https://wiki.owasp.org/api.php?action=feedcontributions&user=Larry+Conklin&feedformat=atomOWASP - User contributions [en]2024-03-28T22:45:40ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236946GSOC2018 Ideas2018-01-20T19:20:59Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
===Brief Explanation:===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check OWASP Code Review Guide [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
===Needs:===<br />
'''Techincal writers'''<br />
<br />
===Expected Results:===<br />
* Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Move work in pdf and Adobe InDesign to GitBook format<br />
* Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
<br />
===Knowledge Prerequisite:===<br />
Good techincal writting skills, Adode InDesign<br />
<br />
===Proposals from student:===<br />
* Proposal on different formats to use to help increase the awareness and use of the OWASP Code Review Guide<br />
* Recommendations on how to use social applications to promote OWASP Code Review Guide to developers and IT management<br />
<br />
'''Mentors:'''<br />
* Gary Robinson [mailto:Gary.Robinson@owasp.org] - OWASP Code Review Guide Project Leader<br />
<br />
* Larry Conklin [mailto:Larry.Conklin@owasp.org] Larry Conklin - OWASP Code Review Guide Project Leader</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236945GSOC2018 Ideas2018-01-20T19:18:52Z<p>Larry Conklin: aaa</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
===Brief Explanation:===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
===Needs:===<br />
'''Techincal writers'''<br />
<br />
===Expected Results:===<br />
* Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Move work in pdf and Adobe InDesign to GitBook format<br />
* Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
<br />
===Knowledge Prerequisite:===<br />
Good techincal writting skills, Adode InDesign<br />
<br />
===Proposals from student:===<br />
* Proposal on different formats to use to help increase the awareness and use of the OWASP Code Review Guide<br />
* Recommendations on how to use social applications to promote OWASP Code Review Guide to developers and IT management<br />
<br />
'''Mentors:'''<br />
* [mailto:Gary.Robinson@owasp.org] Gary Robinson - OWASP Code Review Guide Project Leader<br />
<br />
* [mailto:Larry.Conklin@owasp.org] Larry Conklin - OWASP Code Review Guide Project Leader</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236944GSOC2018 Ideas2018-01-20T19:09:28Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
===Brief Explanation:===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
===Needs:===<br />
'''Techincal writers'''<br />
<br />
===Expected Results:===<br />
* Important: Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Important: Move work in pdf and Adobe InDesign to GitBook format<br />
* Important: Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
<br />
===Knowledge Prerequisite:===<br />
Good techincal writting skills, US grammer, translations skills to other lanuages.<br />
<br />
===Proposals from student:===<br />
* Proposal on different formats to use to help increase the awareness and use of the OWASP Code Review Guide<br />
* Recommendations on how to use social applications to promote OWASP Code Review Guide to developers and IT management<br />
<br />
'''Mentors:'''<br />
* [mailto:Gary Robinson@owasp.org] Gary Robinson - OWASP Code Review Guide Project Leader<br />
<br />
* [mailto:Larry.Conklin@owasp.org] Larry Conklin - OWASP Code Review Guide Project Leader</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236943GSOC2018 Ideas2018-01-20T19:06:26Z<p>Larry Conklin: aaa</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
===Brief Explanation:===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
===Needs:===<br />
'''Techincal writers'''<br />
<br />
===Expected Results:===<br />
* mportant: Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Important: Move work in pdf and Adobe InDesign to GitBook format<br />
* Important: Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
* It would be great to help move this work to other lanunages<br />
<br />
===Knowledge Prerequisite:===<br />
Good techincal writting skills, US grammer, translations skills to other lanuages.<br />
<br />
===Proposals from student: ===<br />
* Proposal on different formats to use to help increase the awarnes and use of the OWASP Code Review Guide<br />
* Recommendations on how to use social applications to promote OWASP Code Review Guide to developers and IT management<br />
<br />
'''Mentors:'''<br />
* [mailto:Gary Robinson@owasp.org] Gary Robinson - OWASP Code Review Guide Project Leader<br />
<br />
* [https://www.owasp.org/index.php/User:Larry Conklin] [mailto:Larry.Conklin@owasp.org] - OWASP Code Review Guide Project Leader</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236942GSOC2018 Ideas2018-01-20T19:00:58Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
===Brief Explanation:===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
===Needs:===<br />
'''Techincal writers'''<br />
<br />
===Expected Results:===<br />
* mportant: Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Important: Move work in pdf and Adobe InDesign to GitBook format<br />
* Important: Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
* It would be great to help move this work to other lanunages<br />
<br />
===Knowledge Prerequisite:===<br />
Good techincal writting skills, US grammer, translations skills to other lanuages.<br />
<br />
===Proposals from student: ===<br />
* Proposal on different formats to use to help increase the awarnes and use of the OWASP Code Review Guide<br />
* Recommendations on how to use social applications to promote OWASP Code Review Guide to developers and IT management<br />
<br />
'''Mentors:'''<br />
* [[User:Gary_Robinson|Gary Robinson]] - OWASP Code Review Guide Project Leader</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236941GSOC2018 Ideas2018-01-20T18:59:10Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
===Brief Explanation:===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
===Needs:===<br />
'''Techincal writers'''<br />
<br />
===Expected Results:===<br />
* mportant: Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Important: Move work in pdf and Adobe InDesign to GitBook format<br />
* Important: Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
* It would be great to help move this work to other lanunages<br />
<br />
===Knowledge Prerequisite:===<br />
Good techincal writting skills, US grammer, translations skills to other lanuages.<br />
<br />
===Proposals from student: ===<br />
* Proposal on different formats to use to help increase the awarnes and use of the OWASP Code Review Guide<br />
* Recommendations on how to use social applications to promote OWASP Code Review Guide to developers and IT management<br />
<br />
'''Mentors:'''<br />
* [[User:Gary Robinson|Gary Robinson]] - OWASP Code Review Guide Project Leader</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236940GSOC2018 Ideas2018-01-20T18:57:03Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
===Brief Explanation:===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
===Needs===<br />
'''Techincal writers'''<br />
<br />
===Expected Results.===<br />
* mportant: Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Important: Move work in pdf and Adobe InDesign to GitBook format<br />
* Important: Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
* It would be great to help move this work to other lanunages<br />
<br />
===Knowledge Prerequisite:===<br />
Good techincal writting skills, US grammer, translations skills to other lanuages.<br />
<br />
===Proposal from student ===<br />
* Proposal on different formats to use to help increase the awarnes and use of the OWASP Code Review Guide<br />
* Recommendations on how to use social applications to promote OWASP Code Review Guide to developers and IT management<br />
<br />
===Mentors:===<br />
* [[User:Gary Robinson|Gary Robinson]] - OWASP Code Review Guide Project Leader</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236939GSOC2018 Ideas2018-01-20T18:53:07Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
===Brief Explanation:===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
===Needs===<br />
Techincal writers<br />
<br />
===Expected Results.===<br />
* mportant: Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Important: Move work in pdf and Adobe InDesign to GitBook format<br />
* Important: Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
* It would be great to help move this work to other lanunages<br />
<br />
===Knowledge Prerequisite:===<br />
Good techincal writting skills, US grammer, translations skills to other lanuages.<br />
<br />
==== Proposal from student ===<br />
* Different formats to use to help increase the awarnes and use of the OWASP Code Review Guide<br />
* Recommendations on how to use social applications to promote OWASP Code Review Guide to developers and IT management<br />
<br />
===Mentors:===<br />
* [[User:Gary Robinson|Gary Robinson]] - OWASP Code Review Guide Project Leader</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236938GSOC2018 Ideas2018-01-20T18:49:29Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
===Brief explanation:===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
===Needs===<br />
Techincal writers<br />
<br />
===Expected results.===<br />
* mportant: Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Important: Move work in pdf and Adobe InDesign to GitBook format<br />
* Important: Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
* It would be great to help move this work to other lanunages<br />
<br />
===Knowledge Prerequisite:====<br />
Good techincal writting skills, US grammer, translations skills to other lanuages.<br />
<br />
===Your Idea===<br />
==== Proposal from student ===<br />
* Different formats to use to help increase the awarnes and use of the OWASP Code Review Guide<br />
* Recommendation on how to use social applications to promote OWASP Code Review Guide<br />
<br />
===Mentors:===<br />
* [[User:Gary Robinson|Gary Robinson]] - OWASP Code Review Guide Project Leader</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236937GSOC2018 Ideas2018-01-20T18:41:12Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
==='''Brief explanation:'''===<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
==='''Needs'''===<br />
Techincal writers<br />
<br />
==='''Expected results.'''===<br />
* mportant: Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Important: Move work in pdf and Adobe InDesign to GitBook format<br />
* Important: Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
* It would be great to help move this work to other lanunages<br />
<br />
'''Knowledge Prerequisite:''' Good techincal writting skills, US grammer, translations skills to other lanuages.<br />
<br />
'''Mentors:'''<br />
* [[User:Gary Robinson|Gary Robinson]] - OWASP Code Review Guide Project Leader</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236936GSOC2018 Ideas2018-01-20T18:32:25Z<p>Larry Conklin: /* OWASP Code Review Guide */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
'''Brief explanation:'''<br />
<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
<br />
'''Needs Techincal writers'''<br />
<br />
'''Expected results.'''<br />
* mportant: Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Important: Move work in pdf and Adobe InDesign to GitBook format<br />
* Important: Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
<br />
'''Knowledge Prerequisite:''' Good techincal writting skills, US grammer, translations skills to other lanuages.</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236935GSOC2018 Ideas2018-01-20T18:30:56Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==<br />
'''Brief explanation:'''<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Check [https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project] for some reference;<br />
'''Needs Techincal writers'''<br />
'''Expected results.'''<br />
* mportant: Move work in pdf and Adobe InDesign to OWASP wiki. See OWASP Testing Guide<br />
* Important: Move work in pdf and Adobe InDesign to GitBook format<br />
* Important: Move work in pdf and Adobe InDesign to OWASP OWASP lulu eBook format<br />
<br />
'''Knowledge Prerequisite:''' Good techincal writting skills, US grammer, translations skills to other lanuages.</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236932GSOC2018 Ideas2018-01-20T16:59:25Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework - Chatbot machine learning feature==<br />
<br />
=== Brief Explanation ===<br />
We want to create a SKF Chatbot service using the knowledge already inside SKF like the knowledge base items, code examples and the security controls like ASVS and PCI DSS.<br />
<br />
The chatbot service and core of this new feature can be consumed by website’s as an addon, IDE of developers and website chat channels like Gitter.im.<br />
<br />
The core of the SKF Chatbot will be using machine learning to accomplish the hard task of correlating data and merging different sources as a response/answer.<br />
<br />
=== Expected Results ===<br />
# A Defined Knowledge Base (Data Structure / DB) which can be used to define and search for entities. For example: if a query is:<br />
## How to mitigate CSRF in PHP the system should be able to understand or translate it to: {How: intent} to {mitigate: solution} {CSRF: attack} in {PHP: programming language} This kind of query can be further user to fetch right information in the knowledge base and provide right solution (code example) for mitigating CSRF in PHP.<br />
## What is CSRF? the system should be able to understand or translate it to: {What: intent} is {CSRF: attack/defense} This kind of query can be further user to fetch right information in the knowledge base that explains CSRF and provide the security control from example ASVS<br />
# An ETL process to convert existing SKF Knowledge data and ASVS data to above mentioned data structure.<br />
# A Chatbot (using existing frameworks) to:<br />
## Understand at least two intent like (How to, What is …..) and be able to enrich the user query as mentioned above.<br />
## Based on enriched query fetch relevant information from knowledge base and return.<br />
# An integration to some chat system like Gitter.im, IRC, Slack etc.<br />
<br />
=== Knowledge Prerequisites ===<br />
* Programming languages:<br />
** OWASP-SKF API is build in Python 3.6/3.7<br />
** OWASP-SKF Frontend is build with Angular 4 TS<br />
* Machine learning enthusiastic/interest<br />
<br />
=== Proposal from student ===<br />
* We want to ask from the student to write a proposal on how to approach the problem we described.<br />
'''Mentors''':<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org] Minhaz [mailto:minhaz@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]<br />
<br />
== OWASP Code Review Guide ==</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=GSOC2018_Ideas&diff=236879GSOC2018 Ideas2018-01-17T23:30:46Z<p>Larry Conklin: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program(GSOC)]`'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
===Active Scanning WebSockets===<br />
'''Brief Explanation:'''<br />
<br />
ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesnt current support active scanning (automated attacking) of websockets.<br />
<br />
We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
<br />
'''Expected Results:'''<br />
* An plugable infrastructure that allows us to active scan websockets<br />
* Converting the relevant existing scan rules to work with websockets<br />
* Implementing new websocket specific scan rules<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== React Handling ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP doesnt understand React applications as well as it should be able to.<br />
<br />
It would be great if ZAP had a much better understanding of such applications, including how to explore and attack them more effectively.<br />
<br />
'''Expected Results:'''<br />
* ZAP able to explore React applications more effectively<br />
* ZAP able to attack React applications more effectively<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* As React is written in JavaScript, good knowledge of this language is recommended. ZAP is written in Java, so some knowledge of this language would be useful. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated authentication detection and configuration ===<br />
'''Brief Explanation:'''<br />
<br />
Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
<br />
This is time consuming and error prone.<br />
<br />
Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
<br />
'''Expected Results:'''<br />
* Detect login and registration pages<br />
* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
'''Brief Explanation:'''<br />
<br />
Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
<br />
A standardized text representation and parser would be very useful and help its adoption.<br />
<br />
'''Expected Results:'''<br />
* A documented definition of a text representation for Zest<br />
* A parser that converts the text representation into a working Zest script<br />
* An option in the Zest java implementation to output Zest scripts text format<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Develop Bamboo Addon ===<br />
'''Brief Explanation:'''<br />
<br />
It would be great to have an official ZAP add-on for [https://www.atlassian.com/software/bamboo Bamboo], equivalent to the one we now have for [https://wiki.jenkins.io/display/JENKINS/zap+plugin Jenkins]<br />
<br />
For more information about Bamboo plugins see the [https://developer.atlassian.com/server/bamboo/bamboo-plugin-guide/ Bamboo plugin guide].<br />
<br />
'''Expected Results:'''<br />
<br />
A Bamboo addon that supports:<br />
* Spidering (using the traditional and Ajax spiders)<br />
* Active Scanning<br />
* Authentication<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP and Bamboo are written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
'''Brief Explanation:'''<br />
<br />
ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes ZAP even better<br />
* Code that conforms to our Development Rules and Guidelines<br />
<br />
''' Getting started: '''<br />
<br />
* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding section.<br />
* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
<br />
'''Knowledge Prerequisites:'''<br />
* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
'''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2018 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] user story])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Frontend Technology Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are [https://github.com/bkimminich/juice-shop/issues/165 Angular 5] and [https://github.com/bkimminich/juice-shop/issues/400 Bootstrap 4] available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well.<br />
<br />
'''Expected Results:'''<br />
* High-level target client-architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, testing and building<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== UI/Graphics Design Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The UI of OWASP Juice Shop was written following recommendations from Twitter Bootstrap to be responsive, but it never had an actual designer or graphics artist take a look or add some insight. Currently the look & feel comes "out of the box" from a [https://bootswatch.com Bootswatch] theme and [https://fontawesome.com Font Awesome 5] icons. This gives it a quite modern look, but also leaves it very generic. The project could greatly benefit from involvement of someone with actual UI/UX Design expertise. Having a matching theme for [https://ctfd.io CTFd] would be another big achievement for the Juice Shop.<br />
<br />
'''Expected Results:'''<br />
* Design concepts to pick or have the user community vote on (including color schemes, sample screens, icons etc.)<br />
* Overhauling the overall UI look & feel, e.g. by making an individual Bootswatch theme or designing some individual icons<br />
* Getting rid of the stock images by providing individually designed product images for the standard inventory of the shop<br />
* Add more flexibility and options to the existing theming/customization of the UI (see [https://github.com/bkimminich/juice-shop/issues/379 #379])<br />
* Design a [https://github.com/bkimminich/juice-shop-ctf/issues/9 "Juice Shop" CTFd-theme] playing well with the look & feel of the application<br />
* Execution of migration without breaking functionality or client-side unit and end-to-end tests along the way<br />
<br />
''' Getting started: '''<br />
* Get familiar with the existing HTML views and CSS of the frontend<br />
* Get a feeling for the high quality bar by inspecting the existing client-side unit and e2e test suites<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Strong web and graphic design experience<br />
* Sophisticated HTML and CSS experience<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP Security Knowledge Framework==<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell'''<br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
===Your idea / Getting started===<br />
*Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
===Expected Results===<br />
*Adding features to SKF project<br />
**https://github.com/blabla1337/skf-flask/issues/369<br />
**https://github.com/blabla1337/skf-flask/issues/367<br />
**https://github.com/blabla1337/skf-flask/issues/68<br />
**https://github.com/blabla1337/skf-flask/issues/95<br />
*Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
*Adding/updating knowledge base items<br />
*Adding CWE references to knowledgebase items<br />
**https://github.com/blabla1337/skf-flask/issues/35<br />
*Improve unit testing of the Angular quality, currently only 68% of the front-end is unit tested automated <br />
**https://github.com/blabla1337/skf-flask/issues/352<br />
===Knowledge Prerequisites===<br />
*For helping in the development of new features and functions you need Python flask and for the frond-end we use Angular 4.0<br />
*For writing knowledgebase items only technical knowledge of application security is required<br />
*For writing / updating code examples you need to know a programming language along with secure development.<br />
*For writing the verification guide you need some penetration testing experience.<br />
'''Mentors:'''<br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
==OWASP Nettacker==<br />
===Brief Explanation===<br />
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.<br />
<br />
if you need more details please visit the [https://github.com/viraintel/OWASP-Nettacker GitHub page] or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).<br />
<br />
===Getting started===<br />
<br />
* You may read the available documents in the [https://github.com/viraintel/OWASP-Nettacker/wiki wiki page]. Developers and users documents are separated.<br />
<br />
'''A Better Penetration Testing Automated Framework'''<br />
<br />
===Expected Results===<br />
The expected results are to contribute the OWASP Nettacker framework [https://github.com/viraintel/OWASP-Nettacker/issues issues] (mostly help wanted or enhancement). Please check the GitHub repo to learn more.<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.<br />
* Good knowledge of computer security (and penetration testing)<br />
* Knowledge of OS (Linux, Windows, Mac...) and Services<br />
* Familiar with IDS/IPS/Firewalls and ...<br />
* To develop the API you should be familiar with HTTP, Database...<br />
<br />
===Mentors===<br />
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/ui-break.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins do have much code and most of is repeated - much refactoring needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP CSRF Protector ==<br />
[[CSRFProtector Project|OWASP CSRF Protector Project]] is a project started with the goal to help developer to mitigate CSRF in web applications with ease. It's based on [[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet|Synchronizer Token Pattern]] and leverages an injected java-script code to provide CSRF mitigation without much developer intervention. So far it has been implemented as a [https://github.com/mebjas/CSRF-Protector-PHP PHP Library] and an [[CSRFProtector Project|Apache 2.2.x module]]. Although different libraries and frameworks provide CSRF mitigation these days - all of them require developer to explicitly inject tokens with every form. <br />
===OWASP CSRF Protector - Extending the design as a python package to work with Flask and an Express JS (Node.JS) middleware===<br />
'''Brief explanation:'''<br />
<br />
The design of CSRF Protector involves a server side middle-ware that intercepts every incoming request and validates them for CSRF attacks. If the validation is successful the flow of control goes to business logic and the tokens are refreshed. In case of failed validation configured actions are taken. Post that, another middle ware takes care of injecting a JavaScript code (refer [https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js CSRF Protector PHP JS Code]) to HTML output. On the client side this code ensures that, for every request that require validation - the correct token is sent along with the request.<br />
<br />
Check [https://github.com/mebjas/CSRF-Protector-PHP/wiki GitHub Wiki] for some reference;<br />
<br />
The goal of this project would be to:<br />
# Port this design to a python module that can be used easily with Flask - [https://github.com/mebjas/CSRF-Protector-py/projects/1?add_cards_query=is%3Aopen Kanban Board]<br />
# Port this design to a node js module that can work well with express js (a popular Node.JS based framework). - [https://github.com/mebjas/CSRF-Protector-JS Initial Repo Link]<br />
# Fix some outstanding issues with java-script code used in library: [https://github.com/mebjas/CSRF-Protector-PHP/issues?q=is%3Aopen+is%3Aissue+label%3AJS Issues] <br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) in case of Node.JS'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Javascript (Client Side), Python (having worked with flask preferable), Node.JS (having worked with node.js and middle wares preferable)<br />
<br />
'''Mentors:''' Contact: [mailto:minhaz@owasp.org;minhazv@microsoft.com Minhaz A V]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233692Southern Maryland2017-09-24T21:00:11Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
'''C. It's when security information is gathered about an organization from totally public sources, such as surfing the web'''<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
'''WarGames'''<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
'''c) This command allows a hacker to determine the site’s security'''<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
'''d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail'''<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
'''1 = 1'''<br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
<pre><br />
a) AND ('aa'=CONCAT('a','a')) <br />
b) AND 'a'='a'||'a' <br />
c) AND 'aa'='a'+'a' <br />
</pre><br />
'''Determine what database engine is being used by using SQL formatting'''<br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233691Southern Maryland2017-09-24T20:59:14Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
'''C. It's when security information is gathered about an organization from totally public sources, such as surfing the web'''<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
'''WarGames'''<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
'''c) This command allows a hacker to determine the site’s security'''<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
'''d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail'''<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
'''1 = 1'''<br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
<pre><br />
a) AND ('aa'=CONCAT('a','a')) <br />
b) AND 'a'='a'||'a' <br />
c) AND 'aa'='a'+'a' <br />
<pre><br />
'''Determine what database engine is being used by using SQL formatting'''<br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233690Southern Maryland2017-09-24T20:58:28Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
'''C. It's when security information is gathered about an organization from totally public sources, such as surfing the web'''<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
'''WarGames'''<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
'''c) This command allows a hacker to determine the site’s security'''<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
'''d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail'''<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
'''1 = 1'''<br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
a) AND ('aa'=CONCAT('a','a')) <br />
b) AND 'a'='a'||'a' <br />
c) AND 'aa'='a'+'a' <br />
'''Determine what database engine is being used by using SQL formatting'''<br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233689Southern Maryland2017-09-24T20:57:36Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
'''C. It's when security information is gathered about an organization from totally public sources, such as surfing the web'''<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
'''WarGames'''<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
'''c) This command allows a hacker to determine the site’s security'''<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
'''d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail'''<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
'''1 = 1'''<br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
'''Determine what database engine is being used by using SQL formatting'''<br />
<pre><br />
a) AND ('aa'=CONCAT('a','a')) <br />
b) AND 'a'='a'||'a' <br />
c) AND 'aa'='a'+'a' <br />
</pre><br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233688Southern Maryland2017-09-24T20:55:43Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
'''C. It's when security information is gathered about an organization from totally public sources, such as surfing the web'''<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
'''WarGames'''<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
'''c) This command allows a hacker to determine the site’s security'''<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
'''d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail'''<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
'''1 = 1'''<br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
'''Determine what database engine is being used by using SQL formatting'''<br />
<pre><br />
a) AND ('aa'=CONCAT('a','a')) <br />
b) AND 'a'='a'||'a' <br />
c) AND 'aa'='a'+'a' <br />
</pre><br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233687Southern Maryland2017-09-24T20:53:20Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
'''C. It's when security information is gathered about an organization from totally public sources, such as surfing the web'''<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
'''WarGames'''<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
'''c) This command allows a hacker to determine the site’s security'''<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
'''d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail'''<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
'''1 = 1'''<br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
'''Determine what database engine is being used by using SQL formatting'''<br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233686Southern Maryland2017-09-24T20:51:30Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
'''C. It's when security information is gathered about an organization from totally public sources, such as surfing the web'''<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
''' WarGames'''<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
'''c) This command allows a hacker to determine the site’s security'''<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
'''d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail'''<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
'''1 = 1'''<br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
<br />
'''to determine what database engine is being used by using SQL formatting'''<br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233685Southern Maryland2017-09-24T20:43:56Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
C. It's when security information is gathered about an organization from totally public sources, such as surfing the web<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
WarGames<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
c) This command allows a hacker to determine the site’s security<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
AND ('aa'=CONCAT('a','a')) <br />
AND 'a'='a'||'a' <br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233684Southern Maryland2017-09-24T20:38:25Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
C. It's when security information is gathered about an organization from totally public sources, such as surfing the web<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
WarGames<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
c) This command allows a hacker to determine the site’s security<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
AND ('aa'=CONCAT('a','a')) <br />
AND 'a'='a'||'a' <br />
' AND 'aa'='a'+'a' <br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233683Southern Maryland2017-09-24T20:36:45Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
C. It's when security information is gathered about an organization from totally public sources, such as surfing the web<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
WarGames<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
c) This command allows a hacker to determine the site’s security<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
AND ('aa'=CONCAT('a','a')) <br />
AND 'a'='a'||'a' <br />
AND 'aa'='a'+'a' <br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233682Southern Maryland2017-09-24T20:32:55Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2nonprogrammers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
intelligence 5<br />
<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
C. It's when security information is gathered about an organization from totally public sources, such as surfing the web<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
WarGames<br />
<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
c) This command allows a hacker to determine the site’s security<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
AND ('aa'=CONCAT('a','a')) <br />
AND 'a'='a'||'a' <br />
AND 'aa'='a'+'a' <br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database and <br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233681Southern Maryland2017-09-24T20:28:56Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
# Angela 3<br />
# 2nonprogrammers 5<br />
# no name 7 <br />
# Buddha 7<br />
# Superbad 7<br />
# no name 7<br />
# no name 7<br />
# intelligence 5<br />
<br />
* 1. What is passive research?<br />
* A. It's when a pen tester conducts their work without much effort<br /><br />
* B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br /><br />
* C. It's when security information is gathered about an organization from totally public sources, such as surfing the web<br /><br />
* D. It's exploring a network and its operating systems to get an idea of how it's all configured<br /><br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br /><br />
<br />
* 2. What was the first movie to feature computer hacking?<br /><br />
WarGames<br /><br />
<br />
* 3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
* a) This command returns the home page for the IP address specified<br />
* b) This command opens a backdoor Telnet session to the IP address specified <br />
* c) This command allows a hacker to determine the site’s security<br />
* d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
* 4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
* a) To determine who is the holder of the root account<br />
* b) To perform a DoS attack<br />
* c) To create needless SPAM<br />
* d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail<br />
* e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
<br />
* 5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
<br />
* 6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
<br />
* AND ('aa'=CONCAT('a','a')) <br />
* AND 'a'='a'||'a' <br />
* AND 'aa'='a'+'a' <br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database<br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233680Southern Maryland2017-09-24T20:24:49Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
# Angela 3<br />
# 2nonprogrammers 5<br />
# no name 7 <br />
# Buddha 7<br />
# Superbad 7<br />
# no name 7<br />
# no name 7<br />
# intelligence 5<br />
1. What is passive research?<br />
A. It's when a pen tester conducts their work without much effort<br />
B. It alerts for situations such as database errors, which facilitates an organization to ensure confidentiality and integrity<br />
C. It's when security information is gathered about an organization from totally public sources, such as surfing the web<br />
D. It's exploring a network and its operating systems to get an idea of how it's all configured<br />
https://www.owasp.org/index.php/Testing:_Introduction_and_objectives <br />
<br />
2. What was the first movie to feature computer hacking?<br />
A. WarGames<br />
3. What does the following command achieve? Telnet <IP Address> <Port 80> HEAD /HTTP/1.0<br />
a) This command returns the home page for the IP address specified<br />
b) This command opens a backdoor Telnet session to the IP address specified <br />
c) This command allows a hacker to determine the site’s security<br />
d) This command is bogus and will accomplish nothing<br />
https://books.google.com/books?id=N-4XDAAAQBAJ&pg=PT319&lpg=PT319&dq=telnet+ip+address+port+80+head+http/1.0&source=bl&ots=-kPqPRHEjG&sig=JEln91esv_wX5RH-u5Vf1j_gOiU&hl=en&sa=X&ved=0ahUKEwib0I2G1bnWAhVCSCYKHUKtBU0Q6AEIXzAJ#v=onepage&q=telnet%20ip%20address%20port%2080%20head%20http%2F1.0&f=false <br />
<br />
4. Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test on?<br />
a) To determine who is the holder of the root account<br />
b) To perform a DoS attack<br />
c) To create needless SPAM<br />
d) To illicit a response back that will reveal information about email servers and how they treat undeliverable mail<br />
e) To evaluate the virus protection<br />
Answer https://www.aiotestking.com/ec-council/why-would-you-consider-sending-an-email-to-an-address-that-you-know-does-not-exist-within-the-company-you-are-performing-a-penetration-test-for/<br />
<br />
<br />
5. Hacker believes application is vulnerable to SQL injection. Using SQL Blind injection finish this SQL Statement. http://newspaper.com/items.php?id=2 and ??????????? so he knows yes the application is vulnerable to blind SQL injection <br />
Answer is here https://www.owasp.org/index.php/Blind_SQL_Injection<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Summary<br />
<br />
<br />
6. What is the hacker trying to learn by adding each AND to the SQL statement “SELECT name FROM TableOne where id=2 “? <br />
<br />
a) AND ('aa'=CONCAT('a','a')) <br />
b) AND 'a'='a'||'a' <br />
c) AND 'aa'='a'+'a' <br />
Answer is here https://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint<br />
<br />
Also https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#Fingerprinting_the_Database<br />
http://www.sqlinjection.net/database-fingerprinting/<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233679Southern Maryland2017-09-24T20:19:05Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
Next meeting is being planned<br />
Round One trivia Results<br />
6 question possible 11 points possible, all question 2 points except movie question, 1 point only.<br />
<br />
Angela 3<br />
2 non programmers 5<br />
no name 7 <br />
Buddha 7<br />
Superbad 7<br />
no name 7<br />
no name 7<br />
int elligence 5<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233329Southern Maryland2017-09-17T20:58:52Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
'''Agenda'''<br />
6:00pm to 6:30, meet and greet. (Limited Pizza and Drinks)<br />
6:30pm Larry Conklin (OWASP project leader) speaking on what, who, and the mission of OWASP.<br />
7:15pm David Sanborn, Multipart presentation on web security vulnerabilities. (Part 1)<br />
8:10pm Trivia contest. (Part 1)<br />
'''Event ticket registration.''' Event is free but this helps us book the right room.<br />
https://www.eventbrite.com/e/owasp-southern-maryland-chapter-meeting-tickets-37322971011?aff=es2<br />
<br />
<br />
Come to the first initial meeting of Southern Maryland OWASP Chapter, all who support and create IT systems are invited. Open to all inside and outside the DoD and those who want to stay abreast or learn more about application security (not just web application).<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]'''<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=233328Southern Maryland2017-09-17T20:57:32Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
'''Agenda'''<br />
6:00pm to 6:30, meet and greet. (Limited Pizza and Drinks)<br />
6:30pm Larry Conklin (OWASP project leader) speaking on what, who, and the mission of OWASP.<br />
7:15pm David Sanborn, Multipart presentation on web security vulnerabilities. (Part 1)<br />
8:10pm Trivia contest. (Part 1)<br />
'''Event ticket registration.''' Event is free but this helps us book the right room.<br />
https://www.eventbrite.com/e/owasp-southern-maryland-chapter-meeting-tickets-37322971011?aff=es2<br />
<br />
<br />
Come to the first initial meeting of Southern Maryland OWASP Chapter, all who support and create IT systems are invited. Open to all inside and outside the DoD and those who want to stay abreast or learn more about application security (not just web application).<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
= Twitter =<br />
<!-- Twitter Box --> {|<br />
<br />
| style="border: 1px solid rgb(204, 204, 204); width: 100%; font-size: 95%; color: rgb(0, 0, 0); background-color: rgb(236, 236, 236);" |<br />
<br />
'''You can follow us on Twitter as [http://twitter.com/owaspdc @somdowasp]''' <twitter>23609877</twitter><br />
<br />
| style="width: 110px; font-size: 95%; color: rgb(0, 0, 0);" |<br />
<br />
|}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232715Southern Maryland2017-08-29T02:41:51Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
'''Agenda'''<br />
6:00pm to 6:30, meet and greet. (Limited Pizza and Drinks)<br />
6:30pm Larry Conklin (OWASP project leader) speaking on what, who, and the mission of OWASP.<br />
7:15pm David Sanborn, Multipart presentation on web security vulnerabilities. (Part 1)<br />
8:10pm Trivia contest. (Part 1)<br />
'''Event ticket registration.''' Event is free but this helps us book the right room.<br />
https://www.eventbrite.com/e/owasp-southern-maryland-chapter-meeting-tickets-37322971011?aff=es2<br />
<br />
<br />
Come to the first initial meeting of Southern Maryland OWASP Chapter, all who support and create IT systems are invited. Open to all inside and outside the DoD and those who want to stay abreast or learn more about application security (not just web application).<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232714Southern Maryland2017-08-29T02:40:09Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
'''Agenda'''<br />
6:00pm to 6:30, meet and greet. (Limited Pizza and Drinks)<br />
6:30pm Larry Conklin (OWASP project leader) speaking on what, who, and the mission of OWASP.<br />
7:15pm David Sanborn, Multipart presentation on web security vulnerabilities. (Part 1)<br />
8:10pm Trivia contest. (Part 1)<br />
Event ticket registration, Event is free but this helps us book the right room, and help with pizza order.<br />
https://www.eventbrite.com/e/owasp-southern-maryland-chapter-meeting-tickets-37322971011?aff=es2<br />
<br />
<br />
Come to the first initial meeting of Southern Maryland OWASP Chapter, all who support and create IT systems are invited. Open to all inside and outside the DoD and those who want to stay abreast or learn more about application security (not just web application).<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232713Southern Maryland2017-08-29T02:39:23Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
Agenda<br />
6:00pm to 6:30, meet and greet. (Limited Pizza and Drinks)<br />
6:30pm Larry Conklin (OWASP project leader) speaking on what, who, and the mission of OWASP.<br />
7:15pm David Sanborn, Multipart presentation on web security vulnerabilities. (Part 1)<br />
8:10pm Trivia contest. (Part 1)<br />
Event ticket registration, Event is free but this helps us book the right room, and help with pizza order.<br />
https://www.eventbrite.com/e/owasp-southern-maryland-chapter-meeting-tickets-37322971011?aff=es2<br />
<br />
<br />
Come to the first initial meeting of Southern Maryland OWASP Chapter, all who support and create IT systems are invited. Open to all inside and outside the DoD and those who want to stay abreast or learn more about application security (not just web application).<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232712Southern Maryland2017-08-29T02:36:10Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
https://www.eventbrite.com/e/owasp-southern-maryland-chapter-meeting-tickets-37322971011?aff=es2<br />
<br />
<br />
Come to the first initial meeting of Southern Maryland OWASP Chapter, all who support and create IT systems are invited. Open to all inside and outside the DoD and those who want to stay abreast or learn more about application security (not just web application).<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232711Southern Maryland2017-08-29T01:38:37Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
Come to the first initial meeting of Southern Maryland OWASP Chapter, all who support and create IT systems are invited. Open to all inside and outside the DoD and those who want to stay abreast or learn more about application security (not just web application).<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232710Southern Maryland2017-08-29T01:37:44Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
<br />
Come to the first initial meeting of Southern Maryland OWASP Chapter, all who support and create IT systems are invited. Open to all inside and outside the DoD and those who want to stay abreast or learn more about application security (not just web application).<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232709Southern Maryland2017-08-29T01:37:04Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland<br />
<br />
|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
Come to the first initial meeting of Southern Maryland OWASP Chapter, all who support and create IT systems are invited. Open to all inside and outside the DoD and those who want to stay abreast or learn more about application security (not just web application).<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232708Southern Maryland2017-08-29T01:35:25Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn.<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
<br />
Come to the first initial meeting of Southern Maryland OWASP Chapter, all who support and create IT systems are invited. Open to all inside and outside the DoD and those who want to stay abreast or learn more about application security (not just web application).<br />
<br />
Everyone is welcome to join us at our chapter meetings. <br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232707Southern Maryland2017-08-29T01:31:06Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] and David Sanborn<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232706Southern Maryland2017-08-29T01:30:47Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin] David Sanborn<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232705Southern Maryland2017-08-29T01:29:17Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' <br />
September 21, 2017, 6:00PM<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232704Southern Maryland2017-08-29T01:28:04Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
'''Where:''' Southern Maryland Higher Education Center 44219 Airport Road, Califorina, MD 20619<br />
<br />
'''Date/Time:''' September 21, 2017, 6:00PM<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Southern_Maryland&diff=232703Southern Maryland2017-08-29T01:21:15Z<p>Larry Conklin: </p>
<hr />
<div>{{Chapter Template|chaptername=Southern Maryland|extra=The chapter leader is [mailto:larry.conklin@owasp.org Larry Conklin].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-southernmaryland|emailarchives=http://lists.owasp.org/pipermail/owasp-southernmaryland}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
'''Where:''' Southern Maryland Higher Education Center<br />
44219 Airport Road, Califorina, MD 20619<br />
'''Date/Time:''' September 21, 2017, 6:00PM<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:Maryland]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Code_review&diff=231201Code review2017-07-03T21:46:21Z<p>Larry Conklin: </p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<div style="border:0,margin:0;overflow: hidden;"><br />
{{OWASP Defenders}} {{OWASP Book|5691953}} <br />
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div><br />
</div><br />
=Code Review Guide=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The Release Candidate for the OWASP Code Review Guide is now available!==<br />
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. <br />
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.<br />
<br />
Thank you,<br />
Larry Conklin, Gary Robinson<br />
OWASP Code Review Guides Co-Leaders<br />
<br />
==Introduction==<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Review of Code Review Guide 2.0==<br />
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to owasp-codereview-project@owasp.org. Private comments may be sent to larry.conklin@owasp.org or gary.robinson@owasp.org . All comments are welcome. All comments should indicate the specific relevant page and section.<br />
<br />
All feedback is critical to the continued success of the OWASP Code Review Guide.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Project Email ==<br />
* Project Email [mailto:Owasp-codereview-project@lists.owasp.org]<br />
<br />
==Classifications==<br />
[[File:Owasp-defenders-small.png|link=]]<br />
<br />
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
<br />
[[File:Project_Type_Files_DOC.jpg|link=]]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/index.php/File:Code_review_guide_singleColumn_V06.pdf Release Candidate Code Review Guide 2.0]<br />
<br />
== In Print ==<br />
Code Review Guide 2.0 will be available in Lulu in the near future.<br />
<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
|}<br />
<br />
= Acknowledgements =<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead.<br />
<br />
Code Review Mailing list[mailto:Owasp-codereview-project@lists.owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=File:Code_review_guide_singleColumn_V06.pdf&diff=231200File:Code review guide singleColumn V06.pdf2017-07-03T21:44:15Z<p>Larry Conklin: Code Review Guide 2.0</p>
<hr />
<div>Code Review Guide 2.0</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Code_review&diff=231199Code review2017-07-03T21:32:35Z<p>Larry Conklin: </p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<div style="border:0,margin:0;overflow: hidden;"><br />
{{OWASP Defenders}} {{OWASP Book|5691953}} <br />
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div><br />
</div><br />
=Code Review Guide=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The Release Candidate for the OWASP Code Review Guide is now available!==<br />
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. <br />
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.<br />
<br />
Thank you,<br />
Larry Conklin, Gary Robinson<br />
OWASP Code Review Guides Co-Leaders<br />
<br />
==Introduction==<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Review of Code Review Guide 2.0==<br />
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to owasp-codereview-project@owasp.org. Private comments may be sent to larry.conklin@owasp.org or gary.robinson@owasp.org . All comments are welcome. All comments should indicate the specific relevant page and section.<br />
<br />
All feedback is critical to the continued success of the OWASP Code Review Guide.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Project Email ==<br />
* Project Email [mailto:Owasp-codereview-project@lists.owasp.org]<br />
<br />
==Classifications==<br />
[[File:Owasp-defenders-small.png|link=]]<br />
<br />
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
<br />
[[File:Project_Type_Files_DOC.jpg|link=]]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/index.php/File:Code_review_guide_singleColumn_V05_(1).pdf Release Candidate Code Review Guide 2.0]<br />
<br />
== In Print ==<br />
Code Review Guide 2.0 will be available in Lulu in the near future.<br />
<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
|}<br />
<br />
= Acknowledgements =<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead.<br />
<br />
Code Review Mailing list[mailto:Owasp-codereview-project@lists.owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Code_review&diff=231198Code review2017-07-03T21:25:52Z<p>Larry Conklin: </p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<div style="border:0,margin:0;overflow: hidden;"><br />
{{OWASP Defenders}} {{OWASP Book|5691953}} <br />
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div><br />
</div><br />
=Code Review Guide=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The Release Candidate for the OWASP Code Review Guide is now available!==<br />
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. <br />
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.<br />
<br />
Thank you,<br />
Larry Conklin, Gary Robinson<br />
OWASP Code Review Guides Co-Leaders<br />
<br />
==Introduction==<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Review of Code Review Guide 2.0==<br />
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to owasp-codereview-project@owasp.org. Private comments may be sent to larry.conklin@owasp.org or gary.robinson@owasp.org . All comments are welcome. All comments should indicate the specific relevant page and section.<br />
<br />
All feedback is critical to the continued success of the OWASP Code Review Guide.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Project Email ==<br />
* Project Email [mailto:Owasp-codereview-project@lists.owasp.org]<br />
<br />
==Classifications==<br />
[[File:Owasp-defenders-small.png|link=]]<br />
<br />
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
<br />
[[File:Project_Type_Files_DOC.jpg|link=]]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/index.php/File:Code_review_guide_singleColumn_V05_(1).pdf Release Candidate Code Review Guide 2.0]<br />
<br />
== In Print ==<br />
Code Review Guide 2.0 will be available in Lulu in the near future.<br />
<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
|}<br />
<br />
= Acknowledgements =<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead.<br />
<br />
Code Review Mailing list[mailto:owasp-codereview-project@owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Code_review&diff=231197Code review2017-07-03T21:18:39Z<p>Larry Conklin: </p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<div style="border:0,margin:0;overflow: hidden;"><br />
{{OWASP Defenders}} {{OWASP Book|5691953}} <br />
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div><br />
</div><br />
=Code Review Guide=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The Release Candidate for the OWASP Code Review Guide is now available!==<br />
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. <br />
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.<br />
<br />
Thank you,<br />
Larry Conklin, Gary Robinson<br />
OWASP Code Review Guides Co-Leaders<br />
<br />
==Introduction==<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Review of Code Review Guide 2.0==<br />
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to owasp-codereview-project@owasp.org. Private comments may be sent to larry.conklin@owasp.org or gary.robinson@owasp.org . All comments are welcome. All comments should indicate the specific relevant page and section.<br />
<br />
All feedback is critical to the continued success of the OWASP Code Review Guide.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Project Email ==<br />
* Project Email [mailto:owasp-codereview-project@owasp.org]<br />
<br />
==Classifications==<br />
[[File:Owasp-defenders-small.png|link=]]<br />
<br />
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
<br />
[[File:Project_Type_Files_DOC.jpg|link=]]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/index.php/File:Code_review_guide_singleColumn_V05_(1).pdf Release Candidate Code Review Guide 2.0]<br />
<br />
== In Print ==<br />
Code Review Guide 2.0 will be available in Lulu in the near future.<br />
<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
|}<br />
<br />
= Acknowledgements =<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead.<br />
<br />
Code Review Mailing list[mailto:owasp-codereview-project@owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Code_review&diff=231196Code review2017-07-03T21:17:08Z<p>Larry Conklin: aaa</p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<div style="border:0,margin:0;overflow: hidden;"><br />
{{OWASP Defenders}} {{OWASP Book|5691953}} <br />
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div><br />
</div><br />
=Code Review Guide=</div>Larry Conklinhttps://wiki.owasp.org/index.php?title=Category:OWASP_Code_Review_Project&diff=230925Category:OWASP Code Review Project2017-06-23T16:06:24Z<p>Larry Conklin: /* Review of Code Review Guide 2.0 */</p>
<hr />
<div><div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div><br />
<div style="border:0,margin:0;overflow: hidden;"><br />
{{OWASP Defenders}} {{OWASP Book|5691953}} <br />
<div style="margin: 5px; padding: 5px; float: left; width:70%">{{Social Media Links}} </div><br />
</div><br />
=Code Review Guide=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==The Release Candidate for the OWASP Code Review Guide is now available!==<br />
Please forward to all the developers and development teams you know!! We would like to immediately start raising awareness about this OWASP resource. <br />
We plan to release the final version in Aug. 2017 after a public comment period ending July 31, 2017.<br />
<br />
Thank you,<br />
Larry Conklin, Gary Robinson<br />
OWASP Code Review Guides Co-Leaders<br />
<br />
==Introduction==<br />
OWASP Code Review Guide is a technical book written for those responsible for code reviews (management, developers, security professionals). The primarily focus of this book has been divided into two main sections. Section one is why and how of code reviews and sections two is devoted to what vulnerabilities need to be to look for during a manual code review. While security scanners are improving every day the need for manual security code reviews still needs to have a prominent place in organizations SDLC (Secure development life cycle) that desires good secure code in production.<br />
<br />
Second sections deals with vulnerabilities. It is based on the poplar OWASP 2013 top 10. Here you will find most of the code examples for both on what not to do and on what to do. A word of caution on code examples; Perl is famous for its saying that there are 10,000 ways to do one thing. The same is true for C#, PHP and Java or any other computer language. Now add in "Object-Oriented Programming" and if we are using design patterns or even what designs patterns are being used and sample code becomes very “iff” in what to write. We tried to keep the sample code so code reviews can see red flags and not “do it my way or else”.<br />
<br />
The last section is the appendix. Here we have content like code reviewer check list, etc. of items that really don’t flow in book form but needed to be included to make the code review guide compete.<br />
<br />
==Review of Code Review Guide 2.0==<br />
Constructive comments on this OWASP Code Review Release Candidate should be forwarded via email to owasp-codereview-project@owasp.org. Private comments may be sent to larry.conklin@owasp.org or gary.robinson@owasp.org . All comments are welcome. All comments should indicate the specific relevant page and section.<br />
<br />
All feedback is critical to the continued success of the OWASP Code Review Guide.<br />
<br />
==Licensing==<br />
OWASP Code Review Guide is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Project Leader ==<br />
* Larry Conklin [mailto:larry.conklin@owasp.org]<br />
* Gary Robinson [mailto:gary.robinson@owasp.org]<br />
<br />
== Project Email ==<br />
* Project Email [mailto:owasp-codereview-project@owasp.org]<br />
<br />
==Classifications==<br />
[[File:Owasp-defenders-small.png|link=]]<br />
<br />
[[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
<br />
[[File:Project_Type_Files_DOC.jpg|link=]]<br />
<br />
== Related Projects ==<br />
<br />
OWASP Testing Guide [https://www.owasp.org/index.php/OWASP_Testing_Project]<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
* [https://www.owasp.org/index.php/File:Code_review_guide_singleColumn_V05_(1).pdf Release Candidate Code Review Guide 2.0]<br />
<br />
== In Print ==<br />
Code Review Guide 2.0 will be available in Lulu in the near future.<br />
<br />
[http://www.lulu.com/content/5678680 Code Review Guide V1.1] on Lulu.<br />
|}<br />
<br />
= Acknowledgements =<br />
The OWASP Code Review project was conceived by Eoin Keary, the OWASP Ireland Founder and Chapter Lead.<br />
<br />
Code Review Mailing list[mailto:owasp-codereview-project@owasp.org]<br />
<br />
Project leaders [mailto:larry.conklin@owasp.org larry.conklin@owasp.org] or [mailto:gary.robinson@owasp.org gary.robinson@owasp.org]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Larry Conklin