https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Ken+van+WykOWASP - User contributions [en]2026-05-09T12:29:38ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project&diff=226645Projects/OWASP iGoat Project2017-02-23T10:11:31Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude><br />
<br />
| project_name = OWASP iGoat Project<br />
<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| project_description = The iGoat project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.<br />
<br />
Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then he implements a remediation in the lesson's source code.<br />
<br />
Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.<br />
<br />
iGoat can be downloaded here: http://code.google.com/p/owasp-igoat/<br />
<br />
| project_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
<br />
| leader_name1 = Swaroop Yermalkar<br />
| leader_email1 = swaroop.sy@gmail.com<br />
| leader_username1 = <br />
<br />
| leader_name[2-10] =<br />
| leader_email[2-10] =<br />
| leader_username[2-10] = <br />
<br />
| contributor_name1 = Jonathan Carter<br />
| contributor_email1 = jonathan.carter@owasp.org<br />
| contributor_username1 = <br />
<br />
| contributor_name[2-10] = <br />
| contributor_email[2-10] = <br />
| contributor_username[2-10] = <br />
<br />
| pamphlet_link = <br />
| presentation_link = <br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-igoat-project<br />
| project_road_map = https://www.owasp.org/index.php/OWASP_iGoat_Project/Roadmap<br />
| links_url[1-10] = <br />
| links_name[1-10] = <br />
<br />
| release_1 = iGoat v1.1<br />
| release_2 = iGoat v2.0<br />
| release_3 = iGoat v2.1<br />
| release_4 =iGoat v2.3<br />
<!--- The line below is for GPC usage only. Please do not edit it ---><br />
| project_about_page = Projects/OWASP_iGoat_Project<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project&diff=226638Projects/OWASP iGoat Project2017-02-23T01:00:33Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude><br />
<br />
| project_name = OWASP iGoat Project<br />
<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| project_description = The iGoat project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.<br />
<br />
Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then he implements a remediation in the lesson's source code.<br />
<br />
Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.<br />
<br />
iGoat can be downloaded here: http://code.google.com/p/owasp-igoat/<br />
<br />
| project_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
<br />
| leader_name1 = Swaroop Yermalka<br />
| leader_email1 = swaroop.sy@gmail.com<br />
| leader_username1 = <br />
<br />
| leader_name[2-10] =<br />
| leader_email[2-10] =<br />
| leader_username[2-10] = <br />
<br />
| contributor_name1 = Jonathan Carter<br />
| contributor_email1 = jonathan.carter@owasp.org<br />
| contributor_username1 = <br />
<br />
| contributor_name[2-10] = <br />
| contributor_email[2-10] = <br />
| contributor_username[2-10] = <br />
<br />
| pamphlet_link = <br />
| presentation_link = <br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-igoat-project<br />
| project_road_map = https://www.owasp.org/index.php/OWASP_iGoat_Project/Roadmap<br />
| links_url[1-10] = <br />
| links_name[1-10] = <br />
<br />
| release_1 = iGoat v1.1<br />
| release_2 = iGoat v2.0<br />
| release_3 = iGoat v2.1<br />
| release_4 =iGoat v2.3<br />
<!--- The line below is for GPC usage only. Please do not edit it ---><br />
| project_about_page = Projects/OWASP_iGoat_Project<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=210926OWASP iGoat Project2016-03-10T14:47:42Z<p>Ken van Wyk: </p>
<hr />
<div>= Main =<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div><br />
<br />
^^^ Rest assured the iGoat project is NOT inactive. We're merely finding it a new home on Github after its home on Google Code went away. Sorry for the inconvenience, but we most assuredly are working on a new release.<br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
# Brief introduction to the problem.<br />
# Verify the problem by exploiting it.<br />
# Brief description of available remediations to the problem.<br />
# Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
NOTE: Please bear with us as we move this project over to Github. In the meantime, the current version is 2.3, and it can be downloaded here: https://drive.google.com/folderview?id=0B4JD0hBwn1-uZmJXU0pfdEUtdlE&usp=sharing<br />
<br />
= Framework =<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader (Ken van Wyk, ken@krvw.com) to find out how they can contribute to future releases of iGoat.<br />
<br />
= Status =<br />
<br />
The iGoat project was launched in May 2011. Version 2.3 was released on 20 November 2014. Source repository and download site:<br />
<br />
http://code.google.com/p/owasp-igoat/<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
<br> __NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=210925OWASP iGoat Project2016-03-10T14:46:35Z<p>Ken van Wyk: </p>
<hr />
<div>= Main =<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div><br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
# Brief introduction to the problem.<br />
# Verify the problem by exploiting it.<br />
# Brief description of available remediations to the problem.<br />
# Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
NOTE: Please bear with us as we move this project over to Github. In the meantime, the current version is 2.3, and it can be downloaded here: https://drive.google.com/folderview?id=0B4JD0hBwn1-uZmJXU0pfdEUtdlE&usp=sharing<br />
<br />
= Framework =<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader (Ken van Wyk, ken@krvw.com) to find out how they can contribute to future releases of iGoat.<br />
<br />
= Status =<br />
<br />
The iGoat project was launched in May 2011. Version 2.3 was released on 20 November 2014. Source repository and download site:<br />
<br />
http://code.google.com/p/owasp-igoat/<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
<br> __NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=210906OWASP iGoat Project2016-03-10T14:22:25Z<p>Ken van Wyk: </p>
<hr />
<div>= Main =<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div><br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
# Brief introduction to the problem.<br />
# Verify the problem by exploiting it.<br />
# Brief description of available remediations to the problem.<br />
# Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
The current version is 2.3, and it can be downloaded here: https://drive.google.com/folderview?id=0B4JD0hBwn1-uZmJXU0pfdEUtdlE&usp=sharing<br />
<br />
= Framework =<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader (Ken van Wyk, ken@krvw.com) to find out how they can contribute to future releases of iGoat.<br />
<br />
= Status =<br />
<br />
The iGoat project was launched in May 2011. Version 2.3 was released on 20 November 2014. Source repository and download site:<br />
<br />
http://code.google.com/p/owasp-igoat/<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
<br> __NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=185650OWASP iGoat Project2014-11-20T14:06:26Z<p>Ken van Wyk: /* Status */</p>
<hr />
<div>= Main =<br />
<br />
<b>Welcome to the iGoat OWASP project home page.</b><br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
# Brief introduction to the problem.<br />
# Verify the problem by exploiting it.<br />
# Brief description of available remediations to the problem.<br />
# Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
iGoat can be downloaded here: http://code.google.com/p/owasp-igoat/<br />
<br />
= Framework =<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader (Ken van Wyk, ken@krvw.com) to find out how they can contribute to future releases of iGoat.<br />
<br />
= Status =<br />
<br />
The iGoat project was launched in May 2011. Version 2.3 was released on 20 November 2014. Source repository and download site:<br />
<br />
http://code.google.com/p/owasp-igoat/<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
<br> __NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=User_talk:Ken_van_Wyk&diff=184234User talk:Ken van Wyk2014-10-29T11:22:31Z<p>Ken van Wyk: </p>
<hr />
<div>'''Welcome to ''OWASP''!'''<br />
We hope you will contribute much and well.<br />
You will probably want to read the [[Help:Contents|help pages]].<br />
Again, welcome and have fun! 21:41, 10 May 2011 (EDT)</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project/Releases/Current&diff=172127Projects/OWASP iGoat Project/Releases/Current2014-04-09T20:35:35Z<p>Ken van Wyk: </p>
<hr />
<div> [[OWASP iGoat Project Source (2.1)] https://code.google.com/p/owasp-igoat/]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project/Releases/Current&diff=172124Projects/OWASP iGoat Project/Releases/Current2014-04-09T20:21:09Z<p>Ken van Wyk: </p>
<hr />
<div> [[https://www.owasp.org/index.php/OWASP_iGoat_Project] OWASP iGoat project]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project/Releases/Current&diff=172123Projects/OWASP iGoat Project/Releases/Current2014-04-09T20:20:33Z<p>Ken van Wyk: </p>
<hr />
<div> [[https://www.owasp.org/index.php/OWASP_iGoat_Project]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project/Releases/Current&diff=172120Projects/OWASP iGoat Project/Releases/Current2014-04-09T20:18:03Z<p>Ken van Wyk: Redirected page to Projects/OWASP iGoat Project/Releases/iGoat v2.1</p>
<hr />
<div> #REDIRECT [[Projects/OWASP iGoat Project/Releases/iGoat v2.1]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project&diff=172119Projects/OWASP iGoat Project2014-04-09T20:17:00Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude><br />
<br />
| project_name = OWASP iGoat Project<br />
<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| project_description = The iGoat project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.<br />
<br />
Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then he implements a remediation in the lesson's source code.<br />
<br />
Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.<br />
<br />
iGoat can be downloaded here: http://code.google.com/p/owasp-igoat/<br />
<br />
| project_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| leader_name[2-10] =<br />
| leader_email[2-10] =<br />
| leader_username[2-10] = <br />
<br />
| contributor_name1 = Jonathan Carter<br />
| contributor_email1 = jonathan.carter@owasp.org<br />
| contributor_username1 = <br />
<br />
| contributor_name[2-10] = <br />
| contributor_email[2-10] = <br />
| contributor_username[2-10] = <br />
<br />
| pamphlet_link = <br />
| presentation_link = <br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-igoat-project<br />
| project_road_map = https://www.owasp.org/index.php/OWASP_iGoat_Project/Roadmap<br />
| links_url[1-10] = <br />
| links_name[1-10] = <br />
<br />
| release_1 = iGoat v1.1<br />
| release_2 = iGoat v2.0<br />
| release_3 = iGoat v2.1<br />
| release_4 =<br />
<!--- The line below is for GPC usage only. Please do not edit it ---><br />
| project_about_page = Projects/OWASP_iGoat_Project<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=172118OWASP iGoat Project2014-04-09T20:13:47Z<p>Ken van Wyk: </p>
<hr />
<div>= Main =<br />
<br />
<b>Welcome to the iGoat OWASP project home page.</b><br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
# Brief introduction to the problem.<br />
# Verify the problem by exploiting it.<br />
# Brief description of available remediations to the problem.<br />
# Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
iGoat can be downloaded here: http://code.google.com/p/owasp-igoat/<br />
<br />
= Framework =<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader (Ken van Wyk, ken@krvw.com) to find out how they can contribute to future releases of iGoat.<br />
<br />
= Status =<br />
<br />
The iGoat project was launched in May 2011. Version 2.1 was released on 9 April 2014. Source repository and download site:<br />
<br />
http://code.google.com/p/owasp-igoat/<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
<br> __NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=GSoC2014_Ideas&diff=167777GSoC2014 Ideas2014-02-10T11:18:06Z<p>Ken van Wyk: </p>
<hr />
<div>==OWASP Project Requests==<br />
<br />
=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===<br />
<br />
''''Brief Explanation:'''<br />
<br />
The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.<br />
New challenges need to be created in order to cover a broader set of vulnerabilities.<br />
Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.<br />
<br />
Ideas on the project:<br />
<br />
* Simulated simple buffer overflows<br />
* SQL injections<br />
* Man in the middle simulation<br />
* Bypassing regular expression filtering<br />
* Your idea here<br />
<br />
'''Expected Results:'''<br />
<br />
New cool challenges<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities. <br />
<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== OWASP Hackademic Challenges - Source Code testing environment ===<br />
<br />
''''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== OWASP Hackademic Challenges - Challenge Sandbox ===<br />
<br />
Now, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend,<br />
we'd like the ability to write a normal vulnerable web application as a challenge and leave it to hackademic to make sure that the server is not affected.<br />
Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss about it and plan it correctly.<br />
<br />
Ideas on the project:<br />
<br />
''' *Administrator's point of view* '''<br />
<br />
Create an infrastructure that spawns virtual environments for users while keeping the load reasonable on the server(s).<br />
Or configure apache,php,mysql in a way that allows for multiple instances of the programms to run in parallel completely seperated from the rest of the server.<br />
The student is expected to provide configuration scripts that do the above<br />
<br />
''' *Coder's Way* '''<br />
<br />
This is better explained with an example:<br />
In order to create an sql injection challenge one should be able to call a common unsecure mysql execute statement function.<br />
The student can override common functions like this providing their own implementation of a very temporary database (based on flat files or nosql solutions e.t.c.).<br />
The new functions should be able to detect the sqli and apply its results in a secure way(if the student drops a table no actual tables should be dropped but the table should not be visible to the student anymore).<br />
<br />
''' * Your solution here * '''<br />
<br />
The above solutions are by no way complete,their intention is to start you thinking.<br />
This is a difficult task so if you consider takling it talk to us early on so we can reach a good solution which is possible in the GSoC timeframe.<br />
<br />
''' Expected results '''<br />
<br />
You should be able to run a big enough subset of OWASP WebGoat PHP with minimal modification as a Hackademic Challenge<br />
<br />
=== OWASP Hackademic Challenges - CMS improvements ===<br />
<br />
''''Brief Explanation:'''<br />
<br />
The new CMS was created during last year's GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.<br />
<br />
Ideas on this project:<br />
<br />
* ''' Template''' *<br />
<br />
Since it's creation the project has received a good number of new features, but the visual/ux/ui part has never gotten much love.<br />
It would be good if we had a new template with proper ui design.<br />
<br />
* '''Questionaire creation plugin''' *<br />
<br />
We'd like the admin to be able to create questionaires, assign rules for each question (e.g. correct answer +2pts incorrect answer -2, no answer 0) and assign them to students as homework/exams.<br />
The grading can either be done automatically (for multiple choice) or be submitted to the creator of the questionaire.<br />
<br />
* '''Ability to show different articles on the user's home screen''' <br />
<br />
Now each user is served the latest article in her/his home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.<br />
<br />
* '''Gamification of the user's progress''' *<br />
<br />
A series of plugins and a template which allow the user to earn badges as they solve challenges and a better visual representation of their progress.<br />
<br />
* '''Ability to define series of challenges'''<br />
<br />
The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.<br />
<br />
* ''' Tagging of articles, users, challenges '''<br />
<br />
A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher.<br />
Also the user should be able to search according to the tags.<br />
<br />
* '''Your idea here''' <br />
<br />
We welcome new ideas to make the project look awesome.<br />
<br />
'''Expected Results:'''<br />
<br />
New features and security improvements on the CMS part of the project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP will be a deliberately insecure PHP web application which operates in different modes. A contest mode where challenges are selected by an admin and the system starts a contest. Admins can open up hints for participants and manage everything. A workshop mode, where the educator has control of the most of application features, as well as feedback of user activities and is ideal for learning environments, and a single mode where someone can browse challenges and solve them.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP. You are supposed to define flawed systems, which is not the hardest thing. Familiarity with web application security and SQL is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
===OWASP CSRF Guard===<br />
'''Description:''' [[Cross-Site_Request_Forgery_(CSRF)|CSRF]] is a complicated yet very effective web attack. The most important thing about CSRF is that it's hard to properly defend against it, specially when it comes to Web 2 and AJAX. We have had discussions on means of mitigating CSRF for years at OWASP, and are now ready to develop libraries for it. Many of the key ideas of this library can be found at [http://www.cs.sunysb.edu/~rpelizzi/jcsrf.pdf].<br />
<br />
'''Expected Results:''' A transparent Apache 2 module properly mitigating all POST CSRF attacks, as well as a lightweight PHP library doing the same.<br />
<br />
'''Knowledge prerequisites:''' Knowing CSRF and at least one way to defend against it, PHP, C/C++, Linux.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary <br />
<br />
<br />
===OWASP PHP Security Project===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
<br />
'''Expected Results: ''' Result of this project is much more security among PHP applications. Most PHP applications are vulnerable and there's no central approach to secure them (due to open source nature). Many people look at OWASP for such information.<br />
<br />
'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required. <br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary , Johanna Curiel<br />
<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently [[PHPRBAC]] which is the PHP version of the RBAC project is released.<br />
<br />
'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, specially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary <br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
=== OWASP OWTF - Zest support ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The Mozilla foundation has done great work with the Zest iniciative, this provides a great automated mechanism to replicate exploitation of security vulnerabilities in a format that makes tool communication easier: For example, ZAP supports Zest, so if OWTF can create a Zest script for a vulnerability in an automated fashion, this may in turn be easier to import into ZAP and other tools.<br />
<br />
[https://developer.mozilla.org/en-US/docs/Zest More information on Zest can be found here]<br />
<br />
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Some previous exposure to security concepts, penetration testing, Python and development in general is important for this project.<br />
<br />
<br />
=== OWASP OWTF - Improved Plug-n-Hack support ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The Mozilla foundation has done great work with the Plug-n-Hack standard, this provides greatly improved interaction with the web browser.<br />
Although OWTF already supports Plug-n-Hack for MiTM purposes, there are many other features that could be implemented to leaverage Plug-n-Hack.<br />
The aim of this project would be to try to cover as much as possible from the Plug-n-Hack standard as relevant to OWTF.<br />
<br />
[https://www.youtube.com/watch?v=pYFtLA2yTR8 Please see this demo to see the newest Plug-n-Hack additions]<br />
<br />
[https://blog.mozilla.org/security/2013/08/22/plug-n-hack/ For more information about plug and hack please see this]<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
<br />
<br />
=== OWASP OWTF - Stateful Browser with configurable authentication ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The automated functionality of OWASP OWTF is currently limited to the non-authenticated portion of a website. We would like to implement authentication support through:<br />
<br />
1) OWTF parameters<br />
<br />
2) Configuration files<br />
<br />
<br />
What we would like to do here is to leverage the [http://wwwsearch.sourceforge.net/mechanize/ powerful mechanize python library] and build at least support for the following authentication options:<br />
* Basic authentication [https://github.com/7a/owtf/issues/9 Already implemented here]<br />
* Cookie based authentication<br />
* Form-based authentication<br />
<br />
Additionally, we would welcome here a feature to detect when the user has been logged off, to log OWTF back in again before retrying the next request. <-- The proxy is probably a better place to implement this since external tools would also benefit from this. This feature will have to be coordinated with the MiTM proxy feature (already implemented).<br />
<br />
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with the mechanize library or HTTP state is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
=== OWASP OWTF - SQL database ===<br />
<br />
'''Brief explanation:'''<br />
<br />
OWASP OWTF scans may take a large amount of disk space due to saving information in text files, we would like to add an option to use a SQL database, probably using the sqlalchemy python library.<br />
* Keep the current text file format as an option<br />
* Add a database storage option using the sqlalchemy library <br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* Reliability: Both with the sql database option and the text file options.<br />
* Test cases<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, sqlalchemy experience would be beneficial for this<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
=== OWASP OWTF - Unit Test Framework ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
=== OWASP OWTF - Python version upgrade and compatibility ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Right now OWASP OWTF works on Python 2.6.5-2.7.3 (might work on surrounding versions too), the aim of this project would be to change the existing codebase so that it additionally works on newer python versions too, for example Python 3.3.<br />
The intention here is to take advantage of improvements in newer python versions when available while letting OWASP OWTF work on older python versions too (i.e. 2.6.5) if that is the only option available.<br />
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable due to compatibility.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* Performant and reliable OWASP OWTF execution on multiple python versions, in particular the latest python version (i.e. 3.3.x) as well as the previous 2.6.5-2.7.3 range.<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with python version upgrades and python version compatibility implementations, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
===OWASP PCI TOOLKIT===<br />
[[File:Pci-toolkit-items-small.gif]]<br> OWASP PCI toolkit is an Open Source project built using Google Engine App, that will help organizations scope the PCI-DSS requirements for their System Components. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.<br />
<br />
In order to comply with this standard, organizations need to understand the PCI-DSS requirements. Many of these requirements use OWASP guidelines as their baseline.<br />
<br />
The OWASP PCI toolkit is a project focused on helping organization understand how OWASP guidelines apply to the PCI-DSS requirements.<br />
<br />
'''Expected results:'''<br />
<br />
4 complete modules built as a Google App Engine: <br />
http://pci-toolkit.appspot.com/<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Skill Level: Easy-Medium<br />
Python, HTML, CSS, Google App Engine.<br />
<br />
Affinity with financial institutions, Web security and credit card-online transactions<br />
<br />
'''OWASP project page:'''<br />
<br />
https://www.owasp.org/index.php/Category:OWASP_PCI_Project<br />
<br />
Mentor: Johanna Curiel - emai: firstname.lastname@owasp.org<br />
<br />
<br />
=== OWASP iGoat ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Right now OWASP iGoat works fine as a full universal iOS app on iPhone and iPads up to iOS 6.x and Xcode 4.x. It needs to be updated to properly function under iOS 7.x and Xcode 5.x, which will require some code maintenance, GUI changes, and so on.<br />
<br />
Although it is primarily maintenance items that need the updating, the student will gain an intimate familiarity with how the iGoat platform works, including how to write and plug-in new exercise modules. Writing additional exercises, with all due credit, will also be encouraged in an optional second phase of this project.<br />
<br />
For background on OWASP iGoat please see: https://www.owasp.org/index.php/OWASP_iGoat_Project<br />
<br />
'''Expected results:'''<br />
<br />
* iGoat functions properly in all current aspects under iOS 7.x, compiled under Xcode 5.x.<br />
* All GUI, buttons, and other presentation layer aspects of iGoat are compliant with iOS 7.x look and feel.<br />
* (Optionally) write one or more new iGoat exercise modules, based on existing design descriptions to be provided by the project mentor.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
iOS app development in Xcode using Objective C will be quite necessary. Familiarity with iOS 7.x user interface updates additionally helpful.<br />
<br />
<br />
'''Mentor: Ken van Wyk - OWASP iGoat Project Leader - Contact: ken@krvw.com'''</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=GSoC2014_Ideas&diff=167776GSoC2014 Ideas2014-02-10T11:13:44Z<p>Ken van Wyk: </p>
<hr />
<div>==OWASP Project Requests==<br />
<br />
=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===<br />
<br />
''''Brief Explanation:'''<br />
<br />
The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.<br />
New challenges need to be created in order to cover a broader set of vulnerabilities.<br />
Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.<br />
<br />
Ideas on the project:<br />
<br />
* Simulated simple buffer overflows<br />
* SQL injections<br />
* Man in the middle simulation<br />
* Bypassing regular expression filtering<br />
* Your idea here<br />
<br />
'''Expected Results:'''<br />
<br />
New cool challenges<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities. <br />
<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== OWASP Hackademic Challenges - Source Code testing environment ===<br />
<br />
''''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== OWASP Hackademic Challenges - Challenge Sandbox ===<br />
<br />
Now, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend,<br />
we'd like the ability to write a normal vulnerable web application as a challenge and leave it to hackademic to make sure that the server is not affected.<br />
Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss about it and plan it correctly.<br />
<br />
Ideas on the project:<br />
<br />
''' *Administrator's point of view* '''<br />
<br />
Create an infrastructure that spawns virtual environments for users while keeping the load reasonable on the server(s).<br />
Or configure apache,php,mysql in a way that allows for multiple instances of the programms to run in parallel completely seperated from the rest of the server.<br />
The student is expected to provide configuration scripts that do the above<br />
<br />
''' *Coder's Way* '''<br />
<br />
This is better explained with an example:<br />
In order to create an sql injection challenge one should be able to call a common unsecure mysql execute statement function.<br />
The student can override common functions like this providing their own implementation of a very temporary database (based on flat files or nosql solutions e.t.c.).<br />
The new functions should be able to detect the sqli and apply its results in a secure way(if the student drops a table no actual tables should be dropped but the table should not be visible to the student anymore).<br />
<br />
''' * Your solution here * '''<br />
<br />
The above solutions are by no way complete,their intention is to start you thinking.<br />
This is a difficult task so if you consider takling it talk to us early on so we can reach a good solution which is possible in the GSoC timeframe.<br />
<br />
''' Expected results '''<br />
<br />
You should be able to run a big enough subset of OWASP WebGoat PHP with minimal modification as a Hackademic Challenge<br />
<br />
=== OWASP Hackademic Challenges - CMS improvements ===<br />
<br />
''''Brief Explanation:'''<br />
<br />
The new CMS was created during last year's GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.<br />
<br />
Ideas on this project:<br />
<br />
* ''' Template''' *<br />
<br />
Since it's creation the project has received a good number of new features, but the visual/ux/ui part has never gotten much love.<br />
It would be good if we had a new template with proper ui design.<br />
<br />
* '''Questionaire creation plugin''' *<br />
<br />
We'd like the admin to be able to create questionaires, assign rules for each question (e.g. correct answer +2pts incorrect answer -2, no answer 0) and assign them to students as homework/exams.<br />
The grading can either be done automatically (for multiple choice) or be submitted to the creator of the questionaire.<br />
<br />
* '''Ability to show different articles on the user's home screen''' <br />
<br />
Now each user is served the latest article in her/his home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.<br />
<br />
* '''Gamification of the user's progress''' *<br />
<br />
A series of plugins and a template which allow the user to earn badges as they solve challenges and a better visual representation of their progress.<br />
<br />
* '''Ability to define series of challenges'''<br />
<br />
The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.<br />
<br />
* ''' Tagging of articles, users, challenges '''<br />
<br />
A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher.<br />
Also the user should be able to search according to the tags.<br />
<br />
* '''Your idea here''' <br />
<br />
We welcome new ideas to make the project look awesome.<br />
<br />
'''Expected Results:'''<br />
<br />
New features and security improvements on the CMS part of the project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP will be a deliberately insecure PHP web application which operates in different modes. A contest mode where challenges are selected by an admin and the system starts a contest. Admins can open up hints for participants and manage everything. A workshop mode, where the educator has control of the most of application features, as well as feedback of user activities and is ideal for learning environments, and a single mode where someone can browse challenges and solve them.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP. You are supposed to define flawed systems, which is not the hardest thing. Familiarity with web application security and SQL is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
===OWASP CSRF Guard===<br />
'''Description:''' [[Cross-Site_Request_Forgery_(CSRF)|CSRF]] is a complicated yet very effective web attack. The most important thing about CSRF is that it's hard to properly defend against it, specially when it comes to Web 2 and AJAX. We have had discussions on means of mitigating CSRF for years at OWASP, and are now ready to develop libraries for it. Many of the key ideas of this library can be found at [http://www.cs.sunysb.edu/~rpelizzi/jcsrf.pdf].<br />
<br />
'''Expected Results:''' A transparent Apache 2 module properly mitigating all POST CSRF attacks, as well as a lightweight PHP library doing the same.<br />
<br />
'''Knowledge prerequisites:''' Knowing CSRF and at least one way to defend against it, PHP, C/C++, Linux.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary <br />
<br />
<br />
===OWASP PHP Security Project===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
<br />
'''Expected Results: ''' Result of this project is much more security among PHP applications. Most PHP applications are vulnerable and there's no central approach to secure them (due to open source nature). Many people look at OWASP for such information.<br />
<br />
'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required. <br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary , Johanna Curiel<br />
<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently [[PHPRBAC]] which is the PHP version of the RBAC project is released.<br />
<br />
'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, specially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary <br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
=== OWASP OWTF - Zest support ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The Mozilla foundation has done great work with the Zest iniciative, this provides a great automated mechanism to replicate exploitation of security vulnerabilities in a format that makes tool communication easier: For example, ZAP supports Zest, so if OWTF can create a Zest script for a vulnerability in an automated fashion, this may in turn be easier to import into ZAP and other tools.<br />
<br />
[https://developer.mozilla.org/en-US/docs/Zest More information on Zest can be found here]<br />
<br />
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Some previous exposure to security concepts, penetration testing, Python and development in general is important for this project.<br />
<br />
<br />
=== OWASP OWTF - Improved Plug-n-Hack support ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The Mozilla foundation has done great work with the Plug-n-Hack standard, this provides greatly improved interaction with the web browser.<br />
Although OWTF already supports Plug-n-Hack for MiTM purposes, there are many other features that could be implemented to leaverage Plug-n-Hack.<br />
The aim of this project would be to try to cover as much as possible from the Plug-n-Hack standard as relevant to OWTF.<br />
<br />
[https://www.youtube.com/watch?v=pYFtLA2yTR8 Please see this demo to see the newest Plug-n-Hack additions]<br />
<br />
[https://blog.mozilla.org/security/2013/08/22/plug-n-hack/ For more information about plug and hack please see this]<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
<br />
<br />
=== OWASP OWTF - Stateful Browser with configurable authentication ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The automated functionality of OWASP OWTF is currently limited to the non-authenticated portion of a website. We would like to implement authentication support through:<br />
<br />
1) OWTF parameters<br />
<br />
2) Configuration files<br />
<br />
<br />
What we would like to do here is to leverage the [http://wwwsearch.sourceforge.net/mechanize/ powerful mechanize python library] and build at least support for the following authentication options:<br />
* Basic authentication [https://github.com/7a/owtf/issues/9 Already implemented here]<br />
* Cookie based authentication<br />
* Form-based authentication<br />
<br />
Additionally, we would welcome here a feature to detect when the user has been logged off, to log OWTF back in again before retrying the next request. <-- The proxy is probably a better place to implement this since external tools would also benefit from this. This feature will have to be coordinated with the MiTM proxy feature (already implemented).<br />
<br />
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with the mechanize library or HTTP state is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
=== OWASP OWTF - SQL database ===<br />
<br />
'''Brief explanation:'''<br />
<br />
OWASP OWTF scans may take a large amount of disk space due to saving information in text files, we would like to add an option to use a SQL database, probably using the sqlalchemy python library.<br />
* Keep the current text file format as an option<br />
* Add a database storage option using the sqlalchemy library <br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* Reliability: Both with the sql database option and the text file options.<br />
* Test cases<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, sqlalchemy experience would be beneficial for this<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
=== OWASP OWTF - Unit Test Framework ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
=== OWASP OWTF - Python version upgrade and compatibility ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Right now OWASP OWTF works on Python 2.6.5-2.7.3 (might work on surrounding versions too), the aim of this project would be to change the existing codebase so that it additionally works on newer python versions too, for example Python 3.3.<br />
The intention here is to take advantage of improvements in newer python versions when available while letting OWASP OWTF work on older python versions too (i.e. 2.6.5) if that is the only option available.<br />
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable due to compatibility.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* Performant and reliable OWASP OWTF execution on multiple python versions, in particular the latest python version (i.e. 3.3.x) as well as the previous 2.6.5-2.7.3 range.<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with python version upgrades and python version compatibility implementations, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
===OWASP PCI TOOLKIT===<br />
[[File:Pci-toolkit-items-small.gif]]<br> OWASP PCI toolkit is an Open Source project built using Google Engine App, that will help organizations scope the PCI-DSS requirements for their System Components. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.<br />
<br />
In order to comply with this standard, organizations need to understand the PCI-DSS requirements. Many of these requirements use OWASP guidelines as their baseline.<br />
<br />
The OWASP PCI toolkit is a project focused on helping organization understand how OWASP guidelines apply to the PCI-DSS requirements.<br />
<br />
'''Expected results:'''<br />
<br />
4 complete modules built as a Google App Engine: <br />
http://pci-toolkit.appspot.com/<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Skill Level: Easy-Medium<br />
Python, HTML, CSS, Google App Engine.<br />
<br />
Affinity with financial institutions, Web security and credit card-online transactions<br />
<br />
'''OWASP project page:'''<br />
<br />
https://www.owasp.org/index.php/Category:OWASP_PCI_Project<br />
<br />
Mentor: Johanna Curiel - emai: firstname.lastname@owasp.org<br />
<br />
<br />
=== OWASP iGoat ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Right now OWASP iGoat works fine as a full universal iOS app on iPhone and iPads up to iOS 6.x and Xcode 4.x. It needs to be updated to properly function under iOS 7.x and Xcode 5.x, which will require some code maintenance, GUI changes, and so on.<br />
<br />
<br />
For background on OWASP iGoat please see: https://www.owasp.org/index.php/OWASP_iGoat_Project<br />
<br />
'''Expected results:'''<br />
<br />
* iGoat functions properly in all current aspects under iOS 7.x, compiled under Xcode 5.x.<br />
* All GUI, buttons, and other presentation layer aspects of iGoat are compliant with iOS 7.x look and feel.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
iOS app development in Xcode using Objective C will be quite necessary. Familiarity with iOS 7.x user interface updates additionally helpful.<br />
<br />
<br />
'''Mentor: Ken van Wyk - OWASP iGoat Project Leader - Contact: ken@krvw.com'''</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=GSoC2014_Ideas&diff=167775GSoC2014 Ideas2014-02-10T11:12:37Z<p>Ken van Wyk: </p>
<hr />
<div>==OWASP Project Requests==<br />
<br />
=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===<br />
<br />
''''Brief Explanation:'''<br />
<br />
The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.<br />
New challenges need to be created in order to cover a broader set of vulnerabilities.<br />
Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.<br />
<br />
Ideas on the project:<br />
<br />
* Simulated simple buffer overflows<br />
* SQL injections<br />
* Man in the middle simulation<br />
* Bypassing regular expression filtering<br />
* Your idea here<br />
<br />
'''Expected Results:'''<br />
<br />
New cool challenges<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities. <br />
<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== OWASP Hackademic Challenges - Source Code testing environment ===<br />
<br />
''''Brief Explanation:'''<br />
<br />
Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.<br />
<br />
'''Expected Results:'''<br />
<br />
A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== OWASP Hackademic Challenges - Challenge Sandbox ===<br />
<br />
Now, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend,<br />
we'd like the ability to write a normal vulnerable web application as a challenge and leave it to hackademic to make sure that the server is not affected.<br />
Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss about it and plan it correctly.<br />
<br />
Ideas on the project:<br />
<br />
''' *Administrator's point of view* '''<br />
<br />
Create an infrastructure that spawns virtual environments for users while keeping the load reasonable on the server(s).<br />
Or configure apache,php,mysql in a way that allows for multiple instances of the programms to run in parallel completely seperated from the rest of the server.<br />
The student is expected to provide configuration scripts that do the above<br />
<br />
''' *Coder's Way* '''<br />
<br />
This is better explained with an example:<br />
In order to create an sql injection challenge one should be able to call a common unsecure mysql execute statement function.<br />
The student can override common functions like this providing their own implementation of a very temporary database (based on flat files or nosql solutions e.t.c.).<br />
The new functions should be able to detect the sqli and apply its results in a secure way(if the student drops a table no actual tables should be dropped but the table should not be visible to the student anymore).<br />
<br />
''' * Your solution here * '''<br />
<br />
The above solutions are by no way complete,their intention is to start you thinking.<br />
This is a difficult task so if you consider takling it talk to us early on so we can reach a good solution which is possible in the GSoC timeframe.<br />
<br />
''' Expected results '''<br />
<br />
You should be able to run a big enough subset of OWASP WebGoat PHP with minimal modification as a Hackademic Challenge<br />
<br />
=== OWASP Hackademic Challenges - CMS improvements ===<br />
<br />
''''Brief Explanation:'''<br />
<br />
The new CMS was created during last year's GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.<br />
<br />
Ideas on this project:<br />
<br />
* ''' Template''' *<br />
<br />
Since it's creation the project has received a good number of new features, but the visual/ux/ui part has never gotten much love.<br />
It would be good if we had a new template with proper ui design.<br />
<br />
* '''Questionaire creation plugin''' *<br />
<br />
We'd like the admin to be able to create questionaires, assign rules for each question (e.g. correct answer +2pts incorrect answer -2, no answer 0) and assign them to students as homework/exams.<br />
The grading can either be done automatically (for multiple choice) or be submitted to the creator of the questionaire.<br />
<br />
* '''Ability to show different articles on the user's home screen''' <br />
<br />
Now each user is served the latest article in her/his home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.<br />
<br />
* '''Gamification of the user's progress''' *<br />
<br />
A series of plugins and a template which allow the user to earn badges as they solve challenges and a better visual representation of their progress.<br />
<br />
* '''Ability to define series of challenges'''<br />
<br />
The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.<br />
<br />
* ''' Tagging of articles, users, challenges '''<br />
<br />
A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher.<br />
Also the user should be able to search according to the tags.<br />
<br />
* '''Your idea here''' <br />
<br />
We welcome new ideas to make the project look awesome.<br />
<br />
'''Expected Results:'''<br />
<br />
New features and security improvements on the CMS part of the project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements. <br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
===OWASP WebGoatPHP===<br />
'''Description:'''<br />
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. <br />
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.<br />
<br />
If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).<br />
<br />
'''Expected Results:''' WebGoatPHP will be a deliberately insecure PHP web application which operates in different modes. A contest mode where challenges are selected by an admin and the system starts a contest. Admins can open up hints for participants and manage everything. A workshop mode, where the educator has control of the most of application features, as well as feedback of user activities and is ideal for learning environments, and a single mode where someone can browse challenges and solve them.<br />
<br />
'''Knowledge prerequisite:''' You just need to know PHP. You are supposed to define flawed systems, which is not the hardest thing. Familiarity with web application security and SQL is recommended.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]<br />
<br />
===OWASP CSRF Guard===<br />
'''Description:''' [[Cross-Site_Request_Forgery_(CSRF)|CSRF]] is a complicated yet very effective web attack. The most important thing about CSRF is that it's hard to properly defend against it, specially when it comes to Web 2 and AJAX. We have had discussions on means of mitigating CSRF for years at OWASP, and are now ready to develop libraries for it. Many of the key ideas of this library can be found at [http://www.cs.sunysb.edu/~rpelizzi/jcsrf.pdf].<br />
<br />
'''Expected Results:''' A transparent Apache 2 module properly mitigating all POST CSRF attacks, as well as a lightweight PHP library doing the same.<br />
<br />
'''Knowledge prerequisites:''' Knowing CSRF and at least one way to defend against it, PHP, C/C++, Linux.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary <br />
<br />
<br />
===OWASP PHP Security Project===<br />
<br />
'''Description:'''<br />
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.<br />
<br />
'''Expected Results: ''' Result of this project is much more security among PHP applications. Most PHP applications are vulnerable and there's no central approach to secure them (due to open source nature). Many people look at OWASP for such information.<br />
<br />
'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required. <br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary , Johanna Curiel<br />
<br />
===OWASP RBAC Project===<br />
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''. <br />
<br />
RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.<br />
<br />
Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time. <br />
<br />
OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently [[PHPRBAC]] which is the PHP version of the RBAC project is released.<br />
<br />
'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, specially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.<br />
<br />
'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.<br />
<br />
'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary <br />
<br />
'''Skill Level:''' Advanced<br />
<br />
For more info, visit [http://phprbac.net phprbac.net]<br />
<br />
=== OWASP OWTF - Zest support ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The Mozilla foundation has done great work with the Zest iniciative, this provides a great automated mechanism to replicate exploitation of security vulnerabilities in a format that makes tool communication easier: For example, ZAP supports Zest, so if OWTF can create a Zest script for a vulnerability in an automated fashion, this may in turn be easier to import into ZAP and other tools.<br />
<br />
[https://developer.mozilla.org/en-US/docs/Zest More information on Zest can be found here]<br />
<br />
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Some previous exposure to security concepts, penetration testing, Python and development in general is important for this project.<br />
<br />
<br />
=== OWASP OWTF - Improved Plug-n-Hack support ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The Mozilla foundation has done great work with the Plug-n-Hack standard, this provides greatly improved interaction with the web browser.<br />
Although OWTF already supports Plug-n-Hack for MiTM purposes, there are many other features that could be implemented to leaverage Plug-n-Hack.<br />
The aim of this project would be to try to cover as much as possible from the Plug-n-Hack standard as relevant to OWTF.<br />
<br />
[https://www.youtube.com/watch?v=pYFtLA2yTR8 Please see this demo to see the newest Plug-n-Hack additions]<br />
<br />
[https://blog.mozilla.org/security/2013/08/22/plug-n-hack/ For more information about plug and hack please see this]<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
<br />
<br />
=== OWASP OWTF - Stateful Browser with configurable authentication ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The automated functionality of OWASP OWTF is currently limited to the non-authenticated portion of a website. We would like to implement authentication support through:<br />
<br />
1) OWTF parameters<br />
<br />
2) Configuration files<br />
<br />
<br />
What we would like to do here is to leverage the [http://wwwsearch.sourceforge.net/mechanize/ powerful mechanize python library] and build at least support for the following authentication options:<br />
* Basic authentication [https://github.com/7a/owtf/issues/9 Already implemented here]<br />
* Cookie based authentication<br />
* Form-based authentication<br />
<br />
Additionally, we would welcome here a feature to detect when the user has been logged off, to log OWTF back in again before retrying the next request. <-- The proxy is probably a better place to implement this since external tools would also benefit from this. This feature will have to be coordinated with the MiTM proxy feature (already implemented).<br />
<br />
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with the mechanize library or HTTP state is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
=== OWASP OWTF - SQL database ===<br />
<br />
'''Brief explanation:'''<br />
<br />
OWASP OWTF scans may take a large amount of disk space due to saving information in text files, we would like to add an option to use a SQL database, probably using the sqlalchemy python library.<br />
* Keep the current text file format as an option<br />
* Add a database storage option using the sqlalchemy library <br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* Reliability: Both with the sql database option and the text file options.<br />
* Test cases<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, sqlalchemy experience would be beneficial for this<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
=== OWASP OWTF - Unit Test Framework ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
<br />
=== OWASP OWTF - Python version upgrade and compatibility ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Right now OWASP OWTF works on Python 2.6.5-2.7.3 (might work on surrounding versions too), the aim of this project would be to change the existing codebase so that it additionally works on newer python versions too, for example Python 3.3.<br />
The intention here is to take advantage of improvements in newer python versions when available while letting OWASP OWTF work on older python versions too (i.e. 2.6.5) if that is the only option available.<br />
The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable due to compatibility.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
'''Expected results:'''<br />
<br />
* Performant and reliable OWASP OWTF execution on multiple python versions, in particular the latest python version (i.e. 3.3.x) as well as the previous 2.6.5-2.7.3 range.<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with python version upgrades and python version compatibility implementations, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org'''<br />
<br />
===OWASP PCI TOOLKIT===<br />
[[File:Pci-toolkit-items-small.gif]]<br> OWASP PCI toolkit is an Open Source project built using Google Engine App, that will help organizations scope the PCI-DSS requirements for their System Components. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.<br />
<br />
In order to comply with this standard, organizations need to understand the PCI-DSS requirements. Many of these requirements use OWASP guidelines as their baseline.<br />
<br />
The OWASP PCI toolkit is a project focused on helping organization understand how OWASP guidelines apply to the PCI-DSS requirements.<br />
<br />
'''Expected results:'''<br />
<br />
4 complete modules built as a Google App Engine: <br />
http://pci-toolkit.appspot.com/<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Skill Level: Easy-Medium<br />
Python, HTML, CSS, Google App Engine.<br />
<br />
Affinity with financial institutions, Web security and credit card-online transactions<br />
<br />
'''OWASP project page:'''<br />
<br />
https://www.owasp.org/index.php/Category:OWASP_PCI_Project<br />
<br />
Mentor: Johanna Curiel - emai: firstname.lastname@owasp.org<br />
<br />
<br />
=== OWASP iGoat ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Right now OWASP iGoat works fine as a full universal iOS app on iPhone and iPads up to iOS 6.x and Xcode 4.x. It needs to be updated to properly function under iOS 7.x and Xcode 5.x, which will require some code maintenance, GUI changes, and so on.<br />
<br />
<br />
For background on OWASP iGoat please see: [https://www.owasp.org/index.php/OWASP_iGoat_Project]<br />
<br />
'''Expected results:'''<br />
<br />
* iGoat functions properly in all current aspects under iOS 7.x, compiled under Xcode 5.x.<br />
* All GUI, buttons, and other presentation layer aspects of iGoat are compliant with iOS 7.x look and feel.<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
iOS app development in Xcode using Objective C will be quite necessary. Familiarity with iOS 7.x user interface updates additionally helpful.<br />
<br />
<br />
'''Mentor: Ken van Wyk - OWASP iGoat Project Leader - Contact: ken@krvw.com'''</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project/Releases/iGoat_v1.0&diff=145946Projects/OWASP iGoat Project/Releases/iGoat v1.02013-02-26T20:03:27Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude><br />
| project_name = OWASP iGoat Project<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| release_name = iGoat v2.0<br />
| release_date = 26 February 2013<br />
| release_description = The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS -- by breaking things as well as fixing them.<br />
| release_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
| release_download_link = http://owasp-igoat.googlecode.com/files/owasp-igoat-2.0.tar.bz2<br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| contributor_name[1-10] = <br />
| contributor_email[1-10] = <br />
| contributor_username[1-10] = <br />
<br />
| release_notes = http://code.google.com/p/owasp-igoat/issues/list<br />
<br />
| links_url[1-10] =<br />
| links_name[1-10] =<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project/Releases/iGoat_v1.0&diff=145945Projects/OWASP iGoat Project/Releases/iGoat v1.02013-02-26T19:32:16Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude><br />
| project_name = OWASP iGoat Project<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| release_name = iGoat v2.0<br />
| release_date = 26 February 2012<br />
| release_description = The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS -- by breaking things as well as fixing them.<br />
| release_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
| release_download_link = http://owasp-igoat.googlecode.com/files/owasp-igoat-2.0.tar.bz2<br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| contributor_name[1-10] = <br />
| contributor_email[1-10] = <br />
| contributor_username[1-10] = <br />
<br />
| release_notes = http://code.google.com/p/owasp-igoat/issues/list<br />
<br />
| links_url[1-10] =<br />
| links_name[1-10] =<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=145944OWASP iGoat Project2013-02-26T19:29:25Z<p>Ken van Wyk: </p>
<hr />
<div>= Main =<br />
<br />
<b>Welcome to the iGoat OWASP project home page.</b><br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
# Brief introduction to the problem.<br />
# Verify the problem by exploiting it.<br />
# Brief description of available remediations to the problem.<br />
# Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
iGoat can be downloaded here: http://code.google.com/p/owasp-igoat/<br />
<br />
= Framework =<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader (Ken van Wyk, ken@krvw.com) to find out how they can contribute to future releases of iGoat.<br />
<br />
= Status =<br />
<br />
The iGoat project was launched in May 2011. Version 2.0 released on 26 February 2013. Source repository and download site:<br />
<br />
http://code.google.com/p/owasp-igoat/<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
<br> __NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=IOS_Developer_Cheat_Sheet&diff=134615IOS Developer Cheat Sheet2012-08-22T19:08:09Z<p>Ken van Wyk: Edited caveats re consumer grade local data storage to emphasize the risks.</p>
<hr />
<div>= Introduction =<br />
This document is written for iOS app developers and is intended to provide a set of basic pointers to vital aspects of developing secure apps for Apple’s iOS operating system. It follows the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Top 10 Risks] list.<br />
<br />
= Basics =<br />
From a user perspective, two of the best things one can do to protect her iOS device are: enable strong passwords, and [https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet refrain from jailbreaking the device]. For developers, both of these issues are problematic, as they are not verifiable within an app’s sandbox environment. (Apple previously had an API for testing devices to see if they are jailbroken, but that API was deprecated in 2010.) For enterprises, strong passwords, along with dozens of other security configuration attributes can be managed and enforced via a Mobile Device Management (MDM) product. Small businesses and individuals with multiple devices can use Apple’s iPhone Configuration Utility (http://www.apple.com/support/iphone/enterprise/) and Apple Configurator (available in the Mac App Store) to build secure configuration profiles and deploy them on multiple devices.<br />
<br />
= Remediation’s to OWASP Mobile Top 10 Risks =<br />
== Insecure Data Storage (M1) ==<br />
Without a doubt, the biggest risk faced by mobile device consumers comes from a lost or stolen device. The information stored on the device is thus exposed to anyone who finds or steals another person’s device. It is largely up to the apps on the device to provide adequate protection of any data they store. Apple’s iOS provides several mechanisms for protecting data. These built in protections are quite adequate for most consumer-grade information. For more stringent security requirements (e.g., financial data), additional protections beyond those provided by Apple can be built into an application.<br />
=== Remediations ===<br />
In general, an app should store locally only the data that is required to perform its functional tasks. This includes side channel data such as system logging (see M8 below). For any form of sensitive data, storing plaintext data storage in an app’s sandbox (e.g., ~/Documents/* ) should always be avoided. Consumer-grade sensitive data should be stored in secure containers using Apple-provided APIs.<br />
* Small amounts of consumer grade sensitive data, such as user authentication credentials, session tokens, etc., can be securely stored in the device’s Keychain (see Keychain Services Reference in Apple’s iOS Developer Library).<br />
* For larger, or more general types of consumer-grade data, Apple’s File Protection mechanism can safely be used (see NSData Class Reference for protection options).<br />
More data that exceeds normal consumer-grade sensitivity, if it absolutely must be stored locally, consider using a third party container encryption API that is not encumbered by the inherent weaknesses in Apple’s encryption (e.g., keying tied to user’s device passcode, which is often a 4-digit PIN). Freely available examples include SQLcipher (see http://sqlcipher.net). In doing this, proper key management is of utmost importance -- and beyond the scope of this document.<br />
<br />
== Weak Server Side Controls (M2) ==<br />
Although most server side controls are in fact necessary to handle on the server side — and as such we refer the reader to the [[Web Service Security Cheat Sheet]]—there are several things that can be done on the mobile that aid in the work to be done on the server.<br />
=== Remediations ===<br />
Design and implement the mobile client and the server to support a common set of security requirements. For example, information deemed sensitive on the server should be handled with equivalent due caution on the client side.<br />
Perform positive input validation and canonicalization on all client-side input data. Use regular expressions and other mechanisms to ensure that only allowable data may enter the application at the client end.<br />
Perform output encoding on untrusted data where feasible.<br />
<br />
== Insufficient Transport Layer Protection (M3) ==<br />
Exposing sensitive data to eavesdropping attacks is a common issue with all networked applications, and iOS mobile apps are no exception.<br />
=== Remediations ===<br />
Design and implement all apps under the assumption that they will be used on the most wide-open Wi-Fi networks on the planet.<br />
Make an inventory of all app data that must be protected while in transit. (Protections should include confidentiality as well as integrity.) The inventory should include authentication tokens, session tokens, as well as application data directly.<br />
Ensure SSL/TLS encryption is used when transmitting or receiving all inventoried data. (See CFNetwork Programming Guide.)<br />
Ensure your app only accepts properly validated SSL certificates. (CA chain validation is routinely disabled in testing environments; ensure your app has removed any such code prior to public release.)<br />
Verify through dynamic testing that all inventoried data is adequately protected throughout the operation of the app.<br />
Verify through dynamic testing that forged, self-signed, etc., certificates cannot be accepted by the app under any circumstances.<br />
<br />
== Client Side Injection (M4) ==<br />
Data injection attacks are as real in mobile apps as they are in web apps, although the attack scenarios tend to differ (e.g., exploiting URL schemes to send premium text messages or toll phone calls).<br />
=== Remediations ===<br />
In general, follow the same rules as a web app for input validation and output escaping.<br />
Canonicalize and positively validate all data input.<br />
Use parameterized queries, even for local SQLite/SQLcipher calls. <br />
When using URL schemes, take extra care in validating and accepting input, as any app on the device is able to call a URL scheme.<br />
When building a hybrid web/mobile app, keep the native/local capabilities of the app to a bare minimum required. That is, maintain control of all UIWebView content and pages, and prevent the user from accessing arbitrary, untrusted web content.<br />
== Poor Authorization and Authentication (M5) ==<br />
Although largely a server side control, some mobile features (e.g., unique device identifiers) and common uses can exacerbate the problems surrounding securely authenticating and authorizing users and other entities.<br />
=== Remediations ===<br />
In general follow the same rules as a web app for authentication and authorization.<br />
Never use a device identifier (e.g., UDID , IP number, MAC address, IMEI) to identify a user or session.<br />
Avoid when possible “out-of-band” authentication tokens sent to the same device as the user is using to log in (e.g., SMS to the same iPhone).<br />
Implement strong server side authentication, authorization, and session management (control # 4.1-4.6).<br />
Authenticate all API calls to paid resources (control 8.4).<br />
== Improper Session Handling (M6) ==<br />
Similarly, session handling is in general, principally a server task, but mobile devices tend to amplify traditional problems in unforeseen ways. For example, on mobile devices, “sessions” often last far longer than on traditional web applications.<br />
=== Remediations ===<br />
For the most part, follow sound session management practices as you would for a web application, with a few twists that are specific to mobile devices.<br />
Never use a device identifier (e.g., UDID, IP number, MAC address, IMEI) to identify a session. (Control 1.13)<br />
Use only tokens that can be quickly revoked in the event of a lost/stolen device, or compromised session.<br />
Protect the confidentiality and integrity of session tokens at all times (e.g., always use SSL/TLS when transmitting).<br />
Use only trustworthy sources for generating sessions.<br />
== Security Decisions via Untrusted Inputs (M7) ==<br />
While iOS does not give apps many channels for communicating among themselves, some exist—and can be abused by an attacker via data injection attacks, malicious apps, etc.<br />
=== Remediations ===<br />
The combination of input validation, output escaping, and authorization controls can be used against these weaknesses.<br />
Canonicalize and positively validate all input data, particularly at boundaries between apps.<br />
When using URL schemes, take extra care in validating and accepting input, as any app on the device is able to call a URL scheme.<br />
Contextually escape all untrusted data output, so that it cannot change the intent of the output itself.<br />
Verify the caller is permitted to access any requested resources. If appropriate, prompt the user to allow/disallow access to the requested resource.<br />
== Side Channel Data Leakage (M8) ==<br />
Side channels refer here to data I/O generally used for administrative or non-functional (directly) purposes, such as web caches (used to optimize browser speed), keystroke logs (used for spell checking), and similar. Apple’s iOS presents several opportunities for side channel data to inadvertently leak from an app, and that data is often available to anyone who has found or stolen a victim’s device. Most of these can be controlled programmatically in an app.<br />
=== Remediations ===<br />
Design and implement all apps under the assumption that the user’s device will be lost or stolen.<br />
Start by identifying all potential side channel data present on a device. These sources should include, at a bare minimum: web caches, keystroke logs, screen shots, system logs, and cut-and-paste buffers. Be sure to include any third party libraries used.<br />
Never include sensitive data (e.g., credentials, tokens, PII) in system logs.<br />
Control iOS’s screenshot behavior to prevent sensitive app data from being captured when an app is minimized.<br />
Disable keystroke logging for the most sensitive data, to prevent it from being stored in plaintext on the device.<br />
Disable cut-and-paste buffer for the most sensitive data, to prevent it from being leaked outside of the app.<br />
Dynamically test the app, including its data stores and communications channels, to verify that no sensitive data is being inappropriately transmitted or stored.<br />
== Broken Cryptography (M9) ==<br />
Although the vast majority of cryptographic weaknesses in software result from poor key management, all aspects of a crypto system should be carefully designed and implemented. Mobile apps are no different in that regard.<br />
=== Remediations ===<br />
Never “hard code” or store cryptographic keys where an attacker can trivially recover them. This includes plaintext data files, properties files, and compiled binaries.<br />
Use secure containers for storing crypto keys; alternately, build a secure key exchange system where the key is controlled by a secure server, and never stored locally on the mobile device.<br />
Use only strong crypto algorithms and implementations, including key generation tools, hashes, etc.<br />
Use platform crypto APIs when feasible; use trusted third party code when not.<br />
Consumer-grade sensitive data should be stored in secure containers using Apple-provided APIs.<br />
* Small amounts of data, such as user authentication credentials, session tokens, etc., can be securely stored in the device’s Keychain (see Keychain Services Reference in Apple’s iOS Developer Library).<br />
* For larger, or more general types of data, Apple’s File Protection mechanism can safely be used (see NSData Class Reference for protection options).<br />
To more securely protect static data, consider using a third party encryption API that is not encumbered by the inherent weaknesses in Apple’s encryption (e.g., keying tied to user’s device passcode, which is often a 4-digit PIN). Freely available examples include SQLcipher (see http://sqlcipher.net).<br />
<br />
== Sensitive Information Disclosure (M10) ==<br />
All sorts of sensitive data can leak out of iOS apps. Among other things to remember at all times, each app’s compiled binary code is available on the device, and can be reverse engineered by a determined adversary.<br />
=== Remediations ===<br />
Anything that must truly remain private should not reside on the mobile device; keep private information (e.g., algorithms, proprietary information) on the server.<br />
If private information must be present on a mobile device, ensure it remains in process memory and is never unprotected if it is stored on the device.<br />
Never hard code or otherwise trivially store passwords, session tokens, etc.<br />
Strip binaries prior to shipping, and be aware that compiled executable files can still be reverse engineered.<br />
<br />
= References and Further Reading =<br />
<br />
OWASP Top 10 Mobile Risks presentation, Appsec USA, Minneapolis, MN, 23 Sept 2011. Jack Mannino, Mike Zusman, and Zach Lanier.<br />
<br />
“iOS Security”, Apple, May 2012, http://images.apple.com/iphone/business/docs/iOS_Security_May12.pdf <br />
<br />
“Deploying iPhone and iPad: Apple Configurator”, Apple, March 2012, http://images.apple.com/iphone/business/docs/iOS_Apple_Configurator_Mar12.pdf <br />
<br />
“iPhone OS: Enterprise Deployment Guide”, Apple, 2010, http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf <br />
<br />
“iPhone in Business”, Apple resources, http://www.apple.com/iphone/business/resources/ <br />
<br />
Apple iOS Developer website.<br />
<br />
"iOS Application (in)Security", MDSec - May 2012, http://www.mdsec.co.uk/research/iOS_Application_Insecurity_wp_v1.0_final.pdf<br />
<br />
= Authors and Primary Editors =<br />
<br />
Ken van Wyk ken[at]krvw.com<br />
<br />
= Other Cheatsheets =<br />
{{Cheatsheet_Navigation}}<br />
<br />
[[Category:Cheatsheets]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project/Releases/iGoat_v1.0&diff=127125Projects/OWASP iGoat Project/Releases/iGoat v1.02012-03-30T14:02:03Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude><br />
| project_name = OWASP iGoat Project<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| release_name = iGoat v1.2<br />
| release_date = 29 March 2012<br />
| release_description = The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS -- by breaking things as well as fixing them.<br />
| release_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
| release_download_link = http://code.google.com/p/owasp-igoat/downloads/detail?name=owasp-igoat-1.2.tar.bz2&can=2&q=<br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| contributor_name[1-10] = <br />
| contributor_email[1-10] = <br />
| contributor_username[1-10] = <br />
<br />
| release_notes = http://code.google.com/p/owasp-igoat/issues/list<br />
<br />
| links_url[1-10] =<br />
| links_name[1-10] =<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project/Releases/iGoat_v1.0&diff=127124Projects/OWASP iGoat Project/Releases/iGoat v1.02012-03-30T14:01:26Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude><br />
| project_name = OWASP iGoat Project<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| release_name = iGoat v1.2<br />
| release_date = 29 March 2012<br />
| release_description = The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS -- by breaking things as well as fixing them.<br />
| release_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
| release_download_link = http://code.google.com/p/owasp-igoat/downloads/detail?name=owasp-igoat-1.0.tar.bz2&can=2&q=<br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| contributor_name[1-10] = <br />
| contributor_email[1-10] = <br />
| contributor_username[1-10] = <br />
<br />
| release_notes = http://code.google.com/p/owasp-igoat/issues/list<br />
<br />
| links_url[1-10] =<br />
| links_name[1-10] =<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=127122OWASP iGoat Project2012-03-30T14:00:50Z<p>Ken van Wyk: </p>
<hr />
<div>==== Main ====<br />
Welcome to the iGoat OWASP project home page.<br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
1 - Brief introduction to the problem.<br />
<br />
2 - Verify the problem by exploiting it.<br />
<br />
3 - Brief description of available remediations to the problem.<br />
<br />
4 - Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
<br />
Framework<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader (Ken van Wyk, ken@krvw.com) to find out how they can contribute to future releases of iGoat.<br />
<br />
<br />
Status<br />
<br />
The iGoat project was launched in May 2011. Version 1.2 released on 29 March 2012. Source repository and download site:<br />
<br />
http://code.google.com/p/owasp-igoat/<br />
<br />
==== Project About ====<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
<br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project/Roadmap&diff=116155OWASP iGoat Project/Roadmap2011-08-23T14:08:06Z<p>Ken van Wyk: </p>
<hr />
<div>*Short term goals:<br />
*Medium term goals:<br />
#Build and integrate additional lessons iteratively, on an as-needed basis.<br />
#Maintain and update iGoat for new iOS and Xcode versions, as appropriate.<br />
*Long term goals:<br />
#Expand iGoat to a Universal app (fully compatible with iPad and other iOS devices).<br />
#Merge in other content, such as instructional videos and such (Possibly externally hosted).<br />
<br />
*Finished:<br />
#Design and build the basic iGoat foundation, with a modular approach to including lessons.<br />
#Integrate several initial lessons into the iGoat framework. <br />
#Complete documentation, including HOWTOs for installing/building iGoat, and building new lessons.<br />
#Improved user interface.<br />
#Added SQLcipher exercise.</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project/Releases/iGoat_v1.0&diff=116154Projects/OWASP iGoat Project/Releases/iGoat v1.02011-08-23T13:27:21Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template: <includeonly>{{{1}}}</includeonly><noinclude>Release About</noinclude><br />
| project_name = OWASP iGoat Project<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| release_name = iGoat v1.1<br />
| release_date = 23 August 2011<br />
| release_description = The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS -- by breaking things as well as fixing them.<br />
| release_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
| release_download_link = http://code.google.com/p/owasp-igoat/downloads/detail?name=owasp-igoat-1.0.tar.bz2&can=2&q=<br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| contributor_name[1-10] = <br />
| contributor_email[1-10] = <br />
| contributor_username[1-10] = <br />
<br />
| release_notes = http://code.google.com/p/owasp-igoat/issues/list<br />
<br />
| links_url[1-10] =<br />
| links_name[1-10] =<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project&diff=116153Projects/OWASP iGoat Project2011-08-23T13:26:30Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude><br />
<br />
| project_name = OWASP iGoat Project<br />
<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| project_description = The iGoat project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.<br />
<br />
Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then he implements a remediation in the lesson's source code.<br />
<br />
Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.<br />
<br />
| project_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| leader_name[2-10] =<br />
| leader_email[2-10] =<br />
| leader_username[2-10] = <br />
<br />
| contributor_name1 = Sean Eidemiller (KRvW Associates)<br />
| contributor_email1 = sean@krvw.com<br />
| contributor_username1 = <br />
<br />
| contributor_name[2-10] = <br />
| contributor_email[2-10] = <br />
| contributor_username[2-10] = <br />
<br />
| pamphlet_link = <br />
| presentation_link = <br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-igoat-project<br />
| project_road_map = https://www.owasp.org/index.php/OWASP_iGoat_Project/Roadmap<br />
| links_url[1-10] = <br />
| links_name[1-10] = <br />
<br />
| release_1 = iGoat v1.1<br />
| release_2 = <br />
| release_3 =<br />
| release_4 =<br />
<!--- The line below is for GPC usage only. Please do not edit it ---><br />
| project_about_page = Projects/OWASP_iGoat_Project<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=116152OWASP iGoat Project2011-08-23T13:25:15Z<p>Ken van Wyk: </p>
<hr />
<div>==== Main ====<br />
Welcome to the iGoat OWASP project home page.<br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
1 - Brief introduction to the problem.<br />
<br />
2 - Verify the problem by exploiting it.<br />
<br />
3 - Brief description of available remediations to the problem.<br />
<br />
4 - Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
<br />
Framework<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader (Ken van Wyk, ken@krvw.com) to find out how they can contribute to future releases of iGoat.<br />
<br />
<br />
Status<br />
<br />
The iGoat project was launched in May 2011. Version 1.1 released on 23 August 2011. Source repository and download site:<br />
<br />
http://code.google.com/p/owasp-igoat/<br />
<br />
==== Project About ====<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
<br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project/Releases/Current&diff=112241Projects/OWASP iGoat Project/Releases/Current2011-06-16T07:00:02Z<p>Ken van Wyk: Created page with "http://code.google.com/p/owasp-igoat/"</p>
<hr />
<div>http://code.google.com/p/owasp-igoat/</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project&diff=112228Projects/OWASP iGoat Project2011-06-16T05:58:37Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude><br />
<br />
| project_name = OWASP iGoat Project<br />
<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| project_description = The iGoat project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.<br />
<br />
Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then he implements a remediation in the lesson's source code.<br />
<br />
Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.<br />
<br />
| project_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| leader_name[2-10] =<br />
| leader_email[2-10] =<br />
| leader_username[2-10] = <br />
<br />
| contributor_name1 = Sean Eidemiller (KRvW Associates)<br />
| contributor_email1 = sean@krvw.com<br />
| contributor_username1 = <br />
<br />
| contributor_name[2-10] = <br />
| contributor_email[2-10] = <br />
| contributor_username[2-10] = <br />
<br />
| pamphlet_link = <br />
| presentation_link = <br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-igoat-project<br />
| project_road_map = https://www.owasp.org/index.php/OWASP_iGoat_Project/Roadmap<br />
| links_url[1-10] = <br />
| links_name[1-10] = <br />
<br />
| release_1 = 1.0 released 15 June 2011<br />
| release_2 = <br />
| release_3 =<br />
| release_4 =<br />
<!--- The line below is for GPC usage only. Please do not edit it ---><br />
| project_about_page = Projects/OWASP_iGoat_Project<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project&diff=112226Projects/OWASP iGoat Project2011-06-16T05:57:45Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude><br />
<br />
| project_name = OWASP iGoat Project<br />
<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| project_description = The iGoat project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.<br />
<br />
Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then he implements a remediation in the lesson's source code.<br />
<br />
Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.<br />
<br />
| project_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| leader_name[2-10] =<br />
| leader_email[2-10] =<br />
| leader_username[2-10] = <br />
<br />
| contributor_name1 = Sean Eidemiller (KRvW Associates)<br />
| contributor_email1 = sean@krvw.com<br />
| contributor_username1 = <br />
<br />
| contributor_name[2-10] = <br />
| contributor_email[2-10] = <br />
| contributor_username[2-10] = <br />
<br />
| pamphlet_link = <br />
| presentation_link = <br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-igoat-project<br />
| project_road_map = https://www.owasp.org/index.php/OWASP_iGoat_Project/Roadmap<br />
| links_url[1-10] = <br />
| links_name[1-10] = <br />
<br />
| release_1 = 1.0 released 15 June 2011, see http://code.google.com/p/owasp-igoat/<br />
| release_2 = <br />
| release_3 =<br />
| release_4 =<br />
<!--- The line below is for GPC usage only. Please do not edit it ---><br />
| project_about_page = Projects/OWASP_iGoat_Project<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project&diff=112225Projects/OWASP iGoat Project2011-06-16T05:56:25Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude><br />
<br />
| project_name = OWASP iGoat Project<br />
<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| project_download_page = http://code.google.com/p/owasp-igoat/<br />
<br />
| project_description = The iGoat project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.<br />
<br />
Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then he implements a remediation in the lesson's source code.<br />
<br />
Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.<br />
<br />
| project_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| leader_name[2-10] =<br />
| leader_email[2-10] =<br />
| leader_username[2-10] = <br />
<br />
| contributor_name1 = Sean Eidemiller (KRvW Associates)<br />
| contributor_email1 = sean@krvw.com<br />
| contributor_username1 = <br />
<br />
| contributor_name[2-10] = <br />
| contributor_email[2-10] = <br />
| contributor_username[2-10] = <br />
<br />
| pamphlet_link = <br />
| presentation_link = <br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-igoat-project<br />
| project_road_map = https://www.owasp.org/index.php/OWASP_iGoat_Project/Roadmap<br />
| links_url[1-10] = http://code.google.com/p/owasp-igoat/<br />
| links_name[1-10] = Download and src repository<br />
<br />
| release_1 = 1.0 released 15 June 2011, see http://code.google.com/p/owasp-igoat/<br />
| release_2 = <br />
| release_3 =<br />
| release_4 =<br />
<!--- The line below is for GPC usage only. Please do not edit it ---><br />
| project_about_page = Projects/OWASP_iGoat_Project<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project&diff=112224Projects/OWASP iGoat Project2011-06-16T05:55:33Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude><br />
<br />
| project_name = OWASP iGoat Project<br />
<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| project_download_page = http://code.google.com/p/owasp-igoat/<br />
<br />
| project_description = The iGoat project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.<br />
<br />
Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then he implements a remediation in the lesson's source code.<br />
<br />
Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.<br />
<br />
| project_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| leader_name[2-10] =<br />
| leader_email[2-10] =<br />
| leader_username[2-10] = <br />
<br />
| contributor_name1 = Sean Eidemiller (KRvW Associates)<br />
| contributor_email1 = sean@krvw.com<br />
| contributor_username1 = <br />
<br />
| contributor_name[2-10] = <br />
| contributor_email[2-10] = <br />
| contributor_username[2-10] = <br />
<br />
| pamphlet_link = <br />
| presentation_link = <br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-igoat-project<br />
| project_road_map = https://www.owasp.org/index.php/OWASP_iGoat_Project/Roadmap<br />
| links_url[1-10] = <br />
| links_name[1-10] = <br />
<br />
| release_1 = 1.0 released 15 June 2011, see http://code.google.com/p/owasp-igoat/<br />
| release_2 = <br />
| release_3 =<br />
| release_4 =<br />
<!--- The line below is for GPC usage only. Please do not edit it ---><br />
| project_about_page = Projects/OWASP_iGoat_Project<br />
}}</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=112222OWASP iGoat Project2011-06-16T05:54:05Z<p>Ken van Wyk: </p>
<hr />
<div>==== Main ====<br />
Welcome to the iGoat OWASP project home page.<br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
1 - Brief introduction to the problem.<br />
<br />
2 - Verify the problem by exploiting it.<br />
<br />
3 - Brief description of available remediations to the problem.<br />
<br />
4 - Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
<br />
Framework<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader (Ken van Wyk, ken@krvw.com) to find out how they can contribute to future releases of iGoat.<br />
<br />
<br />
Status<br />
<br />
The iGoat project was launched in May 2011. Version 1.0 released on 15 June 2011. Source repository and download site:<br />
<br />
http://code.google.com/p/owasp-igoat/<br />
<br />
==== Project About ====<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
<br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=110304OWASP iGoat Project2011-05-12T18:26:02Z<p>Ken van Wyk: </p>
<hr />
<div>==== Main ====<br />
Welcome to the iGoat OWASP project home page.<br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
1 - Brief introduction to the problem.<br />
<br />
2 - Verify the problem by exploiting it.<br />
<br />
3 - Brief description of available remediations to the problem.<br />
<br />
4 - Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
<br />
Framework<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader (Ken van Wyk, ken@krvw.com) to find out how they can contribute to future releases of iGoat.<br />
<br />
<br />
Status<br />
<br />
The iGoat project was launched in May 2011. As of this writing (12 May 2011), we're expecting a first release in June 2011.<br />
<br />
==== Project About ====<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
<br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=110301OWASP iGoat Project2011-05-12T18:18:59Z<p>Ken van Wyk: </p>
<hr />
<div>==== Main ====<br />
Welcome to the iGoat OWASP project home page.<br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.<br />
<br />
The lessons are laid out in the following steps:<br />
<br />
1 - Brief introduction to the problem.<br />
<br />
2 - Verify the problem by exploiting it.<br />
<br />
3 - Brief description of available remediations to the problem.<br />
<br />
4 - Fix the problem by correcting and rebuilding the iGoat program.<br />
<br />
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.<br />
<br />
iGoat is free software, released under the GPLv3 license.<br />
<br />
<br />
Framework<br />
<br />
iGoat has been designed and built to be a foundation on which to build a series of iOS security lessons. The initial iGoat release will include a handful of lessons to work through, but one of the aims of the project is to build a community of developers to help build out additional lessons over time -- much as WebGoat has before it.<br />
<br />
Interested contributors are encouraged to contact the project leader to find out how they can contribute to future releases of iGoat.<br />
<br />
<br />
Status<br />
<br />
The iGoat project was launched in May 2011. As of this writing (12 May 2011), we're expecting a first release in June 2011.<br />
<br />
==== Project About ====<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
<br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=OWASP_iGoat_Project&diff=110300OWASP iGoat Project2011-05-12T18:11:07Z<p>Ken van Wyk: </p>
<hr />
<div>==== Main ====<br />
Welcome to the iGoat OWASP project home page.<br />
<br />
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.<br />
<br />
==== Project About ====<br />
{{:Projects/OWASP iGoat Project | Project About}}<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
<br />
<br />
[[Category:OWASP_Project|iGoat Project]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:OWASP_Alpha_Quality_Tool]]</div>Ken van Wykhttps://wiki.owasp.org/index.php?title=Projects/OWASP_iGoat_Project&diff=110243Projects/OWASP iGoat Project2011-05-11T19:35:19Z<p>Ken van Wyk: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude><br />
<br />
| project_name = OWASP iGoat Project<br />
<br />
| project_home_page = OWASP iGoat Project<br />
<br />
| project_description = The iGoat project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.<br />
<br />
Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then he implements a remediation in the lesson's source code.<br />
<br />
Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.<br />
<br />
| project_license = [http://www.gnu.org/licenses/gpl-3.0.html GPL v3] <br />
<br />
| leader_name1 = Kenneth R. van Wyk<br />
| leader_email1 = ken@krvw.com<br />
| leader_username1 = Ken van Wyk<br />
<br />
| leader_name[2-10] =<br />
| leader_email[2-10] =<br />
| leader_username[2-10] = <br />
<br />
| contributor_name1 = Sean Eidemiller (KRvW Associates)<br />
| contributor_email1 = sean@krvw.com<br />
| contributor_username1 = <br />
<br />
| contributor_name[2-10] = <br />
| contributor_email[2-10] = <br />
| contributor_username[2-10] = <br />
<br />
| pamphlet_link = <br />
| presentation_link = <br />
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-igoat-project<br />
| project_road_map = https://www.owasp.org/index.php/OWASP_iGoat_Project/Roadmap<br />
| links_url[1-10] = <br />
| links_name[1-10] = <br />
<br />
| release_1 = June 2011 (expected)<br />
| release_2 = <br />
| release_3 =<br />
| release_4 =<br />
<!--- The line below is for GPC usage only. Please do not edit it ---><br />
| project_about_page = Projects/OWASP_iGoat_Project<br />
}}</div>Ken van Wyk