to typescript or any other language.<br />
<br />
Discuss with us more on twitter [[https://twitter.com/c4mm0r]] or join the email list: [[https://lists.owasp.org/mailman/listinfo/passfault]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* Bernardo Araujo Rodrigues<br />
* Ray Stone<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=228601OWASP Passfault2017-04-12T15:13:04Z<p>Cam Morris: /* FAQs */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
== Research ==<br />
''Passfault: an Open Source Tool for Measuring Password Complexity and Strength'' [[File:Artigo-Passfault.pdf]]<br />
<br />
''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] <br />
"...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/owasp/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/owasp/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
; Does 2FA (two-factor authentication) make Passfault obsolete?<br />
: No, not if one of the factors is password authentication. 2FA lessens the risk of passwords, but if you no longer care about password security then you shouldn't use passwords for authentication at all. If you still use passwords, you should have an ''effective'' password policy. <br />
<br />
; Some argue that password policies make passwords less secure, does that apply to Passfault?<br />
: Researchers have found that, of all techniques used by password policies, only the required length had an effect on the overall strength, and even that claim is dubious. Passfault works different and we claim we can do better, a lot better, than any traditional password policy.<br />
<br />
; How does Passfault compare to zxcvbn?<br />
: Passfault is very similar to zxcvbn in it's approach to password analysis. In fact it is the only comparable tool that we know of, and the only alternative we endorse. zxcvbn presents the strength in units of "entropy", this measurement could be derived from passfault's "pattern size", however we feel that the "time-to-crack" help convey to the end user it's real risk (the downside to this is that really large numbers don't mean much to users, 10 years, or 10 million years, still feels like a long way away. Entropy is logarithmic so it shows this better. However entropy units are not intuitive to users.). We also search for a few more patterns that we think are valuable.<br />
<br />
Discuss with us more on twitter [[https://twitter.com/c4mm0r]] or join the email list: [[https://lists.owasp.org/mailman/listinfo/passfault]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* Bernardo Araujo Rodrigues<br />
* Ray Stone<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=228600OWASP Passfault2017-04-12T15:07:21Z<p>Cam Morris: /* FAQs */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
== Research ==<br />
''Passfault: an Open Source Tool for Measuring Password Complexity and Strength'' [[File:Artigo-Passfault.pdf]]<br />
<br />
''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] <br />
"...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/owasp/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/owasp/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
; Does 2FA (two-factor authentication) make Passfault obsolete?<br />
: No, not if one of the factors is password authentication. 2FA lessens the risk of passwords, but if you no longer care about password security then you shouldn't use passwords for authentication at all. If you still use passwords, you should have an ''effective'' password policy. <br />
<br />
; Some argue that password policies make passwords less secure, does that apply to Passfault?<br />
: Researchers have found that, of all techniques used by password policies, only the required length had an effect on the overall strength, and even that claim is dubious. Passfault works different and we claim we can do better, a lot better, than any traditional password policy.<br />
<br />
; How does Passfault compare to zxcvbn?<br />
: Passfault is very similar to zxcvbn in it's approach to password analysis, in fact it is the only comparable tool that we know of, and the only alternative we endorse. zxcvbn presents the strength in units of "entropy", this measurement could be derived from passfault's "pattern size", however we feel that the "time-to-crack" help convey to the end user it's real risk (the downside to this is that really large numbers don't mean much to users, 10 years, or 10 million years, still feels like a long way away. Entropy is logarithmic so it shows this better. However entropy units are not intuitive to users.). We also search for a few more patterns that we think are valuable.<br />
<br />
Discuss with us more on twitter [[https://twitter.com/c4mm0r]] or join the email list: [[https://lists.owasp.org/mailman/listinfo/passfault]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* Bernardo Araujo Rodrigues<br />
* Ray Stone<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=228584OWASP Passfault2017-04-11T23:32:17Z<p>Cam Morris: /* FAQs */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
== Research ==<br />
''Passfault: an Open Source Tool for Measuring Password Complexity and Strength'' [[File:Artigo-Passfault.pdf]]<br />
<br />
''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] <br />
"...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/owasp/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/owasp/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
; Does 2FA (two-factor authentication) make Passfault obsolete?<br />
: No, not if one of the factors is password authentication. 2FA lessens the risk of passwords, but if you no longer care about password security then you shouldn't use passwords for authentication at all. If you still use passwords, you should have an ''effective'' password policy. <br />
<br />
; Some argue that password policies make passwords less secure, does that apply to Passfault?<br />
: Researchers have found that of all techniques used by password policies, only the required length had an effect on the overall strength, and even that claim is dubious. Passfault works different and we claim we can do better, a lot better, than any traditional password policy.<br />
<br />
; How does Passfault compare to zxcvbn?<br />
: Passfault is very similar to zxcvbn in it's approach to password analysis, in fact it is the only comparable tool that we know of, and the only alternative we endorse. zxcvbn presents the strength in units of "entropy", this measurement could be derived from passfault's "pattern size", however we feel that the "time-to-crack" help convey to the end user it's real risk (the downside to this is that really large numbers don't mean much to users, 10 years, or 10 million years, still feels like a long way away. Entropy is logarithmic so it shows this better. However entropy units are not intuitive to users.). We also search for a few more patterns that we think are valuable.<br />
<br />
Discuss with us more on twitter [[https://twitter.com/c4mm0r]] or join the email list: [[https://lists.owasp.org/mailman/listinfo/passfault]]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* Bernardo Araujo Rodrigues<br />
* Ray Stone<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=228581OWASP Passfault2017-04-11T21:32:10Z<p>Cam Morris: Added Bernardo's Research on Passfault</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
== Research ==<br />
''Passfault: an Open Source Tool for Measuring Password Complexity and Strength'' [[File:Artigo-Passfault.pdf]]<br />
<br />
''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] <br />
"...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/owasp/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/owasp/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* Bernardo Araujo Rodrigues<br />
* Ray Stone<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=File:Artigo-Passfault.pdf&diff=228580File:Artigo-Passfault.pdf2017-04-11T21:25:25Z<p>Cam Morris: Research paper presenting results of analyzing millions of hacked passwords against OWASP Passfault</p>
<hr />
<div>Research paper presenting results of analyzing millions of hacked passwords against OWASP Passfault</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=222776OWASP Passfault2016-10-27T14:02:49Z<p>Cam Morris: /* Main */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
== Research ==<br />
''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] <br />
"...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/owasp/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/owasp/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=222775OWASP Passfault2016-10-27T14:01:53Z<p>Cam Morris: /* Main */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
== Research ==<br />
''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] <br />
"...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/owasp/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=217441OWASP Passfault2016-05-26T21:43:55Z<p>Cam Morris: Added Cornell reference</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
== Research ==<br />
''General Framework for Evaluating Password Complexity and Strength'' [[http://arxiv.org/abs/1512.05814 Cornell University Library]] <br />
"...This is something that has not been captured by any previous password strength or complexity measures, with the exception of [OWASP] Passfault"<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=SAML_Security_Cheat_Sheet&diff=199846SAML Security Cheat Sheet2015-09-02T14:49:49Z<p>Cam Morris: minor editorial changes</p>
<hr />
<div> __NOTOC__<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
= Introduction =<br />
__TOC__{{TOC hidden}}<br />
<br />
The <i>Security Assertion Markup Language</i> (SAML) is an open standard for exchanging authorization and authentication information. The <i>Web Browser SAML/SSO Profile with Redirect/POST bindings</i> is one of the most common SSO implementation. This cheatsheet will focus primarily on that profile.<br />
<br />
<br />
= Validate Message Confidentiality and Integrity =<br />
<br />
* [[Transport Layer Protection Cheat Sheet|TLS 1.2]] is the most common solution to guarantee message confidentiality and integrity. Refer to [http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf SAML Security (section 4)] for additional information. This step will help counter the following attacks:<br />
** Eavesdropping 7.1.1.1<br />
** Theft of User Authentication Information 7.1.1.2<br />
** Theft of the Bearer Token 7.1.1.3<br />
** Message Deletion 7.1.1.6<br />
** Message Modification 7.1.1.7<br />
** Man-in-the-middle 7.1.1.8<br />
*A digitally signed message with a certified key is the most common solution to guarantee message integrity and authentication. Refer to [http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf SAML Security (section 4)] for additional information. This step will help counter the following attacks:<br />
**Man-in-the-middle 6.4.2<br />
**Forged Assertion 6.4.3<br />
<br />
<br />
=Validate Protocol Usage=<br />
<br />
This is a common area for security gaps - see [http://www.ai-lab.it/armando/pub/fmse9-armando.pdf Google SSO vulnerability] (AVANTSSAR 2008) for a real life example. Their SSO profile was vulnerable to a Man-in-the-middle attack from a malicious SP (Service Provider). The SSO Web Browser Profile is most susceptible to attacks from trusted partners. This particular security flaw was exposed because the SAML Response did not contain all of the required data elements necessary for a secure message exchange. Following the [http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf SAML Profile] usage requirements for AuthnRequest (4.1.4.1) and Response (4.1.4.2) will help counter this attack. The AVANTSSAR team suggested the following data elements should be required:<br />
<br />
* '''AuthnRequest(ID, SP);''' An AuthnRequest must contain and ID and SP. Where ID is a string uniquely identifying the request and an SP identifies the Service Provider that initiated the request. Furthermore, the request ID attribute must be returned in the response (InResponseTo="<requestId>"). InResponseTo helps guarantee authenticity of the response from the trusted IdP. This was one of the missing attributes that left Google's SSO vulnerable.<br />
* '''Response(ID, SP, IdP, {AA} K -1/IdP);''' A Response must contain all these elements. Where ID is a string uniquely identifying the response. SP identifies the recipient of the response. IdP identifies the identity provider authorizing the response. {AA} K -1/IdP is the assertion digitally signed with the private key of the IdP.<br />
* '''AuthAssert(ID, C, IdP, SP);''' An authentication assertion must exist within the Response. It must contain an ID, a client (C), an identity provider (IdP), and a service provider (SP) identifier.<br />
<br />
Further vulnerabilities in SAML implementations were described in 2012 ([https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91-8-23-12.pdf On Breaking SAML: Be Whoever You Want to Be]). The following recommendations were proposed in response ([http://arxiv.org/pdf/1401.7483v1.pdf Secure SAML validation to prevent XML signature wrapping attacks]):<br />
<br />
* Always perform schema validation on the XML document prior to using it for any security-related purposes.<br />
** Always use local, trusted copies of schemas for validation.<br />
** Never allow automatic download of schemas from third party locations.<br />
** If possible, inspect schemas and perform schema hardening, to disable possible wildcard type or relaxed processing statements.<br />
* Securely validate the digital signature.<br />
** If you expect only one signing key, use StaticKeySelector. Obtain the key directly from the identity provider, store it in local file and ignore any KeyInfo elements in the document.<br />
** If you expect more than one signing key, use X509KeySelector (the JKS variant). Obtain these keys directly form the identity providers, store them in local JKS and ignore any KeyInfo elements in the document.<br />
** If you expect a heterogenous signed documents (many certificates from many identity providers, multilevel validation paths), implement full trust establishment model based on PKIX and trusted root certificates.<br />
* Avoid signature-wrapping attacks.<br />
** Never use getElementsByTagName to select security related elements in an XML document without prior validation.<br />
**Always use absolute XPath expressions to select elements, unless a hardened schema is used for validation.<br />
<br />
<br />
=Validate Protocol Processing Rules=<br />
<br />
This is another common area for security gaps simply because of the vast number of steps to assert. Processing a SAML response is an expensive operation but all steps must be validated.<br />
*Validate AuthnRequest processing rules. Refer to [http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf SAML Core] (3.4.1.4) for all AuthnRequest processing rules. This step will help counter the following attacks:<br />
** Man-in-the-middle (6.4.2)<br />
* Validate Response processing rules. Refer to [http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf SAML Profiles] (4.1.4.3) for all Response processing rules. This step will help counter the following attacks:<br />
** Stolen Assertion (6.4.1)<br />
** Man-in-the-middle (6.4.2)<br />
** Forged Assertion (6.4.3)<br />
** Browser State Exposure (6.4.4)<br />
<br />
<br />
=Validate Binding Implementation=<br />
<br />
*For an HTTP Redirect Binding refer to [http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf SAML Binding] (3.4). To view an encoding example, you may want to reference RequestUtil.java found within [https://developers.google.com/google-apps/sso/saml_reference_implementation_web Google's reference implementation].<br />
* For an HTTP POST Binding refer to [http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf SAML Binding] (3.5). The caching considerations are also very important. If a SAML protocol message gets cached, it can subsequently be used as a Stolen Assertion (6.4.1) or Replay (6.4.5) attack.<br />
<br />
<br />
=Validate Security Countermeasures=<br />
<br />
Revisit each security threat that exists within the [http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf SAML Security] document and assert you have applied the appropriate countermeasures for threats that may exist for your particular implementation. Additional countermeasures considererd should include:<br />
*Prefer IP Filtering when appropriate. For example, this countermeasure could have prevented Google's initial security flaw if Google provided each trusted partner with a separate endpoint and setup an IP filter for each endpoint. This step will help counter the following attacks:<br />
**Stolen Assertion (6.4.1)<br />
**Man-in-the-middle (6.4.2)<br />
*Prefer short lifetimes on the SAML Response. This step will help counter the following attacks:<br />
**Stolen Assertion (6.4.1)<br />
**Browser State Exposure (6.4.4)<br />
*Prefer OneTimeUse on the SAML Response. This step will help counter the following attacks:<br />
**Browser State Exposure (6.4.4)<br />
**Replay (6.4.5)<br />
<br />
Need an architectural diagram? The [http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf SAML technical overview] contains the most complete diagrams. For the Web Browser SSO Profile with Redirect/POST bindings refer to the section 4.1.3. In fact, of all the SAML documentation, the technical overview is the most valuable from a high-level perspective.<br />
<br />
<br />
= First and Last Mile Considerations = <br />
<br />
The SAML protocol is rarely the vector of choice, though it's important to have cheatsheets to make sure that this is robust. The various endpoints are more targeted, so how the SAML token is generated and how it is consumed are both important in practice. <br />
<br />
== First Mile Considerations ==<br />
* Strong Authentication options for generating the SAML token<br />
* IDP validation (which IDP mints the token)<br />
<br />
== Last Mile Considerations ==<br />
* Validating session state for user<br />
* Level of granularity in setting authZ context when consuming SAML token (do you use groups, roles, attributes)<br />
* Validate authorized IDP<br />
<br />
<br />
= Input Validation =<br />
<br />
Just because SAML is a security protocol does not mean that input validation goes away. <br />
<br />
* Ensure that all SAML providers/consumers do proper [[Input_Validation_Cheat_Sheet | input validation]].<br />
<br />
<br />
= Authors and Primary Editors =<br />
<br />
* [http://bradbroulik.blogspot.dk/2010/01/bulletproof-sso-with-saml-20.html Brad Broulik]<br />
* [https://ipsec.pl/ Paweł Krawczyk]<br />
* Gunnar Peterson<br />
<br />
<br />
== Other Cheatsheets ==<br />
<br />
{{Cheatsheet_Navigation_Body}}<br />
<br />
|}<br />
<br />
[[Category:Cheatsheets]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=193259OWASP Passfault2015-04-13T18:35:09Z<p>Cam Morris: /* Acknowledgements */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* JetBrains has donated professional licenses for [https://www.jetbrains.com/idea/ IntelliJ IDEA]. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=193258OWASP Passfault2015-04-13T18:34:02Z<p>Cam Morris: /* Getting Involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* Intellij has donated professional licenses for IDEA. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If contribute significantly to the project contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA by JetBrains] (Thanks JetBrains!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=193233OWASP Passfault2015-04-13T15:01:43Z<p>Cam Morris: /* Getting Involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* Intellij has donated professional licenses for IDEA. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If you are developer, contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA] (Thanks IntelliJ!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=193232OWASP Passfault2015-04-13T14:59:02Z<p>Cam Morris: /* Getting Involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* Intellij has donated professional licenses for IDEA. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap below<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If you are developer, contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA] (Thanks IntelliJ!)<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=193231OWASP Passfault2015-04-13T14:58:35Z<p>Cam Morris: /* Getting Involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* Intellij has donated professional licenses for IDEA. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap below<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If you are developer, contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA] (Thanks IntelliJ!)<br />
<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=193230OWASP Passfault2015-04-13T14:55:33Z<p>Cam Morris: /* Road Map and Getting Involved */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* Intellij has donated professional licenses for IDEA. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
<br />
= Getting Involved =<br />
* Join the [http://https://lists.owasp.org/mailman/listinfo/passfault OWASP Passfault Mailing list]<br />
* See the Roadmap below<br />
* Peruse the [https://github.com/c-a-m/passfault/issues open issues]<br />
* Fork the code on [https://github.com/c-a-m/passfault github].<br />
* If you are developer, contact the project leader for a [https://www.jetbrains.com/idea/features/editions_comparison_matrix.htm professional license of IntelliJ IDEA] (Thanks IntelliJ!)<br />
<br />
<br />
= Roadmap =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=193227OWASP Passfault2015-04-13T14:41:21Z<p>Cam Morris: /* Acknowledgements */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
* Intellij has donated professional licenses for IDEA. If you are developing on OWASP Passfault contact the project leader and be sure to get a license!<br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=Projects/OWASP_Passfault/Roadmap&diff=190243Projects/OWASP Passfault/Roadmap2015-02-24T21:44:04Z<p>Cam Morris: /* Release 0.9 */</p>
<hr />
<div><br />
<br />
== Release 0.8 ==<br />
Goal: preparation for ESAPI<br />
* More meaningful word lists<br />
** Frequency lists: build lists of the most common words, names. (Done for English, Spainish)<br />
** Improved configuration of finders and wordlists<br />
<br />
== Release 0.9 ==<br />
* UI improvements<br />
* Fix backlog of issues<br />
* experiment with configuration of wordlists<br />
<br />
== Release 1.0 ==<br />
Goals: Enterprise Ready<br />
- UI improvements for learning better password strategies<br />
- Easier to configure and run, not requiring a developer to wire things up.<br />
<br />
== Other Important Goals ==<br />
* Javascript library generated by GWT and GWT Export. Do you know GWT? Please help us build a javascript version of passfault using GWT Exporter: https://code.google.com/p/gwt-exporter/<br />
* OS system integration: <br />
** Linux<br />
*** running passwd on linux runs passfault<br />
*** apt-get install passfault<br />
** Windows<br />
* Document each pattern finder on the OWASP wiki.<br />
* JQuery Plugin: A JQuery plugin that will let a web site use either the passfault applet or a passfault JSON Service to analyze a password.<br />
* Wordlists: We can always use better word lists. Contact us on the mailing list if you want to help.<br />
<br />
For current bugs and smaller tasks see the issues list on github: https://github.com/c-a-m/passfault/issues?state=open</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=190242OWASP Passfault2015-02-24T21:36:31Z<p>Cam Morris: /* Ohloh */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
https://www.ohloh.net/p/passfault<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=190241OWASP Passfault2015-02-24T21:36:20Z<p>Cam Morris: /* Related Projects */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Password_Storage_Cheat_Sheet]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/passfault<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=190240OWASP Passfault2015-02-24T21:35:39Z<p>Cam Morris: /* Classifications */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[Password_Storage_Cheat_Sheet]]<br />
<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/passfault<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=190239OWASP Passfault2015-02-24T21:34:32Z<p>Cam Morris: /* Classifications */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[Password_Storage_Cheat_Sheet]]<br />
<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/passfault<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=190238OWASP Passfault2015-02-24T21:28:17Z<p>Cam Morris: Cleaned up links</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
''Your Passwords don't Suck, its your Policies'' <br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 ZDNet]]<br />
<br />
''Redefining Password Strength and Creation''<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength MidsizeInsider, IBM]]<br />
<br />
''How long would it take to crack your password''<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[Password_Storage_Cheat_Sheet]]<br />
<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/passfault<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=GSoC2015_Ideas&diff=190208GSoC2015 Ideas2015-02-24T16:32:51Z<p>Cam Morris: /* Passfault for Javascript via GWT */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== Web Sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successfull OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete, we need many features here and there to make it easily deployable and improve it's administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Source Code testing environment - Defensive Challenges ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Student performance analytics ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a better way to measure the student's performance and how it varies depending on the problem. You will write a plugin (or make changes to the core depending on your implementation proposal) to gather all sorts of performance data and present them in a meaningfull way.<br />
<br />
'''Expected Results:'''<br />
<br />
A page to view performance metrics of differenct students.<br />
( Hackalytics )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML, javascript. Some understanding of analytics.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== New Template ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a cool new template since the old one is getting pretty old.<br />
You can do it using the latest frontend bells and whistles (like angular,bootstrap or the tools of your choice).<br />
<br />
'''Expected Results:'''<br />
<br />
A new template.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Gamification ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Gamification is a feature widely used in many learning platforms out there and it would be nice if we could have it too.<br />
You will need to design and implement the awards, badges and whatever other feature you have in mind. You will also implement the front and backend changes necessary to present the results.<br />
<br />
'''Expected Results:'''<br />
<br />
Gamification of the platform. ( Hackademicification )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Hackademic is it's community, we always welcome new ideas and cool features. Come over to the irc channel or mailing list and propose something.<br />
We'd be happy to help you get it done.<br />
<br />
'''Expected Results:'''<br />
<br />
Features we didn't know we needed. ;-)<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in whatever tools and languages you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
== OWASP WebGoat .NET - Vulnerable Website ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
The actual WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in but we would like to add more vulnerable features<br />
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview<br />
<br />
'''Expected Results:'''<br />
<br />
We want to add more modules such as <br />
*WebSockets<br />
*CSRF challenge<br />
*Finalise testing an upgrade to the .NET framework 4.5<br />
*Retest and clean up actual modules<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders<br />
<br />
<br />
==OWASP WebGoatPHP==<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP first version is ready, it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP and SQL. Familiarity with web application security is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP PureCaptcha==<br />
===OWASP PureCaptcha===<br />
'''Description:''' <br />
[[OWASP PureCaptcha]] is an OWASP project aiming to simplify CAPTCHA usage. Instead of proving rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs, with little memory and processor footprint.<br />
PureCaptcha is currently released for PHP. The candidate will port this to several other programming languages (priority on web languages) and provide full test coverage.<br />
<br />
'''Expected Results:''' PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on security of the generated captcha can also be performed.<br />
<br />
'''Knowledge prerequisites:''' Any programming language you want to port into, as well as PHP.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Jesse Burns<br />
<br />
==OWASP PHP Framework==<br />
===OWASP PHP Framework===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
The project has been done in the last two years, and now a framework has been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.<br />
<br />
'''Expected Results: ''' A secure yet robust and practical framework for PHP developers.<br />
<br />
'''Knowledge prerequisite:''' This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
<br />
==OWASP RBAC Project==<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 7 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
[[OWASP RBAC project]] has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind this.<br />
<br />
'''Expected Results:''' OWASP RBAC project more mature by porting from PHP to other programming languages, OR adding new features and testing on the PHP version.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Jesse Burns<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
<br />
==OWASP PHP Widgets==<br />
===OWASP PHP Widgets===<br />
'''Description:''' Pull MVC (widget-based web views) has been available for many years on all major web programming languages, and even for Javascript. PHP on the other hand, lacks these and suffers a lot from forcing push MVC on its developers. There are a few libraries around, not secure and not mature at all. Providing a robust set of widgets for PHP developers not only smoothes web development process, it automatically mitigates a lot of web attacks that are based on user inputs to forms and other web elements (e.g CSRF, SQL Injection, XSS).<br />
<br />
<br />
'''Expected Results:''' OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.<br />
<br />
'''Knowledge prerequisite:''' Average PHP programming. Good experience with web applications.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP Seraphimdroid==<br />
<br />
'''Description:''' SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. Also this project will deliver paper on android permissions, their regular use, risks and malicious use. In second version SeraphimDroid will evolve to application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge.<br />
<br />
<br />
'''Expected Results:''' After last year's GSoC first version of project was released on Google play. However, educational component, setting check, potential android widgets are still missing and would be beneficial. Also, malicious behavior prevention mechanisms should be added and some bugs should be fixed.<br />
<br />
'''Knowledge prerequisite:''' Average Android and JAVA programming. Knowledge of XML and SQLite Good experience with mobile applications.<br />
<br />
'''Mentor:''' [[User:Nikola Milosevic|Nikola Milosevic]]<br />
<br />
== OWASP OWTF ==<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.<br />
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.<br />
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)<br />
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)<br />
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.<br />
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because i runned out of space in the vm<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats<br />
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Advanced Plug-able Report Module ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel [johanna.curiel [at] owasp.org and Simon Bennetts<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== OTG Web Testing Tool Integration ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Enterprise Integrations - Reporting ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Enterprise Integrations - Transport ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a number of "execution modes", which are simply a reference to the transport protocol (REST, SOAP, thrift). There are a number of protocols that are popular in enterprises that we don't currently support, but could. This would simplify integration for many organizations who already use a set of approved communication protocols. This project would be primarily integration work and testing with a number of well-known systems integration / transport protocols and mechanisms. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been proposed are: <br />
* Kafka<br />
* RabbitMQ<br />
* ActiveMQ<br />
* Avro<br />
* Protobuf<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. Some familiarity with distributed systems in general and message brokers in particular would be helpful.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Dashboard UI ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor provides a solid base of functionality to applications, but does not currently do a good job of presenting the resulting data. We are attacking that issue on 2 fronts. We plan to create a custom UI (this project) as well as various integrations to standard tools/formats for reporting to existing display systems. This project will involve creating the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. We don't have an existing product, so you will have lots of responsibility for the design and implementation, as well as significant input to the decision around the technology stack.<br />
<br />
'''Expected Results:'''<br />
<br />
A modern, usable UI will be built that will have at least the following features (though there are many more features to build) : <br />
* Basic Dashboard UI (the UI for the OPS wall)<br />
* Search<br />
* Policy Management (edit server configuration)<br />
<br />
Source code and associated tests for the UI will be created, along with the associated end user documentation for how to setup and configure the system. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the basic domain.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Trend Monitoring Analysis Engine ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor. <br />
<br />
'''Expected Results:'''<br />
<br />
The project should produce: <br />
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine<br />
* Associated configuration mechanism to specify the trending rules/policy<br />
* A small full sample demo application showing usage of the trend monitoring feature<br />
<br />
Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Passfault for Linux ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the pam module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' <br />
* [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
* John Jolly - Linux Kernel Engineer for SUSE Linux on IBM System z Mainframes (Development)<br />
<br />
=== Passfault for Javascript via GWT ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available as a javascript library. The javascript library will be generated by GWT and made consumable by GWT Exporter. The really cool result of this project will be that passwords can be analyzed client-side, and it will be easy for any web-page to use it.<br />
<br />
'''Expected Results:'''<br />
* GWT compiled Javascript derived from the OWASP Passfault core code<br />
* javascript accessible APIs exported by GWT Exporter<br />
* javascript bootstrap code to load wordlists<br />
* scripted build with the excellent Gradle build tool<br />
* (Stretch goal) Wrap everything up in a JQuery Plugin<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript<br />
* Java<br />
* (Nice to know) Gradle<br />
* (Nice to know) JQuery<br />
* (Nice to know) GWT<br />
<br />
'''Mentors:''' [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)</div>Cam Morrishttps://wiki.owasp.org/index.php?title=GSoC2015_Ideas&diff=190161GSoC2015 Ideas2015-02-23T22:23:18Z<p>Cam Morris: /* Passfault for Linux */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== Web Sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successfull OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete, we need many features here and there to make it easily deployable and improve it's administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Source Code testing environment - Defensive Challenges ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Student performance analytics ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a better way to measure the student's performance and how it varies depending on the problem. You will write a plugin (or make changes to the core depending on your implementation proposal) to gather all sorts of performance data and present them in a meaningfull way.<br />
<br />
'''Expected Results:'''<br />
<br />
A page to view performance metrics of differenct students.<br />
( Hackalytics )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML, javascript. Some understanding of analytics.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== New Template ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a cool new template since the old one is getting pretty old.<br />
You can do it using the latest frontend bells and whistles (like angular,bootstrap or the tools of your choice).<br />
<br />
'''Expected Results:'''<br />
<br />
A new template.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Gamification ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Gamification is a feature widely used in many learning platforms out there and it would be nice if we could have it too.<br />
You will need to design and implement the awards, badges and whatever other feature you have in mind. You will also implement the front and backend changes necessary to present the results.<br />
<br />
'''Expected Results:'''<br />
<br />
Gamification of the platform. ( Hackademicification )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Hackademic is it's community, we always welcome new ideas and cool features. Come over to the irc channel or mailing list and propose something.<br />
We'd be happy to help you get it done.<br />
<br />
'''Expected Results:'''<br />
<br />
Features we didn't know we needed. ;-)<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in whatever tools and languages you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
== OWASP WebGoat .NET - Vulnerable Website ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
The actual WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in but we would like to add more vulnerable features<br />
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview<br />
<br />
'''Expected Results:'''<br />
<br />
We want to add more modules such as <br />
*WebSockets<br />
*CSRF challenge<br />
*Finalise testing an upgrade to the .NET framework 4.5<br />
*Retest and clean up actual modules<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders<br />
<br />
<br />
==OWASP WebGoatPHP==<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP first version is ready, it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP and SQL. Familiarity with web application security is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP PureCaptcha==<br />
===OWASP PureCaptcha===<br />
'''Description:''' <br />
[[OWASP PureCaptcha]] is an OWASP project aiming to simplify CAPTCHA usage. Instead of proving rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs, with little memory and processor footprint.<br />
PureCaptcha is currently released for PHP. The candidate will port this to several other programming languages (priority on web languages) and provide full test coverage.<br />
<br />
'''Expected Results:''' PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on security of the generated captcha can also be performed.<br />
<br />
'''Knowledge prerequisites:''' Any programming language you want to port into, as well as PHP.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Jesse Burns<br />
<br />
==OWASP PHP Framework==<br />
===OWASP PHP Framework===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
The project has been done in the last two years, and now a framework has been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.<br />
<br />
'''Expected Results: ''' A secure yet robust and practical framework for PHP developers.<br />
<br />
'''Knowledge prerequisite:''' This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
<br />
==OWASP RBAC Project==<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 7 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
[[OWASP RBAC project]] has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind this.<br />
<br />
'''Expected Results:''' OWASP RBAC project more mature by porting from PHP to other programming languages, OR adding new features and testing on the PHP version.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Jesse Burns<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
<br />
==OWASP PHP Widgets==<br />
===OWASP PHP Widgets===<br />
'''Description:''' Pull MVC (widget-based web views) has been available for many years on all major web programming languages, and even for Javascript. PHP on the other hand, lacks these and suffers a lot from forcing push MVC on its developers. There are a few libraries around, not secure and not mature at all. Providing a robust set of widgets for PHP developers not only smoothes web development process, it automatically mitigates a lot of web attacks that are based on user inputs to forms and other web elements (e.g CSRF, SQL Injection, XSS).<br />
<br />
<br />
'''Expected Results:''' OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.<br />
<br />
'''Knowledge prerequisite:''' Average PHP programming. Good experience with web applications.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP Seraphimdroid==<br />
<br />
'''Description:''' SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. Also this project will deliver paper on android permissions, their regular use, risks and malicious use. In second version SeraphimDroid will evolve to application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge.<br />
<br />
<br />
'''Expected Results:''' After last year's GSoC first version of project was released on Google play. However, educational component, setting check, potential android widgets are still missing and would be beneficial. Also, malicious behavior prevention mechanisms should be added and some bugs should be fixed.<br />
<br />
'''Knowledge prerequisite:''' Average Android and JAVA programming. Knowledge of XML and SQLite Good experience with mobile applications.<br />
<br />
'''Mentor:''' [[User:Nikola Milosevic|Nikola Milosevic]]<br />
<br />
== OWASP OWTF ==<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.<br />
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.<br />
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)<br />
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)<br />
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.<br />
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because i runned out of space in the vm<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats<br />
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Advanced Plug-able Report Module ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel [johanna.curiel [at] owasp.org and Simon Bennetts<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== OTG Web Testing Tool Integration ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Enterprise Integrations - Reporting ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Enterprise Integrations - Transport ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a number of "execution modes", which are simply a reference to the transport protocol (REST, SOAP, thrift). There are a number of protocols that are popular in enterprises that we don't currently support, but could. This would simplify integration for many organizations who already use a set of approved communication protocols. This project would be primarily integration work and testing with a number of well-known systems integration / transport protocols and mechanisms. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been proposed are: <br />
* Kafka<br />
* RabbitMQ<br />
* ActiveMQ<br />
* Avro<br />
* Protobuf<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. Some familiarity with distributed systems in general and message brokers in particular would be helpful.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Dashboard UI ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor provides a solid base of functionality to applications, but does not currently do a good job of presenting the resulting data. We are attacking that issue on 2 fronts. We plan to create a custom UI (this project) as well as various integrations to standard tools/formats for reporting to existing display systems. This project will involve creating the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. We don't have an existing product, so you will have lots of responsibility for the design and implementation, as well as significant input to the decision around the technology stack.<br />
<br />
'''Expected Results:'''<br />
<br />
A modern, usable UI will be built that will have at least the following features (though there are many more features to build) : <br />
* Basic Dashboard UI (the UI for the OPS wall)<br />
* Search<br />
* Policy Management (edit server configuration)<br />
<br />
Source code and associated tests for the UI will be created, along with the associated end user documentation for how to setup and configure the system. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the basic domain.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Trend Monitoring Analysis Engine ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor. <br />
<br />
'''Expected Results:'''<br />
<br />
The project should produce: <br />
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine<br />
* Associated configuration mechanism to specify the trending rules/policy<br />
* A small full sample demo application showing usage of the trend monitoring feature<br />
<br />
Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Passfault for Linux ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the pam module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' <br />
* [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
* John Jolly - Linux Kernel Engineer for SUSE Linux on IBM System z Mainframes (Development)<br />
<br />
=== Passfault for Javascript via GWT ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available as a javascript library. The javascript library will be generated by GWT and made consumable by GWT Exporter. The really cool result of this project will be that passwords can be analyzed client-side, and it will be easy for any web-page to use it.<br />
<br />
'''Expected Results:'''<br />
* GWT compiled Javascript derived from the OWASP Passfault core code<br />
* javascript accessible APIs exported by GWT Exporter<br />
* javascript bootloading code to load wordlists<br />
* scripted build with the excellent Gradle build tool<br />
* (Stretch goal) Wrap everything up in a JQuery Plugin<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript<br />
* Java<br />
* (Nice to know) Gradle<br />
* (Nice to know) JQuery<br />
* (Nice to know) GWT<br />
<br />
'''Mentors:''' [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)</div>Cam Morrishttps://wiki.owasp.org/index.php?title=GSoC2015_Ideas&diff=190149GSoC2015 Ideas2015-02-23T19:08:24Z<p>Cam Morris: /* Passfault for Javascript via GWT */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== Web Sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successfull OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete, we need many features here and there to make it easily deployable and improve it's administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Source Code testing environment - Defensive Challenges ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Student performance analytics ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a better way to measure the student's performance and how it varies depending on the problem. You will write a plugin (or make changes to the core depending on your implementation proposal) to gather all sorts of performance data and present them in a meaningfull way.<br />
<br />
'''Expected Results:'''<br />
<br />
A page to view performance metrics of differenct students.<br />
( Hackalytics )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML, javascript. Some understanding of analytics.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== New Template ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a cool new template since the old one is getting pretty old.<br />
You can do it using the latest frontend bells and whistles (like angular,bootstrap or the tools of your choice).<br />
<br />
'''Expected Results:'''<br />
<br />
A new template.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Gamification ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Gamification is a feature widely used in many learning platforms out there and it would be nice if we could have it too.<br />
You will need to design and implement the awards, badges and whatever other feature you have in mind. You will also implement the front and backend changes necessary to present the results.<br />
<br />
'''Expected Results:'''<br />
<br />
Gamification of the platform. ( Hackademicification )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Hackademic is it's community, we always welcome new ideas and cool features. Come over to the irc channel or mailing list and propose something.<br />
We'd be happy to help you get it done.<br />
<br />
'''Expected Results:'''<br />
<br />
Features we didn't know we needed. ;-)<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in whatever tools and languages you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
== OWASP WebGoat .NET - Vulnerable Website ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
The actual WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in but we would like to add more vulnerable features<br />
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview<br />
<br />
'''Expected Results:'''<br />
<br />
We want to add more modules such as <br />
*WebSockets<br />
*CSRF challenge<br />
*Finalise testing an upgrade to the .NET framework 4.5<br />
*Retest and clean up actual modules<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders<br />
<br />
<br />
==OWASP WebGoatPHP==<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP first version is ready, it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP and SQL. Familiarity with web application security is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP PureCaptcha==<br />
===OWASP PureCaptcha===<br />
'''Description:''' <br />
[[OWASP PureCaptcha]] is an OWASP project aiming to simplify CAPTCHA usage. Instead of proving rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs, with little memory and processor footprint.<br />
PureCaptcha is currently released for PHP. The candidate will port this to several other programming languages (priority on web languages) and provide full test coverage.<br />
<br />
'''Expected Results:''' PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on security of the generated captcha can also be performed.<br />
<br />
'''Knowledge prerequisites:''' Any programming language you want to port into, as well as PHP.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Jesse Burns<br />
<br />
==OWASP PHP Framework==<br />
===OWASP PHP Framework===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
The project has been done in the last two years, and now a framework has been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.<br />
<br />
'''Expected Results: ''' A secure yet robust and practical framework for PHP developers.<br />
<br />
'''Knowledge prerequisite:''' This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
<br />
==OWASP RBAC Project==<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 7 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
[[OWASP RBAC project]] has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind this.<br />
<br />
'''Expected Results:''' OWASP RBAC project more mature by porting from PHP to other programming languages, OR adding new features and testing on the PHP version.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Jesse Burns<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
<br />
==OWASP PHP Widgets==<br />
===OWASP PHP Widgets===<br />
'''Description:''' Pull MVC (widget-based web views) has been available for many years on all major web programming languages, and even for Javascript. PHP on the other hand, lacks these and suffers a lot from forcing push MVC on its developers. There are a few libraries around, not secure and not mature at all. Providing a robust set of widgets for PHP developers not only smoothes web development process, it automatically mitigates a lot of web attacks that are based on user inputs to forms and other web elements (e.g CSRF, SQL Injection, XSS).<br />
<br />
<br />
'''Expected Results:''' OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.<br />
<br />
'''Knowledge prerequisite:''' Average PHP programming. Good experience with web applications.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP Seraphimdroid==<br />
<br />
'''Description:''' SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. Also this project will deliver paper on android permissions, their regular use, risks and malicious use. In second version SeraphimDroid will evolve to application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge.<br />
<br />
<br />
'''Expected Results:''' After last year's GSoC first version of project was released on Google play. However, educational component, setting check, potential android widgets are still missing and would be beneficial. Also, malicious behavior prevention mechanisms should be added and some bugs should be fixed.<br />
<br />
'''Knowledge prerequisite:''' Average Android and JAVA programming. Knowledge of XML and SQLite Good experience with mobile applications.<br />
<br />
'''Mentor:''' [[User:Nikola Milosevic|Nikola Milosevic]]<br />
<br />
== OWASP OWTF ==<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.<br />
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.<br />
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)<br />
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)<br />
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.<br />
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because i runned out of space in the vm<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats<br />
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Advanced Plug-able Report Module ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel [johanna.curiel [at] owasp.org and Simon Bennetts<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== OTG Web Testing Tool Integration ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Enterprise Integrations - Reporting ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Enterprise Integrations - Transport ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a number of "execution modes", which are simply a reference to the transport protocol (REST, SOAP, thrift). There are a number of protocols that are popular in enterprises that we don't currently support, but could. This would simplify integration for many organizations who already use a set of approved communication protocols. This project would be primarily integration work and testing with a number of well-known systems integration / transport protocols and mechanisms. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been proposed are: <br />
* Kafka<br />
* RabbitMQ<br />
* ActiveMQ<br />
* Avro<br />
* Protobuf<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. Some familiarity with distributed systems in general and message brokers in particular would be helpful.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Dashboard UI ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor provides a solid base of functionality to applications, but does not currently do a good job of presenting the resulting data. We are attacking that issue on 2 fronts. We plan to create a custom UI (this project) as well as various integrations to standard tools/formats for reporting to existing display systems. This project will involve creating the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. We don't have an existing product, so you will have lots of responsibility for the design and implementation, as well as significant input to the decision around the technology stack.<br />
<br />
'''Expected Results:'''<br />
<br />
A modern, usable UI will be built that will have at least the following features (though there are many more features to build) : <br />
* Basic Dashboard UI (the UI for the OPS wall)<br />
* Search<br />
* Policy Management (edit server configuration)<br />
<br />
Source code and associated tests for the UI will be created, along with the associated end user documentation for how to setup and configure the system. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the basic domain.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Trend Monitoring Analysis Engine ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor. <br />
<br />
'''Expected Results:'''<br />
<br />
The project should produce: <br />
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine<br />
* Associated configuration mechanism to specify the trending rules/policy<br />
* A small full sample demo application showing usage of the trend monitoring feature<br />
<br />
Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Passfault for Linux ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the pam module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
<br />
=== Passfault for Javascript via GWT ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available as a javascript library. The javascript library will be generated by GWT and made consumable by GWT Exporter. The really cool result of this project will be that passwords can be analyzed client-side, and it will be easy for any web-page to use it.<br />
<br />
'''Expected Results:'''<br />
* GWT compiled Javascript derived from the OWASP Passfault core code<br />
* javascript accessible APIs exported by GWT Exporter<br />
* javascript bootloading code to load wordlists<br />
* scripted build with the excellent Gradle build tool<br />
* (Stretch goal) Wrap everything up in a JQuery Plugin<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript<br />
* Java<br />
* (Nice to know) Gradle<br />
* (Nice to know) JQuery<br />
* (Nice to know) GWT<br />
<br />
'''Mentors:''' [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)</div>Cam Morrishttps://wiki.owasp.org/index.php?title=GSoC2015_Ideas&diff=190148GSoC2015 Ideas2015-02-23T19:00:47Z<p>Cam Morris: /* Passfault for Javascript via GWT */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== Web Sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successfull OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete, we need many features here and there to make it easily deployable and improve it's administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Source Code testing environment - Defensive Challenges ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Student performance analytics ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a better way to measure the student's performance and how it varies depending on the problem. You will write a plugin (or make changes to the core depending on your implementation proposal) to gather all sorts of performance data and present them in a meaningfull way.<br />
<br />
'''Expected Results:'''<br />
<br />
A page to view performance metrics of differenct students.<br />
( Hackalytics )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML, javascript. Some understanding of analytics.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== New Template ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a cool new template since the old one is getting pretty old.<br />
You can do it using the latest frontend bells and whistles (like angular,bootstrap or the tools of your choice).<br />
<br />
'''Expected Results:'''<br />
<br />
A new template.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Gamification ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Gamification is a feature widely used in many learning platforms out there and it would be nice if we could have it too.<br />
You will need to design and implement the awards, badges and whatever other feature you have in mind. You will also implement the front and backend changes necessary to present the results.<br />
<br />
'''Expected Results:'''<br />
<br />
Gamification of the platform. ( Hackademicification )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Hackademic is it's community, we always welcome new ideas and cool features. Come over to the irc channel or mailing list and propose something.<br />
We'd be happy to help you get it done.<br />
<br />
'''Expected Results:'''<br />
<br />
Features we didn't know we needed. ;-)<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in whatever tools and languages you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
== OWASP WebGoat .NET - Vulnerable Website ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
The actual WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in but we would like to add more vulnerable features<br />
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview<br />
<br />
'''Expected Results:'''<br />
<br />
We want to add more modules such as <br />
*WebSockets<br />
*CSRF challenge<br />
*Finalise testing an upgrade to the .NET framework 4.5<br />
*Retest and clean up actual modules<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders<br />
<br />
<br />
==OWASP WebGoatPHP==<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP first version is ready, it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP and SQL. Familiarity with web application security is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP PureCaptcha==<br />
===OWASP PureCaptcha===<br />
'''Description:''' <br />
[[OWASP PureCaptcha]] is an OWASP project aiming to simplify CAPTCHA usage. Instead of proving rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs, with little memory and processor footprint.<br />
PureCaptcha is currently released for PHP. The candidate will port this to several other programming languages (priority on web languages) and provide full test coverage.<br />
<br />
'''Expected Results:''' PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on security of the generated captcha can also be performed.<br />
<br />
'''Knowledge prerequisites:''' Any programming language you want to port into, as well as PHP.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Jesse Burns<br />
<br />
==OWASP PHP Framework==<br />
===OWASP PHP Framework===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
The project has been done in the last two years, and now a framework has been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.<br />
<br />
'''Expected Results: ''' A secure yet robust and practical framework for PHP developers.<br />
<br />
'''Knowledge prerequisite:''' This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
<br />
==OWASP RBAC Project==<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 7 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
[[OWASP RBAC project]] has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind this.<br />
<br />
'''Expected Results:''' OWASP RBAC project more mature by porting from PHP to other programming languages, OR adding new features and testing on the PHP version.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Jesse Burns<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
<br />
==OWASP PHP Widgets==<br />
===OWASP PHP Widgets===<br />
'''Description:''' Pull MVC (widget-based web views) has been available for many years on all major web programming languages, and even for Javascript. PHP on the other hand, lacks these and suffers a lot from forcing push MVC on its developers. There are a few libraries around, not secure and not mature at all. Providing a robust set of widgets for PHP developers not only smoothes web development process, it automatically mitigates a lot of web attacks that are based on user inputs to forms and other web elements (e.g CSRF, SQL Injection, XSS).<br />
<br />
<br />
'''Expected Results:''' OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.<br />
<br />
'''Knowledge prerequisite:''' Average PHP programming. Good experience with web applications.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP Seraphimdroid==<br />
<br />
'''Description:''' SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. Also this project will deliver paper on android permissions, their regular use, risks and malicious use. In second version SeraphimDroid will evolve to application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge.<br />
<br />
<br />
'''Expected Results:''' After last year's GSoC first version of project was released on Google play. However, educational component, setting check, potential android widgets are still missing and would be beneficial. Also, malicious behavior prevention mechanisms should be added and some bugs should be fixed.<br />
<br />
'''Knowledge prerequisite:''' Average Android and JAVA programming. Knowledge of XML and SQLite Good experience with mobile applications.<br />
<br />
'''Mentor:''' [[User:Nikola Milosevic|Nikola Milosevic]]<br />
<br />
== OWASP OWTF ==<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.<br />
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.<br />
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)<br />
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)<br />
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.<br />
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because i runned out of space in the vm<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats<br />
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Advanced Plug-able Report Module ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel [johanna.curiel [at] owasp.org and Simon Bennetts<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== OTG Web Testing Tool Integration ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Enterprise Integrations - Reporting ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Enterprise Integrations - Transport ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a number of "execution modes", which are simply a reference to the transport protocol (REST, SOAP, thrift). There are a number of protocols that are popular in enterprises that we don't currently support, but could. This would simplify integration for many organizations who already use a set of approved communication protocols. This project would be primarily integration work and testing with a number of well-known systems integration / transport protocols and mechanisms. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been proposed are: <br />
* Kafka<br />
* RabbitMQ<br />
* ActiveMQ<br />
* Avro<br />
* Protobuf<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. Some familiarity with distributed systems in general and message brokers in particular would be helpful.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Dashboard UI ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor provides a solid base of functionality to applications, but does not currently do a good job of presenting the resulting data. We are attacking that issue on 2 fronts. We plan to create a custom UI (this project) as well as various integrations to standard tools/formats for reporting to existing display systems. This project will involve creating the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. We don't have an existing product, so you will have lots of responsibility for the design and implementation, as well as significant input to the decision around the technology stack.<br />
<br />
'''Expected Results:'''<br />
<br />
A modern, usable UI will be built that will have at least the following features (though there are many more features to build) : <br />
* Basic Dashboard UI (the UI for the OPS wall)<br />
* Search<br />
* Policy Management (edit server configuration)<br />
<br />
Source code and associated tests for the UI will be created, along with the associated end user documentation for how to setup and configure the system. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the basic domain.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Trend Monitoring Analysis Engine ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor. <br />
<br />
'''Expected Results:'''<br />
<br />
The project should produce: <br />
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine<br />
* Associated configuration mechanism to specify the trending rules/policy<br />
* A small full sample demo application showing usage of the trend monitoring feature<br />
<br />
Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Passfault for Linux ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the pam module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
<br />
=== Passfault for Javascript via GWT ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available as a javascript library. The javascript library will be generated by GWT and made consumable by GWT Exporter.<br />
<br />
'''Expected Results:'''<br />
* GWT compiled Javascript derived from the OWASP Passfault core code<br />
* javascript accessible APIs exported by GWT Exporter<br />
* javascript bootloading code to load wordlists<br />
* scripted build with the excellent Gradle build tool<br />
* (Stretch goal) Wrap everything up in a JQuery Plugin<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript<br />
* Java<br />
* (Nice to know) Gradle<br />
* (Nice to know) JQuery<br />
* (Nice to know) GWT<br />
<br />
'''Mentors:''' [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)</div>Cam Morrishttps://wiki.owasp.org/index.php?title=GSoC2015_Ideas&diff=190147GSoC2015 Ideas2015-02-23T18:59:19Z<p>Cam Morris: /* Passfault for Linux */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== Web Sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successfull OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete, we need many features here and there to make it easily deployable and improve it's administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Source Code testing environment - Defensive Challenges ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Student performance analytics ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a better way to measure the student's performance and how it varies depending on the problem. You will write a plugin (or make changes to the core depending on your implementation proposal) to gather all sorts of performance data and present them in a meaningfull way.<br />
<br />
'''Expected Results:'''<br />
<br />
A page to view performance metrics of differenct students.<br />
( Hackalytics )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML, javascript. Some understanding of analytics.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== New Template ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a cool new template since the old one is getting pretty old.<br />
You can do it using the latest frontend bells and whistles (like angular,bootstrap or the tools of your choice).<br />
<br />
'''Expected Results:'''<br />
<br />
A new template.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Gamification ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Gamification is a feature widely used in many learning platforms out there and it would be nice if we could have it too.<br />
You will need to design and implement the awards, badges and whatever other feature you have in mind. You will also implement the front and backend changes necessary to present the results.<br />
<br />
'''Expected Results:'''<br />
<br />
Gamification of the platform. ( Hackademicification )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Hackademic is it's community, we always welcome new ideas and cool features. Come over to the irc channel or mailing list and propose something.<br />
We'd be happy to help you get it done.<br />
<br />
'''Expected Results:'''<br />
<br />
Features we didn't know we needed. ;-)<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in whatever tools and languages you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
== OWASP WebGoat .NET - Vulnerable Website ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
The actual WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in but we would like to add more vulnerable features<br />
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview<br />
<br />
'''Expected Results:'''<br />
<br />
We want to add more modules such as <br />
*WebSockets<br />
*CSRF challenge<br />
*Finalise testing an upgrade to the .NET framework 4.5<br />
*Retest and clean up actual modules<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders<br />
<br />
<br />
==OWASP WebGoatPHP==<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP first version is ready, it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP and SQL. Familiarity with web application security is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP PureCaptcha==<br />
===OWASP PureCaptcha===<br />
'''Description:''' <br />
[[OWASP PureCaptcha]] is an OWASP project aiming to simplify CAPTCHA usage. Instead of proving rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs, with little memory and processor footprint.<br />
PureCaptcha is currently released for PHP. The candidate will port this to several other programming languages (priority on web languages) and provide full test coverage.<br />
<br />
'''Expected Results:''' PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on security of the generated captcha can also be performed.<br />
<br />
'''Knowledge prerequisites:''' Any programming language you want to port into, as well as PHP.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Jesse Burns<br />
<br />
==OWASP PHP Framework==<br />
===OWASP PHP Framework===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
The project has been done in the last two years, and now a framework has been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.<br />
<br />
'''Expected Results: ''' A secure yet robust and practical framework for PHP developers.<br />
<br />
'''Knowledge prerequisite:''' This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
<br />
==OWASP RBAC Project==<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 7 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
[[OWASP RBAC project]] has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind this.<br />
<br />
'''Expected Results:''' OWASP RBAC project more mature by porting from PHP to other programming languages, OR adding new features and testing on the PHP version.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Jesse Burns<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
<br />
==OWASP PHP Widgets==<br />
===OWASP PHP Widgets===<br />
'''Description:''' Pull MVC (widget-based web views) has been available for many years on all major web programming languages, and even for Javascript. PHP on the other hand, lacks these and suffers a lot from forcing push MVC on its developers. There are a few libraries around, not secure and not mature at all. Providing a robust set of widgets for PHP developers not only smoothes web development process, it automatically mitigates a lot of web attacks that are based on user inputs to forms and other web elements (e.g CSRF, SQL Injection, XSS).<br />
<br />
<br />
'''Expected Results:''' OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.<br />
<br />
'''Knowledge prerequisite:''' Average PHP programming. Good experience with web applications.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP Seraphimdroid==<br />
<br />
'''Description:''' SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. Also this project will deliver paper on android permissions, their regular use, risks and malicious use. In second version SeraphimDroid will evolve to application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge.<br />
<br />
<br />
'''Expected Results:''' After last year's GSoC first version of project was released on Google play. However, educational component, setting check, potential android widgets are still missing and would be beneficial. Also, malicious behavior prevention mechanisms should be added and some bugs should be fixed.<br />
<br />
'''Knowledge prerequisite:''' Average Android and JAVA programming. Knowledge of XML and SQLite Good experience with mobile applications.<br />
<br />
'''Mentor:''' [[User:Nikola Milosevic|Nikola Milosevic]]<br />
<br />
== OWASP OWTF ==<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.<br />
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.<br />
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)<br />
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)<br />
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.<br />
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because i runned out of space in the vm<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats<br />
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Advanced Plug-able Report Module ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel [johanna.curiel [at] owasp.org and Simon Bennetts<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== OTG Web Testing Tool Integration ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Enterprise Integrations - Reporting ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Enterprise Integrations - Transport ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a number of "execution modes", which are simply a reference to the transport protocol (REST, SOAP, thrift). There are a number of protocols that are popular in enterprises that we don't currently support, but could. This would simplify integration for many organizations who already use a set of approved communication protocols. This project would be primarily integration work and testing with a number of well-known systems integration / transport protocols and mechanisms. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been proposed are: <br />
* Kafka<br />
* RabbitMQ<br />
* ActiveMQ<br />
* Avro<br />
* Protobuf<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. Some familiarity with distributed systems in general and message brokers in particular would be helpful.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Dashboard UI ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor provides a solid base of functionality to applications, but does not currently do a good job of presenting the resulting data. We are attacking that issue on 2 fronts. We plan to create a custom UI (this project) as well as various integrations to standard tools/formats for reporting to existing display systems. This project will involve creating the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. We don't have an existing product, so you will have lots of responsibility for the design and implementation, as well as significant input to the decision around the technology stack.<br />
<br />
'''Expected Results:'''<br />
<br />
A modern, usable UI will be built that will have at least the following features (though there are many more features to build) : <br />
* Basic Dashboard UI (the UI for the OPS wall)<br />
* Search<br />
* Policy Management (edit server configuration)<br />
<br />
Source code and associated tests for the UI will be created, along with the associated end user documentation for how to setup and configure the system. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the basic domain.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Trend Monitoring Analysis Engine ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor. <br />
<br />
'''Expected Results:'''<br />
<br />
The project should produce: <br />
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine<br />
* Associated configuration mechanism to specify the trending rules/policy<br />
* A small full sample demo application showing usage of the trend monitoring feature<br />
<br />
Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Passfault for Linux ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the pam module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
<br />
=== Passfault for Javascript via GWT ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP Passfault has the potential to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available as a javascript library. The javascript library will be generated by GWT and made consumable by GWT Exporter.<br />
<br />
'''Expected Results:'''<br />
* GWT compiled Javascript derived from the OWASP Passfault code base<br />
* javascript accessible APIs exported by GWT Exporter<br />
* javascript bootloading code to load wordlists<br />
* scripted build with the excellent Gradle build tool<br />
* (Stretch goal) Wrap everything up in a JQuery Plugin<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript<br />
* Java<br />
* (Nice to know) Gradle<br />
* (Nice to know) JQuery<br />
* (Nice to know) GWT<br />
<br />
'''Mentors:''' Cam Morris - OWASP Passfault Project Leader (Development)</div>Cam Morrishttps://wiki.owasp.org/index.php?title=GSoC2015_Ideas&diff=190146GSoC2015 Ideas2015-02-23T18:24:18Z<p>Cam Morris: /* Passfault for Javascript via GWT */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== Web Sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successfull OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete, we need many features here and there to make it easily deployable and improve it's administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Source Code testing environment - Defensive Challenges ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Student performance analytics ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a better way to measure the student's performance and how it varies depending on the problem. You will write a plugin (or make changes to the core depending on your implementation proposal) to gather all sorts of performance data and present them in a meaningfull way.<br />
<br />
'''Expected Results:'''<br />
<br />
A page to view performance metrics of differenct students.<br />
( Hackalytics )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML, javascript. Some understanding of analytics.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== New Template ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a cool new template since the old one is getting pretty old.<br />
You can do it using the latest frontend bells and whistles (like angular,bootstrap or the tools of your choice).<br />
<br />
'''Expected Results:'''<br />
<br />
A new template.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Gamification ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Gamification is a feature widely used in many learning platforms out there and it would be nice if we could have it too.<br />
You will need to design and implement the awards, badges and whatever other feature you have in mind. You will also implement the front and backend changes necessary to present the results.<br />
<br />
'''Expected Results:'''<br />
<br />
Gamification of the platform. ( Hackademicification )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Hackademic is it's community, we always welcome new ideas and cool features. Come over to the irc channel or mailing list and propose something.<br />
We'd be happy to help you get it done.<br />
<br />
'''Expected Results:'''<br />
<br />
Features we didn't know we needed. ;-)<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in whatever tools and languages you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
== OWASP WebGoat .NET - Vulnerable Website ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
The actual WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in but we would like to add more vulnerable features<br />
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview<br />
<br />
'''Expected Results:'''<br />
<br />
We want to add more modules such as <br />
*WebSockets<br />
*CSRF challenge<br />
*Finalise testing an upgrade to the .NET framework 4.5<br />
*Retest and clean up actual modules<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders<br />
<br />
<br />
==OWASP WebGoatPHP==<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP first version is ready, it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP and SQL. Familiarity with web application security is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP PureCaptcha==<br />
===OWASP PureCaptcha===<br />
'''Description:''' <br />
[[OWASP PureCaptcha]] is an OWASP project aiming to simplify CAPTCHA usage. Instead of proving rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs, with little memory and processor footprint.<br />
PureCaptcha is currently released for PHP. The candidate will port this to several other programming languages (priority on web languages) and provide full test coverage.<br />
<br />
'''Expected Results:''' PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on security of the generated captcha can also be performed.<br />
<br />
'''Knowledge prerequisites:''' Any programming language you want to port into, as well as PHP.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Jesse Burns<br />
<br />
==OWASP PHP Framework==<br />
===OWASP PHP Framework===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
The project has been done in the last two years, and now a framework has been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.<br />
<br />
'''Expected Results: ''' A secure yet robust and practical framework for PHP developers.<br />
<br />
'''Knowledge prerequisite:''' This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
<br />
==OWASP RBAC Project==<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 7 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
[[OWASP RBAC project]] has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind this.<br />
<br />
'''Expected Results:''' OWASP RBAC project more mature by porting from PHP to other programming languages, OR adding new features and testing on the PHP version.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Jesse Burns<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
<br />
==OWASP PHP Widgets==<br />
===OWASP PHP Widgets===<br />
'''Description:''' Pull MVC (widget-based web views) has been available for many years on all major web programming languages, and even for Javascript. PHP on the other hand, lacks these and suffers a lot from forcing push MVC on its developers. There are a few libraries around, not secure and not mature at all. Providing a robust set of widgets for PHP developers not only smoothes web development process, it automatically mitigates a lot of web attacks that are based on user inputs to forms and other web elements (e.g CSRF, SQL Injection, XSS).<br />
<br />
<br />
'''Expected Results:''' OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.<br />
<br />
'''Knowledge prerequisite:''' Average PHP programming. Good experience with web applications.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP Seraphimdroid==<br />
<br />
'''Description:''' SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. Also this project will deliver paper on android permissions, their regular use, risks and malicious use. In second version SeraphimDroid will evolve to application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge.<br />
<br />
<br />
'''Expected Results:''' After last year's GSoC first version of project was released on Google play. However, educational component, setting check, potential android widgets are still missing and would be beneficial. Also, malicious behavior prevention mechanisms should be added and some bugs should be fixed.<br />
<br />
'''Knowledge prerequisite:''' Average Android and JAVA programming. Knowledge of XML and SQLite Good experience with mobile applications.<br />
<br />
'''Mentor:''' [[User:Nikola Milosevic|Nikola Milosevic]]<br />
<br />
== OWASP OWTF ==<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.<br />
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.<br />
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)<br />
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)<br />
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.<br />
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because i runned out of space in the vm<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats<br />
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Advanced Plug-able Report Module ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel [johanna.curiel [at] owasp.org and Simon Bennetts<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== OTG Web Testing Tool Integration ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Enterprise Integrations - Reporting ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Enterprise Integrations - Transport ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a number of "execution modes", which are simply a reference to the transport protocol (REST, SOAP, thrift). There are a number of protocols that are popular in enterprises that we don't currently support, but could. This would simplify integration for many organizations who already use a set of approved communication protocols. This project would be primarily integration work and testing with a number of well-known systems integration / transport protocols and mechanisms. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been proposed are: <br />
* Kafka<br />
* RabbitMQ<br />
* ActiveMQ<br />
* Avro<br />
* Protobuf<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. Some familiarity with distributed systems in general and message brokers in particular would be helpful.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Dashboard UI ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor provides a solid base of functionality to applications, but does not currently do a good job of presenting the resulting data. We are attacking that issue on 2 fronts. We plan to create a custom UI (this project) as well as various integrations to standard tools/formats for reporting to existing display systems. This project will involve creating the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. We don't have an existing product, so you will have lots of responsibility for the design and implementation, as well as significant input to the decision around the technology stack.<br />
<br />
'''Expected Results:'''<br />
<br />
A modern, usable UI will be built that will have at least the following features (though there are many more features to build) : <br />
* Basic Dashboard UI (the UI for the OPS wall)<br />
* Search<br />
* Policy Management (edit server configuration)<br />
<br />
Source code and associated tests for the UI will be created, along with the associated end user documentation for how to setup and configure the system. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the basic domain.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Trend Monitoring Analysis Engine ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor. <br />
<br />
'''Expected Results:'''<br />
<br />
The project should produce: <br />
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine<br />
* Associated configuration mechanism to specify the trending rules/policy<br />
* A small full sample demo application showing usage of the trend monitoring feature<br />
<br />
Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Passfault for Linux ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP Passfault has the potential to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available to every Linux administrator. It would offer a replacement of the pam module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password threshold (with reasonable defaults)<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' Cam Morris - OWASP Passfault Project Leader (Development)<br />
<br />
=== Passfault for Javascript via GWT ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP Passfault has the potential to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available as a javascript library. The javascript library will be generated by GWT and made consumable by GWT Exporter.<br />
<br />
'''Expected Results:'''<br />
* GWT compiled Javascript derived from the OWASP Passfault code base<br />
* javascript accessible APIs exported by GWT Exporter<br />
* javascript bootloading code to load wordlists<br />
* scripted build with the excellent Gradle build tool<br />
* (Stretch goal) Wrap everything up in a JQuery Plugin<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript<br />
* Java<br />
* (Nice to know) Gradle<br />
* (Nice to know) JQuery<br />
* (Nice to know) GWT<br />
<br />
'''Mentors:''' Cam Morris - OWASP Passfault Project Leader (Development)</div>Cam Morrishttps://wiki.owasp.org/index.php?title=GSoC2015_Ideas&diff=190145GSoC2015 Ideas2015-02-23T18:23:38Z<p>Cam Morris: /* Passfault for Linux */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== Web Sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successfull OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete, we need many features here and there to make it easily deployable and improve it's administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Source Code testing environment - Defensive Challenges ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Student performance analytics ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a better way to measure the student's performance and how it varies depending on the problem. You will write a plugin (or make changes to the core depending on your implementation proposal) to gather all sorts of performance data and present them in a meaningfull way.<br />
<br />
'''Expected Results:'''<br />
<br />
A page to view performance metrics of differenct students.<br />
( Hackalytics )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML, javascript. Some understanding of analytics.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== New Template ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a cool new template since the old one is getting pretty old.<br />
You can do it using the latest frontend bells and whistles (like angular,bootstrap or the tools of your choice).<br />
<br />
'''Expected Results:'''<br />
<br />
A new template.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Gamification ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Gamification is a feature widely used in many learning platforms out there and it would be nice if we could have it too.<br />
You will need to design and implement the awards, badges and whatever other feature you have in mind. You will also implement the front and backend changes necessary to present the results.<br />
<br />
'''Expected Results:'''<br />
<br />
Gamification of the platform. ( Hackademicification )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Hackademic is it's community, we always welcome new ideas and cool features. Come over to the irc channel or mailing list and propose something.<br />
We'd be happy to help you get it done.<br />
<br />
'''Expected Results:'''<br />
<br />
Features we didn't know we needed. ;-)<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in whatever tools and languages you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
== OWASP WebGoat .NET - Vulnerable Website ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
The actual WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in but we would like to add more vulnerable features<br />
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview<br />
<br />
'''Expected Results:'''<br />
<br />
We want to add more modules such as <br />
*WebSockets<br />
*CSRF challenge<br />
*Finalise testing an upgrade to the .NET framework 4.5<br />
*Retest and clean up actual modules<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders<br />
<br />
<br />
==OWASP WebGoatPHP==<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP first version is ready, it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP and SQL. Familiarity with web application security is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP PureCaptcha==<br />
===OWASP PureCaptcha===<br />
'''Description:''' <br />
[[OWASP PureCaptcha]] is an OWASP project aiming to simplify CAPTCHA usage. Instead of proving rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs, with little memory and processor footprint.<br />
PureCaptcha is currently released for PHP. The candidate will port this to several other programming languages (priority on web languages) and provide full test coverage.<br />
<br />
'''Expected Results:''' PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on security of the generated captcha can also be performed.<br />
<br />
'''Knowledge prerequisites:''' Any programming language you want to port into, as well as PHP.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Jesse Burns<br />
<br />
==OWASP PHP Framework==<br />
===OWASP PHP Framework===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
The project has been done in the last two years, and now a framework has been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.<br />
<br />
'''Expected Results: ''' A secure yet robust and practical framework for PHP developers.<br />
<br />
'''Knowledge prerequisite:''' This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
<br />
==OWASP RBAC Project==<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 7 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
[[OWASP RBAC project]] has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind this.<br />
<br />
'''Expected Results:''' OWASP RBAC project more mature by porting from PHP to other programming languages, OR adding new features and testing on the PHP version.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Jesse Burns<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
<br />
==OWASP PHP Widgets==<br />
===OWASP PHP Widgets===<br />
'''Description:''' Pull MVC (widget-based web views) has been available for many years on all major web programming languages, and even for Javascript. PHP on the other hand, lacks these and suffers a lot from forcing push MVC on its developers. There are a few libraries around, not secure and not mature at all. Providing a robust set of widgets for PHP developers not only smoothes web development process, it automatically mitigates a lot of web attacks that are based on user inputs to forms and other web elements (e.g CSRF, SQL Injection, XSS).<br />
<br />
<br />
'''Expected Results:''' OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.<br />
<br />
'''Knowledge prerequisite:''' Average PHP programming. Good experience with web applications.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP Seraphimdroid==<br />
<br />
'''Description:''' SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. Also this project will deliver paper on android permissions, their regular use, risks and malicious use. In second version SeraphimDroid will evolve to application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge.<br />
<br />
<br />
'''Expected Results:''' After last year's GSoC first version of project was released on Google play. However, educational component, setting check, potential android widgets are still missing and would be beneficial. Also, malicious behavior prevention mechanisms should be added and some bugs should be fixed.<br />
<br />
'''Knowledge prerequisite:''' Average Android and JAVA programming. Knowledge of XML and SQLite Good experience with mobile applications.<br />
<br />
'''Mentor:''' [[User:Nikola Milosevic|Nikola Milosevic]]<br />
<br />
== OWASP OWTF ==<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.<br />
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.<br />
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)<br />
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)<br />
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.<br />
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because i runned out of space in the vm<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats<br />
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Advanced Plug-able Report Module ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel [johanna.curiel [at] owasp.org and Simon Bennetts<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== OTG Web Testing Tool Integration ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Enterprise Integrations - Reporting ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Enterprise Integrations - Transport ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a number of "execution modes", which are simply a reference to the transport protocol (REST, SOAP, thrift). There are a number of protocols that are popular in enterprises that we don't currently support, but could. This would simplify integration for many organizations who already use a set of approved communication protocols. This project would be primarily integration work and testing with a number of well-known systems integration / transport protocols and mechanisms. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been proposed are: <br />
* Kafka<br />
* RabbitMQ<br />
* ActiveMQ<br />
* Avro<br />
* Protobuf<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. Some familiarity with distributed systems in general and message brokers in particular would be helpful.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Dashboard UI ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor provides a solid base of functionality to applications, but does not currently do a good job of presenting the resulting data. We are attacking that issue on 2 fronts. We plan to create a custom UI (this project) as well as various integrations to standard tools/formats for reporting to existing display systems. This project will involve creating the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. We don't have an existing product, so you will have lots of responsibility for the design and implementation, as well as significant input to the decision around the technology stack.<br />
<br />
'''Expected Results:'''<br />
<br />
A modern, usable UI will be built that will have at least the following features (though there are many more features to build) : <br />
* Basic Dashboard UI (the UI for the OPS wall)<br />
* Search<br />
* Policy Management (edit server configuration)<br />
<br />
Source code and associated tests for the UI will be created, along with the associated end user documentation for how to setup and configure the system. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the basic domain.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Trend Monitoring Analysis Engine ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor. <br />
<br />
'''Expected Results:'''<br />
<br />
The project should produce: <br />
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine<br />
* Associated configuration mechanism to specify the trending rules/policy<br />
* A small full sample demo application showing usage of the trend monitoring feature<br />
<br />
Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Passfault for Linux ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP Passfault has the potential to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available to every Linux administrator. It would offer a replacement of the pam module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password threshold (with reasonable defaults)<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' Cam Morris - OWASP Passfault Project Leader (Development)<br />
<br />
=== Passfault for Javascript via GWT ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP Passfault has the _potential_ to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available as a javascript library. The javascript library will be generated by GWT and made consumable by GWT Exporter.<br />
<br />
'''Expected Results:'''<br />
* GWT compiled Javascript derived from the OWASP Passfault code base<br />
* javascript accessible APIs exported by GWT Exporter<br />
* javascript bootloading code to load wordlists<br />
* scripted build with the excellent Gradle build tool<br />
* (Stretch goal) Wrap everything up in a JQuery Plugin<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript<br />
* Java<br />
* (Nice to know) Gradle<br />
* (Nice to know) JQuery<br />
* (Nice to know) GWT<br />
<br />
'''Mentors:''' Cam Morris - OWASP Passfault Project Leader (Development)</div>Cam Morrishttps://wiki.owasp.org/index.php?title=GSoC2015_Ideas&diff=190144GSoC2015 Ideas2015-02-23T18:22:10Z<p>Cam Morris: Added Passfault projects</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== Web Sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successfull OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete, we need many features here and there to make it easily deployable and improve it's administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Source Code testing environment - Defensive Challenges ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Student performance analytics ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a better way to measure the student's performance and how it varies depending on the problem. You will write a plugin (or make changes to the core depending on your implementation proposal) to gather all sorts of performance data and present them in a meaningfull way.<br />
<br />
'''Expected Results:'''<br />
<br />
A page to view performance metrics of differenct students.<br />
( Hackalytics )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML, javascript. Some understanding of analytics.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== New Template ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
We need a cool new template since the old one is getting pretty old.<br />
You can do it using the latest frontend bells and whistles (like angular,bootstrap or the tools of your choice).<br />
<br />
'''Expected Results:'''<br />
<br />
A new template.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Gamification ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Gamification is a feature widely used in many learning platforms out there and it would be nice if we could have it too.<br />
You will need to design and implement the awards, badges and whatever other feature you have in mind. You will also implement the front and backend changes necessary to present the results.<br />
<br />
'''Expected Results:'''<br />
<br />
Gamification of the platform. ( Hackademicification )<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Css, HTML, javascript and/or the tools you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Hackademic is it's community, we always welcome new ideas and cool features. Come over to the irc channel or mailing list and propose something.<br />
We'd be happy to help you get it done.<br />
<br />
'''Expected Results:'''<br />
<br />
Features we didn't know we needed. ;-)<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in whatever tools and languages you plan on using.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
== OWASP WebGoat .NET - Vulnerable Website ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
The actual WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in but we would like to add more vulnerable features<br />
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview<br />
<br />
'''Expected Results:'''<br />
<br />
We want to add more modules such as <br />
*WebSockets<br />
*CSRF challenge<br />
*Finalise testing an upgrade to the .NET framework 4.5<br />
*Retest and clean up actual modules<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders<br />
<br />
<br />
==OWASP WebGoatPHP==<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP first version is ready, it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP and SQL. Familiarity with web application security is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP PureCaptcha==<br />
===OWASP PureCaptcha===<br />
'''Description:''' <br />
[[OWASP PureCaptcha]] is an OWASP project aiming to simplify CAPTCHA usage. Instead of proving rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs, with little memory and processor footprint.<br />
PureCaptcha is currently released for PHP. The candidate will port this to several other programming languages (priority on web languages) and provide full test coverage.<br />
<br />
'''Expected Results:''' PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on security of the generated captcha can also be performed.<br />
<br />
'''Knowledge prerequisites:''' Any programming language you want to port into, as well as PHP.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Jesse Burns<br />
<br />
==OWASP PHP Framework==<br />
===OWASP PHP Framework===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
The project has been done in the last two years, and now a framework has been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.<br />
<br />
'''Expected Results: ''' A secure yet robust and practical framework for PHP developers.<br />
<br />
'''Knowledge prerequisite:''' This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
<br />
==OWASP RBAC Project==<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 7 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
[[OWASP RBAC project]] has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind this.<br />
<br />
'''Expected Results:''' OWASP RBAC project more mature by porting from PHP to other programming languages, OR adding new features and testing on the PHP version.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Jesse Burns<br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
<br />
==OWASP PHP Widgets==<br />
===OWASP PHP Widgets===<br />
'''Description:''' Pull MVC (widget-based web views) has been available for many years on all major web programming languages, and even for Javascript. PHP on the other hand, lacks these and suffers a lot from forcing push MVC on its developers. There are a few libraries around, not secure and not mature at all. Providing a robust set of widgets for PHP developers not only smoothes web development process, it automatically mitigates a lot of web attacks that are based on user inputs to forms and other web elements (e.g CSRF, SQL Injection, XSS).<br />
<br />
<br />
'''Expected Results:''' OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.<br />
<br />
'''Knowledge prerequisite:''' Average PHP programming. Good experience with web applications.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
<br />
==OWASP Seraphimdroid==<br />
<br />
'''Description:''' SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. Also this project will deliver paper on android permissions, their regular use, risks and malicious use. In second version SeraphimDroid will evolve to application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge.<br />
<br />
<br />
'''Expected Results:''' After last year's GSoC first version of project was released on Google play. However, educational component, setting check, potential android widgets are still missing and would be beneficial. Also, malicious behavior prevention mechanisms should be added and some bugs should be fixed.<br />
<br />
'''Knowledge prerequisite:''' Average Android and JAVA programming. Knowledge of XML and SQLite Good experience with mobile applications.<br />
<br />
'''Mentor:''' [[User:Nikola Milosevic|Nikola Milosevic]]<br />
<br />
== OWASP OWTF ==<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.<br />
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.<br />
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)<br />
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)<br />
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.<br />
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because i runned out of space in the vm<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats<br />
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Advanced Plug-able Report Module ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel [johanna.curiel [at] owasp.org and Simon Bennetts<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== OTG Web Testing Tool Integration ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Enterprise Integrations - Reporting ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Enterprise Integrations - Transport ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a number of "execution modes", which are simply a reference to the transport protocol (REST, SOAP, thrift). There are a number of protocols that are popular in enterprises that we don't currently support, but could. This would simplify integration for many organizations who already use a set of approved communication protocols. This project would be primarily integration work and testing with a number of well-known systems integration / transport protocols and mechanisms. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been proposed are: <br />
* Kafka<br />
* RabbitMQ<br />
* ActiveMQ<br />
* Avro<br />
* Protobuf<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. Some familiarity with distributed systems in general and message brokers in particular would be helpful.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Dashboard UI ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor provides a solid base of functionality to applications, but does not currently do a good job of presenting the resulting data. We are attacking that issue on 2 fronts. We plan to create a custom UI (this project) as well as various integrations to standard tools/formats for reporting to existing display systems. This project will involve creating the default/standard UI for the AppSensor project. As part of the project, you will learn about the domain model, iterating your mockup designs and share those with the project leader(s) and the community for feedback. We don't have an existing product, so you will have lots of responsibility for the design and implementation, as well as significant input to the decision around the technology stack.<br />
<br />
'''Expected Results:'''<br />
<br />
A modern, usable UI will be built that will have at least the following features (though there are many more features to build) : <br />
* Basic Dashboard UI (the UI for the OPS wall)<br />
* Search<br />
* Policy Management (edit server configuration)<br />
<br />
Source code and associated tests for the UI will be created, along with the associated end user documentation for how to setup and configure the system. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable with UI design and development, particularly building dashboards. Comfortable with Java (with some assistance). Basic familiarity with security concepts related to intrusion detection and prevention as this is the basic domain.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
=== Trend Monitoring Analysis Engine ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
AppSensor currently supports a basic policy-driven analysis engine to determine if a series of events represents an attack (if a user triggers 5 of this type of event in 10 minutes, it's an attack). While this supports many use cases, there are times when it would be helpful to know trending information. If a particular function of the application begins to see 10 times its normal amount of traffic, that might represent an attack. This project would add an additional analysis engine to support "trend monitoring". Development of this feature would require some initial research on alternative implementation strategies, followed by the development and testing of the feature in AppSensor. <br />
<br />
'''Expected Results:'''<br />
<br />
The project should produce: <br />
* A trend monitoring analysis engine to be used either in place of or in addition to the existing policy-driven analysis engine<br />
* Associated configuration mechanism to specify the trending rules/policy<br />
* A small full sample demo application showing usage of the trend monitoring feature<br />
<br />
Source code and associated tests for the feature will be created, along with the associated end user documentation for how to setup and configure it. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing.<br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Passfault for Linux ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP Passfault has the _potential_ to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available to every Linux administrator. It would offer a replacement of the pam module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password threshold (with reasonable defaults)<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' Cam Morris - OWASP Passfault Project Leader (Development)<br />
<br />
=== Passfault for Javascript via GWT ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP Passfault has the _potential_ to be the best password policy available. However, it's only available to java developers. This effort will make OWASP Passfault available as a javascript library. The javascript library will be generated by GWT and made consumable by GWT Exporter.<br />
<br />
'''Expected Results:'''<br />
* GWT compiled Javascript derived from the OWASP Passfault code base<br />
* javascript accessible APIs exported by GWT Exporter<br />
* javascript bootloading code to load wordlists<br />
* scripted build with the excellent Gradle build tool<br />
* (Stretch goal) Wrap everything up in a JQuery Plugin<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript<br />
* Java<br />
* (Nice to know) Gradle<br />
* (Nice to know) JQuery<br />
* (Nice to know) GWT<br />
<br />
'''Mentors:''' Cam Morris - OWASP Passfault Project Leader (Development)</div>Cam Morrishttps://wiki.owasp.org/index.php?title=User:Cam_Morris&diff=189938User:Cam Morris2015-02-18T17:49:55Z<p>Cam Morris: </p>
<hr />
<div>Project leader for [[OWASP Passfault]], Software Security Specialist, and Java Programmer<br />
<br />
G+ https://plus.google.com/+CamMorris/posts<br><br />
LinkedIn http://www.linkedin.com/in/cammer/</div>Cam Morrishttps://wiki.owasp.org/index.php?title=Projects/OWASP_Passfault/Releases/Last_Reviewed_Release&diff=189934Projects/OWASP Passfault/Releases/Last Reviewed Release2015-02-18T17:34:51Z<p>Cam Morris: Created page with "https://github.com/c-a-m/passfault/releases/tag/v0.7"</p>
<hr />
<div>https://github.com/c-a-m/passfault/releases/tag/v0.7</div>Cam Morrishttps://wiki.owasp.org/index.php?title=Projects/OWASP_Passfault/Releases/Current&diff=189933Projects/OWASP Passfault/Releases/Current2015-02-18T17:34:18Z<p>Cam Morris: Created page with "https://github.com/c-a-m/passfault/releases"</p>
<hr />
<div>https://github.com/c-a-m/passfault/releases</div>Cam Morrishttps://wiki.owasp.org/index.php?title=Projects/OWASP_Passfault&diff=189932Projects/OWASP Passfault2015-02-18T17:33:37Z<p>Cam Morris: </p>
<hr />
<div>{{Template:Project About<br />
| project_name =OWASP Passfault<br />
| project_home_page =OWASP_Passfault<br />
| project_description =Passfault evaluates password strength and enforces password policy. It identifies patterns in a password then enumerates how many passwords fit within the identified patterns. This approach is more accurate and more intuitive. It allows administrators to know and control password risk, instead of hoping that users will create strong passwords.<br />
| project_license = http://www.apache.org/licenses/LICENSE-2.0.txt Apache Software License v2 (ASLv2)<br />
| leader_name1 =Cam Morris<br />
| leader_email1 =cam.morris@owasp.org<br />
| presentation_link = https://www.youtube.com/watch?v=LPTUpGGgKLk<br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/passfault<br />
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Passfault/Roadmap<br />
| release_1 = https://github.com/c-a-m/passfault/releases/<br />
| release_2 = https://github.com/c-a-m/passfault/releases/tag/v0.7<br />
}}</div>Cam Morrishttps://wiki.owasp.org/index.php?title=Projects/OWASP_Passfault/Roadmap&diff=189930Projects/OWASP Passfault/Roadmap2015-02-18T17:27:11Z<p>Cam Morris: </p>
<hr />
<div><br />
<br />
== Release 0.8 ==<br />
Goal: preparation for ESAPI<br />
* More meaningful word lists<br />
** Frequency lists: build lists of the most common words, names. (Done for English, Spainish)<br />
** Improved configuration of finders and wordlists<br />
<br />
== Release 0.9 ==<br />
Goal: UI improvment<br />
* experiment with configuration of wordlists<br />
<br />
== Release 1.0 ==<br />
Goals: Enterprise Ready<br />
- UI improvements for learning better password strategies<br />
- Easier to configure and run, not requiring a developer to wire things up.<br />
<br />
== Other Important Goals ==<br />
* Javascript library generated by GWT and GWT Export. Do you know GWT? Please help us build a javascript version of passfault using GWT Exporter: https://code.google.com/p/gwt-exporter/<br />
* OS system integration: <br />
** Linux<br />
*** running passwd on linux runs passfault<br />
*** apt-get install passfault<br />
** Windows<br />
* Document each pattern finder on the OWASP wiki.<br />
* JQuery Plugin: A JQuery plugin that will let a web site use either the passfault applet or a passfault JSON Service to analyze a password.<br />
* Wordlists: We can always use better word lists. Contact us on the mailing list if you want to help.<br />
<br />
For current bugs and smaller tasks see the issues list on github: https://github.com/c-a-m/passfault/issues?state=open</div>Cam Morrishttps://wiki.owasp.org/index.php?title=Projects/OWASP_Passfault/Roadmap&diff=189928Projects/OWASP Passfault/Roadmap2015-02-18T17:23:38Z<p>Cam Morris: /* Release 0.8 */</p>
<hr />
<div><br />
<br />
== Release 0.8 ==<br />
Goal: preparation for ESAPI<br />
* More meaningful word lists<br />
** Frequency lists: build lists of the most common words, names. (Done for English, Spainish)<br />
** Improved configuration of finders and wordlists<br />
<br />
== Release 1.0 ==<br />
Goals: Enterprise Ready<br />
- UI improvements for learning better password strategies<br />
- Easier to configure and run, not requiring a developer to wire things up.<br />
<br />
== Other Important Goals ==<br />
* Javascript library generated by GWT and GWT Export. Do you know GWT? Please help us build a javascript version of passfault using GWT Exporter: https://code.google.com/p/gwt-exporter/<br />
* Document each pattern finder on the OWASP wiki.<br />
* JQuery Plugin: A JQuery plugin that will let a web site use either the passfault applet or a passfault JSON Service to analyze a password.<br />
* Wordlists: We can always use better word lists. Contact us on the mailing list if you want to help.<br />
<br />
For current bugs and smaller tasks see the issues list on github: https://github.com/c-a-m/passfault/issues?state=open</div>Cam Morrishttps://wiki.owasp.org/index.php?title=Projects/OWASP_Passfault/Roadmap&diff=189926Projects/OWASP Passfault/Roadmap2015-02-18T17:21:45Z<p>Cam Morris: /* Release 1.0 */</p>
<hr />
<div><br />
<br />
== Release 0.8 ==<br />
Goal: preparation for ESAPI<br />
* More meaningful word lists<br />
** Frequency lists: build lists of the most common words, names<br />
* ESAPI Authenticator Decorator<br />
** Implement an ESAPI Authenticator that will enhance an existing authenticator with passfault implementing the "verifyPasswordStrength" method.<br />
** A volunteer force from university of Florida has built this. All that remains is to get it into ESAPI.<br />
<br />
== Release 1.0 ==<br />
Goals: Enterprise Ready<br />
- UI improvements for learning better password strategies<br />
- Easier to configure and run, not requiring a developer to wire things up.<br />
<br />
== Other Important Goals ==<br />
* Javascript library generated by GWT and GWT Export. Do you know GWT? Please help us build a javascript version of passfault using GWT Exporter: https://code.google.com/p/gwt-exporter/<br />
* Document each pattern finder on the OWASP wiki.<br />
* JQuery Plugin: A JQuery plugin that will let a web site use either the passfault applet or a passfault JSON Service to analyze a password.<br />
* Wordlists: We can always use better word lists. Contact us on the mailing list if you want to help.<br />
<br />
For current bugs and smaller tasks see the issues list on github: https://github.com/c-a-m/passfault/issues?state=open</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=189915OWASP Passfault2015-02-18T17:02:53Z<p>Cam Morris: /* Acknowledgements */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 "Your Passwords don't Suck, its your Policies" - ZDNet]]<br />
<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength "Redefining Password Strength and Creation" - MidsizeInsider, IBM]]<br />
<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ "How long would it take to crack your password" - Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[Password_Storage_Cheat_Sheet]]<br />
<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/passfault<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* New Jersey Institute of Technology students contributed to release 0.8 (Highlander):<br />
** Michael Glassman<br />
** Georgina Matias<br />
** Scott Sands <br />
** Brandon Lyew <br />
** Kevin Sealy <br />
** Llina Ljoljevski<br />
* University of Florida Students contibuted to release 0.7 (Gator):<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault<br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=189906OWASP Passfault2015-02-18T16:38:00Z<p>Cam Morris: /* FAQs */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 "Your Passwords don't Suck, its your Policies" - ZDNet]]<br />
<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength "Redefining Password Strength and Creation" - MidsizeInsider, IBM]]<br />
<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ "How long would it take to crack your password" - Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[Password_Storage_Cheat_Sheet]]<br />
<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/passfault<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
* GETs are blocked so no urls will have accidental passwords stored in the logs<br />
* passwords are read directly from the input stream to prevent parsing into Java Strings<br />
* the memory is cleared as soon as analysis is complete.<br />
* HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* University of Florida Students:<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault <br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=188994OWASP Passfault2015-02-03T23:58:20Z<p>Cam Morris: /* Articles */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 "Your Passwords don't Suck, its your Policies" - ZDNet]]<br />
<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength "Redefining Password Strength and Creation" - MidsizeInsider, IBM]]<br />
<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ "How long would it take to crack your password" - Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[Password_Storage_Cheat_Sheet]]<br />
<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/passfault<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
** GETs are blocked so no urls will have accidental passwords stored in the logs<br />
** passwords are read directly from the input stream to prevent parsing into Java Strings<br />
** the memory is cleared as soon as analysis is complete.<br />
** HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* University of Florida Students:<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault <br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=178590OWASP Passfault2014-07-11T23:42:31Z<p>Cam Morris: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
[[File:Passfault-prezi-thumbnail.png|link=https://www.youtube.com/watch?v=LPTUpGGgKLk]]<br />
<br />
== Articles ==<br />
<br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 "Your Passwords don't Suck, its your Policies" - ZDNet]]<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength "Redefining Password Strength and Creation" - MidsizeInsider, IBM]]<br />
[[https://turnlevel.com/2012/05/09/for-better-password-policies-owasp-passfault/ "For Better Password Policies" - Turnlevel, Partnet]]<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ "How long would it take to crack your password" - Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[Password_Storage_Cheat_Sheet]]<br />
<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/passfault<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
** GETs are blocked so no urls will have accidental passwords stored in the logs<br />
** passwords are read directly from the input stream to prevent parsing into Java Strings<br />
** the memory is cleared as soon as analysis is complete.<br />
** HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* University of Florida Students:<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault <br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=Projects/OWASP_Passfault/Roadmap&diff=170058Projects/OWASP Passfault/Roadmap2014-03-13T21:57:58Z<p>Cam Morris: </p>
<hr />
<div><br />
<br />
== Release 0.8 ==<br />
Goal: preparation for ESAPI<br />
* More meaningful word lists<br />
** Frequency lists: build lists of the most common words, names<br />
* ESAPI Authenticator Decorator<br />
** Implement an ESAPI Authenticator that will enhance an existing authenticator with passfault implementing the "verifyPasswordStrength" method.<br />
** A volunteer force from university of Florida has built this. All that remains is to get it into ESAPI.<br />
<br />
== Release 1.0 ==<br />
Goal: Enterprise Ready, working with ESAPI<br />
<br />
== Other Important Goals ==<br />
* Javascript library generated by GWT and GWT Export. Do you know GWT? Please help us build a javascript version of passfault using GWT Exporter: https://code.google.com/p/gwt-exporter/<br />
* Document each pattern finder on the OWASP wiki.<br />
* JQuery Plugin: A JQuery plugin that will let a web site use either the passfault applet or a passfault JSON Service to analyze a password.<br />
* Wordlists: We can always use better word lists. Contact us on the mailing list if you want to help.<br />
<br />
For current bugs and smaller tasks see the issues list on github: https://github.com/c-a-m/passfault/issues?state=open</div>Cam Morrishttps://wiki.owasp.org/index.php?title=User:Cam_Morris&diff=170003User:Cam Morris2014-03-12T21:46:15Z<p>Cam Morris: </p>
<hr />
<div>Project leader for OWASP Passfault, Software Security Specialist, and Java Programmer<br />
<br />
G+ https://plus.google.com/+CamMorris/posts<br><br />
LinkedIn http://www.linkedin.com/in/cammer/</div>Cam Morrishttps://wiki.owasp.org/index.php?title=User:Cam_Morris&diff=170002User:Cam Morris2014-03-12T21:45:46Z<p>Cam Morris: </p>
<hr />
<div>Project leader for OWASP Passfault<br />
Software Security Specialist and Java Programmer<br />
<br />
G+ https://plus.google.com/+CamMorris/posts<br><br />
LinkedIn http://www.linkedin.com/in/cammer/</div>Cam Morrishttps://wiki.owasp.org/index.php?title=File:Passfault-header.png&diff=167312File:Passfault-header.png2014-02-04T16:13:13Z<p>Cam Morris: Cam Morris uploaded a new version of &quot;File:Passfault-header.png&quot;</p>
<hr />
<div>Header for OWASP Passfault front page</div>Cam Morrishttps://wiki.owasp.org/index.php?title=OWASP_Passfault&diff=167297OWASP Passfault2014-02-04T15:50:07Z<p>Cam Morris: changed banner image</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Passfault-header.png|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Passfault==<br />
<br />
OWASP Passfault evaluates the strength of passwords accurately enough to predict the time to crack. It makes creating passwords and password policies significantly more intuitive and simple. Passwords don't have to be annoying!<br />
<br />
<br />
==Introduction==<br />
OWASP Passfault is more ...<br />
; Accurate : Measures the size of password patterns and identifies more weak passwords, yet allows strong passwords that don't match traditional password policies<br />
; Informative : Provides detailed analysis of the password and sub patterns within the password, so users quickly learn how to make strong passwords without training.<br />
; Simple : Presents the password strength as the "time to crack" to help communicate the risk of poor paswords, providing the incentive to create stronger passwords.<br />
; Powerful : Empowers administrators to know and control the strength and risk of the organization's passwords.<br />
<br />
<br />
==Description==<br />
<br />
When setting a password, OWASP Passfault examines the password, looking for common patterns. It than measures the ''size of the patterns and combinations of patterns''. The end result is a more academic and accurate measurement of password strength.<br />
<br />
When setting a password policy, OWASP Passfault simplifies configuration to one simple meaningful measurement: '''the number of passwords found in the password patterns'''. This measurement is made more intuitive and meaningful with an estimated time to crack.<br />
<br />
<br />
<br />
==Licensing==<br />
OWASP Passfault is free to use. It is licensed under the [[http://www.apache.org/licenses/LICENSE-2.0 Apache License version 2.0]] .<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== What is Passfault? ==<br />
<br />
OWASP Passfault provides:<br />
<br />
* Password Strength Evaluation<br />
* Password Policy Replacement<br />
<br />
<br />
== Presentation ==<br />
<br />
Presentation given at OWASP SnowFROC 2012 in Denver:<br />
[[File:Passfault-prezi-thumbnail.png|link=http://prezi.com/erdwjqhjyngm/owasp-passfault-better-password-policies/]]<br />
<br />
<br />
== Articles ==<br />
<br />
[[http://www.zdnet.com/blog/identity/your-passwords-dont-suck-its-your-policies/482 "Your Passwords don't Suck, its your Policies" - ZDNet]]<br />
[[http://midsizeinsider.com/en-us/article/passfault-redefining-password-strength "Redefining Password Strength and Creation" - MidsizeInsider, IBM]]<br />
[[https://turnlevel.com/2012/05/09/for-better-password-policies-owasp-passfault/ "For Better Password Policies" - Turnlevel, Partnet]]<br />
[[http://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/ "How long would it take to crack your password" - Naked Security, Sophos]]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
== Quick Download ==<br />
<br />
[[https://github.com/c-a-m/passfault/releases downloads]]<br />
<br />
<br />
== Demo Page ==<br />
[[https://passfault.appspot.com/password_strength.html demo site]]<br />
<br />
<br />
== Project Leader ==<br />
<br />
[[User:Cam_Morris|Cam Morris]]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[Password_Storage_Cheat_Sheet]]<br />
<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Apache-feather-small.gif|link=http://www.apache.org/licenses/LICENSE-2.0.html]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://github.com/c-a-m/passfault]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==Demo Site==<br />
; Does the Demo Site capture or log passwords?<br />
: No, of course not<br />
<br />
; How can I be sure the Demo Site doesn't capture or log passwords?<br />
: You can't, There is no way to verify what is uploaded to appspot (google is hosting the demo site) However, you can look at the code: https://github.com/c-a-m/passfault/blob/master/jsonService/src/main/java/org/owasp/passfault/web/PassfaultServlet.java We took the following steps to ensure the passwords don't get logged:<br />
** GETs are blocked so no urls will have accidental passwords stored in the logs<br />
** passwords are read directly from the input stream to prevent parsing into Java Strings<br />
** the memory is cleared as soon as analysis is complete.<br />
** HTTPS is required on this URL (using the appspot domain)<br />
To be extra cautious, download the code and execute it locally. (See the readme) https://github.com/c-a-m/passfault/blob/master/README.txt<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWASP Passfault is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Cam Morris<br />
* University of Florida Students:<br />
** Neeti Pathak<br />
** Carlos Vasquez<br />
** Chelsea Metcalf<br />
** Yang Ou<br />
<br />
==Others==<br />
* Partnet Inc. has donated paid labor on OWASP Passfault <br />
<br />
= Road Map and Getting Involved =<br />
{{:Projects/OWASP_Passfault/Roadmap}}<br />
<br />
<br />
=Project About=<br />
{{:Projects/OWASP_Passfault}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Cam Morrishttps://wiki.owasp.org/index.php?title=File:Passfault-header.png&diff=167295File:Passfault-header.png2014-02-04T15:48:13Z<p>Cam Morris: Header for OWASP Passfault front page</p>
<hr />
<div>Header for OWASP Passfault front page</div>Cam Morris