OWASP - User contributions [en]

ZAPpingTheTop10

2019-10-08T12:26:28Z

Rick.mitchell:

= ZAPping the OWASP Top 10 =

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2017 risks.</p>

<p>''A complete mapping for the 2013 edition of the OWASP Top 10 can be found [https://www.owasp.org/index.php/ZAPpingTheTop10-2013 here].''</p>

<p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p>
<p>A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A2-Broken_Authentication | A2 Broken Authentication]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control Testing]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A3-Sensitive_Data_Exposure | A3 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A4-XML_External_Entities_(XXE) | A4 XML External Entities (XXE)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> Active scan rules [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A5-Broken_Access_Control | A5 Broken Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control Testing]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A6-Security_Misconfiguration | A6 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10-2017_A7-Cross-Site_Scripting_(XSS) | A7 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A8-Insecure_Deserialization | A8 Insecure Deserialization]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> There are two outstanding issues that are relevant to this Top 10 entry: [https://github.com/zaproxy/zaproxy/issues/4112 Insecure deserialization active scanner] & [https://github.com/zaproxy/zaproxy/issues/4509 Java Serialization Handling]</td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A10-Insufficient_Logging%26Monitoring | A10 Insufficient Logging & Monitoring]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated / Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> The Spider(s), Active Scanner, Fuzzer, and Access Control addon can all be used to generate traffic and "attacks" which are potential sources/causes for logging and alerting. </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

ZAPpingTheTop10

2019-10-08T12:25:43Z

Rick.mitchell:

= ZAPping the OWASP Top 10 =

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2017 risks.</p>

<p>''A complete mapping for the 2013 edition of the OWASP Top 10 can be found [https://www.owasp.org/index.php/ZAPpingTheTop10-2013 here].''</p>

<p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p>
<p>A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A2-Broken_Authentication | A2 Broken Authentication]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control Testing]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A3-Sensitive_Data_Exposure | A3 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A4-XML_External_Entities_(XXE) | A4 XML External Entities (XXE)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> Active scan rules [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A5-Broken_Access_Control | A5 Broken Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control Testing]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A6-Security_Misconfiguration | A6 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10-2017_A7-Cross-Site_Scripting_(XSS) | A7 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A8-Insecure_Deserialization | A8 Insecure Deserialization]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> There are two outstanding issues that are relevant to this Top 10 entry: [https://github.com/zaproxy/zaproxy/issues/4112 Insecure deserialization active scanner] & [https://github.com/zaproxy/zaproxy/issues/4509 Java Serialization Handling]</td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A10-Insufficient_Logging%26Monitoring | A10 Insufficient Logging & Monitoring]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated / Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> The Spider(s), Active Scanner, Fuzzer, and Access Control addon can all be used to generate traffic and "attacks" which are potential sources/causes for logging and alerting. </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

April 2019

2019-04-25T16:58:31Z

Rick.mitchell: Fixed worldclock date to align with other content

Meeting Date:
April 29

Meeting Time:
11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=4&day=29&hour=18&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]

Meeting Location:
Remote

Virtual:
[https://zoom.us/j/282821949 Zoom Meeting Link] Meeting ID: 282 821 949 - [https://zoom.us/u/kvUg3969 local dial in numbers]

AGENDA

CALL TO ORDER

CHANGES TO THE AGENDA

APPROVAL OF MINUTES
[https://docs.google.com/document/d/1F5fAPcRlTg9FiRoABCM7fwx02bB94kNFiBwbNDkyLo4/edit?usp=sharing March 2019 Minutes]

REPORTS

OLD BUSINESS

NEW BUSINESS

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

ADJOURNMENT

==Old Business==
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&usp=sharing here]

==New Business==
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&usp=sharing here]

OWASP Xenotix XSS Exploit Framework

2019-04-01T12:25:27Z

Rick.mitchell: Add abandonment note

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:20px;" |

==OWASP Xenotix XSS Exploit Framework==
<span style="color:#ff0000">
'''NOTE: PROJECT DEVELOPMENT AND SUPPORT IS DISCONTINUED'''
<br>
* https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework#owasp-xenotix-xss-exploit-framework
<br></span>

[[Image:Xen6.png|left|550px]]
'''OWASP Xenotix XSS Exploit Framework''' is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Low False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be.
It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks.

<paypal>OWASP Xenotix XSS Exploit Framework</paypal>

== LICENSING ==
OWASP Xenotix XSS Exploit Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:175px;border-right: 1px dotted gray;padding-right:25px;" |

== PRESENTATIONS ==

'''DEFCON DCG Banglore 2013'''
*Presentation: [http://www.slideshare.net/ajin25/pwning-with-xss-from-alert-to-reverse-shell-defcon-banglore-2013 OWASP Xenotix XSS Exploit Framework v4 ]

'''BlackHat Europe Arsenal 2013'''
*Presentation: [https://www.dropbox.com/s/o8adyvtngbszq32/blackhat.zip OWASP Xenotix XSS Exploit Framework v3 ]

'''Nulcon Goa 2013'''
*Presentation: [http://www.slideshare.net/ajin25/owasp-xenotix-xss-exploit-framework-v3-nullcon-goa-2013 OWASP Xenotix XSS Exploit Framework v3 ]
: [[Media: Xenotixxssexploitframeworkbyajinabraham-130820064955-phpapp02.pdf | Download PDF ]]

'''ClubHack 2012'''
*Presentation: [http://www.slideshare.net/ajin25/xenotix-xss-exploit-framework-clubhack-2012 OWASP Xenotix XSS Exploit Framework v2]

== PROJECT LEADER ==

Ajin Abraham | [https://twitter.com/ajinabraham @ajinabraham]

== PROJECT WEBSITE ==

*http://xenotix.in

== AWARDS ==

[[Image:ToolsWatch2014.png |180px | thumb | left |link=http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2014]]
[[Image:ToolsWatch2013.png |180px | thumb | left |link=http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ | Top 5th Security Tool of 2013]]
[[Image:CSPF.jpg |180px | thumb | left | Recommended by CSPF]]

| valign="top" style="padding-left:25px;width:175px;" |

== QUICK DOWNLOAD ==

[[Image:Dwd.png |200px| link=https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework]]

== NEWS AND EVENTS ==
* [19 Mar 2014] Xenotix XSS Exploit Framework V6.2 is Released
* [14 Jan 2015] [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2014, voted by ToolsWatch Readers]
* [14 Sept 2014] Xenotix XSS Exploit Framework V6 is Released
* [14 Feb 2014] Xenotix XSS Exploit Framework V5 is Released
* [16 Dec 2013] [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top 5th Security tool of 2013, voted by ToolsWatch Readers]
* [10 Nov 2013] [http://holisticinfosec.org/toolsmith/pdf/november2013.pdf OWASP Xenotix in ISSA Journal]
* [01 Nov 2013] [http://holisticinfosec.blogspot.in/2013/11/toolsmith-owasp-xenotix-xss-exploit.html Toolsmith Tool of the Month]

== RELATED PROJECTS ==

* [[OWASP_Xelenium_Project]]
* [[ZAP]]
* [[OWASP_XSSER]]

== CLASSIFICATIONS ==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Features =

<div style="font-size:120%;border:none;margin: 0;color:#000">

'''SCANNER MODULES'''

*GET Request Fuzzer
*POST Request Fuzzer
*Advanced Request Fuzzer
*OAuth 1.0a Request Scanner
*DOM Scanner
**DOM XSS Analyzer
**Local DOM XSS Analyzer
*Hidden Parameter Detector

'''INFORMATION GATHERING MODULES'''

*WAF Fingerprinting
*Victim Fingerprinting
**IP to Location
**IP to GeoLocation
*Network
**Network IP (WebRTC)
**Ping Scan
**Port Scan
**Internal Network Scan
*Browser
**Fingerprinting
**Features Detector
** HSTS+ CSP Visited Sites Grabber

'''EXPLOITATION MODULES'''

*Send Message
*Cookie Thief
*Keylogger
*HTML5 DDoSer
*Load File
*Grab Page Screenshot
*JavaScript Shell
*Reverse HTTP WebShell
*Metasploit Browser Exploit
*Social Engineering
**Phisher
**Tabnabbing
**Live WebCam Screenshot
**Download Spoofer
**Geolocation HTML5 API
**Java Applet Drive-By (Windows)
**Java Applet Drive-By Reverse Shell (Windows)
**HTA Network Configuration (Windows, IE)
**HTA Drive-By (Windows, IE)
**HTA Drive-By Reverse Shell (Windows, IE)
*Firefox Addons
**Reverse TCP Shell Addon (Windows, Persistent)
**Reverse TCP Shell Addon (Linux, Persistent)
**Session Stealer Addon (Persistent)
**Keylogger Addon (Persistent)
**DDoSer Addon (Persistent)
**Linux Credential File Stealer Addon (Persistent)
**Drop and Execute Addon (Persistent)

'''AUXILIARY MODULES'''
*WebKit Developer Tools
*Encoder/Decoder
*JavaScript Encoders
**JSFuck 6 Char Encoder
**jjencode Encoder
**aaencode Encoder
*JavaScript Beautifier
*Hash Calculator
*Hash Detector
*View Injected JavaScript
*View XSS Payloads

'''XENOTIX SCRIPTING ENGINE'''
* Xenotix API
* IronPython Scripting Support
* Trident and Gecko Web Engine Support

</div>

= Conference Talks =

<div style="font-size:120%;border:none;margin: 0;color:#000">

''' NULLCON GOA 2013 '''

{{#ev:youtube|J1phYXmLX8w}}

''' CLUBHACK 2012 '''

{{#ev:youtube|NYZLP0q7-y4}}

</div>

= Screenshots =

{|
|-
|
[[Image:POST_SCANNER.png|500px|thumb|right|Xenotix POST Request Scanner]]
|
[[Image:XENOTIX INFO.png|500px|thumb|left|Xenotix Information Gathering Modules]]
|-
|
[[Image:XENOTIX EXPLOITATION.png|thumb|500px|right|Xenotix Exploitation Modules]]
|
[[Image:Scripting.png|thumb|500px|left|Xenotix Scripting Engine]]
|}

=Downloads=

== Downloads ==
<div style="font-size:120%;border:none;margin: 0;color:#000">

Get Xenotix Binaries: https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework
= Documentation =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Check: https://www.youtube.com/playlist?list=PLX3EwmWe0cS80ls3TsNiukQD0hfZjLHnP

</div>

= Roadmap =

<div style="font-size:120%;border:none;margin: 0;color:#000">
''' WHAT'S NEW! '''
==V6.2 Changes==
* Added more Payloads
* New Info Gathering Module HSTS+CSP Visited Sites Detection
* Bug Fix Hash Calculator
* Bug Fix - Get Fuzzer
* Bug Fix IP2Geolocation
==V6.1 Changes==
* Bug Fixes
* Updated QuickPHP Server
* Local DOM XSS Analyzer
==V6 Changes==
{{#ev:youtube|RhGVuus_NJw}}
* Intelli Fuzzer
* Context Based Fuzzer
* Blind Fuzzer
* HTA Network Configuration
* HTA Drive-By
* HTA Drive-By Reverse Shell
* JSFuck 6 Char Encoder
* jjencode Encoder
* aaencode Encoder
* IP to Location
* IP to GeoLocation
* IP Hinting
* Download Spoofer
* HTML5 Geolocation API
* Reverse TCP Shell Addon (Linux)
* OAuth 1.0a Request Scanner
* 4800+ Payloads
* SSL Error Fixed

==V5 Changes==
* Xenotix Scripting Engine
* Xenotix API
* V4.5 Bug Fixes
* GET Network IP (Information Gathering)
* QR Code Generator for Xenotix xook
* HTML5 WebCam Screenshot(Exploitation Module)
* HTML5 Get Page Screenshot (Exploitation Module)
* Find Feature in View Source.
* Improved Payload Count to 1630
* Name Changes

==V4.5 Changes==

* JavaScript Beautifier
* Pause and Resume support for Scan
* Jump to Payload
* Cookie Support for POST Request
* Cookie Support and Custom Headers for Header Scanner
* Added TRACE method Support
* Improved Interface
* Better Proxy Support
* WAF Fingerprinting
* Load Files <exploitation module>
* Hash Calculator
* Hash Detector
</div>

= XSS Cheat Sheet =

[[Image:Xss_protection.png|center]]

The Ultimate XSS Protection Cheat Sheet for Developers is a compilation of information available on XSS Protection from various organization, researchers, websites, and from our own experience.
This document follows a simple language and justifying explanations that helps a developer to implement the correct XSS defense and to build a secure web application that prevents XSS vulnerability and Post XSS attacks. It will also discuss about the existing methods or functions provided by various programming languages to mitigate XSS vulnerability. This document will be updated regularly in order to include updated and correct in information in the domain of XSS Protection.

VIEW: [https://docs.google.com/viewer?srcid=0B_Ci-1YbMqshWUtlaGRyLVBVd28&pid=explorer&efh=false&a=v&chrome=false&embedded=true THE ULTIMATE XSS PROTECTION CHEAT SHEET FOR DEVELOPERS on Google Docs]

[[Media:Xenotix_XSS_Protection_CheatSheet_For_Developers.pdf| Download PDF from owasp.org]]

= Goodies =
== Xenotix Hoodies ==
[[Image:Xenotix_front.jpg]][[Image:Xenotix_back.jpg]]

== Purchase ==
Buy Xenotix Hoodies from Paypal [http://opensecurity.in/xenotix-hoodies/ BUY NOW]
= Get Involved =

<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of Xenotix is highly encouraged!

Here are some of the ways you can help:

==Support Us==

*Twitter Page: [https://twitter.com/Xenotix Xenotix on Twitter]
*Facebook Page: [https://www.facebook.com/xenotix Xenotix on Facebook]
*Official Page: [[http://www.opensecurity.in/owasp-xenotix-xss-exploit-framework-v4-2013 Xenotix @ OpenSecurity]]

==Feedback & Queries==

* Do you have any issues with it?
* Do you find any design flows or errors?
* Do you need help in using it?
* Do you have something to tell about it?

Then please use this form: https://docs.google.com/forms/d/1RpUhQvuHGvPTl7Gi-EXzecidGvJwKpsRaY9-MeXm1ro/viewform

==Development==

Are you a developer? Do you have some cool ideas to contribute? Get in touch via '''ajin [DOT] abraham [AT] owasp.org'''
If you actively contribute to Xenotix then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]
[[Category:OWASP_Project|Xenotix XSS Exploit Framework Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]] [[Category:OWASP_Download]]

Category:Vulnerability Scanning Tools

2019-04-01T12:22:34Z

Rick.mitchell: Removing Xenotix which has been abandon

== Description ==

Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as [[Cross-site scripting]], [[SQL Injection]], [[Command Injection]], [[Path Traversal]] and insecure server configuration. This category of tools is frequently referred to as [https://www.techopedia.com/definition/30958/dynamic-application-security-testing-dast Dynamic Application Security Testing] (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP [[Benchmark]] project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.

Here we provide a list of vulnerability scanning tools currently available in the market.

<br> '''Disclaimer:''' The tools listing in the table below are presented in alphabetical order. <b>OWASP does not endorse any of the Vendors or Scanning Tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think this information is incomplete or incorrect, please send an e-mail to our [mailto:owasp_ha_vulnerability_scanner_project@lists.owasp.org mailing list] and we will make every effort to correct this information.</b>

OWASP is aware of the [http://sectooladdict.blogspot.com/ '''Web Application Vulnerability Scanner Evaluation Project (WAVSEP)'''. WAVSEP] is completely unrelated to OWASP and we do not endorse its results, nor any of the DAST tools it evaluates. However, the results provided by WAVSEP may be helpful to someone interested in researching or selecting free and/or commercial DAST tools for their projects. This project has far more detail on DAST tools and their features than this OWASP DAST page.

== Tools Listing ==

{{:Template:OWASP Tool Headings}}
{{OWASP Tool Info || tool_name = [http://www.acunetix.com/ Acunetix WVS] || tool_owner = Acunetix || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://www.ibm.com/us-en/marketplace/application-security-on-cloud Application Security on Cloud] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www-03.ibm.com/software/products/en/appscan-standard AppScan] || tool_owner = IBM || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/ App Scanner] || tool_owner = Trustwave || tool_licence = Commercial || tool_platforms = Windows }}
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/appspider/ AppSpider] || tool_owner = Rapid7 || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://apptrana.indusface.com/basic/ AppTrana Website Security Scan] || tool_owner = AppTrana || tool_licence = Free || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www.arachni-scanner.com/ Arachni] || tool_owner = Arachni|| tool_licence = Free for most use cases || tool_platforms = Most platforms supported}}
{{OWASP Tool Info || tool_name = [https://www.scanmyserver.com/ AVDS] || tool_owner = Beyond Security || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = SaaS }}
{{OWASP Tool Info || tool_name = [https://www.blueclosure.com BlueClosure BC Detect] || tool_owner = BlueClosure || tool_licence = Commercial, 2 weeks trial || tool_platforms = Most platforms supported}}
{{OWASP Tool Info || tool_name = [http://www.portswigger.net/ Burp Suite] || tool_owner = PortSwiger || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Most platforms supported }}
{{OWASP Tool Info || tool_name = [https://contrastsecurity.com Contrast] || tool_owner = Contrast Security || tool_licence = Commercial / Free (Full featured for 1 App) || tool_platforms = SaaS or On-Premises }}
{{OWASP Tool Info || tool_name = [https://detectify.com/ Detectify] || tool_owner = Detectify || tool_licence = Commercial || tool_platforms = SaaS }}
{{OWASP Tool Info || tool_name = [http://www.digifort.se/en/scanner Digifort- Inspect] || tool_owner = Digifort|| tool_licence = Commercial || tool_platforms = SaaS }}
{{OWASP Tool Info || tool_name = [https://www.edgescan.com/ edgescan] || tool_owner = edgescan|| tool_licence = Commercial || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www.gamasec.com/Gamascan.aspx GamaScan] || tool_owner = GamaSec || tool_licence = Commercial || tool_platforms = Windows }}
{{OWASP Tool Info || tool_name = [http://rgaucher.info/beta/grabber/ Grabber] || tool_owner = Romain Gaucher || tool_licence = Open Source || tool_platforms = Python 2.4, BeautifulSoup and PyXML}}
{{OWASP Tool Info || tool_name = [https://gravityscan.com/ Gravityscan] || tool_owner = Defiant, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://sourceforge.net/p/grendel/code/ci/c59780bfd41bdf34cc13b27bc3ce694fd3cb7456/tree/ Grendel-Scan] || tool_owner = David Byrne || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.golismero.com GoLismero] || tool_owner = GoLismero Team || tool_licence = GPLv2.0 || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.ikare-monitoring.com/ IKare] || tool_owner = ITrust || tool_licence = Commercial || tool_platforms = N/A }}
{{OWASP Tool Info || tool_name = [https://www.htbridge.com/immuniweb/ ImmuniWeb] || tool_owner = High-Tech Bridge || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [https://www.indusface.com/index.php/products/web-application-scanning Indusface Web Application Scanning] || tool_owner = Indusface || tool_licence = Commercial / Free Trial || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www.nstalker.com/ N-Stealth] || tool_owner = N-Stalker || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://www.tenable.com/products/tenable-io/web-application-scanning/ Nessus] || tool_owner = Tenable || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.mavitunasecurity.com/ Netsparker] || tool_owner = MavitunaSecurity || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.rapid7.com/products/nexpose-community-edition.jsp Nexpose] || tool_owner = Rapid7 || tool_licence = Commercial / Free (Limited Capability)|| tool_platforms = Windows/Linux}}
{{OWASP Tool Info || tool_name = [http://www.cirt.net/nikto2 Nikto] || tool_owner = CIRT || tool_licence = Open Source|| tool_platforms = Unix/Linux}}
{{OWASP Tool Info || tool_name = [http://www.milescan.com/ ParosPro] || tool_owner = MileSCAN || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://probely.com Probe.ly] || tool_owner = Probe.ly || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/proxy.html Proxy.app] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.qualys.com/products/qg_suite/was/ QualysGuard] || tool_owner = Qualys || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ Retina] || tool_owner = BeyondTrust || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.orvant.com Securus] || tool_owner = Orvant, Inc || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.whitehatsec.com/home/services/services.html Sentinel] || tool_owner = WhiteHat Security || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [http://www.parasoft.com/products/article.jsp?articleId=3169&redname=webtesting&referred=webtesting SOATest] || tool_owner = Parasoft || tool_licence = Commercial || tool_platforms = Windows / Linux / Solaris}}
{{OWASP Tool Info || tool_name = [https://www.tinfoilsecurity.com Tinfoil Security] || tool_owner = Tinfoil Security, Inc. || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = SaaS or On-Premises}}
{{OWASP Tool Info || tool_name = [https://www.trustwave.com/external-vulnerability-scanning.php Trustkeeper Scanner] || tool_owner = Trustwave SpiderLabs || tool_licence = Commercial || tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [https://subgraph.com/vega/ Vega] || tool_owner = Subgraph || tool_licence = Open Source || tool_platforms = Windows, Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [http://wapiti.sourceforge.net/ Wapiti] || tool_owner = Informática Gesfor || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}
{{OWASP Tool Info || tool_name = [https://www.defensecode.com/webscanner.php Web Security Scanner] || tool_owner = DefenseCode || tool_licence = Commercial || tool_platforms = On-Premises}}
{{OWASP Tool Info || tool_name = [http://www.tripwire.com/it-security-software/enterprise-vulnerability-management/web-application-vulnerability-scanning/ WebApp360] || tool_owner = TripWire || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [https://webcookies.org WebCookies] || tool_owner = WebCookies || tool_licence = Free|| tool_platforms = SaaS}}
{{OWASP Tool Info || tool_name = [http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991#.Uuf0KBAo4iw WebInspect] || tool_owner = HP || tool_licence = Commercial || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.websecurify.com/desktop/webreaver.html WebReaver] || tool_owner = Websecurify || tool_licence = Commercial || tool_platforms = Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.german-websecurity.com/en/products/webscanservice/product-details/overview/ WebScanService] || tool_owner = German Web Security || tool_licence = Commercial || tool_platforms = N/A}}
{{OWASP Tool Info || tool_name = [https://suite.websecurify.com/ Websecurify Suite] || tool_owner = Websecurify || tool_licence = Commercial / Free (Limited Capability) || tool_platforms = Windows, Linux, Macintosh}}
{{OWASP Tool Info || tool_name = [http://www.sensepost.com/research/wikto/ Wikto] || tool_owner = Sensepost || tool_licence = Open Source || tool_platforms = Windows}}
{{OWASP Tool Info || tool_name = [http://www.w3af.org/ w3af] || tool_owner = w3af.org || tool_licence = GPLv2.0 || tool_platforms = Linux and Mac}}
{{OWASP Tool Info || tool_name = [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Zed Attack Proxy] || tool_owner = OWASP || tool_licence = Open Source || tool_platforms = Windows, Unix/Linux and Macintosh}}
|}

== References ==

*[[Source_Code_Analysis_Tools | SAST Tools]] - OWASP page with similar information on Static Application Security Testing (SAST) Tools
*[[Free for Open Source Application Security Tools]] - OWASP page that lists the Commercial Dynamic Application Security Testing (DAST) tools we know of that are free for Open Source
*http://sectooladdict.blogspot.com/ - Web Application Vulnerability Scanner Evaluation Project (WAVSEP)
*http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria - v1.0 (2009)
*http://www.slideshare.net/lbsuto/accuracy-and-timecostsofwebappscanners - White Paper: Analyzing the Accuracy and Time Costs of WebApplication Security Scanners - By Larry Suto (2010)
*http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html - NIST home page which links to: NIST Special Publication 500-269: Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 (21 August, 2007)
*http://www.softwareqatest.com/qatweb1.html#SECURITY - A list of Web Site Security Test Tools. (Has both DAST and SAST tools)

[[Category:OWASP_Tools_Project]]

OWASP Zed Attack Proxy Project

2019-02-21T20:26:30Z

Rick.mitchell: Ohloh > Open Hub

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

====ZAP 2.7.0 is now available!====

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

For a quick overview of ZAP and an introduction to the [https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin official ZAP Jenkins plugin] see these tutorial videos on YouTube:

{|
|-
{{#ev:youtube|eH0RBI0nmww}} 
{{#ev:youtube|mmHZLSffCUg}} 
{{#ev:youtube|ztfgip-UhWw}}

|}

For more videos see the links on the [https://github.com/zaproxy/zaproxy/wiki/Videos wiki videos page].

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

{{#widget:PayPal Donation
|target=_blank
|budget=Zed Attack Proxy
}}

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2016 [http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| style="padding-left:25px;width:200px;" valign="top" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== Donate to ZAP ==
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">{{#widget:PayPal Donation
|target=_blank
|budget=Zed Attack Proxy }}</div>

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br />[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

Co-Project Leaders<br />[https://www.owasp.org/index.php/User:Ricardo.Pereira Ricardo Pereira] [mailto:ricardo.pereira@owasp.org @]

[https://www.owasp.org/index.php/User:Rick.mitchell Rick Mitchell] [mailto:rick.mitchell+wiki@owasp.org @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Open Hub Stats ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| cellpadding="2" width="200"
|-
| rowspan="2" align="center" width="50%" valign="top" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" width="50%" valign="center" | [[File:Owasp-builders-small.png|link=]]
|
|-
| align="center" width="50%" valign="center" | [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png|||400px|ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

Stickers can be purchased from [https://www.stickermule.com/uk/user/1070684077/stickers Stickermule]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [https://segment.com/ Segment]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (using a [https://www.ej-technologies.com/products/install4j/overview.html multi-platform installer builder])
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.6.0==
ZAP 2.6.0 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0

==Release 2.7.0==
ZAP 2.7.0 has been released (Nov 2017), this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_7_0

It requires Java 8 (minimum) and supports Selenium 3.

==Release 2.8.0==
ZAP 2.8.0 does not yet have a planned release date, but is likely to be around the beginning of 2018 or (more likely) the middle of 2018.
</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]
[[Category:Flagship Projects|Zap]]
[[Category:OWASP Zed Attack Proxy|Zap]]

GSoC2019 Ideas

2019-02-20T13:31:38Z

Rick.mitchell: Tweak heading format

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]

==OWASP-SKF (draft)==
Idea 1:

Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be

easily deployed.

In the current situation the security knowledge framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and

a solution. The new labs are used to give the software developers or application security specialists a more in depth understanding and approach on how to test the

vulnerabilities in their own code.
* For example we have now around 20 lab challenges in Docker container build in Python:
** A Local File Inclusion Docker app example:
*** https://github.com/blabla1337/skf-labs/tree/master/LFI
** A write-up example:
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection
The images that are pushed to the Github repository are already automatically build and pushed to a docker registry where the SKF users can easily pull the images from to get their

labs running. Of course they can download it and build it themselves from source by pulling the original repository.

Idea 2:

We want to extend the Machine learning chatbot functionality in SKF.
* Create a desktop version of the chatbot. Where people can install the setup file on their local machine.
* Extend the bots capability to do the google search(using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.
* Extend the bot capability to reply what security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.
* Extend the bot to different platforms like Facebook, telegram, slack etc.
** Now the working chatbot implementation for example is only for Gitter

== OWASP DefectDojo ==
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.

Option 1: Unit Tests - Difficulty: Easy
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.
* The project needs additional unit tests to ensure that new code functions properly.
Option 2: Feature Enhancement - Difficulty: Varies
* The functionality of DefectDojo is constantly expanding.
* Feature enhancements offer programming challenges for all levels of experience.
Option 3: Pull Request Review - Difficulty: Moderate - Hard
* Test pull requests and provide feedback on code.

== OHP (OWASP Honeypot) ==

OWASP Honeypot is an open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.

=== Getting Start ===

It's best to start from [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page], we are looking forward to add more modules and optimize the core.

=== Technologies ===

Currently we are using

* Docker
* Python
* MongoDB
* TShark
* Flask
* ChartJS
* And more linux services

=== Expected Results ===
...

=== Roadmap ===

...

=== Students Requirements ===

* Python
* Packet Analysis
* Docker
* Database

=== Mentors and Leaders ===

* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @wurstbrot and @J12934) there if you like!

To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''

=== Challenge Pack 2019 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Hacking Instructor ===

'''Brief Explanation:'''

While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.

''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''

'''Expected Results:'''
* A working implementation of e.g. an avatar-style "Hacking Instructor" or other solution based on the students own proposal
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges
* Documentation how to configure or script the "Hacking Instructor" for challenges in general

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular, some UI/UX experience would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

=== Juice Shop Mobile ===

'''Brief Explanation:'''

A complete mobile client for Juice-Shop API which will serve a legit mobile experience for Juice-Shop user as well as a plethora of Mobile app vulnerabilities and challenges around them to solve. Should in the best case translate the idea of Juice Shop's hacking challenges with a score board and success notifications into the mobile world.

''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''

''' Getting started '''
* Get familiar with the architecture and code base of the application's RESTful backend
* Get familiar with Native App developement
* Get familiar with Mobile vulnerabilities

'''Expected Results:'''
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.
* Sufficient initial release quality (en par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

==OWASP-Securetea Tools Project ==
The purpose of this application is to warn the user (via various communication mechanisms) whenever their laptop accessed. This small application was developed and tested in python in Linux machine is likely to work well on the Raspberry Pi as well. -
https://github.com/OWASP/SecureTea-Project/blob/master/README.md

===Brief Explanation===
We are looking any awesome idea to improve Securetea Project that is not on this list? We are expecting make this project will be useful to everyone to secure their Small IoT.

===Idea===
Below roadmap and expect results you can choose to improve Securetea Project .
if any bugs please help to fix it

===Roadmap===
See Our Roadmap<br>
https://github.com/OWASP/SecureTea-Project#roadmap<br>
Notify by Twitter (done)<br>
Securetea Dashboard / Gui (done)<br>

===Expect Results ===
<br>
Securetea Protection /firewall<br>
Securetea Antivirus<br>
Notify by Whatsapp<br>
Notify by SMS Alerts<br>
Notify by Line<br>
Notify by Telegram<br>
Intelligent Log Monitoring<br>
Login History<br>
=== Students Requirements ===

* Python
* Javascript
* Angular and NodeJS/Express
* Database
* Linux

=== Mentors ===

* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) <br>
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A]]- (OWASP Securetea Project Leader)
* [https://github.com/sananthu Ananthu S] - (Mentor)

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.
===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP iGoat (draft) ==
'''Idea 1:''' Completing OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos at for OWASP iGoat YouTube channel for learning purpose.

'''Idea 2:''' Adding new challenge pack / CTF for iGoat. It should be one point solution for learning iOS app security

== OWASP Seraphimdroid ==

=== Idea 1: Anomaly detection of device state ===
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, opp calls, etc.). Initially, the usual behaviour of the device would be learned. Later, anomalies normal behavior would be reported to the user. This should involve some explanations, such as which applications are causing an anomaly the device behaviors

=== Idea 2: On device machine learning of maliciousness of an app ===
Tensor-flow for on-device processing and some other libraries have been released that enable machine learning. We have previously applied a system, that based on permissions, is able to distinguish malicious apps from non-malicious. Now, we would like to learn also from other outputs and things one can monitor about application whether it can be malicious.

=== Idea 3: Enhansing privacy features ===
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved throug knowing which applications are using user accounts or other information that user has on phone to send to the server, or just by knowing which applications may be doing it. Knowledge base should be extending with the suggestions on how to improve privacy. Also, automated settings of various apps to use encryption should be proposed.
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

=== Active Scanning WebSockets ===
: '''Brief Explanation:'''
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.
: This project will be a continuation of the work that was started as part of last year's GSoC.
: '''Expected Results:'''
:* An pluggable infrastructure that allows us to active scan websockets
:* Converting the relevant existing scan rules to work with websockets
:* Implementing new websocket specific scan rules
: '''Getting Started:'''
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
: '''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Automated Authentication Detection and Configuration ===
: '''Brief Explanation:'''
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki>
: This is time consuming and error prone.
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.
: This project will be a continuation of the work that was started as part of last year's GSoC.
: '''Expected Results:'''
:* Detect login and registration pages
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible
: '''Getting Started:'''
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
: '''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

GSoC2019 Ideas

2019-02-04T14:12:24Z

Rick.mitchell: Formatting tweaks

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]

==OWASP-SKF (draft)==
Idea 1:

Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be

easily deployed.

In the current situation the security knowledge framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and

a solution. The new labs are used to give the software developers or application security specialists a more in depth understanding and approach on how to test the

vulnerabilities in their own code.
* For example we have now around 20 lab challenges in Docker container build in Python:
** A Local File Inclusion Docker app example:
*** https://github.com/blabla1337/skf-labs/tree/master/LFI
** A write-up example:
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection
The images that are pushed to the Github repository are already automatically build and pushed to a docker registry where the SKF users can easily pull the images from to get their

labs running. Of course they can download it and build it themselves from source by pulling the original repository.

Idea 2:

We want to extend the Machine learning chatbot functionality in SKF.
* Create a desktop version of the chatbot. Where people can install the setup file on their local machine.
* Extend the bots capability to do the google search(using web scraping) for the things which are not available in the database. So, it will have a wider scope of knowledge.
* Extend the bot capability to reply what security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.
* Extend the bot to different platforms like Facebook, telegram, slack etc.
** Now the working chatbot implementation for example is only for Gitter

== OWASP DefectDojo ==
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.

Option 1: Unit Tests - Difficulty: Easy
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.
* The project needs additional unit tests to ensure that new code functions properly.
Option 2: Feature Enhancement - Difficulty: Varies
* The functionality of DefectDojo is constantly expanding.
* Feature enhancements offer programming challenges for all levels of experience.
Option 3: Pull Request Review - Difficulty: Moderate - Hard
* Test pull requests and provide feedback on code.

== OHP (OWASP Honeypot) ==

OWASP Honeypot is an open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.

=== Getting Start ===

It's best to start from [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page], we are looking forward to add more modules and optimize the core.

=== Technologies ===

Currently we are using

* Docker
* Python
* MongoDB
* TShark
* Flask
* ChartJS
* And more linux services

=== Expected Results ===
...

=== Roadmap ===

...

=== Students Requirements ===

* Python
* Packet Analysis
* Docker
* Database

=== Mentors and Leaders ===

* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @wurstbrot and @J12934) there if you like!

To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''

=== Challenge Pack 2019 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Hacking Instructor ===

'''Brief Explanation:'''

TODO

'''Expected Results:'''

TODO

''' Getting started: '''

TODO

'''Knowledge Prerequisites:'''

TODO

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

==OWASP-Securetea Tools Project ==
The purpose of this application is to warn the user (via various communication mechanisms) whenever their laptop accessed. This small application was developed and tested in python in Linux machine is likely to work well on the Raspberry Pi as well. -
https://github.com/OWASP/SecureTea-Project/blob/master/README.md

===Brief Explanation===
We are looking any awesome idea to improve Securetea Project that is not on this list? We are expecting make this project will be useful to everyone to secure their Small IoT.

===Idea===
Below roadmap and expect results you can choose to improve Securetea Project .
if any bugs please help to fix it

===Roadmap===
See Our Roadmap<br>
https://github.com/OWASP/SecureTea-Project#roadmap<br>
Notify by Twitter (done)<br>
Securetea Dashboard / Gui (done)<br>

===Expect Results ===
<br>
Securetea Protection /firewall<br>
Securetea Antivirus<br>
Notify by Whatsapp<br>
Notify by SMS Alerts<br>
Notify by Line<br>
Notify by Telegram<br>
Intelligent Log Monitoring<br>
Login History<br>
=== Students Requirements ===

* Python
* Javascript
* Angular and NodeJS/Express
* Database
* Linux

==='''Mentors '''===

* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) <br>
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A]]- (OWASP Securetea Project Leader)
* [https://github.com/sananthu Ananthu S] - (Mentor)

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.
===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP iGoat (draft) ==
'''Idea 1:''' Completing OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos at for OWASP iGoat YouTube channel for learning purpose.

'''Idea 2:''' Adding new challenge pack / CTF for iGoat. It should be one point solution for learning iOS app security

== OWASP Seraphimdroid ==

=== Idea 1: Anomaly detection of device state ===
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, opp calls, etc.). Initially, the usual behaviour of the device would be learned. Later, anomalies normal behavior would be reported to the user. This should involve some explanations, such as which applications are causing an anomaly the device behaviors

=== Idea 2: On device machine learning of maliciousness of an app ===
Tensor-flow for on-device processing and some other libraries have been released that enable machine learning. We have previously applied a system, that based on permissions, is able to distinguish malicious apps from non-malicious. Now, we would like to learn also from other outputs and things one can monitor about application whether it can be malicious.

=== Idea 3: Enhansing privacy features ===
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved throug knowing which applications are using user accounts or other information that user has on phone to send to the server, or just by knowing which applications may be doing it. Knowledge base should be extending with the suggestions on how to improve privacy. Also, automated settings of various apps to use encryption should be proposed.
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

=== Active Scanning WebSockets ===
: '''Brief Explanation:'''
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.
: This project will be a continuation of the work that was started as part of last year's GSoC.
: '''Expected Results:'''
:* An pluggable infrastructure that allows us to active scan websockets
:* Converting the relevant existing scan rules to work with websockets
:* Implementing new websocket specific scan rules
: '''Getting Started:'''
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
: '''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Automated Authentication Detection and Configuration ===
: '''Brief Explanation:'''
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki>
: This is time consuming and error prone.
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.
: This project will be a continuation of the work that was started as part of last year's GSoC.
: '''Expected Results:'''
:* Detect login and registration pages
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible
: '''Getting Started:'''
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
: '''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

OWASP Zed Attack Proxy Project

2018-10-30T15:45:11Z

Rick.mitchell: Update rightnav donate button

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

====ZAP 2.7.0 is now available!====

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

For a quick overview of ZAP and an introduction to the [https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin official ZAP Jenkins plugin] see these tutorial videos on YouTube:

{|
|-
{{#ev:youtube|eH0RBI0nmww}} 
{{#ev:youtube|mmHZLSffCUg}}
|}

For more videos see the links on the [https://github.com/zaproxy/zaproxy/wiki/Videos wiki videos page].

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

{{#widget:PayPal Donation
|target=_blank
|budget=Zed Attack Proxy
}}

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2016 [http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| style="padding-left:25px;width:200px;" valign="top" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== Donate to ZAP ==
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">{{#widget:PayPal Donation
|target=_blank
|budget=Zed Attack Proxy }}</div>

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br />[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

Co-Project Leaders<br />[https://www.owasp.org/index.php/User:Ricardo.Pereira Ricardo Pereira] [mailto:ricardo.pereira@owasp.org @]

[https://www.owasp.org/index.php/User:Rick.mitchell Rick Mitchell] [mailto:rick.mitchell+wiki@owasp.org @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Ohloh ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| cellpadding="2" width="200"
|-
| rowspan="2" align="center" width="50%" valign="top" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" width="50%" valign="center" | [[File:Owasp-builders-small.png|link=]]
|
|-
| align="center" width="50%" valign="center" | [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png|||400px|ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

Stickers can be purchased from [https://www.stickermule.com/uk/user/1070684077/stickers Stickermule]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [https://segment.com/ Segment]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (using a [https://www.ej-technologies.com/products/install4j/overview.html multi-platform installer builder])
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.6.0==
ZAP 2.6.0 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0

==Release 2.7.0==
ZAP 2.7.0 has been released (Nov 2017), this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_7_0

It requires Java 8 (minimum) and supports Selenium 3.

==Release 2.8.0==
ZAP 2.8.0 does not yet have a planned release date, but is likely to be around the beginning of 2018 or (more likely) the middle of 2018.
</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]
[[Category:Flagship Projects|Zap]]
[[Category:OWASP Zed Attack Proxy|Zap]]

Abuse Case Cheat Sheet

2018-09-25T18:46:08Z

Rick.mitchell: Minor changes to the second half of the document.

__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

__TOC__{{TOC hidden}}

= Introduction =

Often when the security level of an application is mentioned in requirements, the following ''expressions'' are meet:
* ''The application must be secure''.
* ''The application must defend against all attacks targeting this category of application''.
* ''The application must defend against attacks from the OWASP TOP 10''
* ...

These security requirements are too generic and useless for a development team...

To build a secure application, from an pragmatic point of view, it is important to identify the attacks which the application must defend against according to its business and technical context.

= Objective =

The objective of this cheat sheet is to provide a explanation about what an '''Abuse Case''' is, why abuse cases are important when considering the security of an application and, finally, to provide a proposal for a pragmatic approach to built a list of abuse cases and track them for every feature planned to be implemented as part of an application whatever project mode used (waterfall or agile).

'''Important note about this Cheat Sheet:'''
<pre>
The main objective is to provide a pragmatic approach in order to allow a company or a project team to start building and handling the list of abuse cases and then customize the elements proposed to its context/culture in order to, finally, build its own method.

This cheat sheet can be seen like a getting started tutorial.</pre>

= Context & approach =

== Why clearly identify the attacks? ==

Clearly identifying the attacks against which the application must defend is essential in order to enable the following steps in a project or sprint:
* Evaluate the business risk for each of the identified attacks in order perform a selection according to the business risk and the project/sprint budget.
* Derive security requirements and add them into the project specification or sprint's user stories acceptance criteria.
* Estimate the overhead to provision in the initial project/sprint charge that will be necessary to implement the countermeasures.
* About countermeasures: Allow the project team to define them and in which location they are appropriate (network, infrastructure, code...) to be positioned.

== Notion of Abuse Case ==

In order to help build the list of attacks, the notion of '''Abuse Case''' exists.

An '''Abuse Case''' can be defined as:

<pre>A way to use a feature that was not expected by the implementer, allowing an attacker to influence the feature or outcome of use of the feature based on the attacker action (or input).</pre>

Synopsys define an '''Abuse Case'' like this:

<pre>Misuse and abuse cases describe how users misuse or exploit the weaknesses of controls in software features to attack an application.
This can lead to tangible business impact when a direct attack against business functionalities, which may bring in revenue or provide positive user experience, are attacked.
Abuse cases can also be an effective way to drive security requirements that lead to proper protection of these critical business use cases.</pre>

Synopsys source: https://www.synopsys.com/blogs/software-security/abuse-cases-can-drive-security-requirements/

Another definition of Abuse Case by Cigital: https://cigital.com/papers/download/misuse-bp.pdf

== How to define the list of Abuse Cases? ==

There are many different ways to define the list of abuse cases for a feature (that can be mapped to a user story in agile mode).

The project [[OWASP_SAMM_Project|OWASP Open SAMM]] proposes the following approach in the ''Activity A'' of the Security Practice ''Threat Assessment'' for the Maturity level 2:

<pre>
Further considering the threats to the organization, conduct a more formal analysis to determine potential misuse or abuse of functionality. Typically, this process begins with identification of normal usage scenarios, e.g. use-case diagrams if available.

If a formal abuse-case technique isn’t used, generate a set of abuse-cases for each scenario by starting with a statement of normal usage and brainstorming ways in which the statement might be negated, in whole or in part. The simplest way to get started is to insert the word “no” or “not” into the usage statement in as many ways as possible, typically around nouns and verbs. Each usage scenario should generate several possible abuse-case statements.

Further elaborate the abuse-case statements to include any application-specific concerns based on the business function of the software. The ultimate goal is for the completed set of abuse statements to form a model for usage patterns that should be disallowed by the software. If desired, these abuse cases can be combined with existing threat models.

After initial creation, abuse-case models should be updated for active projects during the design phase. For existing projects, new requirements should be analyzed for potential abuse, and existing projects should opportunistically build abuse-cases for established functionality where practical.
</pre>

Open SAMM source: [[SAMM_-_Threat_Assessment_-_2|Threat Assessment Level 2 Actvity A]]

Another way to achieve the building of the list can be the following (more ground and collaborative oriented):

Make a workshop that includes people with the following profiles:
* '''Business analyst''': Will be the business key people that will describe each feature from a business point of view.
* '''Risk analyst''': Will be the company's risk personnel that will evaluate the business risk from a proposed attack (sometimes it is the '''Business analyst''' depending on the company).
* '''Offsensive guy (Pentester or Application Security guy with offensive mindset)''': Will be the ''attacker'' that will propose all attacks that he can perform on the business feature that will be presented to him. If the company does not have this profile then it is possible to ask an intervention of an external specialist (Pentester or AppSec consultant from a security firm). If possible, include 2 offensives guys (ex: 1 Pentester + 1 AppSec) in order to increase the number of possible attacks that will be identified and considered.
* '''Technical leaders of the projects''': Will be the project technical people and will allow technical exchange about attacks and countermeasures identified during the workshop.
* '''Quality assurance analyst or functional tester''': Personnel that may have a good sense of how the application/functionality is intended to work (positive testing) and what things cause it to fail (failure cases).

During this workshop (duration will depend on the size of the feature list, but 4 hours is a good start) all business features that will be part of the project or the sprint will be processed. The output of the workshop will be a list of attacks (abuse cases) for all business features. All abuse cases will have a risk rating that will allow for filtering and prioritization.

It is important to take in account '''Technical''' and '''Business''' kind of abuse cases and mark them accordingly.

''Example:''

* Technical flagged abuse case: Add Cross Site Scripting injection into a comment input field.
* Business flagged abuse case: Ability to modify arbitrary the price of an article in a online shop prior to pass an order causing the user to pay a lower amount for the wanted article.

== When to define the list of Abuse Cases? ==

On agile project, the definition workshop must be made after the meeting in which User Stories are associated to a Sprint.

On waterfall project, the definition workshop must be made when business feature to implements are identified and known by the business.

Whatever the mode of project used (agile or waterfall), the abuse cases selected to be addressed must become security requirements in each feature specification section (waterfall) or User Story acceptance criteria (agile) in order to allow additional cost/effort evaluation, identification and implementation of the countermeasures.

Each abuse case must have a unique identifier in order to allow tracking of its handling in the whole project/sprint, details about this point will be given in the proposal section.

An example of unique ID can be '''ABUSE_CASE_001'''.

The following schema provide an overview of the chaining of the different steps involved (from left to right):

[[File:ABUSE_CASE_CS_CHAINING_SCHEMA.png|center]]

= Proposal =

The proposal will use the workshop explained in previous section and will focus on the output of the workshop.

== Step 1: Preparation of the workshop ==

First, even if it seems obvious, the key business people must be sure to know, understand and be able to explain the business features that will be processed during the workshop.

Secondly, create a new Microsoft Excel file (you can also use Google Sheets or any other similar software) with the following sheets (or tabs):
* '''FEATURES'''
** Will contain a table with the list of business features planned for the workshop.
* '''ABUSE CASES'''
** Will contain a table with all abuse cases identified during the workshop.
* '''COUNTERMEASURES'''
** Will contain a table with the list of countermeasure possible (light description) imagined for the abuse cases identified.
** This sheet is not mandatory but it can be useful to know if, for an abuse case, a fix is easy to implement and then can impact the risk rating.
** Countermeasure can be identified by the AppSec profile guy during the workshop because an AppSec guy must be able to perform attacks but also to build or identify defenses (it is not always the case for the Pentester profile guy because this profile generally focus on attack side only, so, the combination Pentester + AppSec is very efficient to have a 360 degree view).

This is the representation of each sheet along with a example of content that will be filled during the workshop:

''FEATURES'' sheet:

{| class="wikitable"
! style="text-align: center; font-weight:bold;" | Feature unique ID
! style="text-align: center; font-weight:bold;" | Feature name
! style="text-align: center; font-weight:bold;" | Feature short description
|-
| FEATURE_001
| DocumentUploadFeature
| Allow user to upload document along a message
|}

''COUNTERMEASURES'' sheet:

{| class="wikitable"
! style="text-align: center; font-weight:bold;" | Countermeasure unique ID
! style="text-align: center; font-weight:bold;" | Countermeasure short description
! style="text-align: center; font-weight:bold;" | Countermeasure help/hint
|-
| DEFENSE_001
| Validate the uploaded file by loading it into a parser
| Use advice from the OWASP Cheat Sheet about file upload
|}

''ABUSE CASES'' sheet:

{| class="wikitable"
! style="text-align: center; font-weight:bold;" | Abuse case unique ID
! style="text-align: center; font-weight:bold;" | Feature ID impacted
! style="text-align: center; font-weight:bold;" | Abuse case's attack description
! style="text-align: center; font-weight:bold;" | Attack referential ID (if applicable)
! style="text-align: center; font-weight:bold;" | CVSS V3 risk rating (score)
! style="text-align: center; font-weight:bold;" | CVSS V3 string
! style="text-align: center; font-weight:bold;" | Kind of abuse case
! style="text-align: center; font-weight:bold;" | Countermeasure ID applicable
! style="text-align: center; font-weight:bold;" | Handling decision (To Address or Risk Accepted)
|-
| ABUSE_CASE_001
| FEATURE_001
| Upload Office file with malicious macro in charge of dropping a malware
| CAPEC-17
| HIGH (7.7)
| CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H
| Technical
| DEFENSE_001
| To Address
|}

== Step 2: During the workshop ==

Use the spreadsheet to review all the features.

For each feature, follow this flow:
# Key business people explain the current feature from a business point of view.
# Offensive guys propose and explain a set of attacks that they can perform against the feature.
# For each attack proposed:
## Appsec guys propose a countermeasure and a preferred set up location (infrastructure, network, code, design...).
## Technical people give feedback about the feasibility of the proposed countermeasure.
## Offsensive guy use the CVSS v3 (or other standard) calculator to determine a risk rating. (ex: https://www.first.org/cvss/calculator/3.0 )
## Risk key people accept/increase/decrease the rating to have final one that match the real business impact for the company.
# Business, Risk and Technical key peoples find a consensus and filter the list of abuses for the current feature to keep ones that must be addressed and flag them accordingly in the ''ABUSE CASES'' sheet ('''if risk is accepted then add a comment to explain why''').
# Pass to next feature...

If the presence of offensive guys is not possible then you can use the following references to identify the applicable attacks on your features:
* '''OWASP Automated Threats to Web Applications''': https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
* '''OWASP Testing Guide''': https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
* '''OWASP Mobile Testing Guide''': https://github.com/OWASP/owasp-mstg
* '''Common Attack Pattern Enumeration and Classification (CAPEC)''': https://capec.mitre.org/

Important note on attacks and countermeasure knowledge base(s):
<pre>
With the time and across projects, you will obtain your own dictionary of attacks and countermeasures that are applicable to the kind of application in your business domain.
This dictionary will speed up the future workshops in a significant way.
To promote the creation of this dictionary, you can, at the end of the project/sprint, gather the list of attacks and countermeasures identified in a central location (wiki, database, file...) that will be used during the next workshop in combination with the input of the offensive guys.</pre>

== Step 3: After the workshop ==

The spreadsheet contains (at this stage) the list of all abuse cases that must be handled and, potentially (depending on the capacity) corresponding countermeasures.

Now, there 2 remaining task:
# Key business people must update the specification of each feature (waterfall) or the User Story of each feature (agile) to include the associated abuse cases as Security Requirements (waterfall) or Acceptance Criteria (agile).
# Key technical people must evaluate the overhead in terms of charge/effort to take into account the countermeasure.

== Step 4: During implementation - Abuse cases handling tracking ==

In order to track the handling of all the abuse cases, the following approach can be used:

If one or several abuse cases are handled at:
* '''Design, Infrastructure or Network level'''
** Put a marker in the documentation or schema to indicate that ''This design/network/infrastructure take into account the abuse cases ABUSE_CASE_001, ABUSE_CASE_002, ABUSE_CASE_xxx''.
* '''Code level'''
** Put a special comment in the classes/scripts/modules to indicate that ''This class/module/script take into account the abuse cases ABUSE_CASE_001, ABUSE_CASE_002, ABUSE_CASE_xxx''.
** Dedicated annotation like <code>@AbuseCase(ids={"ABUSE_CASE_001","ABUSE_CASE_002"})</code> can be used to facilitate tracking and allow identification into integrated development environment.

Using this way, it becomes possible (via some minor scripting) to identify where the the abuse cases are addressed.

== Step 5: During implementation - Abuse cases handling validation ==

As abuse cases are defined, it is possible to put in place automated or manual validations to ensure that:
* All the selected abuse cases are handled.
* An abuse case is correctly/completely handled.

Validations can be of the following kinds:

* Automated (run regularly at commit, daily or weekly in the Continuous Integration Jobs of the project):
** Custom audit rules in Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST) tools.
** Dedicated unit, integration or functional security oriented tests.
** ...
* Manual:
** Security code review between project's peers during the design or implementation.
** Provide the list of all abuse cases addressed to pentesters in order that they valid the protection efficiency for each abuse case during an intrusion test against the application (pentester will validate that the attacks identified are no longer effective and will also try to find other possible attacks).
** ...

Add automated tests also allow teams to track that countermeasures against the abuse cases are still effective/in place during maintenance or bug fixing phase of a project (prevent accidental removal/disabling). It is also useful when Continuous Delivery approach is used (https://continuousdelivery.com/) to ensure that all abuse cases protections are in place before opening access to the application.

= Sources of the schemas =

All schemas were created using https://www.draw.io/ site and exported (as PNG image) for integration into this article.

All XML descriptor files for each schema are available below (using XML description, modification of the schema is possible using DRAW.IO site):

[[Media:ABUSE_CASE_CS_SCHEMA.zip|Schemas descriptors archive]]

= Authors and Primary Editors =

Author: Dominique Righetto - dominique.righetto@owasp.org <br>
Editors: https://www.owasp.org/index.php?title=Abuse_Case_Cheat_Sheet&action=history

= Other Cheatsheets =

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]

Abuse Case Cheat Sheet

2018-09-25T18:14:08Z

Rick.mitchell: Minor changes from the start up to the "Proposition" section. Added QA/Functional tester to team.

__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

__TOC__{{TOC hidden}}

= Introduction =

Often when the security level of an application is mentioned in requirements, the following ''expressions'' are meet:
* ''The application must be secure''.
* ''The application must defend against all attacks targeting this category of application''.
* ''The application must defend against attacks from the OWASP TOP 10''
* ...

These security requirements are too generic and useless for a development team...

To build a secure application, from an pragmatic point of view, it is important to identify the attacks which the application must defend against according to its business and technical context.

= Objective =

The objective of this cheat sheet is to provide a explanation about what an '''Abuse Case''' is, why abuse cases are important when considering the security of an application and, finally, to provide a proposal for a pragmatic approach to built a list of abuse cases and track them for every feature planned to be implemented as part of an application whatever project mode used (waterfall or agile).

'''Important note about this Cheat Sheet:'''
<pre>
The main objective is to provide a pragmatic approach in order to allow a company or a project team to start building and handling the list of abuse cases and then customize the elements proposed to its context/culture in order to, finally, build its own method.

This cheat sheet can be seen like a getting started tutorial.</pre>

= Context & approach =

== Why clearly identify the attacks? ==

Clearly identifying the attacks against which the application must defend is essential in order to enable the following steps in a project or sprint:
* Evaluate the business risk for each of the identified attacks in order perform a selection according to the business risk and the project/sprint budget.
* Derive security requirements and add them into the project specification or sprint's user stories acceptance criteria.
* Estimate the overhead to provision in the initial project/sprint charge that will be necessary to implement the countermeasures.
* About countermeasures: Allow the project team to define them and in which location they are appropriate (network, infrastructure, code...) to be positioned.

== Notion of Abuse Case ==

In order to help build the list of attacks, the notion of '''Abuse Case''' exists.

An '''Abuse Case''' can be defined as:

<pre>A way to use a feature that was not expected by the implementer, allowing an attacker to influence the feature or outcome of use of the feature based on the attacker action (or input).</pre>

Synopsys define an '''Abuse Case'' like this:

<pre>Misuse and abuse cases describe how users misuse or exploit the weaknesses of controls in software features to attack an application.
This can lead to tangible business impact when a direct attack against business functionalities, which may bring in revenue or provide positive user experience, are attacked.
Abuse cases can also be an effective way to drive security requirements that lead to proper protection of these critical business use cases.</pre>

Synopsys source: https://www.synopsys.com/blogs/software-security/abuse-cases-can-drive-security-requirements/

Another definition of Abuse Case by Cigital: https://cigital.com/papers/download/misuse-bp.pdf

== How to define the list of Abuse Cases? ==

There are many different ways to define the list of abuse cases for a feature (that can be mapped to a user story in agile mode).

The project [[OWASP_SAMM_Project|OWASP Open SAMM]] proposes the following approach in the ''Activity A'' of the Security Practice ''Threat Assessment'' for the Maturity level 2:

<pre>
Further considering the threats to the organization, conduct a more formal analysis to determine potential misuse or abuse of functionality. Typically, this process begins with identification of normal usage scenarios, e.g. use-case diagrams if available.

If a formal abuse-case technique isn’t used, generate a set of abuse-cases for each scenario by starting with a statement of normal usage and brainstorming ways in which the statement might be negated, in whole or in part. The simplest way to get started is to insert the word “no” or “not” into the usage statement in as many ways as possible, typically around nouns and verbs. Each usage scenario should generate several possible abuse-case statements.

Further elaborate the abuse-case statements to include any application-specific concerns based on the business function of the software. The ultimate goal is for the completed set of abuse statements to form a model for usage patterns that should be disallowed by the software. If desired, these abuse cases can be combined with existing threat models.

After initial creation, abuse-case models should be updated for active projects during the design phase. For existing projects, new requirements should be analyzed for potential abuse, and existing projects should opportunistically build abuse-cases for established functionality where practical.
</pre>

Open SAMM source: [[SAMM_-_Threat_Assessment_-_2|Threat Assessment Level 2 Actvity A]]

Another way to achieve the building of the list can be the following (more ground and collaborative oriented):

Make a workshop that includes people with the following profiles:
* '''Business analyst''': Will be the business key people that will describe each feature from a business point of view.
* '''Risk analyst''': Will be the company's risk personnel that will evaluate the business risk from a proposed attack (sometimes it is the '''Business analyst''' depending on the company).
* '''Offsensive guy (Pentester or Application Security guy with offensive mindset)''': Will be the ''attacker'' that will propose all attacks that he can perform on the business feature that will be presented to him. If the company does not have this profile then it is possible to ask an intervention of an external specialist (Pentester or AppSec consultant from a security firm). If possible, include 2 offensives guys (ex: 1 Pentester + 1 AppSec) in order to increase the number of possible attacks that will be identified and considered.
* '''Technical leaders of the projects''': Will be the project technical people and will allow technical exchange about attacks and countermeasures identified during the workshop.
* '''Quality assurance analyst or functional tester''': Personnel that may have a good sense of how the application/functionality is intended to work (positive testing) and what things cause it to fail (failure cases).

During this workshop (duration will depend on the size of the feature list, but 4 hours is a good start) all business features that will be part of the project or the sprint will be processed. The output of the workshop will be a list of attacks (abuse cases) for all business features. All abuse cases will have a risk rating that will allow for filtering and prioritization.

It is important to take in account '''Technical''' and '''Business''' kind of abuse cases and mark them accordingly.

''Example:''

* Technical flagged abuse case: Add Cross Site Scripting injection into a comment input field.
* Business flagged abuse case: Ability to modify arbitrary the price of an article in a online shop prior to pass an order causing the user to pay a lower amount for the wanted article.

== When to define the list of Abuse Cases? ==

On agile project, the definition workshop must be made after the meeting in which User Stories are associated to a Sprint.

On waterfall project, the definition workshop must be made when business feature to implements are identified and known by the business.

Whatever the mode of project used (agile or waterfall), the abuse cases selected to be addressed must become security requirements in each feature specification section (waterfall) or User Story acceptance criteria (agile) in order to allow additional cost/effort evaluation, identification and implementation of the countermeasures.

Each abuse case must have a unique identifier in order to allow tracking of its handling in the whole project/sprint, details about this point will be given in the proposal section.

An example of unique ID can be '''ABUSE_CASE_001'''.

The following schema provide an overview of the chaining of the different steps involved (from left to right):

[[File:ABUSE_CASE_CS_CHAINING_SCHEMA.png|center]]

= Proposition =

The proposal will use the workshop explained in previous section and will focus on the output of the workshop.

== Step 1: Preparation of the workshop ==

First, even if it is obvious, the business key people must be sure to know, understand and be able to explain the business features that will be processed during the workshop.

Secondly, create a new Microsoft Excel file (you can also use Google Sheet or any other similar software) with the following sheets:
* '''FEATURES'''
** Will contains a table with the list of business features planned for the workshop.
* '''ABUSE CASES'''
** Will contains a table with all identified abuse cases during the workshop.
* '''COUNTERMEASURES'''
** Will contains a table with the list of countermeasure possibles (light description) imagined for the abuse cases identified.
** This sheet is not mandatory but it can be usefull to know if, for an abuse case, a fix is easy to implements and then can impact the risk rating.
** Countermeasure can be identified by the AppSec profile guy during the workshop because an AppSec guy must be able to perform attacks but also to build defenses (it is not always the case for the Pentester profile guy because this profile generally focus on attack side only, so, the combination Pentester + AppSec is very efficient to have a 360 degree view).

This is the representation of each sheets along a example of content that will be filled during the workshop:

''FEATURES'' sheet:

{| class="wikitable"
! style="text-align: center; font-weight:bold;" | Feature unique ID
! style="text-align: center; font-weight:bold;" | Feature name
! style="text-align: center; font-weight:bold;" | Feature short description
|-
| FEATURE_001
| DocumentUploadFeature
| Allow user to upload document along a message
|}

''COUNTERMEASURES'' sheet:

{| class="wikitable"
! style="text-align: center; font-weight:bold;" | Countermeasure unique ID
! style="text-align: center; font-weight:bold;" | Countermeasure short description
! style="text-align: center; font-weight:bold;" | Countermeasure help/hint
|-
| DEFENSE_001
| Validate the uploaded file by loading it into a parser
| Use advice from the OWASP Cheat Sheet about file upload
|}

''ABUSE CASES'' sheet:

{| class="wikitable"
! style="text-align: center; font-weight:bold;" | Abuse case unique ID
! style="text-align: center; font-weight:bold;" | Feature ID impacted
! style="text-align: center; font-weight:bold;" | Abuse case's attack description
! style="text-align: center; font-weight:bold;" | Attack referential ID (if applicable)
! style="text-align: center; font-weight:bold;" | CVSS V3 risk rating (score)
! style="text-align: center; font-weight:bold;" | CVSS V3 string
! style="text-align: center; font-weight:bold;" | Kind of abuse case
! style="text-align: center; font-weight:bold;" | Countermeasure ID applicable
! style="text-align: center; font-weight:bold;" | Handling decision (To Address or Risk Accepted)
|-
| ABUSE_CASE_001
| FEATURE_001
| Upload Office file with malicious macro in charge of dropping a malware
| CAPEC-17
| HIGH (7.7)
| CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H
| Technical
| DEFENSE_001
| To Address
|}

== Step 2: During the workshop ==

Use the Excel file to review all the features.

For each feature, follow this flow:
# Business key people explain the current feature from a business point of view.
# Offensive guys propose and explain a set of attacks that they can perform against the feature.
# For each attacks proposed:
## Offensive guys propose a countermeasure and a preferred set up location (infrastructure, network, code, design...).
## Technical key peoples of the project give feedback about the feasability of the proposed countermeasure.
## Offsensive guy use the CVSS v3 calculator to determine a risk rating: https://www.first.org/cvss/calculator/3.0
## Risk key people accept/increase/decrease the rating to have final one that match the real business impact for the company.
# Business, Risk and Technical key peoples find a consensus and filter the list of abuses for the current feature to keep ones that must be addressed and flag them accordingly in the ''ABUSE CASES'' sheet ('''if risk is accepted then add a comment to explain why''').
# Pass to next feature...

If the presence of offensive guys is not possible then you can use the following referential/guide of attacks to identify the applicable attacks on your features:
* '''OWASP Automated Threats to Web Applications''': https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
* '''OWASP Testing Guide''': https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
* '''OWASP Mobile Testing Guide''': https://github.com/OWASP/owasp-mstg
* '''Common Attack Pattern Enumeration and Classification (CAPEC)''': https://capec.mitre.org/

Important note on attacks and countermeasure knowledge base:
<pre>
With the time and accross projects, you will obtains your own dictionary of attacks and countermeasures that are applicable to the kind of application of your business domain.
This dictionary will speed up the further workshops in a significant way.
To promote the creation of this dictionary, you can, at the end of the project/sprint, gather the list of attacks and countermeasures identified in a central location (wiki, database, file...) that will be used during the next workshop in combination with the input of the offensive guys.</pre>

== Step 3: After the workshop ==

The Excel file contain, at this stage, the list of all abuse cases that must be handled and, potentially how, depending on the capacity to found countermeasures.

Now, there 2 remaining task:
# Business key people must update specification of each feature (waterfall) or the User Story of each feature (agile) to include the associated abuse cases as Security Requirements (waterfall) or Acceptance Criterias (agile).
# Technical key peoples must evaluate the overhead in terms of charge/effort to take in account the countermeasure.

== Step 4: During implementation - Abuse cases handling tracking ==

In order to track the handling of all the abuse cases keep in the selection, the following approach can be used:

If one or several abuse cases are handled at:
* '''Design, Infrastructure or Network level'''
** Put a marker in the documentation or schema to indicate that ''This design/network/infrastructure take in account the abuse cases ABUSE_CASE_001, ABUSE_CASE_002, ABUSE_CASE_xxx''.
* '''Code level'''
** Put a special comment in the classes/scripts/modules to indicate that ''This class/module/script take in account the abuse cases ABUSE_CASE_001, ABUSE_CASE_002, ABUSE_CASE_xxx''.
** Dedicated annotation like <code>@AbuseCase(ids={"ABUSE_CASE_001","ABUSE_CASE_002"})</code> can be used to faciliate tracking and allow identification into integrated developement environment.

Using this way, it become possible (via some minor scripting) to identify where the the abuse cases are addressed.

== Step 5: During implementation - Abuse cases handling validation ==

As abuse cases are defined, it is possible to put in place automated or manual validations to ensure that:
* All the selected abuse cases are handled.
* A abuse case is correctly handled.

Validations can be of the following kinds:

* Automated (run regularly at commit, daily or weekly in the Continous Integration Jobs of the project):
** Custom audit rules in Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST) tools.
** Dedicated unit, integration or functional security oriented tests.
** ...
* Manual:
** Security code review between project's peer during the design or the implementation.
** Provide the list of all abuse cases addressed to pentesters in order that they valid the protection efficiency for each abuse case during an intrusion test against the application (pentester will validate that the attacks identified are not longer effective and will also try to find another possible attacks).
** ...

Add automated tests allow also to track that countermeasures against the abuse cases are still effective/in place during maintenance or bug fixing phase of a project (prevent accidental removal/disabling). It is also usefull when Continuous Delivery approach is used (https://continuousdelivery.com/) in to ensure that all abuse cases protections are in place before to open expected access to the application.

= Sources of the schemas =

All schemas has been created using https://www.draw.io/ site and exported, as PNG image, for being integrated into this article.

All XML descriptors files for each schema are available below (using XML description, modification of the schema is possible using DRAW.IO site):

[[Media:ABUSE_CASE_CS_SCHEMA.zip|Schemas descriptors archive]]

= Authors and Primary Editors =

Dominique Righetto - dominique.righetto@owasp.org

= Other Cheatsheets =

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]

OWASP Project Reviews 2018

2018-06-13T12:10:41Z

Rick.mitchell: Minor tweak

=== '''<u>[[Project Reviews Guideline|Overview of Project Reviews:]]</u>''' ===
OWASP is reviewing projects who wish to graduate from Incubator to Lab to Flagship. The purpose of this assessment is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document. The review process begins with an initial self-assessment done by the project leader and reviewed by Harold Blankenship. Next, the assessment enters the peer review phase where we ask volunteers in our OWASP Community to participate and finalize the results. I have included a [https://docs.google.com/document/d/1NQSHshTxK1AWTkD4WgYluxSafgO-XGDHZnwE9Qvt7TE/edit '''Sample of a Project Assessmen'''t] for your review and consideration.

'''OWASP Project Reviews @ APPSEC USA 2018'''
* Harold Blankenship (Director of Projects and Technology)

'''OWASP Volunteers:'''

We need volunteers for the AppSec EU 2018 Reviews. Please contact [mailto://project-reviews@owasp.org the Project Review team] to volunteer

'''Description of Scope of Work:'''

'''Lab to Flagship Status'''

OWASP Juiceshop Project

OWASP DefectDojo Project

'''Incubator to Lab Status'''

OWASP Glue Tool Project

=== '''<u>OWASP Project Health Checks:</u>''' ===
'''Review Forms:''' [https://docs.google.com/a/owasp.org/document/d/1jUXt9M9u9Kq1JLaDSdbh6s0p5G_EqFSoaKpzDRures4/edit?usp=sharing Code Health Check] [https://docs.google.com/a/owasp.org/document/d/1aDdcBm3v-DMraVKmsBiNA4YzBmlGFLvOddj5nvPd--Q/edit?usp=sharing Tool Health Check] [https://docs.google.com/a/owasp.org/document/d/17kJlpupi2nmKKRMMBpxgyj1JWxvt23iT8fWULm4SW6k/edit?usp=sharing Documentation Health Check]

'''Lab Projects:'''

[[OWASP Hackademic Challenges Project|OWASP Hackademic Challenges Project]]

[[OWASP Mantra - Security Framework|OWASP Mantra Security Framwork]]

[[:Category:OWASP Security Ninjas AppSec Training Program|OWASP Security Ninjas AppSec Training Program]]

OWASP Security Knowledge Framework Project

'''Lab Documentation Projects:'''

[[OWASP Application Security Guide For CISOs Project|OWASP Application Security Guide for Cisos Project]]

[[OWASP CISO Survey|OWASP Cisco Survey]]

'''Incubator Projects'''

Graduation Project: OWASP Mobile Security Testing Guide Project

https://www.owasp.org/index.php/OWASP_Secure_Headers_Project - Response on needed on request to get an external host

https://www.owasp.org/index.php/OWASP_WASC_Distributed_Web_Honeypots_Project - No updates since 2015

https://www.owasp.org/index.php/OWASP_Faux_Bank_Project - No updates since 2015

https://www.owasp.org/index.php/OWASP_Droid10_Project - No updates since March 15

https://www.owasp.org/index.php/OWASP_WAP-Web_Application_Protection - no updates since 2015 and no repository still in salesforge

https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project - No updates since 2015 still using salesforge

https://www.owasp.org/index.php/OWASP_WebSpa_Project - no updates since March 2015 last update in salesforge 2/21/2016

https://www.owasp.org/index.php/OWASP_Rainbow_Maker_Project - Last release 12/11/2015 and no updates since May 2015

https://www.owasp.org/index.php/Category:OWASP_.NET_Project - No updates March 23, 2016

https://www.owasp.org/index.php/OWASP_WASC_Web_Hacking_Incidents_Database_Project - no updated since March 12, 2015

https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project - no updates since january 2015

https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide#tab=Main - No updates since April 2016 - no updates to guide

https://www.owasp.org/index.php/OWASP_RFP-Criteria - no updates since March 2016

https://www.owasp.org/index.php/Category:OWASP_Top_10_fuer_Entwickler - no real updates on news since 2013 some updates to the wiki

Talk:Individual Member

2018-05-01T11:51:39Z

Rick.mitchell: Added comment

The LinkedIn Group link is broken...404. [[User:Rick.mitchell|Rick.mitchell]] ([[User talk:Rick.mitchell|talk]]) 06:51, 1 May 2018 (CDT)

ZAPpingTheTop10

2018-04-26T19:53:07Z

Rick.mitchell: Grammar tweak

= ZAPping the OWASP Top 10 =

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2017 risks.</p>

<p>''A complete mapping for the 2013 edition of the OWASP Top 10 can be found [https://www.owasp.org/index.php/ZAPpingTheTop10-2013 here].''</p>

<p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p>
<p>A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A2-Broken_Authentication | A2 Broken Authentication]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control Testing]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A3-Sensitive_Data_Exposure | A3 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A4-XML_External_Entities_(XXE) | A4 XML External Entities (XXE)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> Active scan rules [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A5-Broken_Access_Control | A5 Broken Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A6-Security_Misconfiguration | A6 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10-2017_A7-Cross-Site_Scripting_(XSS) | A7 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A8-Insecure_Deserialization | A8 Insecure Deserialization]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> There are two outstanding issues that are relevant to this Top 10 entry: [https://github.com/zaproxy/zaproxy/issues/4112 Insecure deserialization active scanner] & [https://github.com/zaproxy/zaproxy/issues/4509 Java Serialization Handling]</td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A10-Insufficient_Logging%26Monitoring | A10 Insufficient Logging & Monitoring]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated / Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> The Spider(s), Active Scanner, Fuzzer, and Access Control addon can all be used to generate traffic and "attacks" which are potential sources/causes for logging and alerting. </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

ZAPpingTheTop10

2018-04-26T19:51:19Z

Rick.mitchell: Lead-in adjustment

= ZAPping the OWASP Top 10 =

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2017 risks.</p>

<p>''A complete mapping for the 2013 edition of the OWASP Top 10 can be found [https://www.owasp.org/index.php/ZAPpingTheTop10-2013 here].''</p>

<p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p>
<p>A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A2-Broken_Authentication | A2 Broken Authentication]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control Testing]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A3-Sensitive_Data_Exposure | A3 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A4-XML_External_Entities_(XXE) | A4 XML External Entities (XXE)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> Active scan rules [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A5-Broken_Access_Control | A5 Broken Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A6-Security_Misconfiguration | A6 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10-2017_A7-Cross-Site_Scripting_(XSS) | A7 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A8-Insecure_Deserialization | A8 Insecure Deserialization]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> There are currently two outstanding issue that are relevant to this Top 10 entry: [https://github.com/zaproxy/zaproxy/issues/4112 Insecure deserialization active scanner] & [https://github.com/zaproxy/zaproxy/issues/4509 Java Serialization Handling]</td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A10-Insufficient_Logging%26Monitoring | A10 Insufficient Logging & Monitoring]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated / Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> The Spider(s), Active Scanner, Fuzzer, and Access Control addon can all be used to generate traffic and "attacks" which are potential sources/causes for logging and alerting. </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

ZAPpingTheTop10

2018-04-26T19:49:36Z

Rick.mitchell: Added A10 and A8 details.

= ZAPping the OWASP Top 10 =

'''''This content is currently a work in progress (as of Dec-2017)''''', complete mapping for the 2013 edition of the OWASP Top 10 can be found [https://www.owasp.org/index.php/ZAPpingTheTop10-2013 here].

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2017 risks.

</p><p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p>
<p>A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A2-Broken_Authentication | A2 Broken Authentication]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control Testing]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A3-Sensitive_Data_Exposure | A3 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A4-XML_External_Entities_(XXE) | A4 XML External Entities (XXE)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> Active scan rules [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A5-Broken_Access_Control | A5 Broken Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A6-Security_Misconfiguration | A6 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10-2017_A7-Cross-Site_Scripting_(XSS) | A7 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A8-Insecure_Deserialization | A8 Insecure Deserialization]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> There are currently two outstanding issue that are relevant to this Top 10 entry: [https://github.com/zaproxy/zaproxy/issues/4112 Insecure deserialization active scanner] & [https://github.com/zaproxy/zaproxy/issues/4509 Java Serialization Handling]</td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A10-Insufficient_Logging%26Monitoring | A10 Insufficient Logging & Monitoring]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated / Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> The Spider(s), Active Scanner, Fuzzer, and Access Control addon can all be used to generate traffic and "attacks" which are potential sources/causes for logging and alerting. </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

OWASP Zed Attack Proxy Project

2018-04-17T17:09:58Z

Rick.mitchell:

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

====ZAP 2.7.0 is now available!====

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

For a quick overview of ZAP and an introduction to the [https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin official ZAP Jenkins plugin] see these tutorial videos on YouTube:

{|
|-
{{#ev:youtube|eH0RBI0nmww}} 
{{#ev:youtube|mmHZLSffCUg}}
|}

For more videos see the links on the [https://github.com/zaproxy/zaproxy/wiki/Videos wiki videos page].

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

{{#widget:PayPal Donation
|target=_blank
|budget=Zed Attack Proxy
}}

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2016 [http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| style="padding-left:25px;width:200px;" valign="top" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== Donate to OWASP ==
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">{{#widget:PayPal Donation
|target=_blank
|budget=Other (Website Donation) }}</div>

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br />[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

Co-Project Leaders<br />[https://www.owasp.org/index.php/User:Ricardo.Pereira Ricardo Pereira] [mailto:ricardo.pereira@owasp.org @]

[https://www.owasp.org/index.php/User:Rick.mitchell Rick Mitchell] [mailto:rick.mitchell+wiki@owasp.org @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Ohloh ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| width="50%" valign="center" align="center" | [[File:Owasp-builders-small.png|link=]]
|
|-
| width="50%" valign="center" align="center" | [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png|||400px|ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

Stickers can be purchased from [https://www.stickermule.com/uk/user/1070684077/stickers Stickermule]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (using a [https://www.ej-technologies.com/products/install4j/overview.html multi-platform installer builder])
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.6.0==
ZAP 2.6.0 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0

==Release 2.7.0==
ZAP 2.7.0 has been released (Nov 2017), this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_7_0

It requires Java 8 (minimum) and supports Selenium 3.

==Release 2.8.0==
ZAP 2.8.0 does not yet have a planned release date, but is likely to be around the beginning of 2018 or (more likely) the middle of 2018.
</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]
[[Category:Flagship Projects|Zap]]
[[Category:OWASP Zed Attack Proxy|Zap]]

GSOC2018 Ideas

2018-03-19T13:54:18Z

Rick.mitchell: /* Backslash Powered Scanner */

'''OWASP Foundation has been selected as an organization to be part of the GOOGLE SUMMER CODE 2018'''

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.
===Active Scanning WebSockets===
:'''Brief Explanation:'''
:
:ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.
:
:We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.
:
:'''Expected Results:'''
:* An plugable infrastructure that allows us to active scan websockets
:* Converting the relevant existing scan rules to work with websockets
:* Implementing new websocket specific scan rules
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== React Handling ===
:'''Brief Explanation:'''
:
:ZAP doesnt understand React applications as well as it should be able to.
:
:It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.
:
:'''Expected Results:'''
:* ZAP able to explore React applications more effectively
:* ZAP able to attack React applications more effectively
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Backslash Powered Scanner ===
:'''Brief Explanation:'''
:
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)
:
:''' Expected Results '''
:* Extend ZAP's active scanner to leverage Backslash type scanning. (Including adapting some of the existing scan rules to leverage the new component.)
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:: '''Note''' This issue was previously undertaken, however, only partial progress was made. The [https://github.com/zaproxy/zap-extensions/pull/1014 Pull Request] is still open and can be built upon. The 2018 effort needs to ensure the code builds and is successfully put to use in some of the existing scan rules and unit tests.
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be very useful.
:
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Automated authentication detection and configuration ===
:'''Brief Explanation:'''
:
:Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki>
:
:This is time consuming and error prone.
:
:Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.
:
:'''Expected Results:'''
:* Detect login and registration pages
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
:'''Brief Explanation:'''
:
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.
:
:A standardized text representation and parser would be very useful and help its adoption.
:
:'''Expected Results:'''
:* A documented definition of a text representation for Zest
:* A parser that converts the text representation into a working Zest script
:* An option in the Zest java implementation to output Zest scripts text format
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Develop Bamboo Addon ===
:'''Brief Explanation:'''
:
:It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]
:
:For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].
:
:'''Expected Results:'''
:
:A Bamboo addon that supports:
:* Spidering (using the traditional and Ajax spiders)
:* Active Scanning
:* Authentication
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
:'''Brief Explanation:'''
:
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.
:
:'''Expected Results:'''
:* A new feature that makes ZAP even better
:* Code that conforms to our Development Rules and Guidelines
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2018 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Frontend Technology Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target client-architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, testing and building

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== UI/Graphics Design Update ===

'''Brief Explanation:'''

The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.

'''Expected Results:'''
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons
* <del>Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop</del> ([https://github.com/bkimminich/juice-shop/issues/315 #315] in progress)
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way

''' Getting started: '''
* Get familiar with the existing HTML views and CSS of the frontend
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites

'''Knowledge Prerequisites:'''
* Strong web and graphic design experience
* Sophisticated HTML and CSS experience

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

==OWASP Security Knowledge Framework - Chatbot machine learning feature==

=== Brief Explanation ===
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.

The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.

The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.

=== Expected Results ===
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.
# A Chatbot (using existing frameworks) to:
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.
## Based on enriched query fetch relevant information from knowledge base and return.
# An integration to some chat system like Gitter.im, IRC, Slack etc.

=== Knowledge Prerequisites ===
* Programming languages:
** OWASP-SKF API is build in Python 3.6/3.7
** OWASP-SKF Frontend is build with Angular 4 TS
* Machine learning enthusiastic/interest

=== Proposal from student ===
* We want to ask from the student to write a proposal on how to approach the problem we described.
'''Mentors''':

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]

==OWASP Nettacker==
===Brief Explanation===
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.

if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).

===Getting started===

* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.

'''A Better Penetration Testing Automated Framework'''

===Expected Results===
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.

===Knowledge Prerequisites===

* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.
* Good knowledge of computer security (and penetration testing)
* Knowledge of OS (Linux, Windows, Mac...) and Services
* Familiar with IDS/IPS/Firewalls and ...
* To develop the API you should be familiar with HTTP, Database...

===Mentors===
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.
===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP CSRF Protector ==
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form.
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===
'''Brief explanation:'''

The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.

Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;

The goal of this project would be to:
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues]
'''Expected results:'''
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)

'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]
== OWASP BLT (Bug Logging Tool) ==
===Brief Explanation:===

BLT lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

Check OWASP WIKI PAGE [https://www.owasp.org/index.php/OWASP_Bug_Logging_Tool] for some reference;

===Expected Results:===
* Fuse app to allow easy bug reporting from phone.
* BUG cryptocurrency rewarded for each bug reported - requires a way to verify bugs are valid and not duplicates
* Allow for companies to do private (paid) bug bounties
* allow for bug reporting via email
* build a referral program
* integrate an idea / suggestion feature

===Knowledge Prerequisite:===
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. Fusetools will be used for the app and C++ (Bitcoin based) or Ethereum will be used for the cryptocurrency part.

===Proposals from student:===
* Proposal on new features
* Recommendations on how to use social applications to promote OWASP BLT

'''Mentors:'''
* Sean Auriti [https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @]
* Sourav Badami [https://www.owasp.org/index.php/User:Souravbadami Sourav Badami] [mailto:souravbadami@gmail.com @]

==OWASP RailsGoat - 2017 OWASP Top Ten==

===Brief Explanation:===
Add support for multiple OWASP Top Ten versions, such as 2017 and 2010.
Currently RailsGoat supports only the 2013 version of OWASP Top Ten.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* A new feature that supports additional version(s) of OWASP Top Ten
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 305 [https://github.com/OWASP/railsgoat/issues/305] has more details.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
* Sri Harsha Gajavalli [mailto:sriharsha.g15@iiits.in] - OWASP RailsGoat Mentor
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, Mentor"
* John Poulin [mailto:john.m.poulin@gmail.com] - OWASP RailsGoat Mentor
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Capture-The-Flag RailsGoat Image Creation Automation==

===Brief Explanation:===
Create automation to build a Capture-The-Flag competition (CTF) image (VM, ISO, etc) which contains everything needed, such as [Operating System, Rails Stack, RailsGoat], so RailsGoat can easily be used in more Capture-The-Flag competitions.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* A new feature that automates the process of building RailsGoat CTF images.
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 306 [https://github.com/OWASP/railsgoat/issues/306] has more details.

===Knowledge Prerequisite:===
* Some background in creating VMs/ISOs would be helpful.
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
* Matt Robinson [mailto:brimstone@the.narro.ws] - OWASP RailsGoat Mentor
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Merge "Security on Rails" book's lunchedin examples into RailsGoat==

===Brief Explanation:===
Merge "Security on Rails" book's lunchedin examples into RailsGoat. Need to get permission from publisher. @jasnow got permission previously.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* More teaching RailsGoat examples based on "Security on Rails" book's lunchedin project.
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 307 [https://github.com/OWASP/railsgoat/issues/307] has more details.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security
would be useful, but not essential.

'''Mentors:'''
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Add Devise Gem Support and Vulnerabilities to RailsGoat==

===Brief Explanation:===
Add Devise Support to RailsGoat along with adding Devise-related vulnerabilities.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* Using Devise gem inside RailsGoat plus Devise-related vulnerabilities.
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 207 [https://github.com/OWASP/railsgoat/issues/207] and * Issue 243 [https://github.com/OWASP/railsgoat/issues/243] has more details.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* John Poulin [mailto:john.m.poulin@gmail.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Generic Idea==

===Brief Explanation:===
RailsGoat is a great framework for learning about OWASP Top 10 2013 using a vulnerable version of the Ruby on Rails (versions 3 to 5), as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. Feel free to check out the [Railsgoat Github site](https://github.com/OWASP/railsgoat) for more details. If you have an idea that is not on this list then don't worry, you can still submit it.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* A new feature that makes RailsGoat even better
* Code that conforms to our Development Rules and Guidelines

=== Needs: ===
* Student Developers

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:'''
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* John Poulin [mailto:john.m.poulin@gmail.com] - OWASP RailsGoat Mentor
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

GSOC2018 Ideas

2018-03-19T13:51:59Z

Rick.mitchell: /* OWASP ZAP */

'''OWASP Foundation has been selected as an organization to be part of the GOOGLE SUMMER CODE 2018'''

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.
===Active Scanning WebSockets===
:'''Brief Explanation:'''
:
:ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.
:
:We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.
:
:'''Expected Results:'''
:* An plugable infrastructure that allows us to active scan websockets
:* Converting the relevant existing scan rules to work with websockets
:* Implementing new websocket specific scan rules
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== React Handling ===
:'''Brief Explanation:'''
:
:ZAP doesnt understand React applications as well as it should be able to.
:
:It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.
:
:'''Expected Results:'''
:* ZAP able to explore React applications more effectively
:* ZAP able to attack React applications more effectively
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Backslash Powered Scanner ===
:'''Brief Explanation:'''
:
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)
:
:''' Expected Results '''
:* Extend ZAP's active scanner to leverage Backslash type scanning. (Including adapting some of the existing scan rules to leverage the new component.)
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:: '''Note''' This issue was previously undertaken, however, only partial progress was made. The [https://github.com/zaproxy/zap-extensions/pull/1014 Pull Request] is still open and can be built upon. The 2018 effort needs to ensure the code builds and is successfully put to use in some of the existing scan rules and unit tests.
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended.
:
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Automated authentication detection and configuration ===
:'''Brief Explanation:'''
:
:Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki>
:
:This is time consuming and error prone.
:
:Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.
:
:'''Expected Results:'''
:* Detect login and registration pages
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
:'''Brief Explanation:'''
:
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.
:
:A standardized text representation and parser would be very useful and help its adoption.
:
:'''Expected Results:'''
:* A documented definition of a text representation for Zest
:* A parser that converts the text representation into a working Zest script
:* An option in the Zest java implementation to output Zest scripts text format
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Develop Bamboo Addon ===
:'''Brief Explanation:'''
:
:It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]
:
:For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].
:
:'''Expected Results:'''
:
:A Bamboo addon that supports:
:* Spidering (using the traditional and Ajax spiders)
:* Active Scanning
:* Authentication
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
:'''Brief Explanation:'''
:
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.
:
:'''Expected Results:'''
:* A new feature that makes ZAP even better
:* Code that conforms to our Development Rules and Guidelines
:
:''' Getting started: '''
:
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].
:
:'''Knowledge Prerequisites:'''
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2018 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Frontend Technology Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target client-architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, testing and building

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== UI/Graphics Design Update ===

'''Brief Explanation:'''

The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.

'''Expected Results:'''
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons
* <del>Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop</del> ([https://github.com/bkimminich/juice-shop/issues/315 #315] in progress)
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way

''' Getting started: '''
* Get familiar with the existing HTML views and CSS of the frontend
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites

'''Knowledge Prerequisites:'''
* Strong web and graphic design experience
* Sophisticated HTML and CSS experience

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

==OWASP Security Knowledge Framework - Chatbot machine learning feature==

=== Brief Explanation ===
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.

The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.

The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.

=== Expected Results ===
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.
# A Chatbot (using existing frameworks) to:
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.
## Based on enriched query fetch relevant information from knowledge base and return.
# An integration to some chat system like Gitter.im, IRC, Slack etc.

=== Knowledge Prerequisites ===
* Programming languages:
** OWASP-SKF API is build in Python 3.6/3.7
** OWASP-SKF Frontend is build with Angular 4 TS
* Machine learning enthusiastic/interest

=== Proposal from student ===
* We want to ask from the student to write a proposal on how to approach the problem we described.
'''Mentors''':

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]

==OWASP Nettacker==
===Brief Explanation===
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.

if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).

===Getting started===

* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.

'''A Better Penetration Testing Automated Framework'''

===Expected Results===
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.

===Knowledge Prerequisites===

* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.
* Good knowledge of computer security (and penetration testing)
* Knowledge of OS (Linux, Windows, Mac...) and Services
* Familiar with IDS/IPS/Firewalls and ...
* To develop the API you should be familiar with HTTP, Database...

===Mentors===
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.
===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP CSRF Protector ==
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form.
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===
'''Brief explanation:'''

The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.

Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;

The goal of this project would be to:
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues]
'''Expected results:'''
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)

'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]
== OWASP BLT (Bug Logging Tool) ==
===Brief Explanation:===

BLT lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

Check OWASP WIKI PAGE [https://www.owasp.org/index.php/OWASP_Bug_Logging_Tool] for some reference;

===Expected Results:===
* Fuse app to allow easy bug reporting from phone.
* BUG cryptocurrency rewarded for each bug reported - requires a way to verify bugs are valid and not duplicates
* Allow for companies to do private (paid) bug bounties
* allow for bug reporting via email
* build a referral program
* integrate an idea / suggestion feature

===Knowledge Prerequisite:===
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. Fusetools will be used for the app and C++ (Bitcoin based) or Ethereum will be used for the cryptocurrency part.

===Proposals from student:===
* Proposal on new features
* Recommendations on how to use social applications to promote OWASP BLT

'''Mentors:'''
* Sean Auriti [https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @]
* Sourav Badami [https://www.owasp.org/index.php/User:Souravbadami Sourav Badami] [mailto:souravbadami@gmail.com @]

==OWASP RailsGoat - 2017 OWASP Top Ten==

===Brief Explanation:===
Add support for multiple OWASP Top Ten versions, such as 2017 and 2010.
Currently RailsGoat supports only the 2013 version of OWASP Top Ten.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* A new feature that supports additional version(s) of OWASP Top Ten
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 305 [https://github.com/OWASP/railsgoat/issues/305] has more details.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
* Sri Harsha Gajavalli [mailto:sriharsha.g15@iiits.in] - OWASP RailsGoat Mentor
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, Mentor"
* John Poulin [mailto:john.m.poulin@gmail.com] - OWASP RailsGoat Mentor
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Capture-The-Flag RailsGoat Image Creation Automation==

===Brief Explanation:===
Create automation to build a Capture-The-Flag competition (CTF) image (VM, ISO, etc) which contains everything needed, such as [Operating System, Rails Stack, RailsGoat], so RailsGoat can easily be used in more Capture-The-Flag competitions.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* A new feature that automates the process of building RailsGoat CTF images.
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 306 [https://github.com/OWASP/railsgoat/issues/306] has more details.

===Knowledge Prerequisite:===
* Some background in creating VMs/ISOs would be helpful.
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
* Matt Robinson [mailto:brimstone@the.narro.ws] - OWASP RailsGoat Mentor
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Merge "Security on Rails" book's lunchedin examples into RailsGoat==

===Brief Explanation:===
Merge "Security on Rails" book's lunchedin examples into RailsGoat. Need to get permission from publisher. @jasnow got permission previously.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* More teaching RailsGoat examples based on "Security on Rails" book's lunchedin project.
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 307 [https://github.com/OWASP/railsgoat/issues/307] has more details.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security
would be useful, but not essential.

'''Mentors:'''
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Add Devise Gem Support and Vulnerabilities to RailsGoat==

===Brief Explanation:===
Add Devise Support to RailsGoat along with adding Devise-related vulnerabilities.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* Using Devise gem inside RailsGoat plus Devise-related vulnerabilities.
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 207 [https://github.com/OWASP/railsgoat/issues/207] and * Issue 243 [https://github.com/OWASP/railsgoat/issues/243] has more details.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* John Poulin [mailto:john.m.poulin@gmail.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Generic Idea==

===Brief Explanation:===
RailsGoat is a great framework for learning about OWASP Top 10 2013 using a vulnerable version of the Ruby on Rails (versions 3 to 5), as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. Feel free to check out the [Railsgoat Github site](https://github.com/OWASP/railsgoat) for more details. If you have an idea that is not on this list then don't worry, you can still submit it.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* A new feature that makes RailsGoat even better
* Code that conforms to our Development Rules and Guidelines

=== Needs: ===
* Student Developers

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:'''
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* John Poulin [mailto:john.m.poulin@gmail.com] - OWASP RailsGoat Mentor
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

GSOC2018 Ideas

2018-03-19T13:19:02Z

Rick.mitchell: Added Backslash Powered Scanner section

'''OWASP Foundation has been selected as an organization to be part of the GOOGLE SUMMER CODE 2018'''

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''
'''* Read the [[GSoC SAT]] '''
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/OWASP github organization]
==OWASP ZAP==
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.
===Active Scanning WebSockets===
'''Brief Explanation:'''

ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.

We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.

'''Expected Results:'''
* An plugable infrastructure that allows us to active scan websockets
* Converting the relevant existing scan rules to work with websockets
* Implementing new websocket specific scan rules

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== React Handling ===
'''Brief Explanation:'''

ZAP doesnt understand React applications as well as it should be able to.

It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.

'''Expected Results:'''
* ZAP able to explore React applications more effectively
* ZAP able to attack React applications more effectively

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Backslash Powered Scanner ===

This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)

''' Expected Results '''
* Extend ZAP's active scanner to leverage Backslash type scanning. (Including adapting some of the existing scan rules to leverage the new component.)
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

===== Note =====
This issue was previously undertaken, however, only partial progress was made. The [https://github.com/zaproxy/zap-extensions/pull/1014 Pull Request] is still open and can be built upon.
The 2018 effort needs to ensure the code builds and is successfully put to use in some of the existing scan rules and unit tests.

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Automated authentication detection and configuration ===
'''Brief Explanation:'''

Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki>

This is time consuming and error prone.

Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.

'''Expected Results:'''
* Detect login and registration pages
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible
* An option to completely automate the authentication process, for as many authentication mechanisms as possible

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
'''Brief Explanation:'''

Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.

A standardized text representation and parser would be very useful and help its adoption.

'''Expected Results:'''
* A documented definition of a text representation for Zest
* A parser that converts the text representation into a working Zest script
* An option in the Zest java implementation to output Zest scripts text format

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Develop Bamboo Addon ===
'''Brief Explanation:'''

It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]

For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].

'''Expected Results:'''

A Bamboo addon that supports:
* Spidering (using the traditional and Ajax spiders)
* Active Scanning
* Authentication

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our Development Rules and Guidelines

''' Getting started: '''

* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].

'''Knowledge Prerequisites:'''
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2018 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Frontend Technology Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target client-architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, testing and building

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== UI/Graphics Design Update ===

'''Brief Explanation:'''

The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.

'''Expected Results:'''
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons
* <del>Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop</del> ([https://github.com/bkimminich/juice-shop/issues/315 #315] in progress)
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way

''' Getting started: '''
* Get familiar with the existing HTML views and CSS of the frontend
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites

'''Knowledge Prerequisites:'''
* Strong web and graphic design experience
* Sophisticated HTML and CSS experience

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader

==OWASP Security Knowledge Framework - Chatbot machine learning feature==

=== Brief Explanation ===
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.

The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.

The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.

=== Expected Results ===
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.
# A Chatbot (using existing frameworks) to:
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.
## Based on enriched query fetch relevant information from knowledge base and return.
# An integration to some chat system like Gitter.im, IRC, Slack etc.

=== Knowledge Prerequisites ===
* Programming languages:
** OWASP-SKF API is build in Python 3.6/3.7
** OWASP-SKF Frontend is build with Angular 4 TS
* Machine learning enthusiastic/interest

=== Proposal from student ===
* We want to ask from the student to write a proposal on how to approach the problem we described.
'''Mentors''':

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]

==OWASP Nettacker==
===Brief Explanation===
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.

if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).

===Getting started===

* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.

'''A Better Penetration Testing Automated Framework'''

===Expected Results===
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.

===Knowledge Prerequisites===

* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.
* Good knowledge of computer security (and penetration testing)
* Knowledge of OS (Linux, Windows, Mac...) and Services
* Familiar with IDS/IPS/Firewalls and ...
* To develop the API you should be familiar with HTTP, Database...

===Mentors===
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]

==OWASP OWTF==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.
===OWASP OWTF - MiTM proxy interception and replay capabilities===
'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible
*ability to intercept the transactions
*modify or replay transaction on the fly
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
Bonus:
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
*Create a browser instance and do the necessary login procedure
*Handle the browser for the URI
*When called to close the browser, do a clean logout and kill the browser instance.
'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - Web interface enhancements===
'''Brief explanation:'''

The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.

'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders
===OWASP OWTF - New plugin architecture===
'''Brief explanation:'''

The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.

This issue is documented in detail at https://github.com/owtf/owtf/issues/905.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
*CRITICAL: Excellent reliability
*Good performance
*Unit tests / Functional tests
*Good documentation

== OWASP CSRF Protector ==
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form.
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===
'''Brief explanation:'''

The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.

Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;

The goal of this project would be to:
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues]
'''Expected results:'''
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''
*'''CRITICAL''': Excellent reliability and performance.
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)

'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]
== OWASP BLT (Bug Logging Tool) ==
===Brief Explanation:===

BLT lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

Check OWASP WIKI PAGE [https://www.owasp.org/index.php/OWASP_Bug_Logging_Tool] for some reference;

===Expected Results:===
* Fuse app to allow easy bug reporting from phone.
* BUG cryptocurrency rewarded for each bug reported - requires a way to verify bugs are valid and not duplicates
* Allow for companies to do private (paid) bug bounties
* allow for bug reporting via email
* build a referral program
* integrate an idea / suggestion feature

===Knowledge Prerequisite:===
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. Fusetools will be used for the app and C++ (Bitcoin based) or Ethereum will be used for the cryptocurrency part.

===Proposals from student:===
* Proposal on new features
* Recommendations on how to use social applications to promote OWASP BLT

'''Mentors:'''
* Sean Auriti [https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @]
* Sourav Badami [https://www.owasp.org/index.php/User:Souravbadami Sourav Badami] [mailto:souravbadami@gmail.com @]

==OWASP RailsGoat - 2017 OWASP Top Ten==

===Brief Explanation:===
Add support for multiple OWASP Top Ten versions, such as 2017 and 2010.
Currently RailsGoat supports only the 2013 version of OWASP Top Ten.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* A new feature that supports additional version(s) of OWASP Top Ten
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 305 [https://github.com/OWASP/railsgoat/issues/305] has more details.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
* Sri Harsha Gajavalli [mailto:sriharsha.g15@iiits.in] - OWASP RailsGoat Mentor
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, Mentor"
* John Poulin [mailto:john.m.poulin@gmail.com] - OWASP RailsGoat Mentor
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Capture-The-Flag RailsGoat Image Creation Automation==

===Brief Explanation:===
Create automation to build a Capture-The-Flag competition (CTF) image (VM, ISO, etc) which contains everything needed, such as [Operating System, Rails Stack, RailsGoat], so RailsGoat can easily be used in more Capture-The-Flag competitions.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* A new feature that automates the process of building RailsGoat CTF images.
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 306 [https://github.com/OWASP/railsgoat/issues/306] has more details.

===Knowledge Prerequisite:===
* Some background in creating VMs/ISOs would be helpful.
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
* Matt Robinson [mailto:brimstone@the.narro.ws] - OWASP RailsGoat Mentor
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Merge "Security on Rails" book's lunchedin examples into RailsGoat==

===Brief Explanation:===
Merge "Security on Rails" book's lunchedin examples into RailsGoat. Need to get permission from publisher. @jasnow got permission previously.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* More teaching RailsGoat examples based on "Security on Rails" book's lunchedin project.
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 307 [https://github.com/OWASP/railsgoat/issues/307] has more details.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security
would be useful, but not essential.

'''Mentors:'''
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Add Devise Gem Support and Vulnerabilities to RailsGoat==

===Brief Explanation:===
Add Devise Support to RailsGoat along with adding Devise-related vulnerabilities.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* Using Devise gem inside RailsGoat plus Devise-related vulnerabilities.
* Code that conforms to our Development Rules and Guidelines

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.
* We have created a dedicated wiki for the OWASP GSOC initiative: https://github.com/OWASP/railsgoat/wiki/RailsGoat-Summer-of-Code-Type-Project-Information
* Issue 207 [https://github.com/OWASP/railsgoat/issues/207] and * Issue 243 [https://github.com/OWASP/railsgoat/issues/243] has more details.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* John Poulin [mailto:john.m.poulin@gmail.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

==OWASP RailsGoat - Generic Idea==

===Brief Explanation:===
RailsGoat is a great framework for learning about OWASP Top 10 2013 using a vulnerable version of the Ruby on Rails (versions 3 to 5), as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. Feel free to check out the [Railsgoat Github site](https://github.com/OWASP/railsgoat) for more details. If you have an idea that is not on this list then don't worry, you can still submit it.

===Expected Results:===
* Wonderful experience for Student Developers, Mentors, and Technical Advisors
* A new feature that makes RailsGoat even better
* Code that conforms to our Development Rules and Guidelines

=== Needs: ===
* Student Developers

===Getting Started===
* Have a look at the RailsGoat https://github.com/OWASP/railsgoat/blob/master/README.md file, especially the 'Getting Started' section. We like to see student developers who have already contributed to RailsGoat, so try fixing one of the bugs.

===Knowledge Prerequisite:===
* RailsGoat is written in Ruby and Ruby-on-Rails, so a good knowledge of this language ecosystem is recommended. Some knowledge of application security would be useful, but not essential.
'''Mentors:'''
* Frank Rietta [mailto:frank@rietta.com] - OWASP RailsGoat Mentor
* [https://www.owasp.org/index.php/User:Ken Ken Johnson @] - OWASP RailsGoat "Technical Advisor, mentor"
* John Poulin [mailto:john.m.poulin@gmail.com] - OWASP RailsGoat Mentor
* Al Snow [mailto:jasnow@hotmail.com] - OWASP RailsGoat Project Coordinator

GSOC2018 Ideas

2018-01-03T01:07:20Z

Rick.mitchell:

GSOC2018 Ideas

2018-01-03T01:06:48Z

Rick.mitchell: Re-add hackademics specifics under the sample heading

GSOC2018 Ideas

2018-01-03T01:04:51Z

Rick.mitchell: Remove hackademics specifics from generic info section

ZAPpingTheTop10

2017-12-18T14:57:42Z

Rick.mitchell:

= ZAPping the OWASP Top 10 =

'''''This content is currently a work in progress (as of Dec-2017)''''', complete mapping for the 2013 edition of the OWASP Top 10 can be found [https://www.owasp.org/index.php/ZAPpingTheTop10-2013 here].

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2017 risks.

</p><p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p>
<p>A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A2-Broken_Authentication | A2 Broken Authentication]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control Testing]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A3-Sensitive_Data_Exposure | A3 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A4-XML_External_Entities_(XXE) | A4 XML External Entities (XXE)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> Active scan rules [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A5-Broken_Access_Control | A5 Broken Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A6-Security_Misconfiguration | A6 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10-2017_A7-Cross-Site_Scripting_(XSS) | A7 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A8-Insecure_Deserialization | A8 Insecure Deserialization]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> TBD </td><td style="border: 1px solid #ccc; padding: 5px;"> TBD </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A10-Insufficient_Logging%26Monitoring | A10 Insufficient Logging & Monitoring]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> TBD </td><td style="border: 1px solid #ccc; padding: 5px;"> TBD </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

ZAPpingTheTop10

2017-12-18T14:57:14Z

Rick.mitchell: Updated for 2017 - Initial cut

= ZAPping the OWASP Top 10 =

'''''This content is currently a work in progress (as of Dec-2017), complete mapping for the 2013 edition of the OWASP Top 10 can be found [https://www.owasp.org/index.php/ZAPpingTheTop10-2013 here].'''''

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2017 risks.

</p><p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p>
<p>A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A2-Broken_Authentication | A2 Broken Authentication]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control Testing]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A3-Sensitive_Data_Exposure | A3 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A4-XML_External_Entities_(XXE) | A4 XML External Entities (XXE)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automatic </td><td style="border: 1px solid #ccc; padding: 5px;"> Active scan rules [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A5-Broken_Access_Control | A5 Broken Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A6-Security_Misconfiguration | A6 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10-2017_A7-Cross-Site_Scripting_(XSS) | A7 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A8-Insecure_Deserialization | A8 Insecure Deserialization]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> TBD </td><td style="border: 1px solid #ccc; padding: 5px;"> TBD </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A10-Insufficient_Logging%26Monitoring | A10 Insufficient Logging & Monitoring]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> TBD </td><td style="border: 1px solid #ccc; padding: 5px;"> TBD </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

ZAPpingTheTop10

2017-12-18T14:31:50Z

Rick.mitchell:

= ZAPping the OWASP Top 10 =

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2017 risks.

</p><p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p>
<p>A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsParams Params tab] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A7 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta])<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta])<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSites#Generate_anti_CSRF_test_form Generate Anti CSRF Test Form] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

ZAPpingTheTop10

2017-12-18T14:27:38Z

Rick.mitchell:

= ZAPping the OWASP Top 10 =

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2013 risks.

</p><p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p><p>A printable (pdf) version of this document is also available: [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Intercepting proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsParams Params tab] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A7 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta])<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta])<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSites#Generate_anti_CSRF_test_form Generate Anti CSRF Test Form] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

ZAPpingTheTop10

2017-12-18T14:25:16Z

Rick.mitchell: Rick.mitchell moved page ZAPpingTheTop10 to ZAPpingTheTop10-2013: Prep for 2017 update

#REDIRECT [[ZAPpingTheTop10-2013]]

ZAPpingTheTop10-2013

2017-12-18T14:25:15Z

Rick.mitchell: Rick.mitchell moved page ZAPpingTheTop10 to ZAPpingTheTop10-2013: Prep for 2017 update

= ZAPping the OWASP Top 10 =

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2013 risks.

</p><p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p><p>A printable (pdf) version of this document is also available: [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Intercepting proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsParams Params tab] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A7 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta])<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta])<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSites#Generate_anti_CSRF_test_form Generate Anti CSRF Test Form] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

Projects/OWASP Zed Attack Proxy Project/Pages/News

2017-12-09T11:31:29Z

Rick.mitchell: 2.7 updates and toolswatch info

'''Latest News:'''

* 2017/11/28 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_7_0 2.7.0] released
* 2017/03/29 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0 2.6.0] released
* 2017/02/11 ZAP came second in the [http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/ Top Security Tools of 2016 as voted by ToolsWatch.org readers]
* 2016/06/03 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_5_0 2.5.0] released
* 2016/05/26 ZAP [https://bugcrowd.com/owaspzap bug bounty program] launched
* 2016/02/23 ZAP declared the [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ Top Security Tool of 2015 as voted by ToolsWatch.org readers]
* 2016/02/19 ZAP [http://zaproxy.blogspot.com/2016/02/zap-newsletter-2016-february.html February newsletter] published
* 2016/01/04 ZAP [http://zaproxy.blogspot.com/2016/01/zap-newsletter-2016-january.html January newsletter] published
* 2015/12/15 ZAP [http://zaproxy.blogspot.co.uk/2015/12/zap-newsletter-2015-december.html December newsletter] published
* 2015/12/04 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_4_3 2.4.3] released
* 2015/11/02 ZAP [http://zaproxy.blogspot.co.uk/2015/11/zap-newsletter-2015-november.html November newsletter] published
* 2015/09/07 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_4_2 2.4.2] released
* 2015/07/31 ZAP [https://www.owasp.org/index.php/2015-08-ZAP-ScriptingCompetition Scripting Competition] launched
* 2015/07/30 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_4_1 2.4.1] released
* 2015/05/05 ZAP featured in the [http://assets.thoughtworks.com/assets/technology-radar-may-2015-en.pdf ThoughtWorks Technology Radar]
* 2015/04/14 Version [http://owasp.blogspot.co.uk/2015/04/owasp-zap-240.html 2.4.0] released
* 2015/01/14 ZAP came second in the [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ Top Security Tools of 2014 as voted by ToolsWatch.org readers]
* 2015/01/02 ZAP [https://github.com/zaproxy/community-scripts Community Scripts] repo launched
* 2014/05/21 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_3_1 2.3.1] released
* 2014/04/10 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_3_0 2.3.0] released
* 2014/03/10 Hacking ZAP blog post series started: http://zaproxy.blogspot.co.uk/2014/03/hacking-zap-1-why-should-you.html
* 2014/02/17 ZAP included as one of the [https://sourceforge.net/blog/projects-of-the-week-february-17-2014/ SourceForge projects of the week]
* 2013/12/20 ZAP declared the [https://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ Top Security Tool of 2013 as voted by ToolsWatch.org readers]
* 2013/11/04 [https://github.com/zaproxy/zap-core-help/wiki/ZapEvangelists ZAP Evangelists] initiative launched
* 2013/10/29 Simon won Best Project Leader [https://www.owasp.org/index.php/WASPY_Awards_2013 WASPY Award]
* 2013/09/27 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_2_2 2.2.2] released
* 2013/09/11 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_2_0 2.2.0] released
* 2013/07/29 New language file including support for Bosnian
* 2013/06/17 ZAP user questionnaire launched, now in both [https://docs.google.com/forms/d/1lUPTYHe9CS5tropNStoRK9jVeZ7tWRywhBHDIZjE4cA/viewform English] and [https://docs.google.com/forms/d/1xAKE3TCOaBrmFnyAVUr6NdTd3mKvu7g_uGriOcS2Ka4/viewform Spanish]
* 2013/06/05 ZAP questions can now be asked on [https://irc.lc/mozilla/websectools/zapuser??? irc]
* 2013/05/10 5 ZAP related projects accepted for [https://github.com/zaproxy/zap-core-help/wiki/GSoC2013 Google Summer of Code]
* 2013/04/18 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_1_0 2.1.0] released
* 2013/01/30 Version [http://owasp.blogspot.co.uk/2013/01/owasp-zed-attack-proxy-v-200.html 2.0.0] released
* 2012/11/27 Started a new [http://code.google.com/p/zaproxy-test/ zaproxy-test] project of unit and integrations tests
* 2012/10/29 Adopted [http://crowdin.net/project/owasp-zap Crowdin] for translations
* 2012/10/22 Started generating [https://github.com/zaproxy/zap-core-help/wiki/WeeklyReleases weekly releases]
* 2012/10/12 ZAP Overview tutorial [http://www.youtube.com/watch?v=eH0RBI0nmww video] published
* 2012/09/18 [http://www.cafepress.com/zaproxy ZAP Gear Store] goes live
* 2012/08/05 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases1_4_1 1.4.1] released
* 2012/07/08 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases1_4_0 1.4.0.1] downloaded over 15,000 times
* 2012/07/05 [https://github.com/zaproxy/zap-core-help/wiki/ApiPython Python API] released
* 2012/06/15 ZAP accepted for the [[Projects_Reboot_2012|OWASP Project Reboot]]
* 2012/06/13 Using ZAP for Security Regression tests [http://www.youtube.com/watch?v=ZWSLFHpg1So video] published
* 2012/06/04 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases1_4_0 1.4.0.1] downloaded over 10,000 times
* 2012/05/28 Simon's Introduction to ZAP talk at App Sec USA becomes the most watched OWASP video on [http://vimeo.com/owasp/videos/sort:plays vimeo]
* 2012/04/23 3 ZAP related [https://github.com/zaproxy/zap-core-help/wiki/GSoC2012 Google Summer of Code 2012] projects accepted. To find out how these are progressing please see their [https://github.com/zaproxy/zap-core-help/wiki/GSoC2012 wiki pages].
* 2012/04/23 OWASP ZAP [https://github.com/zaproxy/zap-core-help/wiki/SmartCards SmartCard Project] officially launched.
* 2012/04/08 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases1_4_0 1.4.0.1] released
* 2012/02/10 Version [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases1_3_4 1.3.4] downloaded over 10,000 times
* 2012/02/01 OWASP ZAP is named the [http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html Toolsmith Tool of the Year for 2011!]

OWASP Zed Attack Proxy Project

2017-11-28T18:46:05Z

Rick.mitchell: Release info updated

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

====ZAP 2.7.0 is now available!====

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

For a quick overview of ZAP and an introduction to the [https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin official ZAP Jenkins plugin] see these tutorial videos on YouTube:

{|
|-
{{#ev:youtube|eH0RBI0nmww}} 
{{#ev:youtube|mmHZLSffCUg}}
|}

For more videos see the links on the [https://github.com/zaproxy/zaproxy/wiki/Videos wiki videos page].

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

{{#widget:PayPal Donation
|target=_blank
|budget=Zed Attack Proxy
}}

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2016 [http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| style="padding-left:25px;width:200px;" valign="top" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br />[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

Co-Project Leaders<br />[https://www.owasp.org/index.php/User:Ricardo.Pereira Ricardo Pereira] [mailto:ricardo.pereira@owasp.org @]

[https://www.owasp.org/index.php/User:Rick.mitchell Rick Mitchell] [mailto:rick.mitchell@owasp.org @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Ohloh ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| width="50%" valign="center" align="center" | [[File:Owasp-builders-small.png|link=]]
|
|-
| width="50%" valign="center" align="center" | [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png|||400px|ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

Stickers can be purchased from [https://www.stickermule.com/uk/user/1070684077/stickers Stickermule]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (using a [https://www.ej-technologies.com/products/install4j/overview.html multi-platform installer builder])
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.6.0==
ZAP 2.6.0 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0

==Release 2.7.0==
ZAP 2.7.0 has been released (Nov 2017), this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_7_0

It requires Java 8 (minimum) and supports Selenium 3.

==Release 2.8.0==
ZAP 2.8.0 does not yet have a planned release date, but is likely to be around the beginning of 2018 or (more likely) the middle of 2018.
</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]
[[Category:Flagship Projects|Zap]]
[[Category:OWASP Zed Attack Proxy|Zap]]

OWASP Zed Attack Proxy Project

2017-11-28T18:45:01Z

Rick.mitchell: Updated release info

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

====ZAP 2.7.0 is now available!====

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

For a quick overview of ZAP and an introduction to the [https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin official ZAP Jenkins plugin] see these tutorial videos on YouTube:

{|
|-
{{#ev:youtube|eH0RBI0nmww}} 
{{#ev:youtube|mmHZLSffCUg}}
|}

For more videos see the links on the [https://github.com/zaproxy/zaproxy/wiki/Videos wiki videos page].

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

{{#widget:PayPal Donation
|target=_blank
|budget=Zed Attack Proxy
}}

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2016 [http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| style="padding-left:25px;width:200px;" valign="top" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br />[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

Co-Project Leaders<br />[https://www.owasp.org/index.php/User:Ricardo.Pereira Ricardo Pereira] [mailto:ricardo.pereira@owasp.org @]

[https://www.owasp.org/index.php/User:Rick.mitchell Rick Mitchell] [mailto:rick.mitchell@owasp.org @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Ohloh ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| width="50%" valign="center" align="center" | [[File:Owasp-builders-small.png|link=]]
|
|-
| width="50%" valign="center" align="center" | [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png|||400px|ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

Stickers can be purchased from [https://www.stickermule.com/uk/user/1070684077/stickers Stickermule]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (using a [https://www.ej-technologies.com/products/install4j/overview.html multi-platform installer builder])
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.6.0==
ZAP 2.6.0 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0

==Release 2.7.0==
ZAP 2.7.0 has been released (Nov 2017), this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_7_0

It requires Java 8 (minimum) and supports Selenium 3.

==Release 2.8.0==
ZAP 2.8.0 does not yet have a planned release date, but is likely to be around the end of 2017 or (more likely) the beginning of 2018.
</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]
[[Category:Flagship Projects|Zap]]
[[Category:OWASP Zed Attack Proxy|Zap]]

Projects/OWASP Zed Attack Proxy Project/Pages/Talks

2017-11-14T01:55:20Z

Rick.mitchell: Remove frequency reference

'''Upcoming Talks/Training:'''

For details of upcoming ZAP related talks or training please see the latest [https://github.com/zaproxy/zaproxy/wiki/Newsletters ZAP Newsletter]

OWASP Zed Attack Proxy Project

2017-11-14T01:52:42Z

Rick.mitchell: Minor terminology tweak (per issue 3980) and a typo correction

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

====ZAP 2.6.0 is now available and includes important security fixes. Please update asap!====

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

For a quick overview of ZAP and an introduction to the [https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin official ZAP Jenkins plugin] see these tutorial videos on YouTube:

{|
|-
{{#ev:youtube|eH0RBI0nmww}} 
{{#ev:youtube|mmHZLSffCUg}}
|}

For more videos see the links on the [https://github.com/zaproxy/zaproxy/wiki/Videos wiki videos page].

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

{{#widget:PayPal Donation
|target=_blank
|budget=Zed Attack Proxy
}}

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/2.6.0/ZAPGettingStartedGuide-2.6.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2016 [http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| style="padding-left:25px;width:200px;" valign="top" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br />[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

Co-Project Leaders<br />
Ricardo Pereira<br />
[https://www.owasp.org/index.php/User:Rick.mitchell Rick Mitchell] [mailto:kingthorin@gmail.com @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Ohloh ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| width="50%" valign="center" align="center" | [[File:Owasp-builders-small.png|link=]]
|
|-
| width="50%" valign="center" align="center" | [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png|||400px|ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

Stickers can be purchased from [https://www.stickermule.com/uk/user/1070684077/stickers Stickermule]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (using a [https://www.ej-technologies.com/products/install4j/overview.html multi-platform installer builder])
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.6.0==
ZAP 2.6.0 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0

==Release 2.7.0==
ZAP 2.7.0 is being actively worked on, and is expected to be released relatively soon.

It will require Java 8 (minimum) and will support Selenium 3. It will also include all of the changes currently available in the [https://github.com/zaproxy/zaproxy/wiki/Downloads#zap-weekly weekly release].

==Release 2.8.0==
ZAP 2.8.0 does not yet have a planned release date, but is likely to be around the end of 2017 or (more likely) the beginning of 2018.
</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP Release Quality Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]
[[Category:Flagship Projects|Zap]]
[[Category:OWASP Zed Attack Proxy|Zap]]

User:Rick.mitchell

2017-11-08T14:21:04Z

Rick.mitchell: Update

Rick's User Page

__TOC__

== What Rick's Worked On ==

Click here to see [https://www.openhub.net/accounts/kingthorin/ Rick's Contributions to OWASP ZAP.]

Click here to see [https://www.owasp.org/index.php/Special:Contributions/Rick.mitchell Rick's Contributions (Edits)]. [As of Nov. 2017 these mainly deal with the Testing Guide, GSoC, and ZAP.]

To see discussion and contributions with regard to the [[:Common_OWASP_Numbering]] project, checkout the mailing list for Jan 2010:<br>
[https://lists.owasp.org/pipermail/owasp-testing/2010-January/subject.html OWASP Testing Mailing List Jan 2010].

== "and/or" Explanation ==

A quick explanation of why "and/or" shouldn't be used in written English.

[[Image:And_or.png|Binary logic of "and" and "or"]]

'''Note''': The OR allows for the same True result as the AND (bottom right corner), while also allowing for other combinations producing True results.<br>
Sometimes people mean "and/exclusive or" when they type "and/or" however this would look extremely strange when written and 99% of the time a simple or will suffice.<br>
'''Therefore''' all written usage of "and/or" should simply be "or".

ZAPpingTheTop10-2013

2017-10-13T17:17:40Z

Rick.mitchell: Updated per https://github.com/zaproxy/zaproxy/issues/3883

= ZAPping the OWASP Top 10 =

<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2013 risks.

</p><p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p><p>A printable (pdf) version of this document is also available: [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

<table class="wikitable">
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Intercepting proxy] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A1-Injection | A1 Injection]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]</font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsParams Params tab] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A7 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta])<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta])<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSites#Generate_anti_CSRF_test_form Generate Anti CSRF Test Form] </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>

<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]] </font> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
</table>

<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

OWASP Vulnerable Web Applications Directory Project

2017-05-23T17:42:45Z

Rick.mitchell: Switch Ohloh to Open Hub

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Vulnerable Web Applications Directory Project==

The OWASP Vulnerable Web Applications Directory Project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available for legal security and vulnerability testing of various kinds.

==Introduction==

Select from the above tabs to view all of the:
* On-Line applications
* Off-Line applications
* Virtual Machines and ISO images

==Description==

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors and penetration testers to put in practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.

The main goal of VWAD is to provide a list of vulnerable web applications available to security professionals for hacking and offensive activities, so that they can attack realistic web environments... without going to jail :)

The vulnerable web applications have been classified in three categories: On-Line, Off-Line, and VMs/ISOs. Each list has been ordered alphabetically.

An initial list that inspired this project was maintained till October 2013 at: http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html.

A brief description of the OWASP VWAD project is available at: http://blog.dinosec.com/2013/11/owasp-vulnerable-web-applications.html.

The associated GitHub repository is available at: https://github.com/OWASP/OWASP-VWAD.

==Licensing==
OWASP Vulnerable Web Applications Directory Projects is free to use. It is licensed under the Apache 2.0 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is VWAD? ==

OWASP VWAD provides:

* A list of all known vulnerable web applications.

== Presentation ==

Interview with [http://trustedsoftwarealliance.com/2013/10/18/simon-bennetts-the-owasp-web-applications-vulnerability-project/ Simon Bennetts – The OWASP Web Applications Vulnerability Project ].

== Project Leaders ==

*[mailto:raul@raulsiles.com Raul Siles]
*[[User:Simon Bennetts|Simon Bennetts]]

== Related Projects ==

* N/A

== Open Hub ==

*https://www.openhub.net/p/OWASP-VWAD

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* N/A - The project is self contained on the wiki.
* GitHub repository - https://github.com/OWASP/OWASP-VWAD

== News and Events ==
* [16 Oct 2013] Project created.

== In Print ==
N/A

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

=On-Line apps=

{{:OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Online | Online}}

Please note that the [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Online source page] for this tab is automatically generated via the [https://github.com/OWASP/OWASP-VWAD VWAD github project].

You can either edit that page directly or submit a pull request.

= Off-Line apps =

Vulnerable applications that have to be downloaded and used locally:

{{:OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Offline | Offline}}

Please note that the [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/Offline source page] for this tab is automatically generated via the [https://github.com/OWASP/OWASP-VWAD VWAD github project].

You can either edit that page directly or submit a pull request.

The following apps are quite old and appear not to be maintained - as such they are probably less useful.

{{:OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/OfflineOld | OfflineOld}}

Please note that the [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/OfflineOld source page] for this tab is automatically generated via the [https://github.com/OWASP/OWASP-VWAD VWAD github project].

You can either edit that page directly or submit a pull request.

= Virtual Machines or ISOs =

VMs which contain multiple vulnerable applications:

{{:OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/VMs | VMs}}

Please note that the [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/VMs source page] for this tab is automatically generated via the [https://github.com/OWASP/OWASP-VWAD VWAD github project].

You can either edit that page directly or submit a pull request.

Please add any new apps in alphabetic order, correct mistakes or just comment on this page if you dont have write access to this wiki.

The following apps are quite old and appear not to be maintained - as such they are probably less useful.

{{:OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/VMsOld | VMsOld}}

Please note that the [https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project/Pages/VMsOld source page] for this tab is automatically generated via the [https://github.com/OWASP/OWASP-VWAD VWAD github project].

You can either edit that page directly or submit a pull request.

= Acknowledgements =
==Volunteers==
VWAD is developed by a worldwide team of volunteers. The primary contributors to date have been:

*[mailto:raul@raulsiles.com Raul Siles]
*[[User:Simon Bennetts|Simon Bennetts]]

==Others==
* [mailto:achim@owasp.org Achim Hoffmann]
* [[User:Zakiakhmad|Zaki Akhmad]]

==On-line resources used==
* [http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html Hacking Vulnerable Web Applications Without Going To Jail]
* [http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/ Vulnerable Web Applications for learning]
* [http://code.google.com/p/owaspbwa/wiki/UserGuide OWASP BWA User Guide]

==Other vulnerable web-app compilations==
* [http://www.amanhardikar.com/mindmaps/Practice.html Penetration Testing Practice Labs - Vulnerable Apps/Systems]

= Road Map and Getting Involved =
As of March 5, 2014, all known Vulnerable Web Applications have been included.

Going forward the plan is to:
* Keep publicising
* Keep up to date with any new apps released or updated
* Review every 6 months to see if it could be improved in any way

Involvement in the development and promotion of the OWASP Vulnerable Web Applications Directory Project is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:
* Update the wiki with any missing apps
* Send pull requests to https://github.com/OWASP/OWASP-VWAD

=Project About=
{{:Projects/OWASP_Vulnerable_Web_Applications_Directory_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Breakers]] [[Category:OWASP_Document]]

OWASP Code Sprint 2017

2017-05-23T16:26:56Z

Rick.mitchell: Fix student APPLY HERE link

== '''Goal''' ==
The OWASP Code Sprint 2017 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Code Sprint 2017 a student can get real life experience while contributing to an open source project. A student that successfully completes the program will receive in total $1500.

== '''Program details''' ==

''Projects that are eligible:'' All code/tools projects. Documentation projects are excluded.

''Duration:'' 2 months of full-time engagement.

== '''How it works''' ==

Any code/tool project can participate in the OWASP Code Sprint. Each project will be guided by an OWASP mentor. Students are evaluated in the middle and at the end of the coding period, based on success criteria identified at the beginning of the project. Successful students will receive $750 after each evaluation, a total of $1500 per student.

Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source.

Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

== '''How you can participate''' ==

=== As a student: ===

1. Review the list of OWASP Projects currently participating in the OWASP Code Sprint 2017.

2. Get in touch with the OWASP Project mentor of your choice.

3. Agree deliverables with OWASP mentor.

4. Work away during April thru June 2017.

5. Rise to Open Source Development Glory :-)

=== ALL STUDENTS PLEASE APPLY HERE ===

Student application submission is now open: [https://goo.gl/forms/it8hieQAcvCTuPG83 APPLY HERE].

=== As an OWASP Project Leader: ===

1. Edit this page adding your project and some proposed tasks as per the examples

2. Promote the initiative to your academic contacts

== '''Timeplan''' ==

'''Phase 1: Proposals'''

Project leaders who want to include their project to the program should submit some initial proposal ideas on this page. These ideas serve as guidance to the students; they are things that project leaders would like to get done, like new features, improvements, etc.

Subsequently students are invited to submit detailed proposals that can (but do not necessarily have to) be based on these ideas. Students are strongly encouraged to engage with project leaders and each project's community (e.g. through the project's mailing list) in order to discuss the details of their proposal. Proposals should provide details about the implementation, time plan, milestones, etc.

'''Phase 2: Scoring of proposals'''

After the submission of proposals, project leaders and contributors/mentors are required to review the submitted proposals and score them (on a 1 to 5 scale). Each proposal should receive at least 3 assessments/scores from different mentors. Each mentor, contributor or leader can score only proposals for their OWN project. All assessments should provide justification. Reviewers are strongly encouraged to provide constructive comments for students so that they can improve in the future.

Project leaders are responsible to attract a sufficient number of volunteer mentors to score proposals and subsequently supervise those that will get selected.

'''Phase 3: Slot allocation.'''

When proposal scoring has been completed, each project leader requests a specific number of slots. This number should be based on:
The number of truly outstanding proposals according to submitted scores.
The importance of the proposal to the project's roadmap.
The number of available mentors for the project. At least 2 mentors are needed for each proposal that gets accepted.
If the total number of requested slots is less than or equal to the available number of slots, then all projects get the requested slots. If not, the following rules apply:
All projects that have requested a slot get at least 1 slot, provided they have a high quality proposal and sufficient number of mentors.
Two mentors are required per slot allocated to the project.
The program's administrators get in touch with project leaders, especially those that have requested a large number of slots to receive additional feedback on the requested slots and explore any available possibilities for reducing the requested number of slots. A project leader might choose to donate one or more requested slots back to the pool so that other projects can get more slots. The program administrators can choose to initiate a public discussion between projects in need of more slots and projects that have requested a lot of slots in order to determine the best possible outcome for everyone.
If all else fails, slots are equally allocated to projects, i.e. all projects get 1 slot; projects that have requested 2 or more slots get an extra slot if available; projects that have requested 3 or more slots get an extra slot if available, etc. When there are no more slots available for all projects that have requested them a draw is used to allocate the remaining slots.

In any case, the program's administrators should perform a final review of the selected proposals to ensure that they are of high quality. If concerns arise they should request additional information from project leaders.

'''Phase 4: Coding.'''

This is the main phase of the program. Students implement their proposal according to the submitted timeplan and under the supervision
of their mentors.

== '''Evaluations''' ==

In the middle of the coding period, mentors should submit an evaluation of their students to ensure that they are on track and provide some feedback both to OWASP and the students.

If no/little progress has been made up to this point, the mentors could decide to fail the student in which case the student does not receive money. If successful, OWASP will pay half the amount ($750). The final evaluations are submitted at the end of the coding period and the second installment ($750) is paid to the student if all agreed deliverables are met. If the student has failed to demonstrate progress during the second period, then the second installment will not be paid and the student will get only half of the amount.
== '''Deadlines''' ==
Program announcement: May 15''', 2017'''

Deadline for Student Applications: '''June 15, 2015'''

Proposal Evaluations: from: '''June''' '''15 thru June 23 2017'''

Successful proposals announcement:: '''June 26, 2017'''

Bonding Period Announcement: June 26, 2017 - July 1, 2017

Coding Period Starts: '''July 3, 2017'''

Mid-term evaluations: Submitted from :'''July 31, 2017 thru August 4, 2017'''

Coding Period Re-starts: August 7, 2017

Coding period ends: '''September 1, 2017'''

Final evaluations:'''September 4, 2017 thru September 8, 2017'''

== '''Mailing List''' ==
Please subscribe to the following mailing list to receive updates or ask any particular questions:

[https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/owasp-code-sprint-2017 OWASP Code Sprint 2017 Mailing List]

== '''Project Ideas''' ==
== OWASP Mobile Security Testing Project ==

The OWASP Mobile universe, consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

=== Write Mobile Crackmes and De-Obfuscation Guides ===

'''Brief Explanation:'''

A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we want to link most of the content to practical examples. We're therefore planning to add crackmes for Android and iOS to the GitHub repo that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing.

In this project, the student creates multiple cracking exercises for Android and documents solutions to these exercises. The new crackmes developed in this project will be added to the existing list at:

https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md

Possible solutions will be added to the "Reverse Engineering" chapters in the Mobile Testing Guide along the following lines:

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec

Additionally, the crackmes produced will be used as examples in other sections of the guide, such as test cases.

'''Expected Results:'''

* Several Apps that implemented different obfuscation techniques.
* Evaluation of tools and techniques to de-obfuscate code.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Browse through the MASVS and check the Reverse Engineering requirements (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x15-V8-Resiliency_Against_Reverse_Engineering_Requirements.md)
* Check out these wok-in-progress sections in the MSTG and the "obfuscation metrics" project:

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#assessing-software-protections

https://github.com/b-mueller/obfuscation-metrics

'''Knowledge Prerequisites:'''
General interest in Obfuscation techniques, Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:bernhard.mueller@owasp.org Bernhard Mueller] - OWASP Slack: @bernhardm - OWASP Mobile Security Testing Guide and MASVS Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===
:
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.
:
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
:
:''' Expected Results '''
:* User able to specify a specific field to enumerate via the ZAP UI
:* A list of all valid characters to be returned from the sets of characters the user specifies
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

=== Scripting Code Completion ===
:
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.
:
:''' Expected Results '''
:* Code completion for all of the parameters for all available functions in the standard scripts
:* Implementations for JavaScript, JRuby and Jython
:* Helper classes with code completion for commonly required functionality
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== SSRF Detector Integration ===
:
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector
:
:''' Expected Results '''
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
:
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.
:
:A standardized text representation and parser would be very useful and help its adoption.
:
:''' Expected Results '''
:* A documented definition of a text representation for Zest
:* A parser that converts the text representation into a working Zest script
:* An option in the Zest java implementation to output Zest scripts text format
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Support Java as a Scripting Language ===
:
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.
:
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.
:
:''' Expected Results '''
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Bamboo Support ===
:
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin).
:
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))
:
:''' Expected Results '''
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):
::*Manage Sessions (Loading/Persisting)
::*Define Context (Name, Include & Exclude URLs)
::* Attack Contexts (Spider, Ajax Spider, Active Scan)
::* Setup Autentication (Formed or Script Based)
::* Generate Reports
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Backslash Powered Scanner ===
:
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)
:
:''' Expected Results '''
:* Extend ZAP's active scanner to leverage Backslash type scanning.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
:
:'''Brief Explanation:'''
:
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.
:
:''' Getting started '''
:* Get in touch with us :)
:
:'''Expected Results:'''
:* A new feature that makes ZAP even better
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:'''Knowledge Prerequisites:'''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== BLT ==

'''Brief Explanation:'''

lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

== OWASP ZSC ==

'''Brief Explanation:'''

OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project

''' Getting started '''
* Get in touch with us on Github:
https://github.com/zscproject/OWASP-ZSC

Project Leaders:
*https://www.owasp.org/index.php/User:Ali_Razmjoo
*https://www.owasp.org/index.php/User:Johanna_Curiel

'''Expected Results:'''
We have a list of potential modules we want to build
To get familiar with the project, please check our installation and developer guidelines:
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details

Contact us through Github, send us a question:
https://github.com/zscproject/OWASP-ZSC

* New obfuscation modules
* New shellcodes for OSX and Windows

'''Knowledge Prerequisites:'''
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
Brian Beaudry & Patrik Patel
Please contact us through Github
https://github.com/zscproject/OWASP-ZSC

== OWASP Seraphimdroid mobile security project ==

=== Behavioral malware and intrusion analysis ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.

'''Expected Results:'''

* Reviewing scientific literature and find feasible approach we can take
* Implement and possibly improve the approach in Seraphimdroid
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it
* Documenting approach as a technical report

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML
* Basic knowledge and interest in machine learning

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Framework for plugin development ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed.

'''Expected Results:'''

* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid
* Providing GUI integration with third party components
* Develop at least one test plugin
* Document the development process and API

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

== OWASP DefectDojo ==

'''Brief Explanation:'''

DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.

'''Expected Results:'''

* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced
* Students will receive hands-on experience in a full-stack software development project
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions

'''Knowledge Prerequisites:'''
* Python
* HTML, Bootstrap

''' Getting started: '''
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]

'''Mentors:'''
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader

== OWASP AppSensor ==

[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.

=== Machine Learning Driven Web Server Log Analysis ===
:
:'''Brief Explanation:'''
:
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams
:* Because the format is well understood, the data points (features) are well understood.
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)
:
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed.
:
:''' Expected Results '''
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)
:* System builds ML model for processing future log files
:* System provides mechanism for processing future logs using trained model.
:
:''' Knowledge Prerequisite: '''
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team
:

=== Your Idea ===
:
:'''Brief Explanation:'''
:
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!
:
:''' Getting started '''
:* Get in touch with us :)
:
:'''Expected Results:'''
:* A new feature that makes AppSensor even better
:
:''' Knowledge Prerequisite: '''
:AppSensor is written in Java, so a good knowledge of this language is recommended.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team
:

== OWASP OWTF ==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular.

=== OWASP OWTF - MiTM proxy interception and replay capabilities ===

'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible

* ability to intercept the transactions
* modify or replay transaction on the fly
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code

Bonus:

* Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
* Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

* The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
* Create a browser instance and do the necessary login procedure
* Handle the browser for the URI
* When called to close the browser, do a clean logout and kill the browser instance.

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:'''
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders

=== OWASP OWTF - Report enhancements ===

'''Brief explanation:'''

The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:

* HTML (pure static html here)
* PDF
* XML (for processing)
* JSON (for processing)

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:'''
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders

=== OWASP OWTF - Distributed architecture ===

To be updated soon!

=== OWASP OWTF - Off-line HTTP traffic uploader ===

'''Brief explanation:'''

Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:

* Tools that OWTF has trouble proxying right now: skipfish, hoppy
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler

This project is about implementing an off-line utility able to parse HTTP traffic:

1) Figure out how to read output files from various tools like:
skipfish, hoppy, w3af, arachni, etc.
Nice to have: ZAP database, Burp database

2) Translate that into the following clearly defined fields:

* HTTP request
* HTTP response status code
* HTTP response headers
* HTTP response body

3) IMPORTANT: Implement a plugin-based uploader system

4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database

5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.

6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)

Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)

CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:'''
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders

== OWASP Hackademic Challenges Project ==

[[OWASP Hackademic Challenges Project]] The OWASP Hackademic Challenges project helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment.

=== New CMS ===

'''Brief Explanation:'''

The CMS part of the project is really old and has accumulated a significant amount of technical debt.
In addition many design decisions are either outdated or could be improved.
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.
The new cms can be written in python using Django.

'''Expected Results:'''
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
* REST endpoints in addition to classic ones
* tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.
* PEP 8 code

''' Note: '''
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.
If you decide to take on this project contact us and we can agree on a list of routes.
If you don't decide to take on this project contact us.
Generally contact us, we like it when students have insightful questions and the community is active

''' Getting Started: '''
* Install and take a brief look around the old cms so you have an idea of the functionality needed
* It's ok to scream in frustration
* If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)

'''Knowledge Prerequisites:'''
Python, Django, what REST is, the technologies used, some security knowledge would be nice.

'''Mentors:''' [mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

=== Course Type Challenge ===

'''Brief Explanation:'''
We have a sandbox engine which allows for complex guided challenges to be implemented.
We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more information on the subject matter on the way.
This is a very open-ended project on purpose to allow creative student to come up with nice ideas.
Bellow you will find some examples that we thought might be interesting.

Ideas on the project:
* Purposefully vulnerable web page that guides the user via javascript tooltips and hints to exploiting it using ZAP. ( Bonus: using ZAP via the ZAP api). The challenge is solved when the the student submits the contents of a text file located on the disk (obtained by exploited an RCE)

* Reversing a provided binary to extract information by providing step by step instructions to reversing using any popular reversing tool (well, you can't use IDA so gdb should have to do). Challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary donwloaded has different keys.

* Guide to exploiting the TOP10. (Using ZAP?)

* Defensive Type challenges -- Here's how to create a patch for this kind of vulnerability -- Challenge is solved when the unit tests are run and the vulnerability isn't there.

''' Getting started '''
* Check popular javascript guide tools such as: (http://introjs.com/ and http://github.hubspot.com/shepherd/docs/welcome/ )
* If you're more interested in system or non-web challenges check serverspec and definitely check quest (https://github.com/puppetlabs/quest)
* If you think contributing is a good idea to make yourself familiar with the project you can either port one of the existing simpler 1-page challenges to a docker container and submit a pull request or write a guide on how to create such a challenge

'''Expected Results:'''

* One or more Course - style challenges provided either as a docker container or as a vagrant box.
* Concrete documentation on how to build a challenge like this.

'''Knowledge Prerequisites:'''
The technologies used.

'''Mentors:''' [mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

OWASP Code Sprint 2017

2017-03-29T18:23:42Z

Rick.mitchell: Minor correction

== '''Goal''' ==
The OWASP Code Sprint 2017 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Code Sprint 2017 a student can get real life experience while contributing to an open source project. A student that successfully completes the program will receive in total $1500.

== '''Program details''' ==

''Projects that are eligible:'' All code/tools projects. Documentation projects are excluded.

''Duration:'' 2 months of full-time engagement.

== '''How it works''' ==

Any code/tool project can participate in the OWASP Code Sprint. Each project will be guided by an OWASP mentor. Students are evaluated in the middle and at the end of the coding period, based on success criteria identified at the beginning of the project. Successful students will receive $750 after each evaluation, a total of $1500 per student.

Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source.

Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

== '''How you can participate''' ==

=== As a student: ===

1. Review the list of OWASP Projects currently participating in the OWASP Code Sprint 2017.

2. Get in touch with the OWASP Project mentor of your choice.

3. Agree deliverables with OWASP mentor.

4. Work away during April thru June 2017.

5. Rise to Open Source Development Glory :-)

ALL STUDENTS PLEASE APPLY HERE >> [http://goo.gl/forms/jUFTcXVDEY FORM] - needs to be updated

=== As an OWASP Project Leader: ===

1. Edit this page adding your project and some proposed tasks as per the examples

2. Promote the initiative to your academic contacts

== '''Timeplan''' ==

'''Phase 1: Proposals'''

Project leaders who want to include their project to the program should submit some initial proposal ideas on this page. These ideas serve as guidance to the students; they are things that project leaders would like to get done, like new features, improvements, etc.

Subsequently students are invited to submit detailed proposals that can (but do not necessarily have to) be based on these ideas. Students are strongly encouraged to engage with project leaders and each project's community (e.g. through the project's mailing list) in order to discuss the details of their proposal. Proposals should provide details about the implementation, time plan, milestones, etc.

'''Phase 2: Scoring of proposals'''

After the submission of proposals, project leaders and contributors/mentors are required to review the submitted proposals and score them (on a 1 to 5 scale). Each proposal should receive at least 3 assessments/scores from different mentors. Each mentor, contributor or leader can score only proposals for their OWN project. All assessments should provide justification. Reviewers are strongly encouraged to provide constructive comments for students so that they can improve in the future.

Project leaders are responsible to attract a sufficient number of volunteer mentors to score proposals and subsequently supervise those that will get selected.

'''Phase 3: Slot allocation.'''

When proposal scoring has been completed, each project leader requests a specific number of slots. This number should be based on:
The number of truly outstanding proposals according to submitted scores.
The importance of the proposal to the project's roadmap.
The number of available mentors for the project. At least 2 mentors are needed for each proposal that gets accepted.
If the total number of requested slots is less than or equal to the available number of slots, then all projects get the requested slots. If not, the following rules apply:
All projects that have requested a slot get at least 1 slot, provided they have a high quality proposal and sufficient number of mentors.
Two mentors are required per slot allocated to the project.
The program's administrators get in touch with project leaders, especially those that have requested a large number of slots to receive additional feedback on the requested slots and explore any available possibilities for reducing the requested number of slots. A project leader might choose to donate one or more requested slots back to the pool so that other projects can get more slots. The program administrators can choose to initiate a public discussion between projects in need of more slots and projects that have requested a lot of slots in order to determine the best possible outcome for everyone.
If all else fails, slots are equally allocated to projects, i.e. all projects get 1 slot; projects that have requested 2 or more slots get an extra slot if available; projects that have requested 3 or more slots get an extra slot if available, etc. When there are no more slots available for all projects that have requested them a draw is used to allocate the remaining slots.

In any case, the program's administrators should perform a final review of the selected proposals to ensure that they are of high quality. If concerns arise they should request additional information from project leaders.

'''Phase 4: Coding.'''

This is the main phase of the program. Students implement their proposal according to the submitted timeplan and under the supervision
of their mentors.

== '''Evaluations''' ==

In the middle of the coding period, mentors should submit an evaluation of their students to ensure that they are on track and provide some feedback both to OWASP and the students.

If no/little progress has been made up to this point, the mentors could decide to fail the student in which case the student does not receive money. If successful, OWASP will pay half the amount ($750). The final evaluations are submitted at the end of the coding period and the second installment ($750) is paid to the student if all agreed deliverables are met. If the student has failed to demonstrate progress during the second period, then the second installment will not be paid and the student will get only half of the amount.
== '''Deadlines''' ==
Program announcement: '''April 3, 2017'''

Deadline for Student Applications: '''April 17, 2017'''

Proposal Evaluations: from: '''April 18 thru April 24 2017'''

Successful proposals announcement:: '''April 25, 2017'''

Coding Period Starts: '''April 28, 2017'''

Mid-term evaluations: Submitted from : '''May 22 thru May 26 2017'''

Coding period ends: '''June 19, 2017'''

Final evaluations:'''June 26, 2017'''

== '''Mailing List''' ==
Please subscribe to the following mailing list to receive updates or ask any particular questions:

[https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/owasp-code-sprint-2017 OWASP Code Sprint 2017 Mailing List]

== '''Project Ideas''' ==
== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Slack: @sushi2k - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

=== Write Mobile Crackmes and De-Obfuscation Guides ===

'''Brief Explanation:'''

A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we want to link most of the content to practical examples. We're therefore planning to add crackmes for Android and iOS to the GitHub repo that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing.

In this project, the student creates multiple cracking exercises for Android and documents solutions to these exercises. The new crackmes developed in this project will be added to the existing list at:

https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md

Possible solutions will be added to the "Reverse Engineering" chapters in the Mobile Testing Guide along the following lines:

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec

Additionally, the crackmes produced will be used as examples in other sections of the guide, such as test cases.

'''Expected Results:'''

* Several Apps that implemented different obfuscation techniques.
* Evaluation of tools and techniques to de-obfuscate code.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Browse through the MASVS and check the Reverse Engineering requirements (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x15-V8-Resiliency_Against_Reverse_Engineering_Requirements.md)
* Check out these wok-in-progress sections in the MSTG and the "obfuscation metrics" project:

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#assessing-software-protections

https://github.com/b-mueller/obfuscation-metrics

'''Knowledge Prerequisites:'''
General interest in Obfuscation techniques, Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:bernhard.mueller@owasp.org Bernhard Mueller] - OWASP Slack: @bernhardm - OWASP Mobile Security Testing Guide and MASVS Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===
:
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.
:
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
:
:''' Expected Results '''
:* User able to specify a specific field to enumerate via the ZAP UI
:* A list of all valid characters to be returned from the sets of characters the user specifies
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

=== Scripting Code Completion ===
:
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.
:
:''' Expected Results '''
:* Code completion for all of the parameters for all available functions in the standard scripts
:* Implementations for JavaScript, JRuby and Jython
:* Helper classes with code completion for commonly required functionality
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== SSRF Detector Integration ===
:
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector
:
:''' Expected Results '''
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
:
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.
:
:A standardized text representation and parser would be very useful and help its adoption.
:
:''' Expected Results '''
:* A documented definition of a text representation for Zest
:* A parser that converts the text representation into a working Zest script
:* An option in the Zest java implementation to output Zest scripts text format
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Support Java as a Scripting Language ===
:
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.
:
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.
:
:''' Expected Results '''
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Bamboo Support ===
:
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin).
:
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))
:
:''' Expected Results '''
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):
::*Manage Sessions (Loading/Persisting)
::*Define Context (Name, Include & Exclude URLs)
::* Attack Contexts (Spider, Ajax Spider, Active Scan)
::* Setup Autentication (Formed or Script Based)
::* Generate Reports
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Backslash Powered Scanner ===
:
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)
:
:''' Expected Results '''
:* Extend ZAP's active scanner to leverage Backslash type scanning.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
:
:'''Brief Explanation:'''
:
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.
:
:''' Getting started '''
:* Get in touch with us :)
:
:'''Expected Results:'''
:* A new feature that makes ZAP even better
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:'''Knowledge Prerequisites:'''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

== OWASP ZSC ==

'''Brief Explanation:'''

OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project

''' Getting started '''
* Get in touch with us on Github:
https://github.com/zscproject/OWASP-ZSC

Project Leaders:
*https://www.owasp.org/index.php/User:Ali_Razmjoo
*https://www.owasp.org/index.php/User:Johanna_Curiel

'''Expected Results:'''
We have a list of potential modules we want to build
To get familiar with the project, please check our installation and developer guidelines:
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details

Contact us through Github, send us a question:
https://github.com/zscproject/OWASP-ZSC

* New obfuscation modules
* New shellcodes for OSX and Windows

'''Knowledge Prerequisites:'''
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
Brian Beaudry & Patrik Patel
Please contact us through Github
https://github.com/zscproject/OWASP-ZSC

== OWASP Seraphimdroid mobile security project ==

=== Behavioral malware and intrusion analysis ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.

'''Expected Results:'''

* Reviewing scientific literature and find feasible approach we can take
* Implement and possibly improve the approach in Seraphimdroid
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it
* Documenting approach as a technical report

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML
* Basic knowledge and interest in machine learning

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Framework for plugin development ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed.

'''Expected Results:'''

* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid
* Providing GUI integration with third party components
* Develop at least one test plugin
* Document the development process and API

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

== OWASP DefectDojo ==

'''Brief Explanation:'''

DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.

'''Expected Results:'''

* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced
* Students will receive hands-on experience in a full-stack software development project
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions

'''Knowledge Prerequisites:'''
* Python
* HTML, Bootstrap

''' Getting started: '''
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]

'''Mentors:'''
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader

== OWASP AppSensor ==

[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.

=== Machine Learning Driven Web Server Log Analysis ===
:
:'''Brief Explanation:'''
:
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams
:* Because the format is well understood, the data points (features) are well understood.
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)
:
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed.
:
:''' Expected Results '''
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)
:* System builds ML model for processing future log files
:* System provides mechanism for processing future logs using trained model.
:
:''' Knowledge Prerequisite: '''
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team
:

=== Your Idea ===
:
:'''Brief Explanation:'''
:
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!
:
:''' Getting started '''
:* Get in touch with us :)
:
:'''Expected Results:'''
:* A new feature that makes AppSensor even better
:
:''' Knowledge Prerequisite: '''
:AppSensor is written in Java, so a good knowledge of this language is recommended.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team
:

== OWASP OWTF ==
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular.

=== OWASP OWTF - MiTM proxy interception and replay capabilities ===

'''Brief Explanation:'''

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible

* ability to intercept the transactions
* modify or replay transaction on the fly
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code

Bonus:

* Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
* Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

* The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
* Create a browser instance and do the necessary login procedure
* Handle the browser for the URI
* When called to close the browser, do a clean logout and kill the browser instance.

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:'''
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders

=== OWASP OWTF - Report enhancements ===

'''Brief explanation:'''

The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:

* HTML (pure static html here)
* PDF
* XML (for processing)
* JSON (for processing)

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:'''
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders

=== OWASP OWTF - Distributed architecture ===

To be updated soon!

=== OWASP OWTF - Off-line HTTP traffic uploader ===

'''Brief explanation:'''

Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:

* Tools that OWTF has trouble proxying right now: skipfish, hoppy
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler

This project is about implementing an off-line utility able to parse HTTP traffic:

1) Figure out how to read output files from various tools like:
skipfish, hoppy, w3af, arachni, etc.
Nice to have: ZAP database, Burp database

2) Translate that into the following clearly defined fields:

* HTTP request
* HTTP response status code
* HTTP response headers
* HTTP response body

3) IMPORTANT: Implement a plugin-based uploader system

4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database

5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.

6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)

Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)

CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.

'''OWASP OWTF Mentors:'''
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders

== OWASP Hackademic Challenges Project ==

[[OWASP Hackademic Challenges Project]] The OWASP Hackademic Challenges project helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment.

=== New CMS ===

'''Brief Explanation:'''

The CMS part of the project is really old and has accumulated a significant amount of technical debt.
In addition many design decisions are either outdated or could be improved.
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.
The new cms can be written in python using Django.

'''Expected Results:'''
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
* REST endpoints in addition to classic ones
* tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.
* PEP 8 code

''' Note: '''
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.
If you decide to take on this project contact us and we can agree on a list of routes.
If you don't decide to take on this project contact us.
Generally contact us, we like it when students have insightful questions and the community is active

''' Getting Started: '''
* Install and take a brief look around the old cms so you have an idea of the functionality needed
* It's ok to scream in frustration
* If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)

'''Knowledge Prerequisites:'''
Python, Django, what REST is, the technologies used, some security knowledge would be nice.

'''Mentors:''' [mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

=== Course Type Challenge ===

'''Brief Explanation:'''
We have a sandbox engine which allows for complex guided challenges to be implemented.
We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more information on the subject matter on the way.
This is a very open-ended project on purpose to allow creative student to come up with nice ideas.
Bellow you will find some examples that we thought might be interesting.

Ideas on the project:
* Purposefully vulnerable web page that guides the user via javascript tooltips and hints to exploiting it using ZAP. ( Bonus: using ZAP via the ZAP api). The challenge is solved when the the student submits the contents of a text file located on the disk (obtained by exploited an RCE)

* Reversing a provided binary to extract information by providing step by step instructions to reversing using any popular reversing tool (well, you can't use IDA so gdb should have to do). Challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary donwloaded has different keys.

* Guide to exploiting the TOP10. (Using ZAP?)

* Defensive Type challenges -- Here's how to create a patch for this kind of vulnerability -- Challenge is solved when the unit tests are run and the vulnerability isn't there.

''' Getting started '''
* Check popular javascript guide tools such as: (http://introjs.com/ and http://github.hubspot.com/shepherd/docs/welcome/ )
* If you're more interested in system or non-web challenges check serverspec and definitely check quest (https://github.com/puppetlabs/quest)
* If you think contributing is a good idea to make yourself familiar with the project you can either port one of the existing simpler 1-page challenges to a docker container and submit a pull request or write a guide on how to create such a challenge

'''Expected Results:'''

* One or more Course - style challenges provided either as a docker container or as a vagrant box.
* Concrete documentation on how to build a challenge like this.

'''Knowledge Prerequisites:'''
The technologies used.

'''Mentors:''' [mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

OWASP Zed Attack Proxy Project

2017-03-21T13:42:15Z

Rick.mitchell: Add toolswatch 2016 2nd place

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
[[Image:zap128x128.png|right]]
{{ReviewProject|projectname=zaproxy|language=en}}
<div style="font-size:120%;border:none;margin: 0;color:#000">
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers[[#Justification|*]]. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

[[Image:ZAP-Download.png | link=https://github.com/zaproxy/zaproxy/wiki/Downloads]]

====Please help us to make ZAP even better for you by answering the [https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform ZAP User Questionnaire]!====

For a quick overview of ZAP and an introduction to the [https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin official ZAP Jenkins plugin] see these tutorial videos on YouTube:

{|
|-
{{#ev:youtube|eH0RBI0nmww}} 
{{#ev:youtube|mmHZLSffCUg}}
|}

For more videos see the links on the [https://github.com/zaproxy/zaproxy/wiki/Videos wiki videos page].

Interested in a ZAP talk or training event? See the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Talks talks] tab. Not one near you? Contact a [https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists Zap Evangelist] to arrange one!

<paypal>Zed Attack Proxy</paypal>

For general information about ZAP:
* [https://twitter.com/zaproxy Twitter] - official ZAP announcements (low volume)
* [https://zaproxy.blogspot.co.uk/ Blog] - official ZAP blog

For help using ZAP:
* [https://github.com/zaproxy/zaproxy/releases/download/2.4.0/ZAPGettingStartedGuide-2.4.pdf Getting Started Guide (pdf)] - an introductory guide you can print
* [https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB Tutorial Videos]
* [https://github.com/zaproxy/zap-core-help/wiki User Guide] - online version of the User Guide included with ZAP
* [https://groups.google.com/group/zaproxy-users User Group] - ask questions about using ZAP
* [https://github.com/zaproxy/zap-extensions/wiki Add-ons] - help for the optional add-ons you can install
* [https://stackoverflow.com/questions/tagged/zap StackOverflow] - because some people use this for all everything ;)

To learn more about ZAP development:
* [https://github.com/zaproxy Source Code] - for all of the ZAP related projects
* [https://github.com/zaproxy/zaproxy/wiki/Introduction Wiki] - lots of detailed info
* [https://groups.google.com/group/zaproxy-develop Developer Group] - ask questions about the ZAP internals
* [https://crowdin.com/project/owasp-zap Crowdin (GUI)] - help translate the ZAP GUI
* [https://crowdin.com/project/owasp-zap-help Crowdin (User Guide)] - help translate the ZAP User Guide
* [https://www.openhub.net/p/zaproxy OpenHub] - FOSS analytics
* [https://www.bountysource.com/teams/zap/issues BountySource] - Vote on ZAP issues (you can also donate money here, but 10% taken out)

===Justification===
Justification for the statements made in the tagline at the top;)

Popularity:
* ToolsWatch Annual Best Free/Open Source Security Tool Survey:
** 2016 [http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2015 [http://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]
** 2014 [http://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/ 2nd]
** 2013 [http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ 1st]

Contributors:
* [https://www.openhub.net/p/zaproxy Code Contributors]
* [https://crowdin.com/project/owasp-zap ZAP core i18n Contributors]
* [https://crowdin.com/project/owasp-zap-help ZAP help i18n Contributors]

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[https://github.com/zaproxy/zaproxy/wiki/Downloads Download OWASP ZAP!]

== News and Events ==
Please see the [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#News News] and [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Talks Talks] tabs

== Change Log ==
* [https://github.com/zaproxy/zaproxy/commits/develop zaproxy]
* [https://github.com/zaproxy/zap-extensions/commits/master zap-extensions]

== Code Repo ==
* [https://github.com/zaproxy/zaproxy/ zaproxy]
* [https://github.com/zaproxy/zap-extensions/ zap-extensions]

== Email List ==

Questions? Please ask on the [http://groups.google.com/group/zaproxy-users ZAP User Group]

== Project Leader ==

Project Leader<br/>[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @]

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project OWASP WTE]
* [https://www.owasp.org/index.php/OWASP_OWTF OWASP OWTF]

== Ohloh ==

*https://www.openhub.net/p/zaproxy

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" rowspan="2" width="50%" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
| align="center" valign="center" width="50%"| [[File:Owasp-builders-small.png|link=]]
|
|-
| align="center" valign="center" width="50%"| [[File:Owasp-breakers-small.png|link=]]
|-
| colspan="2" align="center" | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]]
|}

|}

= Screenshots =
[[Image:zap128x128.png|right]]
{|
|-
|
[[Image:ZAP-ScreenShotAddAlert.png||400px||ZAP Add Alert Screen Shot]]
|
[[Image:ZAP-ScreenShotHelp.png||400px|left|ZAP Help Screen Shot]]
|-
|
[[Image:ZAP-ScreenShotHistoryFilter.png|thumb|400px|left|ZAP History Filter Screen Shot]]
|
[[Image:ZAP-ScreenShotSearchTab.png|thumb|400px|left|ZAP Search Tab Screen Shot]]
|}

= Talks =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/Talks | Talks}}

</div>
= News =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
{{:Projects/OWASP Zed Attack Proxy Project/Pages/News | News}}

</div>
= ZAP Gear =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Yes, you can now buy ZAP related gear!

All of the artwork for ZAP swag is released under the Creative Common License and can be downloaded from the [https://github.com/zaproxy/zap-swag zap-swag] repo.

You can of course use the artwork from this repo with any other online store that you like.

A range of products can be purchased from [http://www.redbubble.com/people/zaproxy Redbubble]

Stickers can be purchased from [https://www.stickermule.com/uk/user/1070684077/stickers Stickermule]

T-shirts can be purchased from [http://www.cafepress.com/zaproxy Cafepress]

[[Image:zap-tshirt-cp.PNG | link=http://www.cafepress.com/zaproxy]]

</div>

= Supporters =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

ZAP is developed by a worldwide [https://github.com/zaproxy/zap-core-help/wiki/HelpCredits team] of volunteers.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on ZAP:

* [http://www.mozilla.org Mozilla]
* [http://www.linuxfoundation.org/ The Linux Foundation]
* [http://www.owasp.org OWASP]
* [http://www.sage.co.uk Sage]
* [http://www.google.com Google]
* [http://www.microsoft.com Microsoft]
* [http://www.hacktics.com/ Hacktics, Ernst & Young]
* [http://www.dinosec.com/ DinoSec]
* [http://www.denimgroup.com Denim Group]
* [http://www.aspectsecurity.com/ Aspect Security]
* [http://secureideas.net SecureIdeas]
* [http://utilisec.com UtiliSec]
* [http://www.encription.co.uk/ encription]
* [https://www.accenture.com/us-en/digital-index.aspx Accenture Digital]
</div>

= Functionality =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's functionality:'''

* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Intercepting Proxy]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Traditional] and AJAX spiders
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Automated scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive scanner]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBruteforce Forced browsing]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert Dynamic SSL certificates]
* [https://github.com/zaproxy/zap-core-help/wiki/SmartCards Smartcard and Client Digital Certificates support]
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsWebsocketIntroduction Web sockets] support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Support for a wide range of scripting languages]
* [https://github.com/zaproxy/zap-core-help/wiki//HelpAddonsPlugnhackPlugnhack Plug-n-Hack support]
* Authentication and session support
* [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsApi Powerful REST based API]
* Automatic updating option
* [https://github.com/zaproxy/zap-extensions/wiki Integrated and growing marketplace of add-ons]

</div>
= Features =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">
'''Some of ZAP's features:'''

* [http://www.apache.org/licenses/LICENSE-2.0 Open source]
* Cross platform (it even runs on a [https://github.com/zaproxy/zaproxy/wiki/zappi Raspberry Pi!])
* Easy to install (just requires java 1.7)
* Completely free (no paid for 'Pro' version)
* Ease of use a priority
* [https://github.com/zaproxy/zap-core-help/wiki/HelpIntro Comprehensive help pages]
* Fully internationalized
* Translated into over 20 languages
* Community based, with involvement actively encouraged
* Under active development by an international team of volunteers

ZAP is a fork of the well regarded [http://www.parosproxy.org/ Paros Proxy].

</div>

= Languages =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

'''ZAP supports the following languages:'''

* English
* Arabic
* Bosnian
* Brazilian Portuguese
* Chinese
* Danish
* Filipino
* French
* German
* Greek
* Hungarian
* Indonesian
* Italian
* Japanese
* Korean
* Persian
* Polish
* Russian
* Sinhala
* Spanish
* Urdu

You can use [http://crowdin.net/project/owasp-zap Crowdin] to help improve these translations or add new ones right now!

</div>

= Roadmap =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

==Release 2.4.3==
ZAP 2.4.3 has been released, this is a bug fix and enhancement release

For more details see https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_4_3

</div>

= Get Involved =
[[Image:zap128x128.png|right]]
<div style="font-size:120%;border:none;margin: 0;color:#000">

Involvement in the development of ZAP is actively encouraged!

You do not have to be a security expert in order to contribute.

Some of the ways you can help:

==Feature Requests==

Please raise new feature requests as enhancement requests here: https://github.com/zaproxy/zaproxy/issues

If there are existing requests you are also interested in then please 'star' them - that way we can see which features people are most interested in and can prioritize them accordingly.

==Feedback==

Please use the [http://groups.google.com/group/zaproxy-users zaproxy-users Google Group] for feedback:
* What do like?
* What don't you like?
* What features could be made easier to use?
* How could the help pages be improved?

==Log issues==

Have you had a problem using ZAP?

If so and its not already been logged then please [https://github.com/zaproxy/zaproxy/issues report it]

==Localization==

Are you fluent in another language? Can you help translate ZAP into that language?

You can use [http://crowdin.net/project/owasp-zap Crowdin] to do that!

==Development==

If you fancy having a go at adding functionality to ZAP then please get in touch via the [http://groups.google.com/group/zaproxy-develop zaproxy-develop Google Group].

Again, you do not have to be a security expert to contribute code - working on ZAP could be great way to learn more about web application security!

If you actively contribute to ZAP then you will be invited to join the project.

</div>

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Zed Attack Proxy Project]]
[[Category:OWASP_Tool]]
[[Category:OWASP_Release_Quality_Tool|OWASP Release Quality Tool]]
[[Category:OWASP_Download]]
[[Category:Popular]]
[[Category:SAMM-ST-2]]

GSOC2017 Ideas

2017-01-31T21:53:33Z

Rick.mitchell: /* Backlash Powered Scanner */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===
:
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.
:
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
:
:''' Expected Results '''
:
:* User able to specify a specific field to enumerate via the ZAP UI
:* A list of all valid characters to be returned from the sets of characters the user specifies
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

=== Scripting Code Completion ===
:
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.
:
:''' Expected Results '''
:
:* Code completion for all of the parameters for all available functions in the standard scripts
:* Implementations for JavaScript, JRuby and Jython
:* Helper classes with code completion for commonly required functionality
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== SSRF Detector Integration ===
:
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector
:
:''' Expected Results '''
:
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
:
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.
:
:A standardized text representation and parser would be very useful and help its adoption.
:
:''' Expected Results '''
:
:* A documented definition of a text representation for Zest
:* A parser that converts the text representation into a working Zest script
:* An option in the Zest java implementation to output Zest scripts text format
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Support Java as a Scripting Language ===
:
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.
:
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.
:
:''' Expected Results '''
:
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Bamboo Support ===
:
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin).
:
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))
:
:''' Expected Results '''
:
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):
::*Manage Sessions (Loading/Persisting)
::*Define Context (Name, Include & Exclude URLs)
::* Attack Contexts (Spider, Ajax Spider, Active Scan)
::* Setup Autentication (Formed or Script Based)
::* Generate Reports
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Backslash Powered Scanner ===
:
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)
:
:''' Expected Results '''
:
:* Extend ZAP's active scanner to leverage Backslash type scanning.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
:
:'''Brief Explanation:'''
:
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.
:
:''' Getting started '''
:* Get in touch with us :)
:
:'''Expected Results:'''
:* A new feature that makes ZAP even better
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:'''Knowledge Prerequisites:'''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

GSOC2017 Ideas

2017-01-31T18:21:57Z

Rick.mitchell: /* Backlash Powered Scanner */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===
:
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.
:
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
:
:''' Expected Results '''
:
:* User able to specify a specific field to enumerate via the ZAP UI
:* A list of all valid characters to be returned from the sets of characters the user specifies
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

=== Scripting Code Completion ===
:
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.
:
:''' Expected Results '''
:
:* Code completion for all of the parameters for all available functions in the standard scripts
:* Implementations for JavaScript, JRuby and Jython
:* Helper classes with code completion for commonly required functionality
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== SSRF Detector Integration ===
:
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector
:
:''' Expected Results '''
:
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
:
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.
:
:A standardized text representation and parser would be very useful and help its adoption.
:
:''' Expected Results '''
:
:* A documented definition of a text representation for Zest
:* A parser that converts the text representation into a working Zest script
:* An option in the Zest java implementation to output Zest scripts text format
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Support Java as a Scripting Language ===
:
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.
:
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.
:
:''' Expected Results '''
:
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Bamboo Support ===
:
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin).
:
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))
:
:''' Expected Results '''
:
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):
::*Manage Sessions (Loading/Persisting)
::*Define Context (Name, Include & Exclude URLs)
::* Attack Contexts (Spider, Ajax Spider, Active Scan)
::* Setup Autentication (Formed or Script Based)
::* Generate Reports
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Backlash Powered Scanner ===
:
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)
:
:''' Expected Results '''
:
:* Extend ZAP's active scanner to leverage Backlash scanning.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
:
:'''Brief Explanation:'''
:
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.
:
:''' Getting started '''
:* Get in touch with us :)
:
:'''Expected Results:'''
:* A new feature that makes ZAP even better
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:'''Knowledge Prerequisites:'''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

GSOC2017 Ideas

2017-01-31T18:21:15Z

Rick.mitchell: /* OWASP ZAP */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===
:
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.
:
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
:
:''' Expected Results '''
:
:* User able to specify a specific field to enumerate via the ZAP UI
:* A list of all valid characters to be returned from the sets of characters the user specifies
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

=== Scripting Code Completion ===
:
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.
:
:''' Expected Results '''
:
:* Code completion for all of the parameters for all available functions in the standard scripts
:* Implementations for JavaScript, JRuby and Jython
:* Helper classes with code completion for commonly required functionality
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== SSRF Detector Integration ===
:
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector
:
:''' Expected Results '''
:
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
:
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.
:
:A standardized text representation and parser would be very useful and help its adoption.
:
:''' Expected Results '''
:
:* A documented definition of a text representation for Zest
:* A parser that converts the text representation into a working Zest script
:* An option in the Zest java implementation to output Zest scripts text format
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Support Java as a Scripting Language ===
:
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.
:
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.
:
:''' Expected Results '''
:
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Bamboo Support ===
:
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin).
:
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))
:
:''' Expected Results '''
:
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):
::*Manage Sessions (Loading/Persisting)
::*Define Context (Name, Include & Exclude URLs)
::* Attack Contexts (Spider, Ajax Spider, Active Scan)
::* Setup Autentication (Formed or Script Based)
::* Generate Reports
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Backlash Powered Scanner ===
:
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)
:
:''' Expected Results '''
:
:* Extend ZAP's active scanner to leverage Backlash scanning.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
:
:'''Brief Explanation:'''
:
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.
:
:''' Getting started '''
:* Get in touch with us :)
:
:'''Expected Results:'''
:* A new feature that makes ZAP even better
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:'''Knowledge Prerequisites:'''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

GSOC2017 Ideas

2017-01-31T18:12:05Z

Rick.mitchell: /* Bamboo Support */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===
:
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.
:
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
:
:''' Expected Results '''
:
:* User able to specify a specific field to enumerate via the ZAP UI
:* A list of all valid characters to be returned from the sets of characters the user specifies
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

=== Scripting Code Completion ===
:
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.
:
:''' Expected Results '''
:
:* Code completion for all of the parameters for all available functions in the standard scripts
:* Implementations for JavaScript, JRuby and Jython
:* Helper classes with code completion for commonly required functionality
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== SSRF Detector Integration ===
:
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector
:
:''' Expected Results '''
:
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
:
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.
:
:A standardized text representation and parser would be very useful and help its adoption.
:
:''' Expected Results '''
:
:* A documented definition of a text representation for Zest
:* A parser that converts the text representation into a working Zest script
:* An option in the Zest java implementation to output Zest scripts text format
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Support Java as a Scripting Language ===
:
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.
:
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.
:
:''' Expected Results '''
:
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Bamboo Support ===
:
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin).
:
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))
:
:''' Expected Results '''
:
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):
::*Manage Sessions (Loading/Persisting)
::*Define Context (Name, Include & Exclude URLs)
::* Attack Contexts (Spider, Ajax Spider, Active Scan)
::* Setup Autentication (Formed or Script Based)
::* Generate Reports
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
:
:'''Brief Explanation:'''
:
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.
:
:''' Getting started '''
:* Get in touch with us :)
:
:'''Expected Results:'''
:* A new feature that makes ZAP even better
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:'''Knowledge Prerequisites:'''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

GSOC2017 Ideas

2017-01-31T18:10:19Z

Rick.mitchell: /* OWASP ZAP */

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===
:
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.
:
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
:
:''' Expected Results '''
:
:* User able to specify a specific field to enumerate via the ZAP UI
:* A list of all valid characters to be returned from the sets of characters the user specifies
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

=== Scripting Code Completion ===
:
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.
:
:''' Expected Results '''
:
:* Code completion for all of the parameters for all available functions in the standard scripts
:* Implementations for JavaScript, JRuby and Jython
:* Helper classes with code completion for commonly required functionality
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== SSRF Detector Integration ===
:
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector
:
:''' Expected Results '''
:
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Zest Text Representation and Parser ===
:
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.
:
:A standardized text representation and parser would be very useful and help its adoption.
:
:''' Expected Results '''
:
:* A documented definition of a text representation for Zest
:* A parser that converts the text representation into a working Zest script
:* An option in the Zest java implementation to output Zest scripts text format
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Support Java as a Scripting Language ===
:
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.
:
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.
:
:''' Expected Results '''
:
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Bamboo Support ===
:
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin).
:
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))
:
:''' Expected Results '''
:
:* Facilitate the invocation of various ZAP functionalities from Bamboo CI. Including (but not limited to):
::*Manage Sessions (Loading/Persisting)
::*Define Context (Name, Include & Exclude URLs)
::* Attack Contexts (Spider, Ajax Spider, Active Scan)
::* Setup Autentication (Formed or Script Based)
::* Generate Reports
:* Templates for all of the current script types
:* Optionally auto complete supported
:
:''' Knowledge Prerequisite: '''
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your Idea ===
:
:'''Brief Explanation:'''
:
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.
:
:''' Getting started '''
:* Get in touch with us :)
:
:'''Expected Results:'''
:* A new feature that makes ZAP even better
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:'''Knowledge Prerequisites:'''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

GSOC2017 Ideas

2017-01-31T13:44:32Z

Rick.mitchell: Indent everything

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===
:
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.
:
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
:
:''' Expected Results '''
:
:* User able to specify a specific field to enumerate via the ZAP UI
:* A list of all valid characters to be returned from the sets of characters the user specifies
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

=== Scripting Code Completion ===
:
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.
:
:''' Expected Results '''
:
:* Code completion for all of the parameters for all available functions in the standard scripts
:* Implementations for JavaScript, JRuby and Jython
:* Helper classes with code completion for commonly required functionality
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your idea ===
:
:'''Brief Explanation:'''
:
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.
:
:''' Getting started '''
:* Get in touch with us :)
:
:'''Expected Results:'''
:* A new feature that makes ZAP even better
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:'''Knowledge Prerequisites:'''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

GSOC2017 Ideas

2017-01-31T13:43:49Z

Rick.mitchell: Indent everything

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===
:
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.
:
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
:
:''' Expected Results '''
:
:* User able to specify a specific field to enumerate via the ZAP UI
:* A list of all valid characters to be returned from the sets of characters the user specifies
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

=== Scripting Code Completion ===
:
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.
:
:''' Expected Results '''
:
:* Code completion for all of the parameters for all available functions in the standard scripts
:* Implementations for JavaScript, JRuby and Jython
:* Helper classes with code completion for commonly required functionality
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.
:
:'''Mentors:'''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your idea ===

'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

'''Knowledge Prerequisites:'''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

GSOC2017 Ideas

2017-01-31T13:43:18Z

Rick.mitchell: Indent everything

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===
:
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.
:
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
:
:''' Expected Results '''
:
:* User able to specify a specific field to enumerate via the ZAP UI
:* A list of all valid characters to be returned from the sets of characters the user specifies
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]
:
:''' Knowledge Prerequisite: '''
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.
:
:''' Mentors '''
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
:

=== Scripting Code Completion ===

ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.

''' Expected Results '''

* Code completion for all of the parameters for all available functions in the standard scripts
* Implementations for JavaScript, JRuby and Jython
* Helper classes with code completion for commonly required functionality
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your idea ===

'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

'''Knowledge Prerequisites:'''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

GSOC2017 Ideas

2017-01-31T13:40:53Z

Rick.mitchell:

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check out the suggested projects below
* Contact the mentors and teams of the projects that you are interested in

== OWASP Juice Shop ==

[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

=== Challenge Pack 2017 ===

'''Brief Explanation:'''

Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

'''Expected Results:'''
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])
* Each challenge comes with full functional unit and integration tests
* Each challenge is verified to be exploitable by corresponding end-to-end tests
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Tech Stack Update ===

'''Brief Explanation:'''

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:

* AngularJS 1.x with Bootstrap in the client
* Express on top of NodeJS on the server with
** SQLite as a database
** Sequelize as an OR-Mapper
*** sequelize-restful as an automatic API-generator on top of the DB entities
* Jasmine 1.x to specify behavioral tests
** Karma as a test runner for the client-side unit tests
** Frisby.js for API tests on a dynamically launched server
** Protractor for end-to-end testing of the challenge exploits
* NPM for running/testing the application
* Grunt for some of the custom build scripts

Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].

Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.

'''Expected Results:'''
* High-level target architecture overview including a migration plan with intermediary milestones
* Execution of migration without breaking functionality or losing tests along the way
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.

''' Getting started: '''
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2

'''Knowledge Prerequisites:'''
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

=== Your idea ===

'''Brief Explanation:'''

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

''' Getting started '''
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]

'''Expected Results:'''
* A new feature that makes OWASP Juice Shop even better
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

'''Knowledge Prerequisites:'''
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

'''Mentors:'''
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader

== OWASP Mobile Hacking Playground ==

The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:

* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:

* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

=== Creation of Android Code Samples ===

'''Brief Explanation:'''

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

'''Expected Results:'''

The following categories and their test cases are not fully added to the Android App:

* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

''' Getting started: '''
Here are a few suggestion on how to get started.
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
* Browse through the MASVS and check the different areas and their defined requirements.
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

'''Knowledge Prerequisites:'''
General interest in Mobile and Security. Basic knowledge of Android and Java.

'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

== OWASP ZAP ==

[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.

=== Field Enumeration ===

This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

''' Expected Results '''

* User able to specify a specific field to enumerate via the ZAP UI
* A list of all valid characters to be returned from the sets of characters the user specifies
* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

''' Mentors '''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Scripting Code Completion ===

ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.

''' Expected Results '''

* Code completion for all of the parameters for all available functions in the standard scripts
* Implementations for JavaScript, JRuby and Jython
* Helper classes with code completion for commonly required functionality
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

''' Knowledge Prerequisite: '''
ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

=== Your idea ===

'''Brief Explanation:'''

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes ZAP even better
* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]

'''Knowledge Prerequisites:'''
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team

== BLT / Bugheist ==

'''Brief Explanation:'''

Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.

''' Getting started '''
* Get in touch with us :)

'''Expected Results:'''
* A new feature that makes Bugheist even better

'''Knowledge Prerequisites:'''
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentors:'''
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team

== OWASP Security Knowledge framework ==

===Brief Explanation===
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

'''In a nutshell'''

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

===Your idea / Getting started===
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

===Expected Results===
* Adding features to SKF project
* Adding more function examples to pre-development phase
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
* Adding/updating Knowledgebase items
* Adding CWE references to knowledgebase items
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)

===Knowledge Prerequisites===

* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.
* For writing knowledgebase items only technical knowledge of application security is required
* For writing / updating code examples you need to know a programming language along with secure development.
* For writing the verification guide you need some penetration testing experience.

'''Mentors:'''

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

Web Service Security Testing Cheat Sheet

2016-05-11T12:08:38Z

Rick.mitchell: Add ZAP to tools list