https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Delta24OWASP - User contributions [en]2026-04-11T18:19:59ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=249236GSoC2019 Ideas2019-03-24T06:25:18Z<p>Delta24: /* Brief Explanation */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
<br />
<br />
==OWASP-SKF==<br />
<br />
=== Idea 1 Improving the Machine Learning chatbot: ===<br />
We want to extend the functionality of SKF Bot. (Security Knowledge Framework Chatbot):<br />
<br />
Some improvements or the suggestions which we can do to improve the functionality are:<br />
<br />
1. Create a desktop version of the chatbot. Where people can install the setup file on their local machine.<br />
<br />
2. Create a Plugin or website bot which we can add in the website for better chat experience for the user.<br />
<br />
3. Extend the bots capability to do the google search (using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.<br />
<br />
4. Add basic conversation flow which makes SKF Bot friendly and provides the better user experience. Example: Replies to the general queries like How are you? What is your Name etc?<br />
<br />
5. Extend the bot capability to reply to what security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.<br />
# Extend the bot to different platforms like Facebook, telegram, slack, Google Assistant etc.<br />
Existing chatbot implementation is on Gitter. You can test the bot by typing @skfchatbot on Gitter Community.<br />
<br />
'''Getting started:'''<br />
<br />
· Get familiar with the architecture and code base of SKF (Security Knowledge Framework)<br />
<br />
· Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
<br />
· Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
· Python 3+, Flask, Coffee Script<br />
<br />
'''Mentors and Leaders'''<br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor)<br />
<br />
=== Idea 2 Improving and building Lab challenges and write-ups: ===<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be <br />
<br />
easily deployed.<br />
<br />
In the current situation the security knowledge framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and <br />
<br />
a solution. The new labs are used to give the software developers or application security specialists a more in depth understanding and approach on how to test the <br />
<br />
vulnerabilities in their own code. <br />
* For example we have now around 20 lab challenges in Docker container build in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the Github repository are already automatically build and pushed to a docker registry where the SKF users can easily pull the images from to get their<br />
<br />
labs running. Of course they can download it and build it themselves from source by pulling the original repository. <br />
<br />
'''Mentors and Leaders''' <br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool and is used as the backbone for security programs. It is easy to get started with to work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
'''Issue Tracking:'''<br />
<br />
Enhancement [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement requests] and [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Abug bugfixes] are located in Github issues. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. <br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP DefectDojo<br />
* Each feature comes with full functional unit and integration tests<br />
'''Getting started:'''<br />
* Get familiar with the architecture and code base of the application built on Django<br />
* Review the application functionality and familiarize yourself with Products, Engagements, Tests and Findings.<br />
* Get familiar with the CI/CD process based on Travis-CI<br />
'''Knowledge Prerequisites:'''<br />
* Python, Django, Javascript, Unit/Integration testing.<br />
'''Potential Mentors:'''<br />
* [[Mailto:aaron.weaver2+gsoc@gmail.com|Aaron Weaver]] - DefectDojo Project Leader<br />
* [[Mailto:greg.anderson@owasp.org|Greg Anderson]] - DefectDojo Project Leader<br />
* [[Mailto:matt.tesauro@owasp.org|Matt Tesauro]] - DefectDojo Project Leader<br />
'''Option 1: Unit Tests - Difficulty: Easy'''<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
* Review the current [https://github.com/DefectDojo/django-DefectDojo/tree/dev/dojo/unittests unit tests] <br />
* Complete Code Coverage Testing<br />
** Validate Tests exist for the following (create any that are missing):<br />
*** Finding, Test, Engagement, Reports, Endpoints <br />
*** Import from all scanners <br />
'''Option 2: Python3 Completion'''<br />
* DefectDojo is finishing up a migration to Python3<br />
Test the current [https://github.com/DefectDojo/django-DefectDojo/tree/python3/dojo/unittests state] of Python3<br />
* Ensure all features work<br />
* Travis testing works correctly<br />
'''Option 3: Scan 2.0 / Launch Containers'''<br />
<br />
Scan 2.0 consists of automating the scanning orchestration within DefectDojo. Several proof of concepts exist for this using the AppSecpPipeline to launch containers and then push those finding into the appropriate product. <br />
* Use the [https://github.com/appsecpipeline/AppSecPipeline-Specification AppSecPipeline] containers to build a scanning pipeline built on top of [https://www.openfaas.com/ OpenFaaS]<br />
* Scans should be able to be scheduled by DefectDojo and then invoked via the REST API call to OpenFaaS<br />
* Upon scan completion the results will be posted back to DefectDojo via DefectDojo's REST API and consumed as an engagement/test.<br />
* Pick 2 or 3 popular open source scanners such as NMAP, ZAP and Nikto to start out with.<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
[[OWASP_Python_Honeypot|OWASP Honeypot]] is an open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Start ===<br />
<br />
It's best to start from [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page], we are looking forward to adding more modules and optimize the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more linux services<br />
<br />
=== Expected Results ===<br />
<br />
* Zero Bugs: Currently we may have several bugs in different conditions, and it's best to test the all functions and fix them<br />
* Monitoring: Right now monitoring limited to the connections (send&recieve) and it's best to store and analysis the contents for farther investigations and recognizing incoming attacks.<br />
* Duplicated codes: codes are complicated and duplicated in engine, should be fixed/clean up<br />
* New modules: add some creative ICS/Network/Web modules andvulnerable web applications, services and stuff<br />
* API: update API sync to all features<br />
* WebUI: Demonstrate and add API on WebUI and Live version with all features<br />
* WebUI Special Reports: Track the attacks more creative and provide high risk IPs<br />
* Database: Better database structure, faster and use queue<br />
* Data analysis: Analysis stored data and attack signatures<br />
* OWASP Top 10: Preparing useful processed/raw data for OWASP top 10 project<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet Analysis & Tshark & Libpcap<br />
* Docker<br />
* Database<br />
* Web Development Skills<br />
* Honeypot and Deception knowledge<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Feature Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)<br />
* Each feature comes with full functional unit and integration tests<br />
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Juice Shop Mobile ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
A complete mobile client for Juice-Shop API which will serve a legit mobile experience for Juice-Shop user as well as a plethora of Mobile app vulnerabilities and challenges around them to solve. Should in the best case translate the idea of Juice Shop's hacking challenges with a score board and success notifications into the mobile world.<br />
<br />
''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''<br />
<br />
''' Getting started '''<br />
* Get familiar with the architecture and code base of the application's RESTful backend<br />
* Get familiar with Native App developement<br />
* Get familiar with Mobile vulnerabilities<br />
<br />
'''Expected Results:'''<br />
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.<br />
* Sufficient initial release quality (en par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''<br />
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.<br />
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.<br />
<br />
''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''<br />
<br />
'''Expected Results:'''<br />
* A working implementation of e.g. an avatar-style "Hacking Instructor" or other solution based on the students own proposal<br />
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges<br />
* Documentation how to configure or script the "Hacking Instructor" for challenges in general<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular, some UI/UX experience would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP-Securetea Tools Project ==<br />
The OWASP SecureTea Project is a application designed to help Secure a person's laptop or computer / server with IoT (Internet Of Things) for notify users (via various communication mechanisms), whenever someone accesses their computer / server. This application uses the touchpad/mouse/wireless mouse to determine activity and is developed in Python and tested on various machines (Linux, Mac & Windows)<br />
. -<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
We are looking any awesome idea to improve Securetea Project that is not on this list? We are expecting make this project will be useful to everyone to secure their Small IoT. <br />
<br />
===Idea===<br />
Below roadmap and expect results you can choose to improve Securetea Project . <br />
if any bugs please help to fix it<br />
<br />
===Roadmap=== <br />
See Our Roadmap<br><br />
https://github.com/OWASP/SecureTea-Project#roadmap<br><br />
<br />
===Expect Results ===<br />
<br><br />
Securetea Protection /firewall<br><br />
Securetea Antivirus<br><br />
Notify by Whatsapp<br><br />
Notify by SMS Alerts<br><br />
Notify by Line<br><br />
Notify by Telegram<br><br />
Intelligent Log Monitoring include Web Deface Detection<br><br />
Detection of malicious devices <br><br />
Login History<br><br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) <br><br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A]]- (OWASP Securetea Project Leader)<br />
<br><br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
<br />
=== OWASP OWTF - Passive Online scanner improvements ===<br />
'''Brief Explanation'''<br />
<br />
OWTF allows many passive tests, such as those using third party websites like Google, Bing, etc. searches, as well as handy "Search for vulnerability" search boxes (i.e. Fingerprinting plugin). This feature involves the creation of a '''script''' that produces an interactive OWTF report with the intention of hosting it in the github.io site. The idea here is to have a passive, JavaScript-only interactive report available on the owtf.github.io site, so that people can try OWTF '''without installing anything''', simply visiting a URL.<br />
<br />
This would be a normal OWTF interactive report where the user can:<br />
* Enter a target<br />
* Try passive plugins (only the parts that use no tools)<br />
* Play with boilerplate templates from the OWTF interactive report<br />
An old version of the passive online scanner is hosted at https://owtf.github.io/online-passive-scanner.<br />
<br />
'''LEGAL CLARIFICATION (Just in case!)''': The passive online scanner, simply makes OWTF passive testing '''through third party websites''' more accessible to anybody, however it is the user that must 1) click the link manually + 2) do something bad with that afterwards + 3) doing 1 + 2 WITHOUT permission :). Therefore this passive online scanner does not do anything illegal [http://www.slideshare.net/abrahamaranguren/legal-and-efficient-web-app-testing-without-permission More information about why this is not illegal here] (recommended reading!)<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code]/ES6 JavaScript code in all modified code and surrounding areas.'''<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
A good knowledge of JavaScript and writing ES6 compliant React/TypeScript is needed. Previous exposure to security concepts and penetration testing is not required but recommended and some lack of this can be compensated with pre-GSoC involvement and will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP iGoat (draft) ==<br />
'''Idea 1:''' Completing OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos at for OWASP iGoat YouTube channel for learning purpose.<br />
<br />
'''Idea 2:''' Adding new challenge pack / CTF for iGoat. It should be one point solution for learning iOS app security<br />
<br />
== OWASP Seraphimdroid ==<br />
[[OWASP SeraphimDroid Project|OWASP Seraphimdroid]] is Android security and privacy app, with features to enhance user's knowledge about security and privacy on his/her mobile device. If you are interested in this project and working on it during Google Summer of Code, please contact [[User:Nikola Milosevic|Nikola Milosevic]] and express your interest.<br />
<br />
=== Idea 1: Anomaly detection of device state ===<br />
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, opp calls, etc.). Initially, the usual behaviour of the device would be learned. Later, anomalies normal behavior would be reported to the user. This should involve some explanations, such as which applications are causing an anomaly the device behaviors <br />
<br />
=== Idea 2: On device machine learning of maliciousness of an app ===<br />
Tensor-flow for on-device processing and some other libraries have been released that enable machine learning. We have previously applied a system, that based on permissions, is able to distinguish malicious apps from non-malicious. Now, we would like to learn also from other outputs and things one can monitor about application whether it can be malicious. <br />
<br />
=== Idea 3: Enhansing privacy features ===<br />
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved throug knowing which applications are using user accounts or other information that uthe user has on phone to send to the server, or just by knowing which applications may be doing it. Knowledgebase shouldbbeextending with the suggestions on how to improve privacy. Also, automated settings of various apps to use encryption should be proposed.<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== Active Scanning WebSockets ===<br />
: '''Brief Explanation:'''<br />
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).<br />
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* An pluggable infrastructure that allows us to active scan websockets<br />
:* Converting the relevant existing scan rules to work with websockets<br />
:* Implementing new websocket specific scan rules<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated Authentication Detection and Configuration ===<br />
: '''Brief Explanation:'''<br />
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
: This is time consuming and error prone.<br />
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* Detect login and registration pages<br />
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== IoT Goat ==<br />
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf IoT Top 10 2018]. <br />
<br />
===Idea 1: Insecure firmware web application ecosystem===<br />
'''Brief Explanation:'''<br />
<br />
A vulnerable web application, and backend API/web services deployed in OpenWrt containing critical vulnerabilities showcasing the traditional IoT problems.<br />
<br />
''' Getting started '''<br />
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-<br />
* Create a GitHub account to be added as a collaborator to the repository<br />
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md<br />
<br />
'''Expected Results:'''<br />
<br />
Development of a simple web application user interface with web services and API's deployed locally on the OpenWrt firmware. Documented challenges of how to discover and remediate web software security vulnerabilities. The insecure web application services must contain the following vulnerabilities to be used with the IoT testing guide: <br />
* Command injection<br />
* SQL injection<br />
* Local file inclusion <br />
* XXE injection,Insufficient Authentication<br />
* Transfer sensitive data using insecure channels<br />
* Store sensitive data insecurely<br />
Vulnerable SOAP web services and REST API implementations are in-scope. <br />
<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Embedded and/or web development (nice to have)<br />
** Web application code can be developed using the following common embedded programming languages:<br />
*** Lua<br />
*** PHP<br />
*** C/C++<br />
*** JavaScript<br />
<br />
===Idea 2: Insecure network services===<br />
'''Brief Explanation:'''<br />
<br />
Deliberately insecure services configured within OpenWrt such as an miniupnp daemon configured with secure_mode off (Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from), to demonstrate a port mapping attack where an attacker from inside the network exposes a service that typically should be behind a LAN to the internet). <br />
<br />
''' Getting started '''<br />
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-<br />
* Create a GitHub account to be added as a collaborator to the repository<br />
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md<br />
<br />
'''Expected Results:'''<br />
<br />
Documented challenges of how to discover and remediate insecure network service vulnerabilities. The network services can be inherently insecure or have insecure configurations that can be abused during the challenges.<br />
* Example of network insecure services include:<br />
** FTP<br />
** Telnet<br />
** miniupnpd<br />
** HTTP<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Network security<br />
<br />
===Idea 3: Insecure firmware build system===<br />
'''Brief Explanation:'''<br />
<br />
Develop custom firmware builds of the latest OpenWrt version (18.06) demonstrating the process of incorporating debug services/tools, misconfigurations, and usage of vulnerable software packages. <br />
<br />
''' Getting started '''<br />
* Review OpenWrt's developer guide to get familiar with creating custom firmware builds<br />
** https://openwrt.org/docs/guide-developer/start<br />
** https://openwrt.org/docs/guide-developer/build-system/install-buildsystem<br />
** https://github.com/openwrt/openwrt<br />
<br />
'''Expected Results:'''<br />
* Provide walkthrough examples of insecure design choices for building firmware. <br />
* Provide suggested mitigation security controls<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Embedded development (C/C++)<br />
<br />
===Suggest your own ideas===<br />
You may suggest additional challenges or ideas that fit this project's objectives.<br />
<br />
=== Mentors and Leaders ===<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)<br />
<br />
==OWASP Web Honeypot Project ==<br />
<br />
The goal of the OWASP Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Within this project, Anglia Ruskin University is leading the collection, storage and analysis of threat intelligence data. <br />
<br />
https://www.owasp.org/index.php/OWASP_Honeypot_Project<br />
<br />
https://github.com/OWASP/Honeypot-Project/<br />
<br />
<br />
===Brief Explanation===<br />
The purpose of this part of the project is to capture intelligence on attacker activity against web applications and utilise this intelligence as ways to protect software against attacks. Honeypots are an established industry technique to provide a realistic target to entice a criminal, whilst encouraging them to divulge the tools and techniques they use during an attack. Like bees to a honeypot. These honeypots are safely designed to contain no information of monetary use to an attacker, and hence provide no risk to the businesses implementing them. <br><br />
<br />
The project will create honeypots that the community can distribute within their own networks. With enough honeypots globally distributed, we will be in a position to aggregate attack techniques to better understand and protect against the techniques used by attackers. With this information, we will be in a position to create educational information, such as rules and strategies, that application writers can use to ensure that any detected bugs and vulnerabilities are closed. <br><br />
<br />
===Idea===<br />
Project progression: <br />
* Honeypot software. The honeypot software that is to be provided to the community to place in their networks has been written. Honeypots are available in a variety of forms, to make deployment as flexible as possible and appeal to a diverse a user set as possible.<br />
* Collection software. The centralised collection software has been written and evaluated in a student driven proof-of-concept project. Honeypots have been attacked in a laboratory situation and have reported both the steps taken by the attacker and what they have attacked, back to the collection software.<br />
* Rollout to the Community. The project now needs a dedicated infrastructure platform in place that is available to the entire community to start collecting intelligence back from community deployed honeypots. This infrastructure will run the collector software, analysis programmes and provide a portal for communicating our finds and recommendations back to the community in a meaningful manner.<br />
* Going Forward. Toolkits and skills used by attackers do not stand still. As existing bugs are plugged, others open. Follow up stages for the project will be to create a messaging system to automatically update the community on findings of significant risk in their existing code that requires attention. <br />
<br />
<br />
===Expect Results ===<br />
<br />
Some of the ideas from last year's summit<br />
<br />
* Setup Proof of Concept to understand how Mod Security baed Honeypot/Probe interacts with a receiving console (develop a VM and/or Docker based test solution to store logs from multiple probes).<br />
* Evaluate console options to visualise threat data received from ModSecurity Honeypots/probes in MosSecurity Audit Console, WAF-FLE, Fluent and bespoke scripts for single and multiple probes.<br />
* Develop a mechanism to convert from stored MySQL to JSON format.<br />
* Provide a mechanism to convert ModSecurity mlogc audit log output into JSON format.<br />
* Provide a mechanism to convert mlogc audit log output directly into ELK (ElasticSearch/Logstash/Kibana) to visualise the data.<br />
* Provide a mechanism to forward honest output into threat intelligence format such as STIX using something like the MISP project(https://www.misp-project.org) to share Threat data coming from the Honeypots making it easy to export/import data from formats such as STIX and TAXII., may require use of concurrent logs in a format that MISP can deal with.<br />
* Consider new alternatives for log transfer including the use of MLOGC-NG or other possible approaches.<br />
* Develop a new VM based honeypot/robe based on CRS v3.0.<br />
* Develop new alternative small footprint honeypot/probe formats utilising Docker & Raspberry Pi.<br />
* Develop machine learning approach to automatically be able to update the rule set being used by the probe based on cyber threat intelligence received.<br />
<br />
<br />
=== Students Requirements ===<br />
<br />
Some of the skills we are looking for:<br />
<br />
* Apache/Tomcat <br />
* Any experience of MISP<br />
* MySQL & JSON<br />
* ELK <br />
* STIX/TAXII<br />
* Python<br />
* ModSecurity/mlogc<br />
* OWASP Core RuleSet (CRS)<br />
* Linux<br />
* VM/Docker<br />
<br />
=== Mentors === <br />
<br />
* [mailto:adrian.winckles@owasp.org Adrian Winckles] - (OWASP Web Honeypot Project Leader) <br><br />
<br />
===Suggest your own ideas===<br />
<br />
You may suggest additional challenges or ideas that fit this project's objectives.<br />
<br />
==OWASP Risk Assessment Framework ==<br />
Tool projects aim to assessment more than one or many web application using owasp risk rating mathodologies.<br />
https://github.com/OWASP/RiskAssessmentFramework<br />
<br />
'''Idea 1:''' make dashboard with databases and can assess many website based owasp risk rating mathodologies, create graph and report in pdf,word & excel format.<br />
=== Mentors === <br />
* [mailto:ade.putra@owasp.org Ade Yoseman] - <br></div>Delta24https://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=249235GSoC2019 Ideas2019-03-24T06:24:51Z<p>Delta24: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
<br />
<br />
==OWASP-SKF==<br />
<br />
=== Idea 1 Improving the Machine Learning chatbot: ===<br />
We want to extend the functionality of SKF Bot. (Security Knowledge Framework Chatbot):<br />
<br />
Some improvements or the suggestions which we can do to improve the functionality are:<br />
<br />
1. Create a desktop version of the chatbot. Where people can install the setup file on their local machine.<br />
<br />
2. Create a Plugin or website bot which we can add in the website for better chat experience for the user.<br />
<br />
3. Extend the bots capability to do the google search (using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.<br />
<br />
4. Add basic conversation flow which makes SKF Bot friendly and provides the better user experience. Example: Replies to the general queries like How are you? What is your Name etc?<br />
<br />
5. Extend the bot capability to reply to what security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.<br />
# Extend the bot to different platforms like Facebook, telegram, slack, Google Assistant etc.<br />
Existing chatbot implementation is on Gitter. You can test the bot by typing @skfchatbot on Gitter Community.<br />
<br />
'''Getting started:'''<br />
<br />
· Get familiar with the architecture and code base of SKF (Security Knowledge Framework)<br />
<br />
· Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
<br />
· Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
· Python 3+, Flask, Coffee Script<br />
<br />
'''Mentors and Leaders'''<br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor)<br />
<br />
=== Idea 2 Improving and building Lab challenges and write-ups: ===<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be <br />
<br />
easily deployed.<br />
<br />
In the current situation the security knowledge framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and <br />
<br />
a solution. The new labs are used to give the software developers or application security specialists a more in depth understanding and approach on how to test the <br />
<br />
vulnerabilities in their own code. <br />
* For example we have now around 20 lab challenges in Docker container build in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the Github repository are already automatically build and pushed to a docker registry where the SKF users can easily pull the images from to get their<br />
<br />
labs running. Of course they can download it and build it themselves from source by pulling the original repository. <br />
<br />
'''Mentors and Leaders''' <br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool and is used as the backbone for security programs. It is easy to get started with to work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
'''Issue Tracking:'''<br />
<br />
Enhancement [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement requests] and [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Abug bugfixes] are located in Github issues. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. <br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP DefectDojo<br />
* Each feature comes with full functional unit and integration tests<br />
'''Getting started:'''<br />
* Get familiar with the architecture and code base of the application built on Django<br />
* Review the application functionality and familiarize yourself with Products, Engagements, Tests and Findings.<br />
* Get familiar with the CI/CD process based on Travis-CI<br />
'''Knowledge Prerequisites:'''<br />
* Python, Django, Javascript, Unit/Integration testing.<br />
'''Potential Mentors:'''<br />
* [[Mailto:aaron.weaver2+gsoc@gmail.com|Aaron Weaver]] - DefectDojo Project Leader<br />
* [[Mailto:greg.anderson@owasp.org|Greg Anderson]] - DefectDojo Project Leader<br />
* [[Mailto:matt.tesauro@owasp.org|Matt Tesauro]] - DefectDojo Project Leader<br />
'''Option 1: Unit Tests - Difficulty: Easy'''<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
* Review the current [https://github.com/DefectDojo/django-DefectDojo/tree/dev/dojo/unittests unit tests] <br />
* Complete Code Coverage Testing<br />
** Validate Tests exist for the following (create any that are missing):<br />
*** Finding, Test, Engagement, Reports, Endpoints <br />
*** Import from all scanners <br />
'''Option 2: Python3 Completion'''<br />
* DefectDojo is finishing up a migration to Python3<br />
Test the current [https://github.com/DefectDojo/django-DefectDojo/tree/python3/dojo/unittests state] of Python3<br />
* Ensure all features work<br />
* Travis testing works correctly<br />
'''Option 3: Scan 2.0 / Launch Containers'''<br />
<br />
Scan 2.0 consists of automating the scanning orchestration within DefectDojo. Several proof of concepts exist for this using the AppSecpPipeline to launch containers and then push those finding into the appropriate product. <br />
* Use the [https://github.com/appsecpipeline/AppSecPipeline-Specification AppSecPipeline] containers to build a scanning pipeline built on top of [https://www.openfaas.com/ OpenFaaS]<br />
* Scans should be able to be scheduled by DefectDojo and then invoked via the REST API call to OpenFaaS<br />
* Upon scan completion the results will be posted back to DefectDojo via DefectDojo's REST API and consumed as an engagement/test.<br />
* Pick 2 or 3 popular open source scanners such as NMAP, ZAP and Nikto to start out with.<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
[[OWASP_Python_Honeypot|OWASP Honeypot]] is an open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Start ===<br />
<br />
It's best to start from [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page], we are looking forward to adding more modules and optimize the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more linux services<br />
<br />
=== Expected Results ===<br />
<br />
* Zero Bugs: Currently we may have several bugs in different conditions, and it's best to test the all functions and fix them<br />
* Monitoring: Right now monitoring limited to the connections (send&recieve) and it's best to store and analysis the contents for farther investigations and recognizing incoming attacks.<br />
* Duplicated codes: codes are complicated and duplicated in engine, should be fixed/clean up<br />
* New modules: add some creative ICS/Network/Web modules andvulnerable web applications, services and stuff<br />
* API: update API sync to all features<br />
* WebUI: Demonstrate and add API on WebUI and Live version with all features<br />
* WebUI Special Reports: Track the attacks more creative and provide high risk IPs<br />
* Database: Better database structure, faster and use queue<br />
* Data analysis: Analysis stored data and attack signatures<br />
* OWASP Top 10: Preparing useful processed/raw data for OWASP top 10 project<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet Analysis & Tshark & Libpcap<br />
* Docker<br />
* Database<br />
* Web Development Skills<br />
* Honeypot and Deception knowledge<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Feature Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)<br />
* Each feature comes with full functional unit and integration tests<br />
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Juice Shop Mobile ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
A complete mobile client for Juice-Shop API which will serve a legit mobile experience for Juice-Shop user as well as a plethora of Mobile app vulnerabilities and challenges around them to solve. Should in the best case translate the idea of Juice Shop's hacking challenges with a score board and success notifications into the mobile world.<br />
<br />
''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''<br />
<br />
''' Getting started '''<br />
* Get familiar with the architecture and code base of the application's RESTful backend<br />
* Get familiar with Native App developement<br />
* Get familiar with Mobile vulnerabilities<br />
<br />
'''Expected Results:'''<br />
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.<br />
* Sufficient initial release quality (en par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''<br />
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.<br />
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.<br />
<br />
''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''<br />
<br />
'''Expected Results:'''<br />
* A working implementation of e.g. an avatar-style "Hacking Instructor" or other solution based on the students own proposal<br />
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges<br />
* Documentation how to configure or script the "Hacking Instructor" for challenges in general<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular, some UI/UX experience would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP-Securetea Tools Project ==<br />
The OWASP SecureTea Project is a application designed to help Secure a person's laptop or computer / server with IoT (Internet Of Things) for notify users (via various communication mechanisms), whenever someone accesses their computer / server. This application uses the touchpad/mouse/wireless mouse to determine activity and is developed in Python and tested on various machines (Linux, Mac & Windows)<br />
. -<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
We are looking any awesome idea to improve Securetea Project that is not on this list? We are expecting make this project will be useful to everyone to secure their Small IoT. <br />
<br />
===Idea===<br />
Below roadmap and expect results you can choose to improve Securetea Project . <br />
if any bugs please help to fix it<br />
<br />
===Roadmap=== <br />
See Our Roadmap<br><br />
https://github.com/OWASP/SecureTea-Project#roadmap<br><br />
<br />
===Expect Results ===<br />
<br><br />
Securetea Protection /firewall<br><br />
Securetea Antivirus<br><br />
Notify by Whatsapp<br><br />
Notify by SMS Alerts<br><br />
Notify by Line<br><br />
Notify by Telegram<br><br />
Intelligent Log Monitoring include Web Deface Detection<br><br />
Detection of malicious devices <br><br />
Login History<br><br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) <br><br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A]]- (OWASP Securetea Project Leader)<br />
<br><br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
<br />
=== OWASP OWTF - Passive Online scanner improvements ===<br />
<br />
==== Brief Explanation ====<br />
OWTF allows many passive tests, such as those using third party websites like Google, Bing, etc. searches, as well as handy "Search for vulnerability" search boxes (i.e. Fingerprinting plugin). This feature involves the creation of a '''script''' that produces an interactive OWTF report with the intention of hosting it in the github.io site. The idea here is to have a passive, JavaScript-only interactive report available on the owtf.github.io site, so that people can try OWTF '''without installing anything''', simply visiting a URL.<br />
<br />
This would be a normal OWTF interactive report where the user can:<br />
* Enter a target<br />
* Try passive plugins (only the parts that use no tools)<br />
* Play with boilerplate templates from the OWTF interactive report<br />
An old version of the passive online scanner is hosted at https://owtf.github.io/online-passive-scanner.<br />
<br />
'''LEGAL CLARIFICATION (Just in case!)''': The passive online scanner, simply makes OWTF passive testing '''through third party websites''' more accessible to anybody, however it is the user that must 1) click the link manually + 2) do something bad with that afterwards + 3) doing 1 + 2 WITHOUT permission :). Therefore this passive online scanner does not do anything illegal [http://www.slideshare.net/abrahamaranguren/legal-and-efficient-web-app-testing-without-permission More information about why this is not illegal here] (recommended reading!)<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code]/ES6 JavaScript code in all modified code and surrounding areas.'''<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
A good knowledge of JavaScript and writing ES6 compliant React/TypeScript is needed. Previous exposure to security concepts and penetration testing is not required but recommended and some lack of this can be compensated with pre-GSoC involvement and will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP iGoat (draft) ==<br />
'''Idea 1:''' Completing OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos at for OWASP iGoat YouTube channel for learning purpose.<br />
<br />
'''Idea 2:''' Adding new challenge pack / CTF for iGoat. It should be one point solution for learning iOS app security<br />
<br />
== OWASP Seraphimdroid ==<br />
[[OWASP SeraphimDroid Project|OWASP Seraphimdroid]] is Android security and privacy app, with features to enhance user's knowledge about security and privacy on his/her mobile device. If you are interested in this project and working on it during Google Summer of Code, please contact [[User:Nikola Milosevic|Nikola Milosevic]] and express your interest.<br />
<br />
=== Idea 1: Anomaly detection of device state ===<br />
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, opp calls, etc.). Initially, the usual behaviour of the device would be learned. Later, anomalies normal behavior would be reported to the user. This should involve some explanations, such as which applications are causing an anomaly the device behaviors <br />
<br />
=== Idea 2: On device machine learning of maliciousness of an app ===<br />
Tensor-flow for on-device processing and some other libraries have been released that enable machine learning. We have previously applied a system, that based on permissions, is able to distinguish malicious apps from non-malicious. Now, we would like to learn also from other outputs and things one can monitor about application whether it can be malicious. <br />
<br />
=== Idea 3: Enhansing privacy features ===<br />
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved throug knowing which applications are using user accounts or other information that uthe user has on phone to send to the server, or just by knowing which applications may be doing it. Knowledgebase shouldbbeextending with the suggestions on how to improve privacy. Also, automated settings of various apps to use encryption should be proposed.<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== Active Scanning WebSockets ===<br />
: '''Brief Explanation:'''<br />
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).<br />
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* An pluggable infrastructure that allows us to active scan websockets<br />
:* Converting the relevant existing scan rules to work with websockets<br />
:* Implementing new websocket specific scan rules<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated Authentication Detection and Configuration ===<br />
: '''Brief Explanation:'''<br />
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
: This is time consuming and error prone.<br />
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* Detect login and registration pages<br />
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== IoT Goat ==<br />
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf IoT Top 10 2018]. <br />
<br />
===Idea 1: Insecure firmware web application ecosystem===<br />
'''Brief Explanation:'''<br />
<br />
A vulnerable web application, and backend API/web services deployed in OpenWrt containing critical vulnerabilities showcasing the traditional IoT problems.<br />
<br />
''' Getting started '''<br />
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-<br />
* Create a GitHub account to be added as a collaborator to the repository<br />
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md<br />
<br />
'''Expected Results:'''<br />
<br />
Development of a simple web application user interface with web services and API's deployed locally on the OpenWrt firmware. Documented challenges of how to discover and remediate web software security vulnerabilities. The insecure web application services must contain the following vulnerabilities to be used with the IoT testing guide: <br />
* Command injection<br />
* SQL injection<br />
* Local file inclusion <br />
* XXE injection,Insufficient Authentication<br />
* Transfer sensitive data using insecure channels<br />
* Store sensitive data insecurely<br />
Vulnerable SOAP web services and REST API implementations are in-scope. <br />
<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Embedded and/or web development (nice to have)<br />
** Web application code can be developed using the following common embedded programming languages:<br />
*** Lua<br />
*** PHP<br />
*** C/C++<br />
*** JavaScript<br />
<br />
===Idea 2: Insecure network services===<br />
'''Brief Explanation:'''<br />
<br />
Deliberately insecure services configured within OpenWrt such as an miniupnp daemon configured with secure_mode off (Secure mode; client can only redirect an incoming port to the client itself (same IP as the request comes from), to demonstrate a port mapping attack where an attacker from inside the network exposes a service that typically should be behind a LAN to the internet). <br />
<br />
''' Getting started '''<br />
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-<br />
* Create a GitHub account to be added as a collaborator to the repository<br />
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md<br />
<br />
'''Expected Results:'''<br />
<br />
Documented challenges of how to discover and remediate insecure network service vulnerabilities. The network services can be inherently insecure or have insecure configurations that can be abused during the challenges.<br />
* Example of network insecure services include:<br />
** FTP<br />
** Telnet<br />
** miniupnpd<br />
** HTTP<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Network security<br />
<br />
===Idea 3: Insecure firmware build system===<br />
'''Brief Explanation:'''<br />
<br />
Develop custom firmware builds of the latest OpenWrt version (18.06) demonstrating the process of incorporating debug services/tools, misconfigurations, and usage of vulnerable software packages. <br />
<br />
''' Getting started '''<br />
* Review OpenWrt's developer guide to get familiar with creating custom firmware builds<br />
** https://openwrt.org/docs/guide-developer/start<br />
** https://openwrt.org/docs/guide-developer/build-system/install-buildsystem<br />
** https://github.com/openwrt/openwrt<br />
<br />
'''Expected Results:'''<br />
* Provide walkthrough examples of insecure design choices for building firmware. <br />
* Provide suggested mitigation security controls<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Embedded development (C/C++)<br />
<br />
===Suggest your own ideas===<br />
You may suggest additional challenges or ideas that fit this project's objectives.<br />
<br />
=== Mentors and Leaders ===<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)<br />
<br />
==OWASP Web Honeypot Project ==<br />
<br />
The goal of the OWASP Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Within this project, Anglia Ruskin University is leading the collection, storage and analysis of threat intelligence data. <br />
<br />
https://www.owasp.org/index.php/OWASP_Honeypot_Project<br />
<br />
https://github.com/OWASP/Honeypot-Project/<br />
<br />
<br />
===Brief Explanation===<br />
The purpose of this part of the project is to capture intelligence on attacker activity against web applications and utilise this intelligence as ways to protect software against attacks. Honeypots are an established industry technique to provide a realistic target to entice a criminal, whilst encouraging them to divulge the tools and techniques they use during an attack. Like bees to a honeypot. These honeypots are safely designed to contain no information of monetary use to an attacker, and hence provide no risk to the businesses implementing them. <br><br />
<br />
The project will create honeypots that the community can distribute within their own networks. With enough honeypots globally distributed, we will be in a position to aggregate attack techniques to better understand and protect against the techniques used by attackers. With this information, we will be in a position to create educational information, such as rules and strategies, that application writers can use to ensure that any detected bugs and vulnerabilities are closed. <br><br />
<br />
===Idea===<br />
Project progression: <br />
* Honeypot software. The honeypot software that is to be provided to the community to place in their networks has been written. Honeypots are available in a variety of forms, to make deployment as flexible as possible and appeal to a diverse a user set as possible.<br />
* Collection software. The centralised collection software has been written and evaluated in a student driven proof-of-concept project. Honeypots have been attacked in a laboratory situation and have reported both the steps taken by the attacker and what they have attacked, back to the collection software.<br />
* Rollout to the Community. The project now needs a dedicated infrastructure platform in place that is available to the entire community to start collecting intelligence back from community deployed honeypots. This infrastructure will run the collector software, analysis programmes and provide a portal for communicating our finds and recommendations back to the community in a meaningful manner.<br />
* Going Forward. Toolkits and skills used by attackers do not stand still. As existing bugs are plugged, others open. Follow up stages for the project will be to create a messaging system to automatically update the community on findings of significant risk in their existing code that requires attention. <br />
<br />
<br />
===Expect Results ===<br />
<br />
Some of the ideas from last year's summit<br />
<br />
* Setup Proof of Concept to understand how Mod Security baed Honeypot/Probe interacts with a receiving console (develop a VM and/or Docker based test solution to store logs from multiple probes).<br />
* Evaluate console options to visualise threat data received from ModSecurity Honeypots/probes in MosSecurity Audit Console, WAF-FLE, Fluent and bespoke scripts for single and multiple probes.<br />
* Develop a mechanism to convert from stored MySQL to JSON format.<br />
* Provide a mechanism to convert ModSecurity mlogc audit log output into JSON format.<br />
* Provide a mechanism to convert mlogc audit log output directly into ELK (ElasticSearch/Logstash/Kibana) to visualise the data.<br />
* Provide a mechanism to forward honest output into threat intelligence format such as STIX using something like the MISP project(https://www.misp-project.org) to share Threat data coming from the Honeypots making it easy to export/import data from formats such as STIX and TAXII., may require use of concurrent logs in a format that MISP can deal with.<br />
* Consider new alternatives for log transfer including the use of MLOGC-NG or other possible approaches.<br />
* Develop a new VM based honeypot/robe based on CRS v3.0.<br />
* Develop new alternative small footprint honeypot/probe formats utilising Docker & Raspberry Pi.<br />
* Develop machine learning approach to automatically be able to update the rule set being used by the probe based on cyber threat intelligence received.<br />
<br />
<br />
=== Students Requirements ===<br />
<br />
Some of the skills we are looking for:<br />
<br />
* Apache/Tomcat <br />
* Any experience of MISP<br />
* MySQL & JSON<br />
* ELK <br />
* STIX/TAXII<br />
* Python<br />
* ModSecurity/mlogc<br />
* OWASP Core RuleSet (CRS)<br />
* Linux<br />
* VM/Docker<br />
<br />
=== Mentors === <br />
<br />
* [mailto:adrian.winckles@owasp.org Adrian Winckles] - (OWASP Web Honeypot Project Leader) <br><br />
<br />
===Suggest your own ideas===<br />
<br />
You may suggest additional challenges or ideas that fit this project's objectives.<br />
<br />
==OWASP Risk Assessment Framework ==<br />
Tool projects aim to assessment more than one or many web application using owasp risk rating mathodologies.<br />
https://github.com/OWASP/RiskAssessmentFramework<br />
<br />
'''Idea 1:''' make dashboard with databases and can assess many website based owasp risk rating mathodologies, create graph and report in pdf,word & excel format.<br />
=== Mentors === <br />
* [mailto:ade.putra@owasp.org Ade Yoseman] - <br></div>Delta24https://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=246729GSoC2019 Ideas2019-01-21T19:30:51Z<p>Delta24: added owtf</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
<br />
<br />
==OWASP-SKF (draft)==<br />
Idea 1: <br />
<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be <br />
<br />
easily deployed.<br />
<br />
In the current situation the security knowledge framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and <br />
<br />
a solution. The new labs are used to give the software developers or application security specialists a more in depth understanding and approach on how to test the <br />
<br />
vulnerabilities in their own code. <br />
* For example we have now around 20 lab challenges in Docker container build in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the Github repository are already automatically build and pushed to a docker registry where the SKF users can easily pull the images from to get their<br />
<br />
labs running. Of course they can download it and build it themselves from source by pulling the original repository. <br />
<br />
Idea 2: <br />
<br />
We want to extend the Machine learning chatbot functionality in SKF.<br />
* Create a desktop version of the chatbot. Where people can install the setup file on their local machine.<br />
* Extend the bots capability to do the google search(using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.<br />
* Extend the bot capability to reply what security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.<br />
* Extend the bot to different platforms like Facebook, telegram, slack etc.<br />
** Now the working chatbot implementation for example is only for Gitter<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
Option 1: Unit Tests - Difficulty: Easy<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
Option 2: Feature Enhancement - Difficulty: Varies<br />
* The functionality of DefectDojo is constantly expanding.<br />
* Feature enhancements offer programming challenges for all levels of experience.<br />
Option 3: Pull Request Review - Difficulty: Moderate - Hard<br />
* Test pull requests and provide feedback on code.<br />
<br />
<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
OWASP Honeypot is an open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Start ===<br />
<br />
It's best to start from [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page], we are looking forward to add more modules and optimize the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more linux services<br />
<br />
=== Expected Results ===<br />
...<br />
<br />
=== Roadmap ===<br />
<br />
...<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet Analysis<br />
* Docker<br />
* Database<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @wurstbrot and @J12934) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
TODO<br />
<br />
'''Expected Results:'''<br />
<br />
TODO<br />
<br />
''' Getting started: '''<br />
<br />
TODO<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
TODO<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP-Securetea Tools Project ==<br />
The purpose of this application is to warn the user (via various communication mechanisms) whenever their laptop accessed. This small application was developed and tested in python in Linux machine is likely to work well on the Raspberry Pi as well. -<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
We are looking any awesome idea to improve Securetea Project that is not on this list? We are expecting make this project will be useful to everyone to secure their Small IoT. <br />
<br />
===Idea===<br />
Below roadmap and expect results you can choose to improve Securetea Project . <br />
if any bugs please help to fix it<br />
<br />
===Roadmap=== <br />
See Our Roadmap<br><br />
https://github.com/OWASP/SecureTea-Project#roadmap<br><br />
Notify by Twitter (done)<br><br />
Securetea Dashboard / Gui (done)<br><br />
<br />
===Expect Results ===<br />
<br><br />
Securetea Protection /firewall<br><br />
Securetea Antivirus<br><br />
Notify by Whatsapp<br><br />
Notify by SMS Alerts<br><br />
Notify by Line<br><br />
Notify by Telegram<br><br />
<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
==='''Mentors '''=== <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) <br><br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A]]- (OWASP Securetea Project Leader)<br />
* [https://github.com/sananthu Ananthu S] - (Mentor)<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=239205OWASP OWTF2018-04-02T01:07:16Z<p>Delta24: /* Links */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| class="wikitable sortable" style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |[https://www.openhub.net/p/owasp-owtf/reviews/new Review this project]<br />
<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
=== '''The latest version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.3b OWTF 2.3b "MacinOWTF"].''' ===<br />
<br />
Project Leaders<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
== Links ==<br />
* [https://owtf.github.io#download OWASP OWTF Installation]<br />
* [https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
* [http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
* [http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
* [https://gitter.im/owtf/owtf OWASP OWTF Gitter Channel]<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2018 ! If you'd like to participate then see the [https://www.owasp.org/index.php/GSOC2018_Ideas OWASP Google Summer of Code 2018 Ideas page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Presentation and talks==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
[https://github.com/owtf/owtf/blob/develop/LICENSE.md LICENSE]<br />
<br />
== Openhub ==<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
==Classifications==<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" |[[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| colspan="2" align="center" |[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" |<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* April 6th, 2017 - [https://github.com/owtf/owtf/releases/tag/v2.1a OWTF 2.1a "Chicken Korma"] is here!<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
* [http://browserstack.com Browserstack] for providing a platform to test OWTF on multiple devices!<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=239204OWASP OWTF2018-04-02T01:06:47Z<p>Delta24: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| class="wikitable sortable" style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |[https://www.openhub.net/p/owasp-owtf/reviews/new Review this project]<br />
<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
=== '''The latest version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.3b OWTF 2.3b "MacinOWTF"].''' ===<br />
<br />
Project Leaders<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
== Links ==<br />
* [https://owtf.github.io#download OWASP OWTF Installation]<br />
* [https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
* [http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
* [http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
* [https://gitter.im/owtf/owtf OWASP OWTF Gitter Channel]<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2018 ! If you'd like to participate then see the [https://www.owasp.org/index.php/GSOC2018_Ideas OWASP Google Summer of Code 2018 Ideas page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Presentation and talks==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
<iframe src="//www.slideshare.net/slideshow/embed_code/key/5BOo24YsYCvXbO" width="595" height="485" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" style="border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;" allowfullscreen></iframe><br />
<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
[https://github.com/owtf/owtf/blob/develop/LICENSE.md LICENSE]<br />
<br />
== Openhub ==<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
==Classifications==<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" |[[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| colspan="2" align="center" |[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" |<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* April 6th, 2017 - [https://github.com/owtf/owtf/releases/tag/v2.1a OWTF 2.1a "Chicken Korma"] is here!<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
* [http://browserstack.com Browserstack] for providing a platform to test OWTF on multiple devices!<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=239203OWASP OWTF2018-04-02T01:05:29Z<p>Delta24: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| class="wikitable sortable" style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |[https://www.openhub.net/p/owasp-owtf/reviews/new Review this project]<br />
<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
=== '''The latest version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.3b OWTF 2.3b "MacinOWTF"].''' ===<br />
<br />
Project Leaders<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
== Links ==<br />
* [https://owtf.github.io#download OWASP OWTF Installation]<br />
* [https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
* [http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
* [http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
* [https://gitter.im/owtf/owtf OWASP OWTF Gitter Channel]<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2018 ! If you'd like to participate then see the [https://www.owasp.org/index.php/GSOC2018_Ideas OWASP Google Summer of Code 2018 Ideas page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Presentation and talks==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
<iframe src="//www.slideshare.net/slideshow/embed_code/key/5BOo24YsYCvXbO" width="595" height="485" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" style="border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;" allowfullscreen> </iframe><br />
<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
[https://github.com/owtf/owtf/blob/develop/LICENSE.md LICENSE]<br />
<br />
== Openhub ==<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
==Classifications==<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" |[[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| colspan="2" align="center" |[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" |<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* April 6th, 2017 - [https://github.com/owtf/owtf/releases/tag/v2.1a OWTF 2.1a "Chicken Korma"] is here!<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
* [http://browserstack.com Browserstack] for providing a platform to test OWTF on multiple devices!<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=239202OWASP OWTF2018-04-02T01:04:24Z<p>Delta24: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| class="wikitable sortable" style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |[https://www.openhub.net/p/owasp-owtf/reviews/new Review this project]<br />
<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
=== '''The latest version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.3b OWTF 2.3b "MacinOWTF"].''' ===<br />
<br />
Project Leaders<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
== Links ==<br />
* [https://owtf.github.io#download OWASP OWTF Installation]<br />
* [https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
* [http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
* [http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
* [https://gitter.im/owtf/owtf OWASP OWTF Gitter Channel]<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2018 ! If you'd like to participate then see the [https://www.owasp.org/index.php/GSOC2018_Ideas OWASP Google Summer of Code 2018 Ideas page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Presentation and talks==<br />
<br />
<nowiki><iframe src="//www.slideshare.net/slideshow/embed_code/key/5BOo24YsYCvXbO" width="595" height="485" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" style="border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;" allowfullscreen> </iframe></nowiki> <nowiki><div style="margin-bottom:5px"> <strong> <a href="//www.slideshare.net/JerodBrennenCISSP/automating-security-testing-with-the-owtf" title="Automating Security Testing with the OWTF" target="_blank">Automating Security Testing with the OWTF</a></nowiki> <nowiki></strong></nowiki> from <nowiki><strong><a href="https://www.slideshare.net/JerodBrennenCISSP" target="_blank">Jerod Brennen</a></nowiki><nowiki></strong></nowiki> <nowiki></div></nowiki><br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
[https://github.com/owtf/owtf/blob/develop/LICENSE.md LICENSE]<br />
<br />
== Openhub ==<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
==Classifications==<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" |[[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| colspan="2" align="center" |[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" |<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* April 6th, 2017 - [https://github.com/owtf/owtf/releases/tag/v2.1a OWTF 2.1a "Chicken Korma"] is here!<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
* [http://browserstack.com Browserstack] for providing a platform to test OWTF on multiple devices!<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=239201OWASP OWTF2018-04-02T00:54:27Z<p>Delta24: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| class="wikitable sortable" style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |[https://www.openhub.net/p/owasp-owtf/reviews/new Review this project]<br />
<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
=== '''The latest version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.3b OWTF 2.3b "MacinOWTF"].''' ===<br />
<br />
Project Leaders<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
== Links ==<br />
* [https://owtf.github.io#download OWASP OWTF Installation]<br />
* [https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
* [http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
* [http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
* [https://gitter.im/owtf/owtf OWASP OWTF Gitter Channel]<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2018 ! If you'd like to participate then see the [https://www.owasp.org/index.php/GSOC2018_Ideas OWASP Google Summer of Code 2018 Ideas page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Presentation and talks==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
[https://github.com/owtf/owtf/blob/develop/LICENSE.md LICENSE]<br />
<br />
== Openhub ==<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
==Classifications==<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" |[[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| colspan="2" align="center" |[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" |<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* April 6th, 2017 - [https://github.com/owtf/owtf/releases/tag/v2.1a OWTF 2.1a "Chicken Korma"] is here!<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
* [http://browserstack.com Browserstack] for providing a platform to test OWTF on multiple devices!<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=237499GSOC2018 Ideas2018-02-12T17:18:40Z<p>Delta24: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
===Brief Explanation:===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check OWASP Code Review Guide [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
===Needs:===<br />
'''Techincal writers'''<br />
<br />
===Expected Results:===<br />
* Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Move work in pdf and Adobe InDesign to GitBook format<br />
* Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
<br />
===Knowledge Prerequisite:===<br />
Good techincal writting skills, Adode InDesign<br />
<br />
===Proposals from student:===<br />
* Proposal on different formats to use to help increase the awareness and use of the OWASP Code Review Guide<br />
* Recommendations on how to use social applications to promote OWASP Code Review Guide to developers and IT management<br />
<br />
'''Mentors:'''<br />
* Gary Robinson [mailto:Gary.Robinson@owasp.org] - OWASP Code Review Guide Project Leader<br />
<br />
* Larry Conklin [mailto:Larry.Conklin@owasp.org] Larry Conklin - OWASP Code Review Guide Project Leader</div>Delta24https://wiki.owasp.org/index.php?title=User:Delta24&diff=236670User:Delta242018-01-08T09:54:42Z<p>Delta24: </p>
<hr />
<div>Grad student at Carnegie Mellon Univerisity! Interested in application security, cryptography and general vulnerability research. I try to participate in bug-bounty programs and CTFs.</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236669GSOC2018 Ideas2018-01-08T09:52:40Z<p>Delta24: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Zest Text Representation and Parser===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== SAMPLE: OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2016 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== REST API for the sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances.<br />
What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.<br />
<br />
Ideas on the project:<br />
Since the sandbox is written in python, you will be using Django to implement the api.<br />
The endpoint authorization can be done via certificates or plain signature or username/password type authentication. We would like to see what's your idea on the matter.<br />
However the communication between the two has to be over a secure channel.<br />
<br />
'''Expected Results:'''<br />
* A REST style api which allows an authenticated remote entity control the parts of the sandbox engine it has access to.<br />
* PEP8 compliant code<br />
* Acceptable unit test coverage<br />
<br />
''' Getting started: '''<br />
Since this has been a popular project here's a suggestion on how to get started.<br />
* Check the excellent work done by mebjas and a0xnirudh in their respective brances in the project's repository<br />
* Take a brief look at the code and try to get a feeling of the functionality included. (Essentially it's CRUD operations on vms or containers)<br />
* Read on what Docker and Vagrant are and take a look at their respective py-libraries<br />
* If you think that contributing helps perhaps it would be a good idea to start with lettuce tests on the current CRUD operations of the existing functionality(which won't change and can eventually be ported to the final project) <br />
<br />
'''Knowledge Prerequisites:'''<br />
Python, test driven development, some idea what REST is, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders<br />
<br />
=== New CMS ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The CMS part of the project is really old and has accumulated a significant amount of technical debt.<br />
In addition many design decisions are either outdated or could be improved. <br />
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.<br />
The new cms can be written in python using Django.<br />
<br />
'''Expected Results:'''<br />
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.<br />
* REST endpoints in addition to classic ones<br />
* tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.<br />
* PEP 8 code<br />
<br />
''' Note: '''<br />
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.<br />
If you decide to take on this project contact us and we can agree on a list of routes.<br />
If you don't decide to take on this project contact us.<br />
Generally contact us, we like it when students have insightful questions and the community is active<br />
<br />
<br />
''' Getting Started: '''<br />
* Install and take a brief look around the old cms so you have an idea of the functionality needed<br />
* It's ok to scream in frustration<br />
* If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)<br />
<br />
'''Knowledge Prerequisites:'''<br />
Python, Django, what REST is, the technologies used, some security knowledge would be nice.<br />
<br />
'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders<br />
<br />
==OWASP Security Knowledge Framework==<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell'''<br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
===Your idea / Getting started===<br />
*Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
===Expected Results===<br />
*Adding features to SKF project<br />
**https://github.com/blabla1337/skf-flask/issues/369<br />
**https://github.com/blabla1337/skf-flask/issues/367<br />
**https://github.com/blabla1337/skf-flask/issues/68<br />
**https://github.com/blabla1337/skf-flask/issues/95<br />
*Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
*Adding/updating knowledge base items<br />
*Adding CWE references to knowledgebase items<br />
**https://github.com/blabla1337/skf-flask/issues/35<br />
*Improve unit testing of the Angular quality, currently only 68% of the front-end is unit tested automated <br />
**https://github.com/blabla1337/skf-flask/issues/352<br />
===Knowledge Prerequisites===<br />
*For helping in the development of new features and functions you need Python flask and for the frond-end we use Angular 4.0<br />
*For writing knowledgebase items only technical knowledge of application security is required<br />
*For writing / updating code examples you need to know a programming language along with secure development.<br />
*For writing the verification guide you need some penetration testing experience.<br />
'''Mentors:'''<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
* Create more modules to the framework (web, network, IoT, etc.)<br />
* Create more categories to the framework (already has scan and brute)<br />
* Create API for the framework<br />
* Optimize the core (speed, hardware usage, user-friendly...)<br />
* Research and new methods and IDS/IPS detections.<br />
* Create a benchmark with other competitors frameworks<br />
* Improve documentation, languages and create a video library<br />
* Create GUI<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Frontend Tech/Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well. Furthermore, the OWASP Juice Shop could greatly benefit from involvement of someone with UI/UX Design expertise. Individual product images would be lovely, too.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
* Iterative and incremental redesign of the UI/UX as well as the product image catalog<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
* Additional web and/or graphic design experience would be highly welcome<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236668GSOC2018 Ideas2018-01-08T09:16:02Z<p>Delta24: Added and edited the ideas for OWTF.</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Zest Text Representation and Parser===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== SAMPLE: OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2016 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== REST API for the sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances.<br />
What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.<br />
<br />
Ideas on the project:<br />
Since the sandbox is written in python, you will be using Django to implement the api.<br />
The endpoint authorization can be done via certificates or plain signature or username/password type authentication. We would like to see what's your idea on the matter.<br />
However the communication between the two has to be over a secure channel.<br />
<br />
'''Expected Results:'''<br />
* A REST style api which allows an authenticated remote entity control the parts of the sandbox engine it has access to.<br />
* PEP8 compliant code<br />
* Acceptable unit test coverage<br />
<br />
''' Getting started: '''<br />
Since this has been a popular project here's a suggestion on how to get started.<br />
* Check the excellent work done by mebjas and a0xnirudh in their respective brances in the project's repository<br />
* Take a brief look at the code and try to get a feeling of the functionality included. (Essentially it's CRUD operations on vms or containers)<br />
* Read on what Docker and Vagrant are and take a look at their respective py-libraries<br />
* If you think that contributing helps perhaps it would be a good idea to start with lettuce tests on the current CRUD operations of the existing functionality(which won't change and can eventually be ported to the final project) <br />
<br />
'''Knowledge Prerequisites:'''<br />
Python, test driven development, some idea what REST is, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders<br />
<br />
=== New CMS ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The CMS part of the project is really old and has accumulated a significant amount of technical debt.<br />
In addition many design decisions are either outdated or could be improved. <br />
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.<br />
The new cms can be written in python using Django.<br />
<br />
'''Expected Results:'''<br />
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.<br />
* REST endpoints in addition to classic ones<br />
* tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.<br />
* PEP 8 code<br />
<br />
''' Note: '''<br />
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.<br />
If you decide to take on this project contact us and we can agree on a list of routes.<br />
If you don't decide to take on this project contact us.<br />
Generally contact us, we like it when students have insightful questions and the community is active<br />
<br />
<br />
''' Getting Started: '''<br />
* Install and take a brief look around the old cms so you have an idea of the functionality needed<br />
* It's ok to scream in frustration<br />
* If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)<br />
<br />
'''Knowledge Prerequisites:'''<br />
Python, Django, what REST is, the technologies used, some security knowledge would be nice.<br />
<br />
'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders<br />
<br />
==OWASP Security Knowledge Framework==<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell'''<br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
===Your idea / Getting started===<br />
*Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
===Expected Results===<br />
*Adding features to SKF project<br />
**https://github.com/blabla1337/skf-flask/issues/369<br />
**https://github.com/blabla1337/skf-flask/issues/367<br />
**https://github.com/blabla1337/skf-flask/issues/68<br />
**https://github.com/blabla1337/skf-flask/issues/95<br />
*Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
*Adding/updating knowledge base items<br />
*Adding CWE references to knowledgebase items<br />
**https://github.com/blabla1337/skf-flask/issues/35<br />
*Improve unit testing of the Angular quality, currently only 68% of the front-end is unit tested automated <br />
**https://github.com/blabla1337/skf-flask/issues/352<br />
===Knowledge Prerequisites===<br />
*For helping in the development of new features and functions you need Python flask and for the frond-end we use Angular 4.0<br />
*For writing knowledgebase items only technical knowledge of application security is required<br />
*For writing / updating code examples you need to know a programming language along with secure development.<br />
*For writing the verification guide you need some penetration testing experience.<br />
'''Mentors:'''<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
* Create more modules to the framework (web, network, IoT, etc.)<br />
* Create more categories to the framework (already has scan and brute)<br />
* Create API for the framework<br />
* Optimize the core (speed, hardware usage, user-friendly...)<br />
* Research and new methods and IDS/IPS detections.<br />
* Create a benchmark with other competitors frameworks<br />
* Improve documentation, languages and create a video library<br />
* Create GUI<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Frontend Tech/Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well. Furthermore, the OWASP Juice Shop could greatly benefit from involvement of someone with UI/UX Design expertise. Individual product images would be lovely, too.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
* Iterative and incremental redesign of the UI/UX as well as the product image catalog<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
* Additional web and/or graphic design experience would be highly welcome<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236667GSOC2018 Ideas2018-01-08T08:44:00Z<p>Delta24: Added OWTF</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Zest Text Representation and Parser===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== SAMPLE: OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2016 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
=== REST API for the sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances.<br />
What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.<br />
<br />
Ideas on the project:<br />
Since the sandbox is written in python, you will be using Django to implement the api.<br />
The endpoint authorization can be done via certificates or plain signature or username/password type authentication. We would like to see what's your idea on the matter.<br />
However the communication between the two has to be over a secure channel.<br />
<br />
'''Expected Results:'''<br />
* A REST style api which allows an authenticated remote entity control the parts of the sandbox engine it has access to.<br />
* PEP8 compliant code<br />
* Acceptable unit test coverage<br />
<br />
''' Getting started: '''<br />
Since this has been a popular project here's a suggestion on how to get started.<br />
* Check the excellent work done by mebjas and a0xnirudh in their respective brances in the project's repository<br />
* Take a brief look at the code and try to get a feeling of the functionality included. (Essentially it's CRUD operations on vms or containers)<br />
* Read on what Docker and Vagrant are and take a look at their respective py-libraries<br />
* If you think that contributing helps perhaps it would be a good idea to start with lettuce tests on the current CRUD operations of the existing functionality(which won't change and can eventually be ported to the final project) <br />
<br />
'''Knowledge Prerequisites:'''<br />
Python, test driven development, some idea what REST is, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders<br />
<br />
=== New CMS ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The CMS part of the project is really old and has accumulated a significant amount of technical debt.<br />
In addition many design decisions are either outdated or could be improved. <br />
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.<br />
The new cms can be written in python using Django.<br />
<br />
'''Expected Results:'''<br />
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.<br />
* REST endpoints in addition to classic ones<br />
* tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.<br />
* PEP 8 code<br />
<br />
''' Note: '''<br />
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.<br />
If you decide to take on this project contact us and we can agree on a list of routes.<br />
If you don't decide to take on this project contact us.<br />
Generally contact us, we like it when students have insightful questions and the community is active<br />
<br />
<br />
''' Getting Started: '''<br />
* Install and take a brief look around the old cms so you have an idea of the functionality needed<br />
* It's ok to scream in frustration<br />
* If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)<br />
<br />
'''Knowledge Prerequisites:'''<br />
Python, Django, what REST is, the technologies used, some security knowledge would be nice.<br />
<br />
'''Mentors:''' [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders<br />
<br />
==OWASP Security Knowledge Framework==<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell'''<br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
===Your idea / Getting started===<br />
*Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
===Expected Results===<br />
*Adding features to SKF project<br />
**https://github.com/blabla1337/skf-flask/issues/369<br />
**https://github.com/blabla1337/skf-flask/issues/367<br />
**https://github.com/blabla1337/skf-flask/issues/68<br />
**https://github.com/blabla1337/skf-flask/issues/95<br />
*Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
*Adding/updating knowledge base items<br />
*Adding CWE references to knowledgebase items<br />
**https://github.com/blabla1337/skf-flask/issues/35<br />
*Improve unit testing of the Angular quality, currently only 68% of the front-end is unit tested automated <br />
**https://github.com/blabla1337/skf-flask/issues/352<br />
===Knowledge Prerequisites===<br />
*For helping in the development of new features and functions you need Python flask and for the frond-end we use Angular 4.0<br />
*For writing knowledgebase items only technical knowledge of application security is required<br />
*For writing / updating code examples you need to know a programming language along with secure development.<br />
*For writing the verification guide you need some penetration testing experience.<br />
'''Mentors:'''<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
* Create more modules to the framework (web, network, IoT, etc.)<br />
* Create more categories to the framework (already has scan and brute)<br />
* Create API for the framework<br />
* Optimize the core (speed, hardware usage, user-friendly...)<br />
* Research and new methods and IDS/IPS detections.<br />
* Create a benchmark with other competitors frameworks<br />
* Improve documentation, languages and create a video library<br />
* Create GUI<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Frontend Tech/Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well. Furthermore, the OWASP Juice Shop could greatly benefit from involvement of someone with UI/UX Design expertise. Individual product images would be lovely, too.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
* Iterative and incremental redesign of the UI/UX as well as the product image catalog<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
* Additional web and/or graphic design experience would be highly welcome<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Report enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
*HTML (pure static html here)<br />
*PDF<br />
*XML (for processing)<br />
*JSON (for processing)<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Distributed architecture===<br />
To be updated soon!</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=228519OWASP OWTF2017-04-08T18:54:15Z<p>Delta24: /* The latest version of OWASP OWTF is OWTF 2.1a "Chicken Korma". */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| class="wikitable sortable" style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
=== '''The latest version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.1a OWTF 2.1a "Chicken Korma"].''' ===<br />
<br />
Project Leaders<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
== Links ==<br />
* [https://owtf.github.io#download OWASP OWTF Installation]<br />
* [https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
* [http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
* [http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
* [https://gitter.im/owtf/owtf OWASP OWTF Gitter Channel]<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the OWASP Summer Code Sprint 2017! If you'd like to participate then see the [https://www.owasp.org/index.php/GSOC_2017_for_Students Summer Code Sprint 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Presentation and talks==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
[https://github.com/owtf/owtf/blob/develop/LICENSE.md LICENSE]<br />
<br />
== Openhub ==<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
==Classifications==<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" |[[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| colspan="2" align="center" |[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" |<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* April 6th, 2017 - [https://github.com/owtf/owtf/releases/tag/v2.1a OWTF 2.1a "Chicken Korma"] is here!<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
* [http://browserstack.com Browserstack] for providing a platform to test OWTF on multiple devices!<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=228518OWASP OWTF2017-04-08T18:51:20Z<p>Delta24: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| class="wikitable sortable" style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
=== '''The latest version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.1a OWTF 2.1a "Chicken Korma"].''' ===<br />
<br />
Project Leaders<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
== Links ==<br />
* [https://owtf.github.io#download OWASP OWTF Installation]<br />
* [https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
* [http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
* [http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
* OWASP OWTF Gitter Channel: [](<nowiki>https://gitter.im/owtf/owtf</nowiki>)<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the OWASP Summer Code Sprint 2017! If you'd like to participate then see the [https://www.owasp.org/index.php/GSOC_2017_for_Students Summer Code Sprint 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Presentation and talks==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
[https://github.com/owtf/owtf/blob/develop/LICENSE.md LICENSE]<br />
<br />
== Openhub ==<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
==Classifications==<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" |[[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| align="center" valign="top" width="50%" |<br />
|-<br />
| colspan="2" align="center" |[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" |<br />
|}<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* April 6th, 2017 - [https://github.com/owtf/owtf/releases/tag/v2.1a OWTF 2.1a "Chicken Korma"] is here!<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
* [http://browserstack.com Browserstack] for providing a platform to test OWTF on multiple devices!<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226562OWASP OWTF2017-02-21T00:57:02Z<p>Delta24: /* Project Leader */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
* [http://browserstack.com Browserstack] for providing a platform to test OWTF on multiple devices!<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226368OWASP OWTF2017-02-14T21:58:05Z<p>Delta24: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
* [http://browserstack.com Browserstack] for providing a platform to test OWTF on multiple devices!<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226367OWASP OWTF2017-02-14T21:56:13Z<p>Delta24: /* Tested on Browserstack! */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226366OWASP OWTF2017-02-14T21:55:58Z<p>Delta24: /* Tested on Browserstack! */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
== Tested on Browserstack! ==<br />
<br />
| src="http://i.imgur.com/SjxT3ju.png" style="height=50px;width=50px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226365OWASP OWTF2017-02-14T21:55:12Z<p>Delta24: /* Openhub */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
== Tested on Browserstack! ==<br />
<br />
http://i.imgur.com/SjxT3ju.png <br />
| style="height=50px;width=50px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226364OWASP OWTF2017-02-14T21:54:20Z<p>Delta24: /* Openhub */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
Tested on Browserstack!<br />
----<br />
http://i.imgur.com/SjxT3ju.png <br />
| style="height=50px;width=50px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226363OWASP OWTF2017-02-14T21:53:52Z<p>Delta24: /* Openhub */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
Tested on Browserstack!<br />
----<br />
<br />
| http://i.imgur.com/SjxT3ju.png style="height=50px;width=50px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226362OWASP OWTF2017-02-14T21:53:40Z<p>Delta24: /* Openhub */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
Tested on Browserstack!<br />
<br />
----<br />
<br />
| http://i.imgur.com/SjxT3ju.png style="height=50px;width=50px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226361OWASP OWTF2017-02-14T21:53:18Z<p>Delta24: /* Openhub */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
Tested on Browserstack!<br />
<br />
| http://i.imgur.com/SjxT3ju.png style="height=50px;width=50px;" |<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226360OWASP OWTF2017-02-14T21:52:21Z<p>Delta24: /* Openhub */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
Tested on Browserstack!<br />
<br />
[img]http://i.imgur.com/SjxT3ju.png[/img]<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226359OWASP OWTF2017-02-14T21:51:03Z<p>Delta24: /* Openhub */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
<br />
Tested on Browserstack!<br />
----<br />
[https://d3but80xmlhqzj.cloudfront.net/production/images/static/header/header-logo.svg]<br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=226219OWASP OWTF2017-02-10T19:18:40Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2017! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2017%3A-Getting-started GSoC 2017 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
* [mailto:viyat001@gmail.com Viyat Bhalodia]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=226010GSOC2017 Ideas2017-02-05T16:16:07Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* ability to intercept the transactions<br />
* modify or replay transaction on the fly<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
* Create a browser instance and do the necessary login procedure<br />
* Handle the browser for the URI<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Distributed architecture ===<br />
<br />
To be updated soon!<br />
<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225968GSOC2017 Ideas2017-02-04T00:12:45Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on rewrite of some major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* can be to intercept the transactions<br />
* modify on the fly or replay transactions<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware?) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current requester object (based on urllib, urllib2) with one based on the new urllib3 with support for a real headless browser instance. The simple requester as of now which is good for sending HTTP requests. It will be great to also have a headless browser factory inside the requester. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e creds or script or whatever)<br />
* Create a browser instance and do the necessary login stuff<br />
* Handle the browser to whosoever asked for it<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Distributed plugin architecture ===<br />
<br />
To be updated soon!<br />
<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225967GSOC2017 Ideas2017-02-04T00:12:21Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
'''https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on rewrite of some major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* can be to intercept the transactions<br />
* modify on the fly or replay transactions<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware?) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current requester object (based on urllib, urllib2) with one based on the new urllib3 with support for a real headless browser instance. The simple requester as of now which is good for sending HTTP requests. It will be great to also have a headless browser factory inside the requester. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e creds or script or whatever)<br />
* Create a browser instance and do the necessary login stuff<br />
* Handle the browser to whosoever asked for it<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Distributed plugin architecture ===<br />
<br />
To be updated soon!<br />
<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225966GSOC2017 Ideas2017-02-04T00:11:16Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
[ https://github.com/owtf/owtf ]Offensive Web Testing Framework (OWTF) is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on rewrite of some major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* can be to intercept the transactions<br />
* modify on the fly or replay transactions<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware?) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current requester object (based on urllib, urllib2) with one based on the new urllib3 with support for a real headless browser instance. The simple requester as of now which is good for sending HTTP requests. It will be great to also have a headless browser factory inside the requester. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e creds or script or whatever)<br />
* Create a browser instance and do the necessary login stuff<br />
* Handle the browser to whosoever asked for it<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Distributed plugin architecture ===<br />
<br />
To be updated soon!<br />
<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225965GSOC2017 Ideas2017-02-04T00:10:36Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
[Offensive Web Testing Framework (OWTF) https://github.com/owtf/owtf.git] is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on rewrite of some major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* can be to intercept the transactions<br />
* modify on the fly or replay transactions<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware?) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current requester object (based on urllib, urllib2) with one based on the new urllib3 with support for a real headless browser instance. The simple requester as of now which is good for sending HTTP requests. It will be great to also have a headless browser factory inside the requester. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e creds or script or whatever)<br />
* Create a browser instance and do the necessary login stuff<br />
* Handle the browser to whosoever asked for it<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Distributed plugin architecture ===<br />
<br />
To be updated soon!<br />
<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225964GSOC2017 Ideas2017-02-04T00:10:11Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
[Offensive Web Testing Framework (OWTF)][https://github.com/owtf/owtf.git] is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on rewrite of some major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* can be to intercept the transactions<br />
* modify on the fly or replay transactions<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware?) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current requester object (based on urllib, urllib2) with one based on the new urllib3 with support for a real headless browser instance. The simple requester as of now which is good for sending HTTP requests. It will be great to also have a headless browser factory inside the requester. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e creds or script or whatever)<br />
* Create a browser instance and do the necessary login stuff<br />
* Handle the browser to whosoever asked for it<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Distributed plugin architecture ===<br />
<br />
To be updated soon!<br />
<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225959GSOC2017 Ideas2017-02-03T21:33:15Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
[[Offensive Web Testing Framework (OWTF)]] is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on rewrite of some major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* can be to intercept the transactions<br />
* modify on the fly or replay transactions<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware?) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current requester object (based on urllib, urllib2) with one based on the new urllib3 with support for a real headless browser instance. The simple requester as of now which is good for sending HTTP requests. It will be great to also have a headless browser factory inside the requester. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e creds or script or whatever)<br />
* Create a browser instance and do the necessary login stuff<br />
* Handle the browser to whosoever asked for it<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Distributed plugin architecture ===<br />
<br />
To be updated soon!<br />
<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225958GSOC2017 Ideas2017-02-03T21:09:16Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
[[Offensive Web Testing Framework (OWTF)]] is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on rewrite of some major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* can be to intercept the transactions<br />
* modify on the fly or replay transactions<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware?) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current requester object (based on urllib, urllib2) with one based on the new urllib3 with support for a real headless browser instance. The simple requester as of now which is good for sending HTTP requests. It will be great to also have a headless browser factory inside the requester. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e creds or script or whatever)<br />
* Create a browser instance and do the necessary login stuff<br />
* Handle the browser to whosoever asked for it<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225957GSOC2017 Ideas2017-02-03T20:57:12Z<p>Delta24: /* OWASP OWTF - Report enhancement */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
[[Offensive Web Testing Framework (OWTF)]] is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on major rewrite of major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* can be to intercept the transactions<br />
* modify on the fly or replay transactions<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware?) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current requester object (based on urllib, urllib2) with one based on the new urllib3 with support for a real headless browser instance. The simple requester as of now which is good for sending HTTP requests. It will be great to also have a headless browser factory inside the requester. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e creds or script or whatever)<br />
* Create a browser instance and do the necessary login stuff<br />
* Handle the browser to whosoever asked for it<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225956GSOC2017 Ideas2017-02-03T20:56:59Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
[[Offensive Web Testing Framework (OWTF)]] is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on major rewrite of major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* can be to intercept the transactions<br />
* modify on the fly or replay transactions<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware?) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current requester object (based on urllib, urllib2) with one based on the new urllib3 with support for a real headless browser instance. The simple requester as of now which is good for sending HTTP requests. It will be great to also have a headless browser factory inside the requester. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e creds or script or whatever)<br />
* Create a browser instance and do the necessary login stuff<br />
* Handle the browser to whosoever asked for it<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancement ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225952GSOC2017 Ideas2017-02-03T19:57:48Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
[[Offensive Web Testing Framework (OWTF)]] is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on major rewrite of major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* can be to intercept the transactions<br />
* modify on the fly or replay transactions<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: Design and implement a proxy plugin (middleware?) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225950GSOC2017 Ideas2017-02-03T19:20:32Z<p>Delta24: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the App(s) for education purpose during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.<br />
<br />
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestion on how to get started.<br />
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
[[Offensive Web Testing Framework (OWTF)]] is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas given below focus on major rewrite of major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=216554OWASP OWTF2016-05-07T17:18:19Z<p>Delta24: /* News and Events */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2016! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2016%3A-Getting-started GSoC 2016 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* May 7th, 2016 - [http://blog.7-a.org/2016/05/owtf-20a-tikka-masala-released-plz-rt.html OWTF 2.0a "Tikka Masala" is here!]<br />
<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=216553OWASP OWTF2016-05-07T13:06:37Z<p>Delta24: /* What is OWTF? */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2016! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2016%3A-Getting-started GSoC 2016 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v2.0a OWTF 2.0a "Tikka Masala"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=211769OWASP OWTF2016-03-25T03:51:18Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2016! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2016%3A-Getting-started GSoC 2016 wiki page]!====<br />
<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
* 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
* 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=211768OWASP OWTF2016-03-25T03:50:01Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2016! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2016%3A-Getting-started GSoC 2016 wiki page]!====<br />
<br />
Popularity:<br />
ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=211698OWASP OWTF2016-03-24T07:53:35Z<p>Delta24: /* News and Events */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2016! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2016%3A-Getting-started GSoC 2016 wiki page]!====<br />
<br />
Popularity:<br />
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* February 29th, 2016 - [https://summerofcode.withgoogle.com/organizations/ OWASP is selected for GSoC 2016 - OWTF is participating!] <br />
<br />
* July 10th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015_Progress_Reports#tab=Main OWTF got 3 slots in the OWASP Summer Code Sprint 2015!]<br />
<br />
* June 19th, 2015 - [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWTF is taking part in the OWASP Summer Code Sprint 2015]<br />
<br />
* October 15, 2014 - [http://blog.7-a.org/search?updated-max=2014-10-10T11:30:00%2B01:00&max-results=8 OWTF is taking part in the OWASP Winter Code Sprint!]<br />
<br />
* October 15, 2014 - [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart" released! - Fixed a major installation bug caused due to wrong handling of requirements by pip]<br />
<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=211696OWASP OWTF2016-03-24T07:10:33Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2016! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2016%3A-Getting-started GSoC 2016 wiki page]!====<br />
<br />
Popularity:<br />
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:<br />
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 10th]<br />
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 7th]<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=211695OWASP OWTF2016-03-24T07:07:43Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
<br />
{{Social Media Links}}<br />
<br />
====OWTF is taking part in the Google Summer of Code 2016! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2016%3A-Getting-started GSoC 2016 wiki page]!====<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=211694OWASP OWTF2016-03-24T07:06:40Z<p>Delta24: /* OWASP OWTF */</p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
====OWTF is taking part in the Google Summer of Code 2016! If you'd like to participate then see the [https://github.com/owtf/owtf/wiki/Google-Summer-of-Code-2016%3A-Getting-started GSoC 2016 wiki page]!====<br />
<br />
{{Social Media Links}}<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=211693OWASP OWTF2016-03-24T07:04:33Z<p>Delta24: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
{{Social Media Links}}<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=211692OWASP OWTF2016-03-24T07:02:48Z<p>Delta24: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|right]]<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
{{Social Media Links}}<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP OWTF is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24https://wiki.owasp.org/index.php?title=OWASP_OWTF&diff=211691OWASP OWTF2016-03-24T06:59:36Z<p>Delta24: </p>
<hr />
<div>=Main=<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP OWTF==<br />
[[Image:OWTFLogo.png|center]]<br />
<br />
{{Social Media Links}}<br />
<br />
==Introduction==<br />
<br />
OWTF aims to make pen testing:<br />
<br />
* Aligned with OWASP Testing Guide + PTES + NIST<br />
* More efficient<br />
* More comprehensive<br />
* More creative and fun (minimise un-creative work)<br />
<br />
so that pentesters will have more time to<br />
<br />
* See the big picture and think out of the box<br />
* More efficiently find, verify and combine vulnerabilities<br />
* Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions<br />
* Perform more tactical/targeted fuzzing on seemingly risky areas<br />
* Demonstrate true impact despite the short timeframes we are typically given to test.<br />
<br />
==Description==<br />
You can see what OWASP OWTF is all about in the following video:{{#ev:youtube|H6Ut8U9a5KE}}<br />
<br />
OWASP OWTF 1.0 "Lionheart" - Brucon 2014 5x5: {{#ev:youtube|j2UoAsOLMB4}}<br />
<br />
OWASP AppSec EU 2013: Introducing OWASP OWTF 5x5: {{#ev:youtube|Vpca4-OlZqs}}<br />
<br />
For more videos please see the [http://www.youtube.com/user/owtfproject YouTube channel]<br />
<br />
==Licensing==<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWTF? ==<br />
<br />
OWASP OWTF is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.<br />
<br />
[https://owtf.github.io#download OWASP OWTF Installation]<br />
<br />
[https://github.com/owtf/owtf/releases OWASP OWTF Releases]<br />
<br />
The current version of OWASP OWTF is [https://github.com/owtf/owtf/releases/tag/v1.0.1 OWTF 1.0.1 "Lionheart"].<br />
<br />
[http://docs.owtf.org OWASP OWTF Documentation]<br />
<br />
[https://owtf.github.io/online-passive-scanner/ Try some of the OWTF features from your browser!]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Release OWASP OWTF Release blog posts]<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWASP OWTF Talk blog posts]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf OWASP OWTF Mailing List]<br />
<br />
[http://webchat.freenode.net/?channels=owtf OWASP OWTF IRC Channel: #owtf on Freenode]<br />
<br />
==Presentation==<br />
<br />
The following links provide access to materials for OWTF talks (video, slides, etc.):<br />
<br />
[http://blog.7-a.org/search/label/OWTF%20Talks OWTF Talks at 7-a.org]<br />
<br />
== Project Leader ==<br />
<br />
* [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren]<br />
* [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju]<br />
<br />
== Related Projects ==<br />
<br />
<br />
== Openhub ==<br />
<br />
https://www.openhub.net/p/owasp-owtf<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* [https://owtf.github.io/#download Download now]<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_owtf Sign Up]<br />
<br />
== News and Events ==<br />
* October 5th 2014 - [http://blog.7-a.org/2014/10/owtf-10-lionheart-released.html OWTF 1.0 "Lionheart" released!]<br />
<br />
* September 26th 2014 - [http://blog.7-a.org/2014/09/owtf-10-lionheart-to-be-presented-brucon.html OWTF 1.0 "Lionheart" presented at Brucon!]<br />
<br />
* September 4th 2014 - [http://blog.7-a.org/2014/09/get-credits-help-owasp-meet-owasp.html - OWTF participating in OWASP Winter Code Sprint]<br />
<br />
* January 13th 2014 - [http://blog.7-a.org/2014/01/owtf-0450-winter-blizzard-released-plz.html OWTF 0.45.0 "Winter Blizzard" released!]<br />
<br />
*December 11th 2013 - [http://blog.7-a.org/2013/12/owasp-owtf-cfp-funds-contest-winners.html OWASP OWTF CFP funds contest WINNERS announced]<br />
<br />
*September 8th 2013 - [http://blog.7-a.org/2013/09/owasp-owtf-cfp-funds-contest.html OWASP OWTF CFP funds contest open!]<br />
<br />
*August 22nd-23rd 2013 - [https://appsec.eu/program/talk-teaser/ Introducing OWASP OWTF 5x5 @ OWASP AppSec EU]<br />
<br />
*August 9th 2013 - [http://blog.7-a.org/2013/08/owtf-030-summer-storm-ii-released-plz-rt.html OWTF 0.30 "Summer Storm II" released!]<br />
<br />
*July 1st 2013 - [http://blog.7-a.org/2013/07/owtf-020-summer-storm-i-released-plz-rt.html OWTF 0.20 "Summer Storm I" released!]<br />
<br />
*June 12th 2013 - [http://blog.7-a.org/2013/06/owasp-owtf-gsoc-selection-stats-and-poll.html OWASP OWTF GSoC Selection, Stats and Poll]<br />
<br />
*May 24th 2013 - [http://blog.7-a.org/2013/05/owasp-owtf-016-shady-citizen-released.html OWASP OWTF 0.16 "shady citizen" released, now working smoothly in Kali!]<br />
<br />
*April 22nd - May 3rd 2013 - [https://www.owasp.org/index.php/GSoC2013_Ideas Call for Student Proposals: OWASP OWTF will be part of the Google Summer of Code 2013]<br />
<br />
*April 24th 2013 - [http://www.securitybsides.org.uk/track_one.html Pentesting like a Grandmaster with OWASP OWTF to be presented at BSides London 2013]<br />
<br />
*February 26th 2013 - [http://blog.brucon.org/2013/02/the-5by5-race-is-on.html OWASP OWTF selected to be supported by Brucon 5x5]<br />
<br />
*September 26th 2012 - [http://2012.brucon.org/index.php/Schedule OWASP OWTF Workshop at Brucon]<br />
<br />
*September 24th 2012 - [http://blog.7-a.org/2012/09/owasp-owtf-015-brucon-released.html OWASP OWTF 0.15 BruCon released!]<br />
<br />
== In Print ==<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Flagship projects.jpg|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
OWTF documentation is hosted in the following resources:<br />
* [https://owtf.github.io/ Getting started]<br />
* [https://owtf.github.io/#download Downloading & Installation]<br />
* [http://docs.owtf.org OWASP OWTF Documentation]<br />
* [https://www.youtube.com/user/owtfproject/playlists OWTF Playlists with Demos/Talks on Youtube]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Join us on IRC (#owtf on Freenode)]<br />
* [http://www.slideshare.net/abrahamaranguren/presentations Some OWTF presentation slides]<br />
* [http://blog.7-a.org/search/label/OWTF%20Talks More OWTF Talk links]<br />
<br />
= Acknowledgements =<br />
==Volunteers==<br />
OWTF is developed by a worldwide [https://github.com/7a/owtf/blob/master/AUTHORS team] of volunteers.<br />
<br />
But we have also been helped by many organizations, either financially or through other means:<br />
<br />
* [http://www.owasp.org OWASP]<br />
* [http://www.elearnsecurity.com/ eLearnSecurity]<br />
* [http://www.google-melange.com/ Google]<br />
* [http://brucon.org BruCon]<br />
<br />
= Road Map and Getting Involved =<br />
OWTF attempts to solve the "penetration testers are never given enough time to test properly" problem, or in other words, OWTF = Test/Exploit ASAP, with this in mind, as of right now, the priorities are:<br />
* To improve security testing efficiency (i.e. test more in less time)<br />
* To improve security testing coverage (i.e. test more)<br />
* Gradually integrate the best tools<br />
* Unite the best tools and make them work together with the security tester<br />
* Remove or Reduce the need to babysit security tools during security assessments<br />
* Be a respository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.<br />
* Help penetration testers save time on report writing<br />
<br />
Involvement in the development and promotion of OWTF is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* [https://github.com/owtf/owtf/pulls Send us a pull request]<br />
* [https://github.com/owtf/owtf/issues Give us feedback / suggestions / report bugs]<br />
* [http://webchat.freenode.net/?randomnick=1&channels=%23owtf&prompt=1&uio=MTE9MjM20f Talk to us on IRC (#owtf on Freenode)]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf_developers Join our OWTF developers mailing list]<br />
* [https://lists.owasp.org/mailman/listinfo/owasp_owtf Join the general OWTF mailing list]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_OWTF}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Delta24