OWASP - User contributions [en]

OWASP Vulnerable Web Applications Directory Project/Pages/Offline

2016-10-19T18:12:40Z

Shivam Dixit:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.badstore.net/ BadStore]
| Perl(CGI)
|
|
|
|-
| [http://code.google.com/p/bodgeit/ BodgeIt Store ]
| Java
| [http://code.google.com/p/bodgeit/downloads/list download]
|
|
|-
| [http://sechow.com/bricks/index.html Bricks ]
| PHP
| [http://sechow.com/bricks/download.html download] [http://sechow.com/bricks/docs/ docs]
| OWASP
|
|-
| [http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/ Butterfly Security Project]
| PHP
| [http://sourceforge.net/projects/thebutterflytmp/files/ download]
|
| Last updated in 2008
|-
| [http://www.itsecgames.com/ bWAPP ]
| PHP
| [http://sourceforge.net/projects/bwapp/files/ download] [http://itsecgames.blogspot.be/2013/01/bwapp-installation.html docs]
|
|
|-
| [https://github.com/fridaygoldsmith/bwa_cyclone_transfers Cyclone Transfers ]
| Ruby on Rails
|
|
|
|-
| [https://github.com/quantumfoam/DVNA/ Damn Vulnerable Node Application - DVNA ]
| Node.js
| [https://github.com/quantumfoam/DVNA/ download]
| Claudio Lacayo
|
|-
| [http://www.dvwa.co.uk/ Damn Vulnerable Web Application - DVWA ]
| PHP
| [http://code.google.com/p/dvwa/downloads/list download]
| RandomStorm
|
|-
| [http://dvws.secureideas.net/ Damn Vulnerable Web Services - DVWS ]
| PHP
| [http://dvws.secureideas.net/downloads/files/dvws.tgz download]
| Secure Ideas
|
|-
| [http://google-gruyere.appspot.com/ Gruyere ]
| Python
| [http://google-gruyere.appspot.com/gruyere-code.zip download]
| Google
|
|-
| [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project Hackademic Challenges Project ]
| PHP
| [https://code.google.com/p/owasp-hackademic-challenges/ download]
| OWASP
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx Hacme Bank - Android]
|
|
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx Hacme Bank ]
| .NET
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx Hacme Books ]
| Java
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx Hacme Casino ]
| Ruby on Rails
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx Hacme Shipping ]
| ColdFusion
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx Hacme Travel ]
| C++
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx download]
| McAfee / Foundstone
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
|
| First 2 levels online, rest offline
|-
| [https://www.owasp.org/index.php/OWASP_Juice_Shop_Project Juice Shop]
| Node/JS
| [https://github.com/bkimminich/juice-shop download]
| OWASP
|
|-
| [http://sourceforge.net/projects/lampsecurity/ LampSecurity]
| PHP
|
|
|
|-
| [http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Mutillidae ]
| PHP
| [http://www.irongeek.com/mutillidae/ download]
|
|
|-
| [https://github.com/jerryhoff/WebGoat.NET .NET Goat ]
| C#
| [https://github.com/jerryhoff/WebGoat.NET git repository]
| OWASP
|
|-
| [https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project NodeGoat ]
| Node.js
| [https://github.com/OWASP/NodeGoat git repository]
| OWASP
|
|-
| [http://peruggia.sourceforge.net/ Peruggia ]
| PHP
| [http://sourceforge.net/projects/peruggia/files/ download]
|
|
|-
| [https://code.google.com/p/puzzlemall/ Puzzlemall ]
| Java
| [https://code.google.com/p/puzzlemall/downloads/list download] [https://code.google.com/p/puzzlemall/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project Rails Goat ]
| Ruby on Rails
| [https://github.com/OWASP/railsgoat/archive/master.zip download] [http://railsgoat.cktricky.com/getting_started.html docs]
| OWASP
|
|-
| [http://suif.stanford.edu/%7Elivshits/securibench/ SecuriBench]
| Java
|
| Stanford
|
|-
| [http://suif.stanford.edu/%7Elivshits/work/securibench-micro/ SecuriBench Micro]
| Java
| [http://suif.stanford.edu/~livshits/securibench/download.html download]
| Stanford
|
|-
| [https://www.owasp.org/index.php/OWASP_Security_Shepherd Security Shepherd]
| Java
| [https://sourceforge.net/projects/owaspshepherd/ download]
| OWASP
|
|-
| [https://github.com/sqlmapproject/testenv SQL injection test environment]
| PHP
|
|
| SQLmap Project
|-
| [https://github.com/Audi-1/sqli-labs SQLI-labs]
| PHP
| [https://github.com/Audi-1/sqli-labs/archive/master.zip download] [http://dummy2dummies.blogspot.com/ blog]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/sakti/twitterlike twitterlike ]
| PHP
| [https://github.com/sakti/twitterlike git repository]
| Sakti Dwi Cahyono
|
|-
| [http://www.nth-dimension.org.uk/blog.php?id=88 VulnApp ]
| .NET
| [http://projects.nth-dimension.org.uk/dir?d=VulnApp CVS download] [http://projects.nth-dimension.org.uk/rptview?rn=6 vulns]
|
|
|-
| [http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/ Vulnerable Web App]
|
|
| Exploit.co.il
|
|-
| [https://github.com/adamdoupe/WackoPicko WackoPicko ]
| PHP
| [https://github.com/adamdoupe/WackoPicko/zipball/master download] [http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf whitepaper]
|
|
|-
| [https://github.com/sectooladdict/wavsep WAVSEP - Web Application Vulnerability Scanner Evaluation Project ]
| Java
| [https://sourceforge.net/projects/wavsep/ download (builds)] [https://code.google.com/p/wavsep/downloads/list download (old)] [https://github.com/sectooladdict/wavsep/wiki wiki]
| Shay Chen
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat ]
| Java
| [http://code.google.com/p/webgoat/downloads/list download] [https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents guide]
| OWASP
|
|-
| [https://github.com/shivamdixit/WebGoatPHP WebGoatPHP ]
| PHP
| [https://github.com/OWASP/OWASPWebGoatPHP git repository]
| OWASP
|
|-
| [https://code.google.com/p/wivet/ WIVET - Web Input Vector Extractor Teaser]
|
| [http://www.webguvenligi.org/projeler/wivet download] [https://code.google.com/p/wivet/downloads/list?can=1&q= tests]
|
|
|-
| [https://github.com/s4n7h0/xvwa Xtreme Vulnerable Web Application (XVWA)]
| PHP/MySQL
| [https://github.com/s4n7h0/xvwa download]
| @s4n7h0, @samanL33T
|
|-
|}

OWASP Vulnerable Web Applications Directory Project/Pages/Offline

2016-10-19T18:09:49Z

Shivam Dixit:

{| border="1" width="80%" cellspacing="0" cellpadding="2"
|-
! scope="col" | App Name / Link
! scope="col" | Technology
! scope="col" | Other links
! scope="col" | Author
! scope="col" | Notes
|-
| [http://www.badstore.net/ BadStore]
| Perl(CGI)
|
|
|
|-
| [http://code.google.com/p/bodgeit/ BodgeIt Store ]
| Java
| [http://code.google.com/p/bodgeit/downloads/list download]
|
|
|-
| [http://sechow.com/bricks/index.html Bricks ]
| PHP
| [http://sechow.com/bricks/download.html download] [http://sechow.com/bricks/docs/ docs]
| OWASP
|
|-
| [http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/ Butterfly Security Project]
| PHP
| [http://sourceforge.net/projects/thebutterflytmp/files/ download]
|
| Last updated in 2008
|-
| [http://www.itsecgames.com/ bWAPP ]
| PHP
| [http://sourceforge.net/projects/bwapp/files/ download] [http://itsecgames.blogspot.be/2013/01/bwapp-installation.html docs]
|
|
|-
| [https://github.com/fridaygoldsmith/bwa_cyclone_transfers Cyclone Transfers ]
| Ruby on Rails
|
|
|
|-
| [https://github.com/quantumfoam/DVNA/ Damn Vulnerable Node Application - DVNA ]
| Node.js
| [https://github.com/quantumfoam/DVNA/ download]
| Claudio Lacayo
|
|-
| [http://www.dvwa.co.uk/ Damn Vulnerable Web Application - DVWA ]
| PHP
| [http://code.google.com/p/dvwa/downloads/list download]
| RandomStorm
|
|-
| [http://dvws.secureideas.net/ Damn Vulnerable Web Services - DVWS ]
| PHP
| [http://dvws.secureideas.net/downloads/files/dvws.tgz download]
| Secure Ideas
|
|-
| [http://google-gruyere.appspot.com/ Gruyere ]
| Python
| [http://google-gruyere.appspot.com/gruyere-code.zip download]
| Google
|
|-
| [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project Hackademic Challenges Project ]
| PHP
| [https://code.google.com/p/owasp-hackademic-challenges/ download]
| OWASP
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx Hacme Bank - Android]
|
|
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx Hacme Bank ]
| .NET
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-bank.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx Hacme Books ]
| Java
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmebooks.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx Hacme Casino ]
| Ruby on Rails
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacme-casino.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx Hacme Shipping ]
| ColdFusion
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmeshipping.aspx download]
| McAfee / Foundstone
|
|-
| [http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx Hacme Travel ]
| C++
| [http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/hacmetravel.aspx download]
| McAfee / Foundstone
|
|-
| [http://hackxor.sourceforge.net/cgi-bin/index.pl hackxor]
|
|
|
| First 2 levels online, rest offline
|-
| [https://www.owasp.org/index.php/OWASP_Juice_Shop_Project Juice Shop]
| Node/JS
| [https://github.com/bkimminich/juice-shop download]
| OWASP
|
|-
| [http://sourceforge.net/projects/lampsecurity/ LampSecurity]
| PHP
|
|
|
|-
| [http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 Mutillidae ]
| PHP
| [http://www.irongeek.com/mutillidae/ download]
|
|
|-
| [https://github.com/jerryhoff/WebGoat.NET .NET Goat ]
| C#
| [https://github.com/jerryhoff/WebGoat.NET git repository]
| OWASP
|
|-
| [https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project NodeGoat ]
| Node.js
| [https://github.com/OWASP/NodeGoat git repository]
| OWASP
|
|-
| [http://peruggia.sourceforge.net/ Peruggia ]
| PHP
| [http://sourceforge.net/projects/peruggia/files/ download]
|
|
|-
| [https://code.google.com/p/puzzlemall/ Puzzlemall ]
| Java
| [https://code.google.com/p/puzzlemall/downloads/list download] [https://code.google.com/p/puzzlemall/downloads/list docs]
|
|
|-
| [https://www.owasp.org/index.php/OWASP_Rails_Goat_Project Rails Goat ]
| Ruby on Rails
| [https://github.com/OWASP/railsgoat/archive/master.zip download] [http://railsgoat.cktricky.com/getting_started.html docs]
| OWASP
|
|-
| [http://suif.stanford.edu/%7Elivshits/securibench/ SecuriBench]
| Java
|
| Stanford
|
|-
| [http://suif.stanford.edu/%7Elivshits/work/securibench-micro/ SecuriBench Micro]
| Java
| [http://suif.stanford.edu/~livshits/securibench/download.html download]
| Stanford
|
|-
| [https://www.owasp.org/index.php/OWASP_Security_Shepherd Security Shepherd]
| Java
| [https://sourceforge.net/projects/owaspshepherd/ download]
| OWASP
|
|-
| [https://github.com/sqlmapproject/testenv SQL injection test environment]
| PHP
|
|
| SQLmap Project
|-
| [https://github.com/Audi-1/sqli-labs SQLI-labs]
| PHP
| [https://github.com/Audi-1/sqli-labs/archive/master.zip download] [http://dummy2dummies.blogspot.com/ blog]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/SpiderLabs/SQLol SQLol ]
| PHP
| [https://github.com/SpiderLabs/SQLol/archive/master.zip download]
|
|
|-
| [https://github.com/sakti/twitterlike twitterlike ]
| PHP
| [https://github.com/sakti/twitterlike git repository]
| Sakti Dwi Cahyono
|
|-
| [http://www.nth-dimension.org.uk/blog.php?id=88 VulnApp ]
| .NET
| [http://projects.nth-dimension.org.uk/dir?d=VulnApp CVS download] [http://projects.nth-dimension.org.uk/rptview?rn=6 vulns]
|
|
|-
| [http://exploit.co.il/hacking/exploit-kb-vulnerable-web-app/ Vulnerable Web App]
|
|
| Exploit.co.il
|
|-
| [https://github.com/adamdoupe/WackoPicko WackoPicko ]
| PHP
| [https://github.com/adamdoupe/WackoPicko/zipball/master download] [http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf whitepaper]
|
|
|-
| [https://github.com/sectooladdict/wavsep WAVSEP - Web Application Vulnerability Scanner Evaluation Project ]
| Java
| [https://sourceforge.net/projects/wavsep/ download (builds)] [https://code.google.com/p/wavsep/downloads/list download (old)] [https://github.com/sectooladdict/wavsep/wiki wiki]
| Shay Chen
|
|-
| [https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat ]
| Java
| [http://code.google.com/p/webgoat/downloads/list download] [https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents guide]
| OWASP
|
|-
| [https://github.com/shivamdixit/WebGoatPHP WebGoatPHP ]
| PHP
| [https://github.com/shivamdixit/WebGoatPHP git repository]
| OWASP
|
|-
| [https://code.google.com/p/wivet/ WIVET - Web Input Vector Extractor Teaser]
|
| [http://www.webguvenligi.org/projeler/wivet download] [https://code.google.com/p/wivet/downloads/list?can=1&q= tests]
|
|
|-
| [https://github.com/s4n7h0/xvwa Xtreme Vulnerable Web Application (XVWA)]
| PHP/MySQL
| [https://github.com/s4n7h0/xvwa download]
| @s4n7h0, @samanL33T
|
|-
|}

WebGoatPHP

2016-10-12T17:49:23Z

Shivam Dixit:

<div style="width:100%;height:200px;border:0,margin:0;overflow: hidden;">[[Image:OWASP_Project_Header.jpg]] </div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebGoatPHP==
WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases. The goal is to create an interactive teaching environment for web application security by offering lessons in the form of challenges. In each challenge the user must exploit the vulnerability to demonstrate their understanding.

[https://github.com/OWASP/OWASPWebGoatPHP GitHub Repo]

==What is WebGoatPHP==
WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. The application is a realistic teaching environment and supports four different modes.

==Why WebGoatPHP?==
WebGoatPHP is suitable for:

* Web Developers, to learn how to develop secure web applications
* Penetration Testers, to learn the different kinds of attacking scenarios
* Teachers, to interactively teach students about web application security

==Contribute==
To contribute, fork the code on [https://github.com/shivamdixit/WebGoatPHP GitHub] and send a pull request.
Join the discussion on our [https://lists.owasp.org/mailman/listinfo/owasp_webgoatphp mailing list]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==Different Operating Modes==
* Single User Mode
* Workshop Mode
* Contest Mode
* Secure Coding Mode

==Types Of Challenges==
* Access Control Flaws
* AJAX Security
* Authentication Flaws
* Code Quality
* Injection Attacks
* Cross-Site Scripting(XSS) Attacks
* Brute Force Attacks
* Session Management Flaws
* Improper Error Handling

==Major Contributors==
*[[User:Azzeddine_RAMRAMI|Azzeddine]]

| valign="top" style="padding-left:25px;width:200px;" |

==Project Leader==

*[[User:Shivam_Dixit|Shivam Dixit]]
*[[User:Johanna_Curiel|Johanna Curiel]]

== Quick Download ==

* [https://github.com/shivamdixit/WebGoatPHP/archive/master.zip OWASP WebGoatPHP]

== News and Events ==
* Post issues in CodeBounty.com for fixing
*Project adoption and kick off February 2016

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

WebGoatPHP

2016-09-05T19:23:54Z

Shivam Dixit: /* Project Leader */

<div style="width:100%;height:200px;border:0,margin:0;overflow: hidden;">[[Image:OWASP_Project_Header.jpg]] </div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebGoatPHP==
WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases. The goal is to create an interactive teaching environment for web application security by offering lessons in the form of challenges. In each challenge the user must exploit the vulnerability to demonstrate their understanding.

[https://github.com/shivamdixit/WebGoatPHP GitHub Repo]

==What is WebGoatPHP==
WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. The application is a realistic teaching environment and supports four different modes.

==Why WebGoatPHP?==
WebGoatPHP is suitable for:

* Web Developers, to learn how to develop secure web applications
* Penetration Testers, to learn the different kinds of attacking scenarios
* Teachers, to interactively teach students about web application security

==Contribute==
To contribute, fork the code on [https://github.com/shivamdixit/WebGoatPHP GitHub] and send a pull request.
Join the discussion on our [https://lists.owasp.org/mailman/listinfo/owasp_webgoatphp mailing list]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==Different Operating Modes==
* Single User Mode
* Workshop Mode
* Contest Mode
* Secure Coding Mode

==Types Of Challenges==
* Access Control Flaws
* AJAX Security
* Authentication Flaws
* Code Quality
* Injection Attacks
* Cross-Site Scripting(XSS) Attacks
* Brute Force Attacks
* Session Management Flaws
* Improper Error Handling

==Major Contributors==
*[[User:Azzeddine_RAMRAMI|Azzeddine]]

| valign="top" style="padding-left:25px;width:200px;" |

==Project Leader==

*[[User:Shivam_Dixit|Shivam Dixit]]
*[[User:Johanna_Curiel|Johanna Curiel]]

== Quick Download ==

* [https://github.com/shivamdixit/WebGoatPHP/archive/master.zip OWASP WebGoatPHP]

== News and Events ==
* Post issues in CodeBounty.com for fixing
*Project adoption and kick off February 2016

==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

GSoC2015 Ideas

2015-02-14T05:50:23Z

Shivam Dixit: /* OWASP CSRF Guard */

=OWASP Project Requests=

== OWASP Hackademic Challenges ==

[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check the Hackademic wiki page linked above
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]

=== Web Sandbox ===

'''Brief Explanation:'''

After a very successfull OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete, we need many features here and there to make it easily deployable and improve it's administration.

Ideas on the project:

* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.
* Your idea here...

'''Expected Results:'''

Better sandboxing

'''Knowledge Prerequisites:'''

Comfortable in Linux administration and some security knowledge depending on the specific project.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Source Code testing environment - Defensive Challenges ===

'''Brief Explanation:'''

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

'''Expected Results:'''

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML. Good understanding of Application Security, source code analysis and related vulnerabilities.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Student performance analytics ===

'''Brief Explanation:'''

We need a better way to measure the student's performance and how it varies depending on the problem. You will write a plugin (or make changes to the core depending on your implementation proposal) to gather all sorts of performance data and present them in a meaningfull way.

'''Expected Results:'''

A page to view performance metrics of differenct students.
( Hackalytics )

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML, javascript. Some understanding of analytics.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== New Template ===

'''Brief Explanation:'''

We need a cool new template since the old one is getting pretty old.
You can do it using the latest frontend bells and whistles (like angular,bootstrap or the tools of your choice).

'''Expected Results:'''

A new template.

'''Knowledge Prerequisites:'''

Comfortable in Css, HTML, javascript and/or the tools you plan on using.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Gamification ===

'''Brief Explanation:'''

Gamification is a feature widely used in many learning platforms out there and it would be nice if we could have it too.
You will need to design and implement the awards, badges and whatever other feature you have in mind. You will also implement the front and backend changes necessary to present the results.

'''Expected Results:'''

Gamification of the platform. ( Hackademicification )

'''Knowledge Prerequisites:'''

Comfortable in Css, HTML, javascript and/or the tools you plan on using.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Your idea ===

'''Brief Explanation:'''

Hackademic is it's community, we always welcome new ideas and cool features. Come over to the irc channel or mailing list and propose something.
We'd be happy to help you get it done.

'''Expected Results:'''

Features we didn't know we needed. ;-)

'''Knowledge Prerequisites:'''

Comfortable in whatever tools and languages you plan on using.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

== OWASP WebGoat .NET - Vulnerable Website ==

'''Brief Explanation:'''

The actual WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in but we would like to add more vulnerable features
https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview

'''Expected Results:'''

We want to add more modules such as
*WebSockets
*CSRF challenge
*Finalise testing an upgrade to the .NET framework 4.5
*Retest and clean up actual modules

'''Knowledge Prerequisites:'''

Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities.

'''Mentors:''' Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders

==OWASP WebGoatPHP==
===OWASP WebGoatPHP===
'''Description:'''
[[Webgoat]] is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions.
Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has [[OWASP_WebGoat_Reboot2012|dedicated in 2012]] an amount of $5000 for promotion of WebGoatPHP.

If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).

'''Expected Results:''' WebGoatPHP first version is ready, it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.

'''Knowledge prerequisite:''' You just need to know PHP and SQL. Familiarity with web application security is recommended.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

==OWASP PureCaptcha==
===OWASP PureCaptcha===
'''Description:'''
[[OWASP PureCaptcha]] is an OWASP project aiming to simplify CAPTCHA usage. Instead of proving rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs, with little memory and processor footprint.
PureCaptcha is currently released for PHP. The candidate will port this to several other programming languages (priority on web languages) and provide full test coverage.

'''Expected Results:''' PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on security of the generated captcha can also be performed.

'''Knowledge prerequisites:''' Any programming language you want to port into, as well as PHP.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Jesse Burns

==OWASP PHP Framework==
===OWASP PHP Framework===

'''Description:'''
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.
The project has been done in the last two years, and now a framework has been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.

'''Expected Results: ''' A secure yet robust and practical framework for PHP developers.

'''Knowledge prerequisite:''' This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary

'''Skill Level:''' Advanced

==OWASP RBAC Project==
===OWASP RBAC Project===
'''Description:''' ''For the last 7 years, improper access control has been the issue behind two of the Top Ten lists''.

RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.

Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time.

[[OWASP RBAC project]] has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind this.

'''Expected Results:''' OWASP RBAC project more mature by porting from PHP to other programming languages, OR adding new features and testing on the PHP version.

'''Knowledge prerequisite:''' Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]], Rahul Chaudhary, Jesse Burns

'''Skill Level:''' Advanced

For more info, visit [http://phprbac.net phprbac.net]

==OWASP PHP Widgets==
===OWASP PHP Widgets===
'''Description:''' Pull MVC (widget-based web views) has been available for many years on all major web programming languages, and even for Javascript. PHP on the other hand, lacks these and suffers a lot from forcing push MVC on its developers. There are a few libraries around, not secure and not mature at all. Providing a robust set of widgets for PHP developers not only smoothes web development process, it automatically mitigates a lot of web attacks that are based on user inputs to forms and other web elements (e.g CSRF, SQL Injection, XSS).

'''Expected Results:''' OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.

'''Knowledge prerequisite:''' Average PHP programming. Good experience with web applications.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

==OWASP Seraphimdroid==

'''Description:''' SeraphimDroid is educational application for android devices that helps users learn about risks and threats coming from other android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. Also this project will deliver paper on android permissions, their regular use, risks and malicious use. In second version SeraphimDroid will evolve to application firewall for android devices not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be called without user permission and knowledge.

'''Expected Results:''' After last year's GSoC first version of project was released on Google play. However, educational component, setting check, potential android widgets are still missing and would be beneficial. Also, malicious behavior prevention mechanisms should be added and some bugs should be fixed.

'''Knowledge prerequisite:''' Average Android and JAVA programming. Knowledge of XML and SQLite Good experience with mobile applications.

'''Mentor:''' [[User:Nikola Milosevic|Nikola Milosevic]]

== OWASP OWTF ==

=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===

'''Brief explanation:'''

Background problem to solve:

We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date.

Proposed solution:

We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.

A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf

VMS will have the following features:
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.

[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - HTTP Request Translator Improvements ===

'''Brief explanation:'''

Problem to solve:

There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.

Proposed solution:

An HTTP request translator, a *standalone* *tool* that can:

1) Be used from inside OR outside of OWTF.

2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts

3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)
* Transforms with boundary strings? (TBD)
* Individually or in bulk? (TBD)

'''Essential Function: "--output" argument'''

CRITICAL: The command/script should be generated so that the request is sent as literally as possible.

Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.

NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)
* http request in => curl command out
* http request in => bash script out
* http request in => python script out
* http request in => php script out
* http request in => ruby script out
* http request in => PowerShell script out

'''Basic additional arguments:'''

- "--proxy" argument: generates the command/script with the relevant proxy option

NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)

- "--string-search" argument: generates the command/script so that it:

1) performs the request

2) then searches for something in the response (i.e. literal match)

- "--regex-search" argument: generates the command/script so that it:
1) performs the request

2) then searches for something in the response (i.e. regex match)

'''OWTF integration'''

The idea here, is to invoke this tool from:

1) Single HTTP transactions:

For example, have a button to "export http request" + then show options equivalent to the flags

2) Multiple HTTP transactions:

Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).

'''Desired input formats:'''

* Read raw HTTP request from stdin -Suggested default behaviour! :)-

Example: cat path/to/http_request.txt | http-request-translator.py --output

* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"

Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"

Example:

1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)

2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"

3) User pastes a raw HTTP requests + hits enter

4) Tool outputs whatever is relevant for the flags + http request given

* For bulk processing: Maybe a directory of raw http request files?

'''Nice to have: Transforms'''

In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.

Example:

NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"

Step 1) The user provides a raw HTTP request like this:

GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test
Host: target.com
...

Step 2) The tool generates a bash script like the following:

#!/bin/bash

PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")
curl ...... "http://target.com/path/to/$PARAM1/test"

OR a "curl command" like the following:
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"

This feature can be valuable to shave a bit more time in script writing.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - JavaScript Library Sniper Improvements ===

'''Brief explanation:'''
This is a project that tries to resolve a very common problem during penetration tests:

The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.

To solve this problem, we propose a *standalone* *tool* that can:

1) Be run BOTH from inside AND outside of OWTF

2) Build and *update* a fingerprint JavaScript library database of:
* Library File hashes => JavaScript Library version
* Library File lengths => JavaScript Library version
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)

3) Build and *update* a vulnerability database of:
* JavaScript Library version => CVE - CVSS score - Vulnerability info

4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:
* JavaScript Library version
* List of vulnerabilities sorted in descending CVSS score order

5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:
* ALL Library/vulnerability matches described on 4)

Once the standalone tool is built and verified to be working, OWTF should be able to:

Feature 1) GREP plugin improvement (Web Application Fingerprint):

Step 1) Lookup file lengths and hashes in the "JavaScript library database"

Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user

Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):

1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-

2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)

Potential projects worth having a look for potential overlap/inspiration:
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]

How many JavaScript libraries should be included?
* As many as possible, but especially the major ones: jQuery, knockout, etc.
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-

Common JavaScript library fingerprinting techniques include:
* Parse the JavaScript file and grab the version from there
* Determine the JavaScript version based on a hash of the file
* Determine the JavaScript version based on the length of the file

Other Challenges:
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"
* When the JavaScript file does not match a specific version:
1) The commit that matches the closest should (ideally) be found
2) The NEXT library version after that commit (if present) should be found
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - Off-line HTTP traffic uploader ===

'''Brief explanation:'''

Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:

* Tools that OWTF has trouble proxying right now: skipfish, hoppy
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler

This project is about implementing an off-line utility able to parse HTTP traffic:

1) Figure out how to read output files from various tools like:
skipfish, hoppy, w3af, arachni, etc.
Nice to have: ZAP database, Burp database

2) Translate that into the following clearly defined fields:

* HTTP request
* HTTP response status code
* HTTP response headers
* HTTP response body

3) IMPORTANT: Implement a plugin-based uploader system

4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database

5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.

6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)

Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)

CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - Health Monitor ===

'''Brief explanation:'''

In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.

For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:

'''Feature 1) Alerting mechanisms'''

When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:
* Playing an mp3 song (both local and possibly remote locations)
* Scan status overview on the CLI
* Scan status overview on the GUI

NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.

'''Feature 2) Corrective mechanisms'''

Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:
* Stop this tool
* Freeze this process (to continue later)
* Freeze the whole scan (to continue later)

Additional mechanisms:
* Show a ranking of files that take the most space

'''Feature 3) Target monitor'''

Brief overview:

All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).

Potential approach: Check if length of 1st page changes every 60 seconds.

NOTE: It might be needed to change this on the fly.

More background

Consider the following scenario:

Current Situation aka "problem to solve":

1) Website X goes down during a scan

2) the customer notices

3) the customer tells the boss

4) the boss tells the pentester

5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)

Desired situation aka "solution":

It would be much more professional AND efficient that:

1) The pentester notices

2) The pentester tells the boss

3) The boss tells the customer

4) OWTF stops the tool because it knows that website is DEAD anyway

A target monitor could easily do this with heartbeat requests + playing mp3s

The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"

'''Feature 4) Disk space monitor'''

Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).

Proposed solution:

Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).

'''Feature 5) Network/Internet Connectivity monitor'''

Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:

1) Detects the lack of connectivity

2) Freezes all the tools (read: processes) in progress

3) Resumes the scan when the connectivity is back.

'''Feature 6) Tool crash detection'''

Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)

'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''

OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - Installation Improvements and Package manager ===

'''Brief explanation:'''

This project is to implement what was suggested in the following github issue:
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]

Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?
Having a private server with:
* pre-installed files for VMs
* pre-configured and patched tools
* Merged Lists
* Pre-configured certificates
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.
Additional ideas are welcome.

-- They could be hosted on Dropbox or a private VPS :)

2 Installation Modes
* For high speed connections (Downloading the files uncompressed)
* For low speed connections (Downloading the files compressed)
and the installation crashed because i runned out of space in the vm
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - Testing Framework Improvements ===

'''Brief explanation:'''

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

'''Top features'''

In this improvement phase, the Testing Framework should:
* (Top Prio) Focus more on functional tests
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)
* (Top Prio) Put together a great wiki documentation section for contributors
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.
* (Top Prio) Fix the current Travis issues :)
* (Nice to have) Bring the unit tests up to speed with the codebase
This will be challenging but very worth trying after top priorities.
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.

'''General background'''

The Unit Test Framework should be able to:
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")
* Allow to regression test by test categories (i.e. "test only web plugins")
* Allow to regression test everything (i.e. plugins + framework core: "test all")
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF
* Perform well so that we can run as many tests as possible in a given period of time
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Performant and automated regression testing
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

=== OWASP OWTF - Tool utilities module ===

'''WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply'''

'''Brief explanation:'''

The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.

'''Feature 1) Vulnerable software version database:'''

Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).

Example:
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]

'''Feature 2) Nmap output file merger:'''

Unify nmap files *without* losing data: XML, text and greppable formats
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).

'''Feature 3) Nmap output file vulnerability mapper'''

From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):

1) CVEs in reverse order of CVSS score, with links.

2) Metasploit modules available for each CVE / issue

NOTE: Can supply an *old* shell script for reference

3) Servers/ports affected (i.e. all server / port combinations using that software version)

'''Feature 4) URL target list creator:'''

Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF

'''Feature 5) Hydra command creator:'''

nmap file in => Hydra command list out

grep http auth / login pages in output files to identify login interfaces => Hydra command list out

'''Feature 6) WP-scan command creator:'''

look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

== OWASP ZAP ==

We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.

You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ

OWASP Code Kids 2015 Ideas

2014-11-06T21:22:43Z

Shivam Dixit: /* Task 3: WebGoatPHP logo */

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on the OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection

https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge.....

Task 6 - HTTP Basic

Task 7 - Using Access Control Matrix

Task 8 - Business Layer Access Control

Task 9 - Path Based Access Control

Task 10 - Same Origin Policy Protection

Task 11 - Forgot Password

Task 12 - Discover clues in HTML

Task 13 - JS Obfuscation

Task 14 - XSS 1 (Reflected)

Task 15 - XSS 2 (Stored)

Task 16 - XSS 3 (DOM)

Task 17 - Fail Open Authentication

Task 18 - Log Spoofing

Task 19 - Numeric SQL Injection

Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

OWASP Code Kids 2015 Ideas

2014-11-06T21:15:59Z

Shivam Dixit: /* OWASP WebGoatPHP */

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection

https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge.....

Task 6 - HTTP Basic

Task 7 - Using Access Control Matrix

Task 8 - Business Layer Access Control

Task 9 - Path Based Access Control

Task 10 - Same Origin Policy Protection

Task 11 - Forgot Password

Task 12 - Discover clues in HTML

Task 13 - JS Obfuscation

Task 14 - XSS 1 (Reflected)

Task 15 - XSS 2 (Stored)

Task 16 - XSS 3 (DOM)

Task 17 - Fail Open Authentication

Task 18 - Log Spoofing

Task 19 - Numeric SQL Injection

Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

OWASP Code Kids 2015 Ideas

2014-11-06T21:15:20Z

Shivam Dixit: /* Task 6-20: WebGoatPHP challenges screencast series */

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection

https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge.....

Task 6 - HTTP Basic

Task 7 - Using Access Control Matrix

Task 8 - Business Layer Access Control

Task 9 - Path Based Access Control

Task 10 - Same Origin Policy Protection

Task 11 - Forgot Password

Task 12 - Discover clues in HTML

Task 13 - JS Obfuscation

Task 14 - XSS 1 (Reflected)

Task 15 - XSS 2 (Stored)

Task 16 - XSS 3 (DOM)

Task 17 - Fail Open Authentication

Task 18 - Log Spoofing

Task 19 - Numeric SQL Injection

Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

OWASP Code Kids 2015 Ideas

2014-11-06T21:13:55Z

Shivam Dixit: /* Task 5: Create a SQL injection challenge */

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection

https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge
--------------------------------
Task 6 - HTTP Basic
Task 7 - Using Access Control Matrix
Task 8 - Business Layer Access Control
Task 9 - Path Based Access Control
Task 10 - Same Origin Policy Protection
Task 11 - Forgot Password
Task 12 - Discover clues in HTML
Task 13 - JS Obfuscation
Task 14 - XSS 1 (Reflected)
Task 15 - XSS 2 (Stored)
Task 16 - XSS 3 (DOM)
Task 17 - Fail Open Authentication
Task 18 - Log Spoofing
Task 19 - Numeric SQL Injection
Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

OWASP Code Kids 2015 Ideas

2014-11-06T21:12:31Z

Shivam Dixit: /* OWASP WebGoatPHP */

=Task Categories=

The tasks are grouped into the categories described below. '''Please make sure each task is assigned a category.'''

'''Code:''' Tasks related to writing or refactoring code.

'''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more

'''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions

'''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality

'''User Interface:''' Tasks related to user experience research or user interface design and interaction

== OWASP ZAP ==

=== OWASP ZAP Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP OWTF ==

=== OWASP OWTF Task 1 ===

'''Brief Explanation:'''

Task description

'''Task Category:'''

Eg. Code Category

'''Expected Results:'''

Describe the expected results of the task

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' XXXXXX

== OWASP WIKI ==

=== Task 1: Latam Tour 2015 logo ===

'''Brief Explanation:'''

Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:

https://www.owasp.org/images/f/f3/OWASP_Latam_Tour_Logo_2014.png

'''Task Category:'''

Design

'''Expected Results:'''

Latam Tour 2015 logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Fabio Cerullo

== OWASP WebGoatPHP ==

=== Task 1: Implement "remember me" feature ===

'''Brief Explanation:'''

Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.

'''Task Category:'''

Code

'''Expected Results:'''

If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/45

'''Code:'''

app/control/user/login.php

'''Mentors:''' Shivam Dixit

=== Task 2: Make workshop mode dashboard responsive ===

'''Brief Explanation:'''

In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.

'''Task Category:'''

Code

'''Expected Results:'''

Panel perfectly adjusts on small screen resolutions.

'''Knowledge Prerequisites:'''

CSS (media queries), HTML

'''Reference:'''

https://github.com/shivamdixit/WebGoatPHP/issues/26

'''Code:'''

style/dashboard.css

'''Mentors:''' Shivam Dixit

=== Task 3: WebGoatPHP logo ===

'''Brief Explanation:'''

Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on OWASP logo.

'''Task Category:'''

Design

'''Expected Results:'''

WebGoatPHP logo in either psd or jpeg format.

'''Knowledge Prerequisites:'''

Familiarity with Photoshop/GIMP or any other designing software.

'''Mentors:''' Shivam Dixit

=== Task 4: WebGoatPHP deployment screencast ===

'''Brief Explanation:'''

Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.

'''Task Category:'''

Code

'''Expected Results:'''

The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.

'''Knowledge Prerequisites:'''

Familiarity with an operating system (Linux/Windows)

'''Mentors:''' Shivam Dixit

=== Task 5: Create a SQL injection challenge ===

'''Brief Explanation:'''

Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.

'''Task Category:'''

Code

'''Expected Results:'''

A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Reference:'''

https://www.owasp.org/index.php/SQL_Injection
https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge

'''Mentors:''' Shivam Dixit

=== Task 6-20: WebGoatPHP challenges screencast series ===

'''Brief Explanation:'''

In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.

Task - Screencast of challenge
--------------------------------
Task 6 - HTTP Basic
Task 7 - Using Access Control Matrix
Task 8 - Business Layer Access Control
Task 9 - Path Based Access Control
Task 10 - Same Origin Policy Protection
Task 11 - Forgot Password
Task 12 - Discover clues in HTML
Task 13 - JS Obfuscation
Task 14 - XSS 1 (Reflected)
Task 15 - XSS 2 (Stored)
Task 16 - XSS 3 (DOM)
Task 17 - Fail Open Authentication
Task 18 - Log Spoofing
Task 19 - Numeric SQL Injection
Task 20 - XPATH injection

'''Task Category:'''

Code

'''Expected Results:'''

A screencast explaining the vulnerability involved in a particular challenge.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Shivam Dixit

OWASP Code Kids 2015 Ideas

2014-11-06T20:37:07Z

Shivam Dixit: /* OWASP WebGoatPHP */

OWASP Code Kids 2015 Ideas

2014-11-06T20:27:19Z

Shivam Dixit: /* OWASP WebGoatPHP */

OWASP Code Kids 2015 Ideas

2014-11-06T20:26:13Z

Shivam Dixit: /* OWASP WebGoatPHP Task 3 */

OWASP Code Kids 2015 Ideas

2014-11-06T20:24:34Z

Shivam Dixit: /* OWASP WebGoatPHP */

OWASP Code Kids 2015 Ideas

2014-11-06T20:14:59Z

Shivam Dixit: /* OWASP WebGoatPHP */

OWASP Code Kids 2015 Ideas

2014-11-06T20:06:41Z

Shivam Dixit: /* OWASP WebGoatPHP Task 1 */

WebGoatPHP

2014-07-15T03:36:09Z

Shivam Dixit:

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebGoatPHP==
WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases. The goal is to create an interactive teaching environment for web application security by offering lessons in the form of challenges. In each challenge the user must exploit the vulnerability to demonstrate their understanding.

[https://github.com/shivamdixit/WebGoatPHP GitHub Repo]

==What is WebGoatPHP==
WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. The application is a realistic teaching environment and supports four different modes.

==Why WebGoatPHP?==
WebGoatPHP is suitable for:

* Web Developers, to learn how to develop secure web applications
* Penetration Testers, to learn the different kinds of attacking scenarios
* Teachers, to interactively teach students about web application security

==Contribute==
To contribute, fork the code on [https://github.com/shivamdixit/WebGoatPHP GitHub] and send a pull request.
Join the discussion on our [https://lists.owasp.org/mailman/listinfo/owasp_webgoatphp mailing list]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==Different Operating Modes==
* Single User Mode
* Workshop Mode
* Contest Mode
* Secure Coding Mode

==Types Of Challenges==
* Access Control Flaws
* AJAX Security
* Authentication Flaws
* Code Quality
* Injection Attacks
* Cross-Site Scripting(XSS) Attacks
* Brute Force Attacks
* Session Management Flaws
* Improper Error Handling

==Major Contributors==
*[[User:Johanna_Curiel|Johanna Curiel]]
*[[User:Shivam_Dixit|Shivam Dixit]]
*[[User:Azzeddine_RAMRAMI|Azzeddine]]

| valign="top" style="padding-left:25px;width:200px;" |

==Project Leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

== Quick Download ==

* [https://github.com/shivamdixit/WebGoatPHP/archive/master.zip OWASP WebGoatPHP]

== Website ==

http://webgoatphp.com/

== News and Events ==
==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

WebGoatPHP

2014-06-29T00:34:16Z

Shivam Dixit:

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebGoatPHP==
WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases. The goal is to create an interactive teaching environment for web application security by offering lessons in the form of challenges. In each challenge the user must exploit the vulnerability to demonstrate their understanding.

[https://github.com/shivamdixit/WebGoatPHP GitHub Repo]

==What is WebGoatPHP==
WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. The application is a realistic teaching environment and supports four different modes.

==Why WebGoatPHP?==
WebGoatPHP is suitable for:

* Web Developers, to learn how to develop secure web applications
* Penetration Testers, to learn the different kinds of attacking scenarios
* Teachers, to interactively teach students about web application security

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==Different Operating Modes==
* Single User Mode
* Workshop Mode
* Contest Mode
* Secure Coding Mode

==Types Of Challenges==
* Access Control Flaws
* AJAX Security
* Authentication Flaws
* Code Quality
* Injection Attacks
* Cross-Site Scripting(XSS) Attacks
* Brute Force Attacks
* Session Management Flaws
* Improper Error Handling

==Major Contributors==
*[[User:Johanna_Curiel|Johanna Curiel]]
*[[User:Azzeddine_RAMRAMI|Azzeddine]]
*[[User:Shivam_Dixit|Shivam Dixit]]

To contribute, fork the code on github and send a pull request. Join the discussion on our [https://lists.owasp.org/mailman/listinfo/owasp_webgoatphp mailing list]

| valign="top" style="padding-left:25px;width:200px;" |

==Project Leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

== Quick Download ==

* [https://github.com/shivamdixit/WebGoatPHP/archive/master.zip OWASP WebGoatPHP]

== Website ==

http://webgoatphp.com/

== News and Events ==
==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

User:Shivam Dixit

2014-06-28T09:23:10Z

Shivam Dixit:

==About==
Shivam is a pre-final year undergraduate student at LNM Institute of Information Technology, Jaipur, India. He is majoring in Computer Science and has been developing web applications since 2012. Shivam is enthusiastic about web application security and actively contributing to OWASP projects since 2013.

==Projects==
Shivam is contributing to the project [[WebGoatPHP| OWASP WebGoatPHP]] in Google Summer Of Code '14.

==Contact==
Email: shivam.dixit[at]owasp[dot]org

Github: https://github.com/shivamdixit

Homepage: http://shivamdixit.com

Twitter: @shivamd001

User:Shivam Dixit

2014-06-28T09:18:48Z

Shivam Dixit:

WebGoatPHP

2014-06-28T08:57:30Z

Shivam Dixit:

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebGoatPHP==
WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases. The goal is to create an interactive teaching environment for web application security by offering lessons in the form of challenges. In each challenge the user must exploit the vulnerability to demonstrate their understanding.

[https://github.com/shivamdixit/WebGoatPHP GitHub Repo]

==What is WebGoatPHP==
WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. The application is a realistic teaching environment and supports four different modes.

==Why WebGoatPHP?==
WebGoatPHP is suitable for:

* Web Developers, to learn how to develop secure web applications
* Penetration Testers, to learn the different kinds of attacking scenarios
* Teachers, to interactively teach students about web application security

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==Different Operating Modes==
* Single User Mode
* Workshop Mode
* Contest Mode
* Secure Coding Mode

==Types Of Challenges==
* Access Control Flaws
* AJAX Security
* Authentication Flaws
* Code Quality
* Injection Attacks
* Cross-Site Scripting(XSS) Attacks
* Brute Force Attacks
* Session Management Flaws
* Improper Error Handling

==Major Contributors==
*[[User:Johanna_Curiel|Johanna Curiel]]
*[[User:Azzeddine_RAMRAMI|Azzeddine]]
*[[User:Shivam_Dixit|Shivam Dixit]]

To contribute, fork the code on github and send a pull request. If you have any questions write to shivam[dot]dixit[at]owasp[dot]org

| valign="top" style="padding-left:25px;width:200px;" |

==Project Leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

== Quick Download ==

* [https://github.com/shivamdixit/WebGoatPHP/archive/master.zip OWASP WebGoatPHP]

== Website ==

http://webgoatphp.com/

== News and Events ==
==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

WebGoatPHP

2014-06-28T08:52:19Z

Shivam Dixit:

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebGoatPHP==
WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases. The goal is to create an interactive teaching environment for web application security by offering lessons in the form of challenges. In each challenge the user must exploit the vulnerability to demonstrate their understanding.

[https://github.com/shivamdixit/WebGoatPHP GitHub Repo]

==What is WebGoatPHP==
WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. The application is a realistic teaching environment and supports four different modes.

==Why WebGoatPHP?==
WebGoatPHP is suitable for:

* Web Developers, to learn how to develop secure web applications
* Penetration Testers, to learn the different kinds of attacking scenarios
* Teachers, to interactively teach students about web application security

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==Different Operating Modes==
* Single User Mode
* Workshop Mode
* Contest Mode
* Secure Coding Mode

==Types Of Challenges==
* Access Control Flaws
* AJAX Security
* Authentication Flaws
* Code Quality
* Injection Attacks
* Cross-Site Scripting(XSS) Attacks
* Brute Force Attacks
* Session Management Flaws
* Improper Error Handling

==Major Contributors==
*[[User:Johanna_Curiel|Johanna Curiel]]
*[[User:Shivam_Dixit|Shivam Dixit]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* [https://github.com/shivamdixit/WebGoatPHP/archive/master.zip OWASP WebGoatPHP]

== Website ==

http://webgoatphp.com/

== News and Events ==
==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

WebGoatPHP

2014-06-28T08:51:22Z

Shivam Dixit:

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebGoatPHP==
WebGoatPHP is a port of WebGoat to PHP and MySQL/SQLite databases. The goal is to create an interactive teaching environment for web application security by offering lessons in the form of challenges. In each challenge the user must exploit the vulnerability to demonstrate their understanding.

[https://github.com/shivamdixit/WebGoatPHP GitHub Repo]

==What is WebGoatPHP==
WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. The application is a realistic teaching environment and supports four different modes.

==Why WebGoatPHP?==
WebGoatPHP is suitable for:

* Web Developers, to learn how to develop secure web applications
* Penetration Testers, to learn the different kinds of attacking scenarios
* Teachers, to interactively teach students about web application security

==Project leader==

[https://www.owasp.org/index.php/User:Abbas_Naderi Abbas Naderi]

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

==Major Contributors==
*[[User:Johanna_Curiel|Johanna Curiel]]
*[[User:Shivam_Dixit|Shivam Dixit]]

==Different Operating Modes==
* Single User Mode
* Workshop Mode
* Contest Mode
* Secure Coding Mode

==Types Of Challenges==
* Access Control Flaws
* AJAX Security
* Authentication Flaws
* Code Quality
* Injection Attacks
* Cross-Site Scripting(XSS) Attacks
* Brute Force Attacks
* Session Management Flaws
* Improper Error Handling

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* [https://github.com/shivamdixit/WebGoatPHP/archive/master.zip OWASP WebGoatPHP]

== Website ==

http://webgoatphp.com/

== News and Events ==
==Classifications==
{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|}

|}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

User:Shivam Dixit

2014-05-19T10:11:11Z

Shivam Dixit:

I am a pre-final year undergraduate student in LNM Institute of Information Technology, Jaipur, India. My major field of study is Computer Science. I am a web application security enthusiast and web developer.

I'm Google Summer Of Code student for the project OWASP WebGoatPHP.

I also actively contributor to OWASP PHP Security project.

'''Github''' : https://github.com/shivamdixit

'''Blog''' : http://shivamdixit.com

User:Shivam Dixit

2014-05-19T10:10:28Z

Shivam Dixit:

I am a pre-final year undergraduate student in LNM Institute of Information Technology, Jaipur, India. My major field of study is Computer Science. I am a web application security enthusiast and web developer.

I'm Google Summer Of Code student for the project OWASP WebGoatPHP.

I also actively contributor to OWASP PHP Security project.

Github : https://github.com/shivamdixit
Blog : http://shivamdixit.com

User:Shivam Dixit

2014-05-19T07:34:24Z

Shivam Dixit:

GSoC

2014-03-28T12:52:52Z

Shivam Dixit:

'''OWASP has been selected as an official Google Summer of Code (“GSoC”) mentoring organization in 2014!'''

Open source software is changing the world and creating the future.
Want to help shaping it? We’re looking for students to join us in making 2014 the best Summer of Code yet!

<span style="color:#FF0000">'''STUDENTS: THE PROPOSAL SUBMISSION PERIOD WILL BE OPEN UNTIL MARCH 21ST 19:00UTC - SUBMIT YOUR APPLICATION NOW HERE:'''</span>

[http://www.google-melange.com/gsoc/homepage/google/gsoc2014 '''GOOGLE MELANGE''']

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

All students currently enrolled in an accredited institution are welcome to participate in the Google Summer of Code 2014 program, hopefully along with the OWASP Foundation.

Below you could find all the instructions on how to participate.

== What is GSOC? ==

The Google Summer of Code program (“GSoC”) is designed to encourage student participation in open source development. Through GSoC, accepted student applicants will be paired with OWASP mentors that will guide them through their coding tasks.

Benefits to students include:

* Gaining exposure to real-world software development scenarios,
* An opportunity for employment in areas related to their academic pursuits and
* Google will be offering successful student contributors a 5,500 USD stipend, enabling them to focus on their coding projects for three months.

This program is done completely online. Students and mentors from more than 100 countries have participated in past years.

==Instructions common to all participants==

All participants should take a look at the [http://code.google.com/p/google-summer-of-code/ Summer of Code Program Wiki] every now and then to be informed about updates and advices. It is also important to read the [http://www.google-melange.com/gsoc/document/show/gsoc_program/google/gsoc2013/help_page Summer of Code FAQ], as it contains useful information.
All participants will need a Google account in order to join the program. You'll save some time if you create one now.

===Programming Language===

While the majority of OWASP tools are developed using C++/Java, we do accept other languages, including (but not limited to) Python, Ruby and C#. C++ will be accepted for any project. Submissions and ideas for projects in any other language should specifically mention the choice.

==Instructions for students==

Are you a student and want to code for an OWASP project?
Here are the steps and some tips on getting started:

1) Think of a good idea – For reference see
[https://www.owasp.org/index.php/GSoC2014_Ideas GSoC 2014 Ideas]

2) Do some research yourself based on the idea, write up a proposal draft

3) Post it to the mailing list at https://groups.google.com/d/forum/owasp-gsoc for initial discussions with OWASP mentors.

4) Based on feedback, write a full proposal – See template below:
https://www.owasp.org/index.php/GSoC_SAT

5) Submit your proposal to Google from March 10th to March 21st 2014.

Students wishing to participate in GSoC must realize this is a formal commitment to produce code for the selected OWASP Project during three months. You will also take some resources from OWASP project leaders, who will dedicate a portion of their time to mentor you. Therefore, we'd like to have candidates who are committed to helping OWASP mission. You don't have to be a proven developer -- in fact, this whole program is meant to facilitate joining OWASP and other Open Source communities. However, experience in coding and applications are welcome.

You should start familiarising yourself with the components that you plan on working on before the start date. OWASP Project Mentors are available on the mailing list https://groups.google.com/d/forum/owasp-gsoc for help.

===General instructions===
First of all, please read the instructions common to all participants and the [http://www.google-melange.com/gsoc/document/show/gsoc_program/google/gsoc2014/help_page GSoC FAQ]. Pay special attention to the '''Eligibility''' section of the FAQ.

===Recommended steps===
* Read Google's instructions for participating
* Take a look at the list of ideas
* Come up with project that you're interested in
* Write a first draft proposal and get someone to review it for you
* Submit it using Google's web interface

Coming up with an interesting idea is probably the most difficult part of all. It should be something interesting for an OWASP Project, and more importantly for you. It also has to be something that you can realistically achieve in the time available to you.

Finding out what the most pressing issues are in the projects you're interested in is a good start. You can optionally join the mailing lists for that project: you can make acquaintance with developers and your potential mentor, as well as start learning the codebase. We recommend strongly doing that and we will look favourably on applications from students who have started to act like Open Source developers.

===Student proposal guidelines===
A project proposal is what you will be judged upon. So, as a general recommendation, write a clear proposal on what you plan to do, what your project is and what it is not, etc. Several websites now contain hints and other useful information on writing up such proposals.
OWASP does not require a specific format or specific list of information, but there is an application template on the OWASP page in Google Melange with some specific points that you should address in your application:
* Who are you? What are you studying?
* What exactly do you intend to do? What will not be done?
* Why are you the right person for this task?
* To what extent are you familiar with the software you're proposing to work with? Have you used it? Have you read the source? Have you modified the source?
* How many hours are you going to work on this a week? 10? 20? 30? 40?
* Do you have other commitments that we should know about? If so, please suggest a way to compensate if it will take much time away from Summer of Code.
* Are you comfortable working independently under a supervisor or mentor who is several thousand miles away, not to mention 12 time zones away? How will you work with your mentor to track your work? Have you worked in this style before?
* If your native language is not English, are you comfortable working closely with a supervisor whose native language is English? What is your native language, as that may help us find a mentor who has the same native language?
* Where do you live, and can we assign a mentor who is local to you so you can meet in a coffee shop for lunch?

After you have written your proposal, you should get it reviewed. Do not rely on the OWASP mentors to do it for you via the web interface: they will only send back a proposal if they find it lacking. Instead, ask a colleague or a developer to do it for you.

===Hints===
'''Submit your proposal early:''' early submissions get more attention from developers for the simple fact that they have more time to dedicate to reading them. The more people see it, the more it'll get known.

'''Do not leave it all to the last minute:''' while it is Google that is operating the webserver, it would be wise to expect a last-minute overload on the server. So, make sure you send your application before the final rush. Also, note that the applications submitted very late will get the least attention from mentors, so you may get a low vote because of that.

'''Keep it simple:''' we don't need a 10-page essay on the project and on you (Google won't even let you submit a text that long). You just need to be concise and precise.

'''Know what you are talking about:''' the last thing we need is for students to submit ideas that cannot be accomplished realistically or ideas that aren't even remotely related to OWASP Projects. If your idea is unusual, be sure to explain why you have chosen OWASP to be your mentoring organisation.

'''Aim wide:''' submit more than one proposal, to different OWASP Projects. We also recommend submitting to more than one organisation too. This will increase your chances of being chosen.

The PostgreSQL project has also released a list of [http://www.postgresql.org/developer/summerofcodeadvice.html hints] that you can take a look.

==Instructions for mentors==
===Ideas===
If you're a developer and you wish to participate in Summer of Code, you can do it in two ways: the first and easiest is to make a proposal in the [https://www.owasp.org/index.php/GSoC2014_Ideas ideas] page. Take a look at what the different OWASP Projects needs or what you feel should have. Feel free to submit ideas even if you cannot elaborate too much on them.

The second possibility is to be a mentor for a more specific idea. If you wish to do that, please read the instructions common to all participants and the Summer of Code FAQ. Also, please contact the project leader for your application or module and get the go-ahead from him/her. Then edit the ideas page, adding your idea.

Your idea proposal should be a brief description of what the project is, what the desired goals would be, what the student should know and your email address for contact. Please note, though, that the students are not required to follow your idea to the letter, so regard your proposal as just a suggestion.

===Mentoring===
If you wish to help us even more, you can be an OWASP mentor. We will potentially assign a student to you who has never worked on such a large project and will need some help. Make sure you're up for the task.
When subscribing yourself as a mentor, please make sure that your application or module maintainer is aware of that. Ask him/her to send the Summer of Code OWASP Administrators an email confirming to know you. This is just a formality to make sure you are a real person we can trust -- the administrators cannot know all active developers by their Google account ID.

If you would like to get an idea of what is involved in being a good mentor, be sure to read the [http://www.booki.cc/gsoc-mentoring mentoring guide].

You will be subscribed to a mailing list to discuss ideas. We will also require you to read the proposals as they come in and you will be allowed to vote on the proposals, according to rules we will publish later.

Finally, know that we will never assign you to a project you do not want to work on. We will not assign you more projects than you can/want to take on either. And you will have a backup mentor, just in case something unforeseen takes place.

===Subscribing as mentor===
To subscribe as mentor, you need to complete a few easy steps.
* Contact the OWASP GSoC administrators to let them know which project you want to mentor for
* Log in to [http://www.google-melange.com/ Google Melange]
* Apply as a mentor for OWASP
* Subscribe to https://groups.google.com/d/forum/owasp-gsoc

'''The current list of GSOC 2014 Mentors are:'''
* Abraham Aranguren
* Mennouchi Islam Azeddine
* Ryan Barnett
* Simon Bennetts
* Johanna Curiel
* Spyros Gasteratos
* Gareth Heyes
* Krzysztof Kotowicz
* Andres Morales
* Kostas Papapanagiotou
* Andres Riancho
* Guifre Ruiz
* Prasad Shenoy
* Breno Silva
* Andrew van der Stock
* Kevin W. Wall

==Instructions for OWASP Project Leaders==
If you are an OWASP Project Leader, you may be contacted by developers in your project about an idea he wants to submit.
You should judge whether the idea being proposed coincides with the general goals for your OWASP Project. If you feel that is not the case, you should reply to your developer and suggest that he modify the proposal.
You do not need yourself to be a mentor, but we would like you to.

==Contact OWASP GSoC Admininstrators==
To reach the OWASP administrators for Summer of Code, please send an email to the GSOC Administrators below.

'''The GSOC 2014 Administrators are:'''

* Kostas Papapanagiotou (konstantinos@owasp.org)
* Fabio Cerullo (fcerullo@owasp.org)

SQL Injection

2014-03-28T12:51:28Z

Shivam Dixit:

{{Template:Attack}}
[[Category:OWASP ASDR Project]]
[[Category:Security Focus Area]]
__NOTOC__<br><br>

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

== Overview ==
A [[SQL injection]] attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
SQL injection attacks are a type of [[Top 10 2007-Injection Flaws | injection attack]], in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

==Threat Modeling==
* SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
* SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
* The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.

==Related Security Activities==

===How to Avoid SQL Injection Vulnerabilities===

See the [[:Category:OWASP Guide Project|OWASP Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities.<br>
See the OWASP [[SQL Injection Prevention Cheat Sheet]].<br>
See the OWASP [[Query Parameterization Cheat Sheet]].

===How to Review Code for SQL Injection Vulnerabilities===

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for SQL Injection|Review Code for SQL Injection]] Vulnerabilities.

===How to Test for SQL Injection Vulnerabilities===

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for SQL Injection (OWASP-DV-005)|Test for SQL Injection]] Vulnerabilities.

==Description==
SQL injection errors occur when:

# Data enters a program from an untrusted source.
# The data used to dynamically construct a SQL query

The main consequences are:

* '''Confidentiality''': Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with [[Glossary#SQL Injection|SQL Injection]] vulnerabilities.

* '''Authentication''': If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.

* '''Authorization''': If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a [[Glossary#SQL Injection|SQL Injection]] vulnerability.

* '''Integrity''': Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a [[Glossary#SQL Injection|SQL Injection]] attack.

== Risk Factors==
The platform affected can be:
* Language: SQL
* Platform: Any (requires interaction with a SQL database)

[[Glossary#SQL Injection|SQL Injection]] has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind.

Essentially, the attack is accomplished by placing a meta character into data input to then place SQL commands in the control plane, which did not exist there before. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.

== Examples ==

===Example 1===

In SQL:

<pre>
select id, firstname, lastname from authors
</pre>

If one provided:

<pre>
Firstname: evil'ex
Lastname: Newman
</pre>

the query string becomes:

<pre>
select id, firstname, lastname from authors where forename = 'evil'ex' and surname ='newman'
</pre>

which the database attempts to run as:

<pre>
Incorrect syntax near il' as the database tried to execute evil.
</pre>

A safe version of the above SQL statement could be coded in Java as:

<pre>
String firstname = req.getParameter("firstname");
String lastname = req.getParameter("lastname");
// FIXME: do your own validation to detect attacks
String query = "SELECT id, firstname, lastname FROM authors WHERE forename = ? and surname = ?";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, firstname );
pstmt.setString( 2, lastname );
try
{
ResultSet results = pstmt.execute( );
}
</pre>

===Example 2===

The following C# code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user.

<pre>
...
string userName = ctx.getAuthenticatedUserName();
string query = "SELECT * FROM items WHERE owner = "'"
+ userName + "' AND itemname = '"
+ ItemName.Text + "'";
sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
...
</pre>

The query that this code intends to execute follows:

<pre>
SELECT * FROM items
WHERE owner =
AND itemname = ;
</pre>

However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string "name' OR 'a'='a" for itemName, then the query becomes the following:

<pre>
SELECT * FROM items
WHERE owner = 'wiley'
AND itemname = 'name' OR 'a'='a';
</pre>

The addition of the OR 'a'='a' condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:

<pre>
SELECT * FROM items;
</pre>

This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner.

===Example 3===

This example examines the effects of a different malicious value passed to the query constructed and executed in Example 1. If an attacker with the user name hacker enters the string "name'); DELETE FROM items; --" for itemName, then the query becomes the following two queries:

<pre>
SELECT * FROM items
WHERE owner = 'hacker'
AND itemname = 'name';

DELETE FROM items;

--'
</pre>

Many database servers, including Microsoft® SQL Server 2000, allow multiple SQL statements separated by semicolons to be executed at once. While this attack string results in an error in Oracle and other database servers that do not allow the batch-execution of statements separated by semicolons, in databases that do allow batch execution, this type of attack allows the attacker to execute arbitrary commands against the database.

Notice the trailing pair of hyphens (--), which specifies to most database servers that the remainder of the statement is to be treated as a comment and not executed. In this case the comment character serves to remove the trailing single-quote left over from the modified query. In a database where comments are not allowed to be used in this way, the general attack could still be made effective using a trick similar to the one shown in Example 1. If an attacker enters the string "name'); DELETE FROM items; SELECT * FROM items WHERE 'a'='a", the following three valid statements will be created:

<pre>
SELECT * FROM items
WHERE owner = 'hacker'
AND itemname = 'name';

DELETE FROM items;

SELECT * FROM items WHERE 'a'='a';
</pre>

One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from a whitelist of safe values or identify and escape a blacklist of potentially malicious values. Whitelisting can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, blacklisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can:

* Target fields that are not quoted
* Find ways to bypass the need for certain escaped meta-characters
* Use stored procedures to hide the injected meta-characters

Manually escaping characters in input to SQL queries can help, but it will not make your application secure from SQL injection attacks.

Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they fail to protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.

<pre>
procedure get_item (
itm_cv IN OUT ItmCurTyp,
usr in varchar2,
itm in varchar2)
is
open itm_cv for ' SELECT * FROM items WHERE ' ||
'owner = '''|| usr ||
' AND itemname = ''' || itm || '''';
end get_item;
</pre>

Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks.

==Related [[Threat Agents]]==
* [[:Category:Command Execution]]
* [[Injection problem]]

==Related [[Attacks]]==
* [[Top 10 2007-Injection Flaws | injection attack]]
* [[Blind SQL Injection]]
* [[Code Injection]]
* [[Double Encoding]]
* [[Interpreter_Injection#ORM_Injection]]

==Related [[Vulnerabilities]]==
* [[:Category:Input Validation Vulnerability]]

==Related [[Controls]]==
* [[Input Validation]]
* [[Output Validation]]
* [[Static Code Analysis]]
[[Category:FIXME|this was the text that was here before we added the links. Can it be deleted?
Avoidance and mitigation

* Requirements specification: A non-SQL style database which is not subject to this flaw may be chosen.

* Implementation: Use vigorous white-list style checking on any user input that may be used in an SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that has been entered in the database may neglect to escape meta-characters before use.

* Image:Advanced Topics on SQL Injection Protection.ppt
]]

==References ==
* [http://www.websec.ca/kb/sql_injection SQL Injection Knowledge Base] - A reference guide for MySQL, MSSQL and Oracle SQL Injection attacks.
* [http://www.greensql.net/ GreenSQL Open Source SQL Injection Filter] - An Open Source database firewall used to protect databases from SQL injection attacks.
* [http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf An Introduction to SQL Injection Attacks for Oracle Developers] - This also includes recommended defenses.
* OWASP [[:Category:OWASP_SQLiX_Project | SQLiX Project]] - An SQL Injection Scanner.
* [http://www.nosec.org/en/pangolin.html Pangolin] - Closed source SQL Injection Scanner.

[[Category:Injection]]
[[Category: Attack]]