https://wiki.owasp.org/api.php?action=feedcontributions&user=Nikola+Milosevic&feedformat=atom
OWASP - User contributions [en], 2024-03-28T23:05:22Z, MediaWiki 1.27.2
https://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=255951
OWASP SeraphimDroid Project, 2019-11-05T11:36:06Z
<p>Nikola Milosevic: added contributors and new features on the page</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect the user's privacy and secure the device against malicious features that may cost the user money<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost constantly connected to the internet and other mobile networks, they are more exposed to attacks. From open WiFi networks that can be spoofed to Trojan malware applications in app stores, threats are everywhere. Many attacks succeed because users are not aware of the risks and threats; they may act naively and expose themselves even further. These attacks may lead to identity theft, financial theft or loss of privacy, or the device may end up acting as part of a botnet.<br />
<br />
In order to prevent attacks on users, this project aims to develop a set of guidelines and an application that ensure users operate their devices in a secure manner. The project is and always will remain open for everyone to participate, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project tends to be research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other techniques in order to protect our users, their privacy and their money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use. The app also describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. <br />
* Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all applications and system services (WiFi, network, Bluetooth) with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on the device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature lets the user place outgoing calls and send SMS normally, but blocks outgoing calls and reports outgoing SMS initiated by Trojan applications.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may sound an alarm or start sending messages with its location to a defined number.<br />
* Remote location. If the user loses their phone, they can send it an SMS containing a predefined secret code, and the phone will reply with its location coordinates. <br />
* Remote lock and wipe<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps users secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">{{#widget:PayPal Donation<br />
|target=_blank<br />
|budget=OWASP Seraphimdroid (Website Donation) }}</div><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
Kartik Kholi [mailto:kartik.kholi@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
** Article describing deep learning based dynamic malware analysis and anomaly detection: https://arxiv.org/ftp/arxiv/papers/1910/1910.10660.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (05.11.2019) We have participated this year in Google Summer of Code. The work done on dynamic malware analysis and anomaly detection on the device using deep learning is described in the following paper: https://arxiv.org/ftp/arxiv/papers/1910/1910.10660.pdf<br />
* (15.3.2017) We published a part of our machine learning methodology in Elsevier's scientific publication: Milosevic, Nikola, Ali Dehghantanha, and Kim-Kwang Raymond Choo. "Machine learning aided Android malware classification." Computers & Electrical Engineering (2017). http://www.sciencedirect.com/science/article/pii/S0045790617303087<br />
* (09.1.2017) OWASP Seraphimdroid was promoted to Lab project<br />
* (28.8.2016) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/blog/2016/08/28/educational-framework-added-to-owasp-seraphimdroid/ read here]<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on a front page and interview with a project leader was published in Libre!, Serbian online magazine about open source. Issue 29 of the Libre! magazine, where the interview was published can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. Blog post about features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) Article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on OWASP Seraphimdroid project. Article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect the user's privacy and secure the device against malicious features and threats<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use. The app also describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which achieved an accuracy of 88%. <br />
* Machine learning-based anomaly detection that notifies you when the behaviour of your phone (processor, memory and battery usage) is abnormal, so you can take appropriate action. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature enables the user to lock usage of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing content.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if any application is trying to send an SMS. This is the usual way malware creators earn money: by sending premium-rate SMS messages.<br />
* Outgoing call blocker. This feature lets you place outgoing calls normally, but blocks outgoing calls initiated by other installed applications. As with outgoing SMS, this is a scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may sound an alarm or start sending messages with its location to a defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to ensure that it is the owner of the device who is changing the SIM card. Perfect for theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a predefined secret code, and your phone will reply with its location coordinates. <br />
* Remote lock. Similarly, you may lock your device using a message with the secret code.<br />
* Remote wipe. If your phone is stolen, you may send a message with the secret code and wipe all user data from the phone.<br />
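The anomaly-detection feature above notifies the user when processor, memory or battery usage departs from the device's normal behaviour. The following is an added example, not code from the SeraphimDroid project (which the page says uses a deep learning model): it shows the core idea with a simple statistical baseline instead. A set of "normal" telemetry samples is summarised per metric as a mean and standard deviation, and a new sample is flagged when any metric rises more than a threshold number of standard deviations above its baseline. The metric names and all readings are constructed for illustration.

```python
# Added example (not SeraphimDroid's own code): a minimal statistical
# anomaly detector over device resource telemetry, standing in for the
# app's deep-learning model. All sample readings below are constructed.
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Hypothetical metric names; a real collector would map them to Android
# CPU, memory and battery statistics.
METRICS = ("cpu_pct", "mem_pct", "battery_drain_pct_per_h")

# Constructed baseline: idle-to-light-use readings from a hypothetical phone.
BASELINE: List[Dict[str, float]] = [
    {"cpu_pct": 8.0,  "mem_pct": 41.0, "battery_drain_pct_per_h": 2.0},
    {"cpu_pct": 12.0, "mem_pct": 43.0, "battery_drain_pct_per_h": 2.5},
    {"cpu_pct": 10.0, "mem_pct": 40.0, "battery_drain_pct_per_h": 1.8},
    {"cpu_pct": 15.0, "mem_pct": 45.0, "battery_drain_pct_per_h": 3.0},
    {"cpu_pct": 9.0,  "mem_pct": 42.0, "battery_drain_pct_per_h": 2.2},
    {"cpu_pct": 11.0, "mem_pct": 44.0, "battery_drain_pct_per_h": 2.4},
]


@dataclass
class Baseline:
    stats: Dict[str, Tuple[float, float]]  # metric -> (mean, stddev)


def fit_baseline(samples: List[Dict[str, float]]) -> Baseline:
    """Summarise normal behaviour as per-metric mean and standard deviation."""
    stats = {}
    for m in METRICS:
        values = [s[m] for s in samples]
        sd = pstdev(values)
        # Guard against a constant metric: a zero stddev would make every
        # deviation infinite, so apply a small floor instead.
        stats[m] = (mean(values), max(sd, 1e-6))
    return Baseline(stats)


def score(baseline: Baseline, sample: Dict[str, float]) -> Dict[str, float]:
    """Return the z-score of each metric for one telemetry sample."""
    return {m: (sample[m] - mu) / sd for m, (mu, sd) in baseline.stats.items()}


def is_anomalous(baseline: Baseline, sample: Dict[str, float],
                 threshold: float = 3.0) -> Tuple[bool, List[str]]:
    """Flag the sample if any metric sits more than `threshold` standard
    deviations above its baseline mean. The check is one-sided: unusually
    low usage is not a threat indicator. Returns (flag, offending metrics)."""
    z = score(baseline, sample)
    offending = sorted(m for m, v in z.items() if v > threshold)
    return (bool(offending), offending)


if __name__ == "__main__":
    base = fit_baseline(BASELINE)
    # Constructed readings: one ordinary, one with runaway CPU and battery
    # drain of the kind a background miner or premium-SMS sender might cause.
    for reading in (
        {"cpu_pct": 13.0, "mem_pct": 44.0, "battery_drain_pct_per_h": 2.6},
        {"cpu_pct": 85.0, "mem_pct": 47.0, "battery_drain_pct_per_h": 14.0},
    ):
        flag, why = is_anomalous(base, reading)
        print("ALERT" if flag else "ok", reading, why)
```

The threshold and the one-sided test are design choices: a fixed 3-sigma rule over a small baseline will produce false alarms during legitimate heavy use (gaming, updates), which is why the app's own model learns behaviour rather than relying on a static cutoff; the alert here is a prompt for the user to look, not a verdict.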
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users, without requiring any advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Junfan Huang<br />
* Kartik Kohli<br />
* Furquan Ahmed<br />
* Ali Tekeoglu<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, 3rd year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (Weka toolkit) based on requested permissions. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. Integrating external components into an Android app may be challenging, though: how the GUI is presented and how the processes integrate need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine ways of integrating third-party apps into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===The current priorities for SeraphimDroid are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, 3rd year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your ideas as well. '''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help coding open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Just let us know what as a user you would like to see new or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while surfing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=255950OWASP SeraphimDroid Project2019-11-05T11:31:44Z<p>Nikola Milosevic: Added article as a result of GSoC 2019</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect user's privacy and secure the device against malicious features that may cost user money<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are more exposed to the attacks. From the open WiFi networks that can be spoofed to the Trojan malware applications on the app stores, threats are everywhere around. Many of the attacks are successful because users are not aware of the risks and threats. They may act naive and expose themselves to the attacks even more. These attacks may lead to the identity theft, money theft, losing privacy or they devices may start acting as part of the botnet network.<br />
<br />
In order to prevent attacks on the users, this project aims to develop a set of guidelines and application that will ensure that users are using their devices in a secure manner. Project is and always will remain open for everyone to participate and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of Android operating system. We want to develop, as a community an free and open source security and privacy protection application and a set of security guideline for Android users. The project tend to be research oriented and we are willing to innovate in Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and money. The project is community driven and everyone is open to participate. The main aim of OWASP SeraphimDroid application should keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user. <br />
* Application and service locker. With OWASP Seraphimdroid, user may lock access to certain or to all of your applications and system services (WiFi, network, BlueTooth) with password<br />
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature will allow user to perform normally outgoing calls and SMS, but it will block outgoing calls and inform about outgoing SMS performed by trojan applications.<br />
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.<br />
* Remote location. If user lost your phone, he is able to send SMS with a defined secret code as a content and his phone and it will reply with the location coordinates of the device. <br />
* Remote lock and lock<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps user secure and teaches him about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">{{#widget:PayPal Donation<br />
|target=_blank<br />
|budget=OWASP Seraphimdroid (Website Donation) }}</div><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented in OWASP Serbia local chapter on april 2015 meeting.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
Kartik Kholi [mailto:kartik.kholi@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
** Article describing deep learning based dynamic malware analysis and anomaly detection: https://arxiv.org/ftp/arxiv/papers/1910/1910.10660.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (05.11.2019) We have participated this year in Google Summer of Code. The work done on dynamic malware analysis and anomaly detection on the device using deep learning is described in the following paper: https://arxiv.org/ftp/arxiv/papers/1910/1910.10660.pdf<br />
* (15.3.2017) We published a part of our machine learning methodology in Elsevier's scientific publication: Milosevic, Nikola, Ali Dehghantanha, and Kim-Kwang Raymond Choo. "Machine learning aided Android malware classification." Computers & Electrical Engineering (2017). http://www.sciencedirect.com/science/article/pii/S0045790617303087<br />
* (09.1.2017) OWASP Seraphimdroid was promoted to Lab project<br />
* (28.8.2016) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/blog/2016/08/28/educational-framework-added-to-owasp-seraphimdroid/ read here]<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on a front page and interview with a project leader was published in Libre!, Serbian online magazine about open source. Issue 29 of the Libre! magazine, where the interview was published can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seaphimdroid was released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. Blog post about features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Searaphimdroid participates on [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) Article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on OWASP Seraphimdroid project. Article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect user's privacy and secure the device against malicious features and threats<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use, and describes the potential malicious use of certain permissions. Seraphimdroid also uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which achieved an accuracy of 88%. Since the model only sees the permissions an app requests, not what it actually does, the prediction is a prompt to look closer rather than a verdict.<br />
* Application locker. With OWASP Seraphimdroid you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature lets the user lock the use of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Useful for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing in the content.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if one of the installed applications is trying to send an SMS. This is the usual way malware authors earn money: by sending premium-rate SMS messages.<br />
* Outgoing call blocker. This feature lets you place outgoing calls normally, but blocks outgoing calls made by other installed applications. As with outgoing SMS, this is a scenario malware authors use to earn money.<br />
* Geo-fencing. This feature lets the user set a location range within which the device should stay. If the device leaves the range it can raise an alarm or start sending messages with its location to a defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to make sure it is the owner of the device who is changing it. Useful for theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a defined secret code and the phone will reply with its location coordinates.<br />
* Remote lock. Similarly, you can lock your device with a message containing the secret code.<br />
* Remote wipe. If your phone is stolen, you can send a message with the secret code and wipe all user data from the phone. Because any sender who knows the code can trigger these actions, choose a code that is hard to guess and keep it secret.<br />
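The permission scanner described above has two parts: explaining why a requested permission can be misused, and turning the requested permissions into a fixed-length feature vector for a permission-based classifier such as the SVM the project trains. The following is an added example, not Seraphimdroid's own code: it parses constructed AndroidManifest.xml fragments, annotates the risky permissions, scores them additively and emits the 0/1 feature vector. The permission weights, the explanation texts and the one permission combination it flags are assumptions for the example, and the manifests are constructed, not taken from real apps.

```python
"""Permission-based risk scan of Android manifests (added example, not project code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# (weight, explanation) per permission; weights and texts are assumptions for the example.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": (3, "can send premium-rate SMS that cost the user money"),
    "android.permission.CALL_PHONE": (3, "can dial premium-rate numbers without showing the dialer"),
    "android.permission.RECEIVE_SMS": (2, "can read incoming SMS, including one-time codes"),
    "android.permission.READ_CONTACTS": (2, "can harvest the address book for spam or phishing"),
    "android.permission.ACCESS_FINE_LOCATION": (1, "can track the user's movements"),
    "android.permission.READ_PHONE_STATE": (1, "exposes device identifiers and phone number"),
    "android.permission.RECEIVE_BOOT_COMPLETED": (1, "can start itself silently after every reboot"),
    "android.permission.INTERNET": (0, "used by most apps; risky only combined with data-access permissions"),
}
VOCABULARY = sorted(RISKY_PERMISSIONS)  # fixed feature order for the classifier input


def extract_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.append(name)
    return names


def feature_vector(permissions):
    """0/1 vector over VOCABULARY: the input shape of a permission-based SVM."""
    present = set(permissions)
    return [1 if p in present else 0 for p in VOCABULARY]


def scan(manifest_xml):
    """Explain risky permissions and compute an additive risk score."""
    permissions = extract_permissions(manifest_xml)
    present = set(permissions)
    findings = []
    score = 0
    for perm in permissions:
        weight, why = RISKY_PERMISSIONS.get(perm, (0, None))
        score += weight
        if weight:
            findings.append((perm, why))
    # Combinations matter more than single permissions: an app that can both
    # read SMS and talk to the network can exfiltrate one-time codes.
    if {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= present:
        score += 2
        findings.append(("RECEIVE_SMS + INTERNET", "can intercept SMS codes and send them out"))
    return {"permissions": permissions, "score": score,
            "findings": findings, "features": feature_vector(permissions)}


# Constructed manifests for the example (not real apps).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("flashlight", SUSPICIOUS_MANIFEST), ("notes", BENIGN_MANIFEST)):
        result = scan(manifest)
        print(label, "score", result["score"], "features", result["features"])
        for perm, why in result["findings"]:
            print("  ", perm, "-", why)
```

A flashlight app that asks for SEND_SMS, RECEIVE_SMS and READ_CONTACTS scores far above the notes app, which is exactly the signal a permission-only model picks up; the feature vector is what a trained SVM would consume in place of the hand-tuned weights.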
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks.<br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users without advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, third-year or master's project idea that would improve the Seraphimdroid app. Project leaders are willing to co-supervise such projects; please contact us if you are interested. Some potential project ideas are listed below, but we encourage you to send us your own ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app that already has the capability to statically analyse malware using machine learning (the Weka toolkit) based on permissions. However, this is usually not enough, and we intend to improve it with behavioural analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analysing their behaviour (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device, and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement, and possibly improve, the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. Integrating external components into an Android app may be a challenge: how the GUI is presented and how the processes integrate needs to be examined and developed.<br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party apps can be integrated into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and the API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===The current priorities for SeraphimDroid are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, third-year or master's project idea that would improve the Seraphimdroid app. Project leaders are willing to co-supervise such projects; please contact us if you are interested. Some potential project ideas are listed on the Project/Feature ideas tab, but we encourage you to send us your own ideas as well.'''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Just let us know what as a user you would like to see new or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while surfing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute, please contact the project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>
Nikola Milosevic
https://wiki.owasp.org/index.php?title=User:Nikola_Milosevic&diff=248586
User:Nikola Milosevic (2019-03-09T10:55:58Z)
<p>Nikola Milosevic: Update</p>
<hr />
<div>E-mail: [mailto:nikola.milosevic@owasp.org Nikola Milosevic]<br />
<br />
Nikola Milosevic was born on December 7th 1986 in Bratislava, Slovakia, lived in Belgrade, Serbia, and is now based in Manchester, UK.<br />
<br />
Nikola Milosevic holds a Ph.D. in Computer Science (main areas: natural language processing, machine learning) from the University of Manchester. He currently works at the University of Manchester as a research associate and lectures on information security and malware analysis courses at the University of Salford. Nikola Milosevic holds an MSc degree from the University of Belgrade, Department of Computer Science. In 2008 and 2009 he worked at Asseco South Eastern Europe as a Software Test Engineer. From 2010 to 2012 Nikola worked at P3 Communications GmbH (part of P3 Group) as a Software Development Engineer for Remote Test Systems of mobile networks. For a couple of months he also tested mobile prototypes for Nokia and Verizon. He worked as a mobile (mainly Android) and web developer (with security responsibilities) at Devana Technologies (the company behind managewp.com).<br />
<br />
In 2011 Nikola won 2nd prize at the Cyber Security iPuzzle competition held at Belgrade's security fair.<br />
<br />
In 2013 Nikola and his team won 1st prize at the first Belgrade Startup Weekend with Nikola's idea.<br />
<br />
Nikola is the founder and local chapter leader of the OWASP chapter in Serbia. He also started the OWASP Seraphimdroid project, and is one of the OWASP Manchester chapter leaders.<br />
<br />
<br />
Email: [mailto:nikola.milosevic@owasp.org nikola.milosevic(at)owasp.org]<br />
<br />
Website-blog: [http://www.inspiratron.org Inspiratron.org]<br />
<br />
<br />
<br />
Twitter: [https://twitter.com/dreadknight011 @dreadknight011]<br />
<br />
LinkedIn: [http://rs.linkedin.com/in/nikolamilosevic1986 Nikola Milosevic linkedIn]</div>
Nikola Milosevic
https://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=248585
GSoC2019 Ideas (2019-03-09T10:52:11Z)
<p>Nikola Milosevic: Additional information for OWASP Seraphimdroid project</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started, in no particular order:'''<br />
* Read about the [https://developers.google.com/open-source/gsoc/ Google Summer of Code program (GSoC)]<br />
* Read the [[GSoC SAT]]<br />
* Read the [https://www.owasp.org/index.php/GSoC GSoC Student Guidelines]<br />
* Contact us through the mailing list or IRC channel.<br />
* Check our [https://github.com/OWASP GitHub organization]<br />
<br />
<br />
==OWASP-SKF==<br />
<br />
=== Idea 1 Improving the Machine Learning chatbot: ===<br />
We want to extend the functionality of the SKF Bot (the Security Knowledge Framework chatbot). Some improvements and suggestions that would extend what it can do:<br />
<br />
# Create a desktop version of the chatbot that people can install on their local machine.<br />
# Create a plugin or website bot that can be embedded in the website for a better chat experience.<br />
# Extend the bot's capability to do a Google search (using web scraping) for things that are not available in the database, giving it a wider scope of knowledge.<br />
# Add a basic conversation flow that makes the SKF Bot friendly and provides a better user experience, e.g. replies to general queries like "How are you?" or "What is your name?".<br />
# Extend the bot's capability to reply with the security controls that should be followed from the ASVS, MASVS or other custom checklists present in SKF.<br />
# Extend the bot to other platforms such as Facebook, Telegram, Slack and Google Assistant.<br />
<br />
The existing chatbot implementation is on Gitter. You can test the bot by typing @skfchatbot in the Gitter community.<br />
<br />
'''Getting started:'''<br />
<br />
* Get familiar with the architecture and code base of SKF (Security Knowledge Framework)<br />
* Get a feeling for the high code and test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated third-party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
* Python 3+, Flask, CoffeeScript<br />
<br />
'''Mentors and Leaders'''<br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor)<br />
<br />
=== Idea 2 Improving and building Lab challenges and write-ups: ===<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are delivered in Docker so they can be easily deployed.<br />
<br />
In the current situation the Security Knowledge Framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and a solution. The new labs give software developers and application security specialists a more in-depth understanding of, and approach to, how to test for the vulnerabilities in their own code.<br />
* For example, we now have around 20 lab challenges as Docker containers built in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images pushed to the GitHub repository are automatically built and pushed to a Docker registry from which SKF users can easily pull them to get their labs running. Of course they can also download the source from the original repository and build the images themselves.<br />
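The Local File Inclusion lab linked above is about a file name taken from the request and handed to the file system unchecked. As an added example that is not taken from the skf-labs repository, the block below shows the vulnerable lookup next to a hardened one in plain Python (no Flask, so it runs offline); the lab directory layout and file contents it builds under a temporary directory are constructed for the example. The hardened version resolves the real path and checks that the lab directory is a path-component prefix of it, which also catches absolute paths (which `os.path.join` would otherwise let replace the base directory entirely), `..` traversal, symlinks pointing outside and sibling directories whose name merely starts with the base name.

```python
"""Local File Inclusion: vulnerable lookup beside a hardened one (added example)."""
import os
import tempfile


def read_lab_file_vulnerable(base_dir, requested):
    # Vulnerable: the user-controlled name is joined without any check, so
    # "../secret.txt" walks out of base_dir and "/etc/passwd" replaces it
    # entirely, because os.path.join discards base_dir for absolute paths.
    with open(os.path.join(base_dir, requested), "r") as fh:
        return fh.read()


def resolve_inside(base_dir, requested):
    """Return the real path of `requested` only if it stays inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so "labs2" is not inside
    # "labs" (a plain startswith() check would accept it). realpath has
    # already followed symlinks, so a link inside base pointing out is caught.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the lab directory: %r" % (requested,))
    return target


def is_allowed(base_dir, requested):
    """Boolean form of the check, convenient for tests and request filters."""
    try:
        resolve_inside(base_dir, requested)
        return True
    except PermissionError:
        return False


def read_lab_file_hardened(base_dir, requested):
    with open(resolve_inside(base_dir, requested), "r") as fh:
        return fh.read()


def build_demo_tree():
    """Constructed layout: <root>/labs/notes.txt is public, <root>/secret.txt is not."""
    root = tempfile.mkdtemp(prefix="skf-lfi-")
    labs = os.path.join(root, "labs")
    os.mkdir(labs)
    with open(os.path.join(labs, "notes.txt"), "w") as fh:
        fh.write("lab notes\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("top secret\n")
    return labs


def demo():
    """Run both variants against the same traversal input and report the outcome."""
    labs = build_demo_tree()
    results = {
        "vulnerable_leaks": read_lab_file_vulnerable(labs, "../secret.txt"),
        "hardened_reads_ok": read_lab_file_hardened(labs, "notes.txt"),
        "hardened_blocks_traversal": not is_allowed(labs, "../secret.txt"),
        "hardened_blocks_absolute": not is_allowed(labs, "/etc/passwd"),
        "hardened_blocks_sibling_prefix": not is_allowed(labs, "../labs2/x.txt"),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", repr(value))
```

The point of the test pair is that both functions are called with the same attacker-chosen string; only the canonicalise-then-compare step separates a leaked file from a refused request.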
<br />
'''Mentors and Leaders''' <br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
Option 1: Unit Tests - Difficulty: Easy<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
Option 2: Feature Enhancement - Difficulty: Varies<br />
* The functionality of DefectDojo is constantly expanding.<br />
* Feature enhancements offer programming challenges for all levels of experience.<br />
Option 3: Pull Request Review - Difficulty: Moderate - Hard<br />
* Test pull requests and provide feedback on code.<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
[[OWASP_Python_Honeypot|OWASP Honeypot]] is open source software written in Python and designed for creating honeypots and honeynets in an easy and secure way. The project is compatible with Python 2.x and 3.x and has been tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Started ===<br />
<br />
It is best to start from the [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page]; we are looking forward to adding more modules and optimising the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using:<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* and more Linux services<br />
<br />
=== Expected Results ===<br />
<br />
* Zero bugs: there may currently be several bugs under different conditions; all functions should be tested and the bugs fixed<br />
* Monitoring: right now monitoring is limited to connections (send and receive); the contents should be stored and analysed for further investigation and for recognising incoming attacks<br />
* Duplicated code: the engine code is complicated and duplicated and should be fixed and cleaned up<br />
* New modules: add creative ICS, network and web modules, vulnerable web applications, services and so on<br />
* API: keep the API in sync with all features<br />
* WebUI: demonstrate and add the API on the WebUI and live version with all features<br />
* WebUI special reports: track attacks more creatively and report high-risk IPs<br />
* Database: a better database structure, faster, using a queue<br />
* Data analysis: analyse stored data and attack signatures<br />
* OWASP Top 10: prepare useful processed/raw data for the OWASP Top 10 project<br />
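Two of the items above, analysing stored data and reporting high-risk IPs, amount to an aggregation pass over the connection records the honeypot already keeps. The block below is an added example and not OWASP Honeypot code: it assumes a record format of one JSON object per line with `ts`, `ip`, `module`, `port` and `payload` fields (the project's real storage schema is not described on this page), builds a per-source profile, and scores each source so that breadth (distinct ports and modules probed) counts more than raw volume, repeated SSH logins count as brute force, and any contact with an ICS module is weighted heavily. The records, the weights and the "high value module" set are all constructed for the example; the IP addresses are from the documentation ranges.

```python
"""Rank attacker IPs from stored honeypot connection records (added example, not project code)."""
import json
from collections import defaultdict

# Constructed records in the assumed one-JSON-object-per-line format.
SAMPLE_LOG = """
{"ts": "2019-03-09T10:00:01Z", "ip": "203.0.113.7", "module": "ssh", "port": 22, "payload": "root:123456"}
{"ts": "2019-03-09T10:00:03Z", "ip": "203.0.113.7", "module": "ssh", "port": 22, "payload": "admin:admin"}
{"ts": "2019-03-09T10:00:05Z", "ip": "203.0.113.7", "module": "ssh", "port": 22, "payload": "root:toor"}
{"ts": "2019-03-09T10:01:10Z", "ip": "198.51.100.4", "module": "http", "port": 80, "payload": "GET / HTTP/1.1"}
{"ts": "2019-03-09T10:01:11Z", "ip": "198.51.100.4", "module": "http", "port": 8080, "payload": "GET /admin HTTP/1.1"}
{"ts": "2019-03-09T10:01:12Z", "ip": "198.51.100.4", "module": "ssh", "port": 22, "payload": ""}
{"ts": "2019-03-09T10:01:14Z", "ip": "198.51.100.4", "module": "ics/modbus", "port": 502, "payload": "read-holding-registers"}
{"ts": "2019-03-09T10:05:00Z", "ip": "192.0.2.9", "module": "http", "port": 80, "payload": "GET /robots.txt HTTP/1.1"}
"""

# Modules whose mere touch is suspicious (assumed for the example).
HIGH_VALUE_MODULES = {"ics/modbus"}


def parse_records(text):
    """One JSON object per non-empty line; a malformed line is skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            continue
    return records


def is_credential_attempt(rec):
    # In this constructed format SSH login attempts are stored as "user:password".
    return rec["module"] == "ssh" and ":" in rec["payload"]


def profile_ips(records):
    """Aggregate per source IP: volume, breadth (ports, modules) and login attempts."""
    profiles = defaultdict(lambda: {"events": 0, "ports": set(), "modules": set(), "cred_attempts": 0})
    for rec in records:
        p = profiles[rec["ip"]]
        p["events"] += 1
        p["ports"].add(rec["port"])
        p["modules"].add(rec["module"])
        if is_credential_attempt(rec):
            p["cred_attempts"] += 1
    return profiles


def risk_score(profile):
    """Weights are assumptions: breadth over volume, brute force and ICS touches on top."""
    return (profile["events"]
            + 3 * len(profile["ports"])
            + 5 * len(profile["modules"] & HIGH_VALUE_MODULES)
            + 2 * profile["cred_attempts"])


def high_risk_ips(text, threshold=10):
    """Return [(ip, score), ...] at or above threshold, highest score first."""
    scored = [(ip, risk_score(p)) for ip, p in profile_ips(parse_records(text)).items()]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    for ip, score in high_risk_ips(SAMPLE_LOG):
        print(ip, score)
```

On the constructed log the host that swept four ports including Modbus ranks above the host that only hammered SSH with three password guesses, and the single robots.txt fetch stays below the threshold; the weights are the part a real deployment would tune against its own data.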
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet analysis, TShark and libpcap<br />
* Docker<br />
* Database<br />
* Web Development Skills<br />
* Honeypot and Deception knowledge<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure web app for security training, written entirely in JavaScript, which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty in which the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Feature Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)<br />
* Each feature comes with full functional unit and integration tests<br />
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Juice Shop Mobile ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
A complete mobile client for the Juice Shop API, serving a legitimate mobile experience for Juice Shop users as well as a plethora of mobile app vulnerabilities and challenges around them to solve. In the best case it should translate the idea of Juice Shop's hacking challenges, with a score board and success notifications, into the mobile world.<br />
<br />
''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''<br />
<br />
''' Getting started '''<br />
* Get familiar with the architecture and code base of the application's RESTful backend<br />
* Get familiar with native app development<br />
* Get familiar with mobile vulnerabilities<br />
<br />
'''Expected Results:'''<br />
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.<br />
* Sufficient initial release quality (on par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''<br />
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.<br />
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.<br />
<br />
''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''<br />
<br />
'''Expected Results:'''<br />
* A working implementation of e.g. an avatar-style "Hacking Instructor" or other solution based on the students own proposal<br />
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges<br />
* Documentation how to configure or script the "Hacking Instructor" for challenges in general<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular, some UI/UX experience would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP-Securetea Tools Project ==<br />
The purpose of this application is to warn the user (via various communication mechanisms) whenever their laptop is accessed. This small application was developed and tested in Python on a Linux machine and is likely to work well on the Raspberry Pi as well. See<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
We are looking for any awesome idea to improve the SecureTea project that is not on this list. We expect this project to become useful to everyone wanting to secure their small IoT devices.<br />
<br />
===Idea===<br />
Below are the roadmap and the expected results; you can choose any of them to improve the SecureTea project. If you find any bugs, please help to fix them.<br />
<br />
===Roadmap=== <br />
See our roadmap:<br><br />
https://github.com/OWASP/SecureTea-Project#roadmap<br><br />
Notify by Twitter (done)<br><br />
Securetea Dashboard / Gui (done)<br><br />
<br />
===Expected Results===<br />
Securetea Protection /firewall<br><br />
Securetea Antivirus<br><br />
Notify by Whatsapp<br><br />
Notify by SMS Alerts<br><br />
Notify by Line<br><br />
Notify by Telegram<br><br />
Intelligent Log Monitoring<br><br />
Login History<br><br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP SecureTea Project Leader)<br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim A.A] - (OWASP SecureTea Project Leader)<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest Python MiTM proxy. However, it lacks the useful and much needed interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well: it is fast, but it is not extensible. There are a number of good use cases for making it extensible:<br />
* the ability to intercept transactions<br />
* modifying or replaying a transaction on the fly<br />
* adding capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
* Design and implement a proxy plugin (middleware) architecture so that plugins can be defined separately and the user can choose which plugins to include dynamically (from the web interface).<br />
* Replace the current Requester (based on urllib and urllib2) with a more robust Requester based on urllib3, with support for a real headless browser factory. The typical flow when an authenticated browser instance (using PhantomJS) is requested:<br />
<br />
* The "Requester" module checks whether any login parameters are provided (i.e. form-based or script; see https://github.com/owtf/login-sessions-plugin)<br />
* Create a browser instance and perform the necessary login procedure<br />
* Handle the URI with the browser<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard work for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] - OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful, and it is painful to browse many plugins. Most of the plugins contain a lot of code, much of it repeated, so substantial refactoring is needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP iGoat (draft) ==<br />
'''Idea 1:''' Completing the OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos for the OWASP iGoat YouTube channel for learning purposes.<br />
<br />
'''Idea 2:''' Adding a new challenge pack / CTF for iGoat. It should be a one-stop solution for learning iOS app security.<br />
<br />
== OWASP Seraphimdroid ==<br />
[[OWASP SeraphimDroid Project|OWASP Seraphimdroid]] is an Android security and privacy app, with features to enhance the user's knowledge about security and privacy on their mobile device. If you are interested in this project and in working on it during Google Summer of Code, please contact [[User:Nikola Milosevic|Nikola Milosevic]] and express your interest.<br />
<br />
=== Idea 1: Anomaly detection of device state ===<br />
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, calls, etc.). Initially, the usual behaviour of the device would be learned. Later, deviations from this normal behaviour would be reported to the user. The report should include explanations, such as which applications are causing the anomalous device behaviour.<br />
<br />
=== Idea 2: On device machine learning of maliciousness of an app ===<br />
TensorFlow for on-device processing and some other libraries that enable on-device machine learning have been released. We have previously applied a system that, based on permissions, is able to distinguish malicious apps from non-malicious ones. Now we would also like to learn from other outputs and properties one can monitor about an application whether it may be malicious.<br />
<br />
=== Idea 3: Enhancing privacy features ===<br />
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved through knowing which applications are sending user accounts or other information the user has on the phone to a server, or just by knowing which applications may be doing so. The knowledge base should be extended with suggestions on how to improve privacy. Also, automated settings for various apps to use encryption should be proposed.<br />
==OWASP ZAP==<br />
The [[OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy]] (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== Active Scanning WebSockets ===<br />
: '''Brief Explanation:'''<br />
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).<br />
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* A pluggable infrastructure that allows us to actively scan websockets<br />
:* Converting the relevant existing scan rules to work with websockets<br />
:* Implementing new websocket specific scan rules<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated Authentication Detection and Configuration ===<br />
: '''Brief Explanation:'''<br />
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
: This is time consuming and error prone.<br />
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sorts of webapps as possible.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* Detect login and registration pages<br />
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== IoT Goat ==<br />
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf IoT Top 10 2018]. <br />
<br />
===Insecure web services/application===<br />
''' Getting started '''<br />
* [https://github.com/scriptingxss/IoTGoat/blob/master/README.md Get familiar with OpenWrt]<br />
<br />
'''Expected Results:'''<br />
* Web services deployed in OpenWRT containing critical vulnerabilities that showcase the traditional IoT problems. They must contain the following vulnerabilities, to be used with the IoT testing guide: SQL injection, local inclusion and XXE injection (I1), insufficient authentication (I2), and transfer of sensitive information over insecure channels (I4).<br />
<br />
'''Knowledge Prerequisites:'''<br />
* OpenWRT<br />
* Web security<br />
* Embedded Security<br />
<br />
'''Potential Mentors:'''<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)<br />
<br />
===Insecure services===<br />
''' Getting started '''<br />
* [https://github.com/scriptingxss/IoTGoat/blob/master/README.md Get familiar with OpenWrt]<br />
<br />
'''Expected Results:'''<br />
* Create/Install/Document network services with security vulnerabilities and insecure configurations that can be abused during the challenges.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* OpenWRT<br />
* Network security<br />
<br />
'''Potential Mentors:'''<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)<br />
<br />
===Insecure Android/iOS application===<br />
''' Getting started '''<br />
* [https://github.com/scriptingxss/IoTGoat/blob/master/README.md Get familiar with OpenWrt]<br />
<br />
'''Expected Results:'''<br />
* Android application containing client and server side vulnerabilities covering the OWASP TOP 10 Mobile Risks.<br />
* iOS application containing client and server side vulnerabilities covering the OWASP TOP 10 Mobile Risks.<br />
* Web Services deployed as a service in OpenWrt to be used by the Android/iOS clients.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* OpenWRT<br />
* Mobile security knowledge.<br />
* Mobile/Web development knowledge.<br />
<br />
'''Potential Mentors:'''<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=246929OWASP SeraphimDroid Project2019-01-30T23:54:03Z<p>Nikola Milosevic: Donation button</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks.<br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect users' privacy and secure the device against malicious features that may cost the user money<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are exposed to the internet and other mobile networks almost all the time, they are more exposed to attacks. From open WiFi networks that can be spoofed to Trojan malware applications on the app stores, threats are everywhere. Many attacks are successful because users are not aware of the risks and threats. They may act naively and expose themselves to attacks even more. These attacks may lead to identity theft, money theft or loss of privacy, or their devices may start acting as part of a botnet.<br />
<br />
In order to prevent attacks on users, this project aims to develop a set of guidelines and an application that will ensure users are using their devices in a secure manner. The project is and always will remain open for everyone to participate in, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of the Android operating system. We want to develop, as a community, a free and open-source security and privacy protection application and a set of security guidelines for Android users. The project tends to be research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and their money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use. The app also describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user.<br />
* Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all applications and system services (WiFi, network, Bluetooth) with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on the device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature allows the user to make outgoing calls and send SMS normally, but blocks outgoing calls and warns about outgoing SMS initiated by trojan applications.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may raise an alarm or start sending messages with its location to a defined number.<br />
* Remote location. If the user loses their phone, they can send it an SMS containing a predefined secret code, and the phone will reply with the location coordinates of the device.<br />
* Remote lock and wipe<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps users secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<div class="center" style="width: auto; margin-left: auto; margin-right: auto;">{{#widget:PayPal Donation<br />
|target=_blank<br />
|budget=OWASP Seraphimdroid (Website Donation) }}</div><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
Kartik Kholi [mailto:kartik.kholi@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (15.3.2017) We published a part of our machine learning methodology in Elsevier's scientific publication: Milosevic, Nikola, Ali Dehghantanha, and Kim-Kwang Raymond Choo. "Machine learning aided Android malware classification." Computers & Electrical Engineering (2017). http://www.sciencedirect.com/science/article/pii/S0045790617303087<br />
* (09.1.2017) OWASP Seraphimdroid was promoted to Lab project<br />
* (28.8.2016) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/blog/2016/08/28/educational-framework-added-to-owasp-seraphimdroid/ read here]<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of Libre!, a Serbian online magazine about open source, and an interview with the project leader was published there. Issue 29 of the Libre! magazine, where the interview was published, can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. A blog post about its features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) Article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on OWASP Seraphimdroid project. Article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid-for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect user's privacy and secure the device against malicious features and threats<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use. The app also describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently, we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which achieved an accuracy of 88%.<br />
* Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature enables the user to lock usage of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing in the content.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if any application tries to send an SMS. This is the usual way malware creators earn money: by sending premium SMS messages.<br />
* Outgoing call blocker. This feature allows you to make outgoing calls normally, but blocks outgoing calls placed by other installed applications. As with outgoing SMS, this is a scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may raise an alarm or start sending messages with its location to a defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to ensure that it is the owner of the device who is changing it. Perfect for theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a predefined secret code, and your phone will reply with the location coordinates of the device.<br />
* Remote lock. Similarly, you may lock your device using a message with the secret code.<br />
* Remote wipe. If your phone is stolen, you may send a message with the secret code and wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks.<br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users without advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We would like to encourage any BSc, 3rd-year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed below, but we encourage you to send us your ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyse apps for malware using machine learning (Weka toolkit) based on their permissions. However, this is usually not enough, and we intend to improve it with behavioural analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analysing behaviour (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way of presenting the GUI and the integration between processes need to be examined and developed.<br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party apps can be integrated into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===As of now, the SeraphimDroid priorities are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Just let us know what, as a user, you would like to see added or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while surfing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=246850GSoC2019 Ideas2019-01-26T23:17:31Z<p>Nikola Milosevic: Ideas of OWASP Seraphimdroid projects for GSoC</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* '''Read about the [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program (GSoC)]'''<br />
* '''Read the [[GSoC SAT]]'''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSoC Student Guidelines]<br />
* Contact us through the mailing list or IRC channel.<br />
* Check our [https://github.com/OWASP GitHub organization]<br />
<br />
<br />
==OWASP-SKF (draft)==<br />
Idea 1:<br />
<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be easily deployed.<br />
<br />
In the current situation the Security Knowledge Framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and a solution. The new labs are used to give software developers or application security specialists a more in-depth understanding of, and approach to, how to test for the vulnerabilities in their own code.<br />
* For example, we now have around 20 lab challenges in Docker containers built in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the GitHub repository are automatically built and pushed to a Docker registry, from which SKF users can easily pull the images to get their labs running. Of course they can also download the source and build it themselves by pulling the original repository.<br />
<br />
Idea 2: <br />
<br />
We want to extend the machine learning chatbot functionality in SKF.<br />
* Create a desktop version of the chatbot, where people can install the setup file on their local machine.<br />
* Extend the bot's capability to do Google searches (using web scraping) for things that are not available in the database, so that it has a wider scope of knowledge.<br />
* Extend the bot's capability to reply with which security controls should be followed from the ASVS, MASVS or other custom checklists that are present in SKF.<br />
* Extend the bot to different platforms like Facebook, Telegram, Slack, etc.<br />
** Currently the working chatbot implementation is only for Gitter<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
Option 1: Unit Tests - Difficulty: Easy<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
Option 2: Feature Enhancement - Difficulty: Varies<br />
* The functionality of DefectDojo is constantly expanding.<br />
* Feature enhancements offer programming challenges for all levels of experience.<br />
Option 3: Pull Request Review - Difficulty: Moderate - Hard<br />
* Test pull requests and provide feedback on code.<br />
<br />
<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
OWASP Honeypot is open source software written in Python, designed for creating honeypots and honeynets in an easy and secure way! This project is compatible with Python 2.x and 3.x and is tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Started ===<br />
<br />
It's best to start from the [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page]; we are looking forward to adding more modules and optimizing the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more Linux services<br />
<br />
=== Expected Results ===<br />
...<br />
<br />
=== Roadmap ===<br />
<br />
...<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet Analysis<br />
* Docker<br />
* Database<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham] (Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure web app for security training, written entirely in JavaScript, which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @wurstbrot and @J12934) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing style guides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich JavaScript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, unit/integration testing, experience with (or willingness to learn) Angular and NodeJS/Express; some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
TODO<br />
<br />
'''Expected Results:'''<br />
<br />
TODO<br />
<br />
''' Getting started: '''<br />
<br />
TODO<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
TODO<br />
<br />
'''Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started: '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing style guides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, unit/integration testing, experience with (or willingness to learn) Angular and NodeJS/Express; some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP-Securetea Tools Project ==<br />
The purpose of this application is to warn the user (via various communication mechanisms) whenever their laptop is accessed. This small application was developed and tested in Python on a Linux machine and is likely to work well on the Raspberry Pi as well. -<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
We are looking for any awesome idea to improve the SecureTea Project that is not on this list. We expect this project to be useful to everyone wanting to secure their small IoT devices. <br />
<br />
===Idea===<br />
From the roadmap and expected results below you can choose what to improve in the SecureTea Project. <br />
If you find any bugs, please help to fix them.<br />
<br />
===Roadmap=== <br />
See Our Roadmap<br><br />
https://github.com/OWASP/SecureTea-Project#roadmap<br><br />
Notify by Twitter (done)<br><br />
Securetea Dashboard / Gui (done)<br><br />
<br />
===Expected Results===<br />
<br><br />
Securetea Protection /firewall<br><br />
Securetea Antivirus<br><br />
Notify by Whatsapp<br><br />
Notify by SMS Alerts<br><br />
Notify by Line<br><br />
Notify by Telegram<br><br />
Intelligent Log Monitoring<br><br />
Login History<br><br />
<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
===Mentors===<br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) <br><br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim A.A] - (OWASP Securetea Project Leader)<br />
* [https://github.com/sananthu Ananthu S] - (Mentor)<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewriting some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker-based testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM Python proxy. However, it lacks the useful and much-needed interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. It is fast, but it is not extensible. There are a number of good use cases for extensibility:<br />
*ability to intercept transactions<br />
*modify or replay a transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose which plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the newer urllib3, with support for a real headless browser factory. The typical flow when an authenticated browser instance is requested (using PhantomJS):<br />
<br />
*The "Requester" module checks whether any login parameters are provided (i.e. form-based or script; see https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and perform the necessary login procedure<br />
*Use the browser instance to handle the requested URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] (OWASP OWTF Project Leaders)<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] (OWASP OWTF Project Leaders)<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse the many plugins. Most of the plugins have a lot of code, and much of it is repeated; a lot of refactoring is needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP iGoat (draft) ==<br />
'''Idea 1:''' Completing the OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos for the OWASP iGoat YouTube channel for learning purposes.<br />
<br />
'''Idea 2:''' Adding a new challenge pack / CTF for iGoat. It should be a one-stop solution for learning iOS app security.<br />
<br />
= OWASP Seraphimdroid =<br />
<br />
=== Idea 1: Anomaly detection of device state ===<br />
The idea is that certain features of the device would be constantly monitored (battery use, internet usage, app calls, etc.). Initially, the usual behaviour of the device would be learned. Later, deviations from that normal behaviour would be reported to the user. This should include some explanation, such as which applications are causing the anomaly in the device's behaviour. <br />
<br />
=== Idea 2: On device machine learning of maliciousness of an app ===<br />
TensorFlow for on-device processing and some other libraries that enable machine learning on the device have been released. We have previously applied a system that, based on permissions, is able to distinguish malicious apps from non-malicious ones. Now we would also like to learn, from other outputs and things one can monitor about an application, whether it may be malicious. <br />
<br />
=== Idea 3: Enhancing privacy features ===<br />
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved through knowing which applications are using user accounts or other information that the user has on the phone and sending it to a server, or just by knowing which applications may be doing so. The knowledge base should be extended with suggestions on how to improve privacy. Also, automated configuration of various apps to use encryption should be proposed.</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=245952Manchester2018-12-11T16:47:42Z<p>Nikola Milosevic: Code of conduct title</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
<br />
When participating in our events, please follow our [https://www.owasp.org/index.php/OWASPManchester_CodeOfConduct code of conduct].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
===== '''13th November 2018''' =====<br />
<br />
=== OWASP Manchester CTF 2018 ===<br />
Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats, who will be running the challenges.<br />
<br />
The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy-style challenge aimed at a range of technical capabilities, with some low-tech or non-tech challenges.<br />
<br />
So, if you're a developer, software tester, system architect, infosec professional, or just have an interest in security, sign up. We'll be running teams of 4, so you can either enter a full team or we can help you put one together on the day!<br />
<br />
Manchester Grey Hats will be running a series of short workshops on the same topics as the CTF on October 24th, so keep an eye on their [https://www.meetup.com/Manchester-Grey-Hats/events/255241900/ Meetup page]!<br />
<br />
Thanks to our community sponsors: Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.<br />
<br />
Check and reserve your place on '''[https://www.meetup.com/OWASP-Manchester/events/255192665/ OWASP Manchester CTF 2018 Meetup event]'''.<br />
<br />
= Code of conduct =<br />
OWASP Manchester meetings and events are an inclusive environment where all people should feel safe and respected. We welcome diversity in age, race, ethnicity, national origin, range of abilities, sexual orientation, gender identity, financial means, education, and political perspective.<br />
<br />
OWASP Manchester will not tolerate any form of violence, harassment, hate speech or trolling either off or online, or any overly drunken, intimidating or heckling behaviour.<br />
<br />
Please respect the presenters, don’t talk amongst yourselves during their presentations and ensure your mobile phones are muted or switched off.<br />
<br />
We want you to have fun, in a safe and respectful environment.<br />
<br />
If you have any issues or concerns relating to the code of conduct, please contact one of the Chapter Leads either in person, through the Meetup page or via email.<br />
<br />
Chapter Leads:<br />
*Ben Fountain<br />
*Daniel Pollard<br />
*Joe Carter<br />
*Nikola Milosevic<br />
*Sharka Pekarova<br />
*Saskia Coplans<br />
*Wes Parsons<br />
(email addresses are on the OWASP website [https://www.owasp.org/index.php/Manchester]).<br />
<br />
As this is a private event we reserve the right to remove and ultimately ban anyone who violates this code of conduct, and will report any incidents to the appropriate authorities if necessary.<br />
<br />
'''Polite note to Vendors/Recruiters/Internal Recruiters/Business Development people'''<br />
<br />
Vendors and recruiters are welcome at OWASP Manchester; however, we ask that you remember this is a user group, not a networking event, and tapping people up for jobs or business unprompted is not encouraged.<br />
<br />
= Past Events =<br />
<br />
'''2018 Dates'''<br />
<br />
[[4th September]]<br />
<br />
[[17th July]]<br />
<br />
[[3rd May]]<br />
<br />
'''2017 Dates'''<br />
<br />
[[2017 04 26 Manchester|24th April]]<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_11_30_Manchester|30th November]]<br />
<br />
[[2016_06_16_Manchester|16th June]]<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* Ben Fountain<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Daniel Pollard|Daniel Pollard]]<br />
<br />
Chapter Board Members are:<br />
* Joe Carter<br />
* [[Sharka Pekarova]]<br />
* [mailto:saskia@digitalinerruption.com Saskia Coplans]<br />
* [mailto:parsonswesley@gmail.com Wes Parsons]<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £1000 Silver<br />
* £2000 Gold<br />
* £3000 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £200.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [https://northernuksecuritygroup.wordpress.com/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Silver Chapter sponsor: <br />
[[File:AutoTrader.jpg|center|thumb|249x249px]]<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=245951Manchester2018-12-11T16:47:02Z<p>Nikola Milosevic: Replaced code of conduct</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
<br />
When participating in our events, please follow our [https://www.owasp.org/index.php/OWASPManchester_CodeOfConduct code of conduct].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
===== '''13th November 2018''' =====<br />
<br />
=== OWASP Manchester CTF 2018 ===<br />
Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats, who will be running the challenges.<br />
<br />
The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy-style challenge aimed at a range of technical capabilities, with some low-tech or non-tech challenges.<br />
<br />
So, if you're a developer, software tester, system architect, infosec professional, or just have an interest in security, sign up. We'll be running teams of 4, so you can either enter a full team or we can help you put one together on the day!<br />
<br />
Manchester Grey Hats will be running a series of short workshops on the same topics as the CTF on October 24th, so keep an eye on their [https://www.meetup.com/Manchester-Grey-Hats/events/255241900/ Meetup page]!<br />
<br />
Thanks to our community sponsors: Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.<br />
<br />
Check and reserve your place on '''[https://www.meetup.com/OWASP-Manchester/events/255192665/ OWASP Manchester CTF 2018 Meetup event]'''.<br />
<br />
Code of conduct<br />
<br />
OWASP Manchester meetings and events are an inclusive environment where all people should feel safe and respected. We welcome diversity in age, race, ethnicity, national origin, range of abilities, sexual orientation, gender identity, financial means, education, and political perspective.<br />
<br />
OWASP Manchester will not tolerate any form of violence, harassment, hate speech or trolling either off or online, or any overly drunken, intimidating or heckling behaviour.<br />
<br />
Please respect the presenters, don’t talk amongst yourselves during their presentations and ensure your mobile phones are muted or switched off.<br />
<br />
We want you to have fun, in a safe and respectful environment.<br />
<br />
If you have any issues or concerns relating to the code of conduct, please contact one of the Chapter Leads either in person, through the Meetup page or via email.<br />
<br />
Chapter Leads:<br />
*Ben Fountain<br />
*Daniel Pollard<br />
*Joe Carter<br />
*Nikola Milosevic<br />
*Sharka Pekarova<br />
*Saskia Coplans<br />
*Wes Parsons<br />
(email addresses are on the OWASP website [https://www.owasp.org/index.php/Manchester]).<br />
<br />
As this is a private event we reserve the right to remove and ultimately ban anyone who violates this code of conduct, and will report any incidents to the appropriate authorities if necessary.<br />
<br />
'''Polite note to Vendors/Recruiters/Internal Recruiters/Business Development people'''<br />
<br />
Vendors and recruiters are welcome at OWASP Manchester; however, we ask that you remember this is a user group, not a networking event, and tapping people up for jobs or business unprompted is not encouraged.<br />
<br />
= Past Events =<br />
<br />
'''2018 Dates'''<br />
<br />
[[4th September]]<br />
<br />
[[17th July]]<br />
<br />
[[3rd May]]<br />
<br />
'''2017 Dates'''<br />
<br />
[[2017 04 26 Manchester|24th April]]<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_11_30_Manchester|30th November]]<br />
<br />
[[2016_06_16_Manchester|16th June]]<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* Ben Fountain<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Daniel Pollard|Daniel Pollard]]<br />
<br />
Chapter Board Members are:<br />
* Joe Carter<br />
* [[Sharka Pekarova]]<br />
* [mailto:saskia@digitalinerruption.com Saskia Coplans]<br />
* [mailto:parsonswesley@gmail.com Wes Parsons]<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £1000 Silver<br />
* £2000 Gold<br />
* £3000 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £200.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [https://northernuksecuritygroup.wordpress.com/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Silver Chapter sponsor: <br />
[[File:AutoTrader.jpg|center|thumb|249x249px]]<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=245950Manchester2018-12-11T16:46:12Z<p>Nikola Milosevic: Code of conduct</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
<br />
When participating in our events, please follow our [https://www.owasp.org/index.php/OWASPManchester_CodeOfConduct code of conduct].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Code of conduct =<br />
<br />
==Code of Conduct==<br />
OWASP Manchester meetings and events are an inclusive environment where all people should feel safe and respected. We welcome diversity in age, race, ethnicity, national origin, range of abilities, sexual orientation, gender identity, financial means, education, and political perspective.<br />
<br />
OWASP Manchester will not tolerate any form of violence, harassment, hate speech or trolling either off or online, or any overly drunken, intimidating or heckling behaviour.<br />
<br />
Please respect the presenters, don’t talk amongst yourselves during their presentations and ensure your mobile phones are muted or switched off.<br />
<br />
We want you to have fun, in a safe and respectful environment.<br />
<br />
If you have any issues or concerns relating to the code of conduct, please contact one of the Chapter Leads either in person, through the Meetup page or via email.<br />
<br />
Chapter Leads:<br />
* Ben Fountain<br />
* Daniel Pollard<br />
* Joe Carter<br />
* Nikola Milosevic<br />
* Sharka Pekarova<br />
* Saskia Coplans<br />
* Wes Parsons<br />
(email addresses are on the OWASP website [https://www.owasp.org/index.php/Manchester]).<br />
<br />
As this is a private event, we reserve the right to remove and ultimately ban anyone who violates this code of conduct, and will report any incidents to the appropriate authorities if necessary.<br />
<br />
'''Polite note to Vendors/Recruiters/Internal Recruiters/Business Development people'''<br />
<br />
Vendors and Recruiters are welcome at OWASP Manchester; however, we ask that you remember this is a user group, not a networking event, and tapping people up for jobs or business unprompted is not encouraged.<br />
<br />
= Next Meeting =<br />
<br />
===== '''13th November 2018''' =====<br />
<br />
=== OWASP Manchester CTF 2018 ===<br />
Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats, who will be running the challenges.<br />
<br />
The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy-style challenge aimed at a range of technical capabilities, with some low-tech or non-tech challenges.<br />
<br />
So, if you're a developer, software tester, system architect, infosec professional, or just have an interest in security, sign up. We'll be running teams of 4, so you can either enter a full team or we can help you put one together on the day!<br />
<br />
Manchester Grey Hats will be running a series of short workshops on the same topics as the CTF on October 24th, so keep an eye on their [https://www.meetup.com/Manchester-Grey-Hats/events/255241900/ Meetup page]!<br />
<br />
Thanks to our community sponsors: Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.<br />
<br />
Check and reserve your place on '''[https://www.meetup.com/OWASP-Manchester/events/255192665/ OWASP Manchester CTF 2018 Meetup event]'''.<br />
<br />
= Past Events =<br />
<br />
'''2018 Dates'''<br />
<br />
[[4th September]]<br />
<br />
[[17th July]]<br />
<br />
[[3rd May]]<br />
<br />
'''2017 Dates'''<br />
<br />
[[2017 04 26 Manchester|24th April]]<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_11_30_Manchester|30th November]]<br />
<br />
[[2016_06_16_Manchester|16th June]]<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* Ben Fountain<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Daniel Pollard|Daniel Pollard]]<br />
<br />
Chapter Board Members are:<br />
* Joe Carter<br />
* [[Sharka Pekarova]]<br />
* [mailto:saskia@digitalinerruption.com Saskia Coplans]<br />
* [mailto:parsonswesley@gmail.com Wes Parsons]<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £1000 Silver<br />
* £2000 Gold<br />
* £3000 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £200.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [https://northernuksecuritygroup.wordpress.com/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Silver Chapter sponsor: <br />
[[File:AutoTrader.jpg|center|thumb|249x249px]]<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=245946Manchester2018-12-11T16:43:31Z<p>Nikola Milosevic: Code of conduct</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
<br />
When participating in our events, please follow our [https://www.owasp.org/index.php/OWASPManchester_CodeOfConduct code of conduct].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
===== '''13th November 2018''' =====<br />
<br />
=== OWASP Manchester CTF 2018 ===<br />
Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats, who will be running the challenges.<br />
<br />
The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy-style challenge aimed at a range of technical capabilities, with some low-tech or non-tech challenges.<br />
<br />
So, if you're a developer, software tester, system architect, infosec professional, or just have an interest in security, sign up. We'll be running teams of 4, so you can either enter a full team or we can help you put one together on the day!<br />
<br />
Manchester Grey Hats will be running a series of short workshops on the same topics as the CTF on October 24th, so keep an eye on their [https://www.meetup.com/Manchester-Grey-Hats/events/255241900/ Meetup page]!<br />
<br />
Thanks to our community sponsors: Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.<br />
<br />
Check and reserve your place on '''[https://www.meetup.com/OWASP-Manchester/events/255192665/ OWASP Manchester CTF 2018 Meetup event]'''.<br />
<br />
= Past Events =<br />
<br />
'''2018 Dates'''<br />
<br />
[[4th September]]<br />
<br />
[[17th July]]<br />
<br />
[[3rd May]]<br />
<br />
'''2017 Dates'''<br />
<br />
[[2017 04 26 Manchester|24th April]]<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_11_30_Manchester|30th November]]<br />
<br />
[[2016_06_16_Manchester|16th June]]<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* Ben Fountain<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Daniel Pollard|Daniel Pollard]]<br />
<br />
Chapter Board Members are:<br />
* Joe Carter<br />
* [[Sharka Pekarova]]<br />
* [mailto:saskia@digitalinerruption.com Saskia Coplans]<br />
* [mailto:parsonswesley@gmail.com Wes Parsons]<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £1000 Silver<br />
* £2000 Gold<br />
* £3000 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £200.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [https://northernuksecuritygroup.wordpress.com/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Gold Chapter sponsor: <br />
[[File:AutoTrader.jpg|center|thumb|249x249px]]<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASPManchester_CodeOfConduct&diff=245944OWASPManchester CodeOfConduct2018-12-11T16:41:29Z<p>Nikola Milosevic: Code of conduct</p>
<hr />
<div>== Code of Conduct == <br />
<br />
OWASP Manchester meetings and events are an inclusive environment where all people should feel safe and respected. We welcome diversity in age, race, ethnicity, national origin, range of abilities, sexual orientation, gender identity, financial means, education, and political perspective.<br />
<br />
OWASP Manchester will not tolerate any form of violence, harassment, hate speech or trolling either off or online, or any overly drunken, intimidating or heckling behaviour.<br />
<br />
Please respect the presenters, don’t talk amongst yourselves during their presentations and ensure your mobile phones are muted or switched off.<br />
<br />
We want you to have fun, in a safe and respectful environment.<br />
<br />
If you have any issues or concerns relating to the code of conduct, please contact one of the Chapter Leads either in person, through the Meetup page or via email.<br />
<br />
Chapter Leads:<br />
* Ben Fountain<br />
* Daniel Pollard<br />
* Joe Carter<br />
* Nikola Milosevic<br />
* Sharka Pekarova<br />
* Saskia Coplans<br />
* Wes Parsons<br />
<br />
(email addresses are on the OWASP website [https://www.owasp.org/index.php/Manchester]).<br />
<br />
As this is a private event, we reserve the right to remove and ultimately ban anyone who violates this code of conduct, and will report any incidents to the appropriate authorities if necessary.<br />
<br />
'''Polite note to Vendors/Recruiters/Internal Recruiters/Business Development people''' <br />
<br />
Vendors and Recruiters are welcome at OWASP Manchester; however, we ask that you remember this is a user group, not a networking event, and tapping people up for jobs or business unprompted is not encouraged.</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=245939Manchester2018-12-11T16:30:59Z<p>Nikola Milosevic: position of logo</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
===== '''13th November 2018''' =====<br />
<br />
=== OWASP Manchester CTF 2018 ===<br />
Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats, who will be running the challenges.<br />
<br />
The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy-style challenge aimed at a range of technical capabilities, with some low-tech or non-tech challenges.<br />
<br />
So, if you're a developer, software tester, system architect, infosec professional, or just have an interest in security, sign up. We'll be running teams of 4, so you can either enter a full team or we can help you put one together on the day!<br />
<br />
Manchester Grey Hats will be running a series of short workshops on the same topics as the CTF on October 24th, so keep an eye on their [https://www.meetup.com/Manchester-Grey-Hats/events/255241900/ Meetup page]!<br />
<br />
Thanks to our community sponsors: Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.<br />
<br />
Check and reserve your place on '''[https://www.meetup.com/OWASP-Manchester/events/255192665/ OWASP Manchester CTF 2018 Meetup event]'''.<br />
<br />
= Past Events =<br />
<br />
'''2018 Dates'''<br />
<br />
[[4th September]]<br />
<br />
[[17th July]]<br />
<br />
[[3rd May]]<br />
<br />
'''2017 Dates'''<br />
<br />
[[2017 04 26 Manchester|24th April]]<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_11_30_Manchester|30th November]]<br />
<br />
[[2016_06_16_Manchester|16th June]]<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* Ben Fountain<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Daniel Pollard|Daniel Pollard]]<br />
<br />
Chapter Board Members are:<br />
* Joe Carter<br />
* [[Sharka Pekarova]]<br />
* [mailto:saskia@digitalinerruption.com Saskia Coplans]<br />
* [mailto:parsonswesley@gmail.com Wes Parsons]<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £1000 Silver<br />
* £2000 Gold<br />
* £3000 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £200.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [https://northernuksecuritygroup.wordpress.com/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Gold Chapter sponsor: <br />
[[File:AutoTrader.jpg|center|thumb|249x249px]]<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=File:AutoTrader.jpg&diff=245938File:AutoTrader.jpg2018-12-11T16:29:45Z<p>Nikola Milosevic: </p>
<hr />
<div>AutoTrader logo as a sponsor</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=244346Manchester2018-10-18T10:23:36Z<p>Nikola Milosevic: Changed sponsorship values</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
===== '''13th November 2018''' =====<br />
<br />
=== OWASP Manchester CTF 2018 ===<br />
Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats, who will be running the challenges.<br />
<br />
The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy-style challenge aimed at a range of technical capabilities, with some low-tech or non-tech challenges.<br />
<br />
So, if you're a developer, software tester, system architect, infosec professional, or just have an interest in security, sign up. We'll be running teams of 4, so you can either enter a full team or we can help you put one together on the day!<br />
<br />
Manchester Grey Hats will be running a series of short workshops on the same topics as the CTF on October 24th, so keep an eye on their [https://www.meetup.com/Manchester-Grey-Hats/events/255241900/ Meetup page]!<br />
<br />
Thanks to our community sponsors: Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.<br />
<br />
Check and reserve your place on '''[https://www.meetup.com/OWASP-Manchester/events/255192665/ OWASP Manchester CTF 2018 Meetup event]'''.<br />
<br />
= Past Events =<br />
<br />
'''2018 Dates'''<br />
<br />
[[4th September]]<br />
<br />
[[17th July]]<br />
<br />
[[3rd May]]<br />
<br />
'''2017 Dates'''<br />
<br />
[[2017 04 26 Manchester|24th April]]<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_11_30_Manchester|30th November]]<br />
<br />
[[2016_06_16_Manchester|16th June]]<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* Ben Fountain<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Daniel Pollard|Daniel Pollard]]<br />
<br />
Chapter Board Members are:<br />
* Joe Carter<br />
* [[Sharka Pekarova]]<br />
* [mailto:saskia@digitalinerruption.com Saskia Coplans]<br />
* [mailto:parsonswesley@gmail.com Wes Parsons]<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £1000 Silver<br />
* £2000 Gold<br />
* £3000 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £200.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [https://northernuksecuritygroup.wordpress.com/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Gold Chapter sponsor: <br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=244031Manchester2018-10-05T09:46:23Z<p>Nikola Milosevic: Next event</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
===== '''13th November 2018''' =====<br />
<br />
=== OWASP Manchester CTF 2018 ===<br />
Manchester OWASP will be running its first annual CTF on November 13th in partnership with Manchester Grey Hats, who will be running the challenges.<br />
<br />
The CTF will be hosted by the Manchester Technology Centre on Oxford Road and is aimed at people working in the tech industry who have an interest in security. The CTF itself will be a jeopardy-style challenge aimed at a range of technical capabilities, with some low-tech or non-tech challenges.<br />
<br />
So, if you're a developer, software tester, system architect, infosec professional, or just have an interest in security, sign up. We'll be running teams of 4, so you can either enter a full team or we can help you put one together on the day!<br />
<br />
Manchester Grey Hats will be running a series of short workshops on the same topics as the CTF on October 24th, so keep an eye on their [https://www.meetup.com/Manchester-Grey-Hats/events/255241900/ Meetup page]!<br />
<br />
Thanks to our community sponsors: Manchester Grey Hats, North West Testers Gathering, Manchester Girl Geeks, Techs and the City, Tech Leaders of the North West and PowerShell Manchester.<br />
<br />
Check and reserve your place on '''[https://www.meetup.com/OWASP-Manchester/events/255192665/ OWASP Manchester CTF 2018 Meetup event]'''.<br />
<br />
= Past Events =<br />
<br />
'''2018 Dates'''<br />
<br />
[[4th September]]<br />
<br />
[[17th July]]<br />
<br />
[[3rd May]]<br />
<br />
'''2017 Dates'''<br />
<br />
[[2017 04 26 Manchester|24th April]]<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_11_30_Manchester|30th November]]<br />
<br />
[[2016_06_16_Manchester|16th June]]<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* Ben Fountain<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Daniel Pollard|Daniel Pollard]]<br />
<br />
Chapter Board Members are:<br />
* Joe Carter<br />
* [[Sharka Pekarova]]<br />
* [mailto:saskia@digitalinerruption.com Saskia Coplans]<br />
* [mailto:parsonswesley@gmail.com Wes Parsons]<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [https://northernuksecuritygroup.wordpress.com/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Gold Chapter sponsor: [[Image:Veracode-sponsor.jpg]]<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=4th_September&diff=2440304th September2018-10-05T09:38:57Z<p>Nikola Milosevic: Archive page for OWASP Manchester past event. Will be linked from main page.</p>
<hr />
<div>'''4th September 2018''' <br />
<br />
The next OWASP Manchester will take place on Tuesday 4th September at Booking Go (Rentalcars) on Fountain Street in Manchester. (NOTE: Please proceed to the 6th floor on arrival.)<br />
<br />
Confirmed speakers are:<br />
<br />
'''Scott Helme''' ([https://twitter.com/Scott_Helme @Scott_Helme])<br />
<br />
'''Catherine Chapman''' ([https://twitter.com/cathapman @cathapman])<br />
<br />
Tickets are available via Eventbrite: https://www.eventbrite.co.uk/e/owasp-manchester-chapter-meeting-tickets-49427317437 <br />
<br />
This event is kindly sponsored by '''SureCloud''' ([https://twitter.com/SureCloud @SureCloud]).</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=242206Manchester2018-08-01T11:58:22Z<p>Nikola Milosevic: Added new chapter leaders</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
Details of our next meeting - which will likely be in September - will appear here soon!<br />
<br />
= Past Events =<br />
<br />
'''2018 Dates'''<br />
<br />
[[17th July]]<br />
<br />
[[3rd May]]<br />
<br />
'''2017 Dates'''<br />
<br />
[[2017 04 26 Manchester|24th April]]<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_11_30_Manchester|30th November]]<br />
<br />
[[2016_06_16_Manchester|16th June]]<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are (in alphabetical order!):<br />
<br />
* Ben Fountain<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* Joe Carter<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[Sharka Pekarova]]<br />
* [mailto:saskia@digitalinerruption.com Saskia Coplans]<br />
* [mailto:parsonswesley@gmail.com Wes Parsons]<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [https://northernuksecuritygroup.wordpress.com/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Gold Chapter sponsor: [[Image:Veracode-sponsor.jpg]]<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=227440OWASP SeraphimDroid Project2017-03-15T14:15:00Z<p>Nikola Milosevic: Publication added</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect users' privacy and secure the device against malicious features that may cost the user money<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost constantly connected to the internet and other types of mobile networks, they are more exposed to attacks. From open WiFi networks that can be spoofed to Trojan malware applications on the app stores, threats are everywhere. Many of the attacks succeed because users are not aware of the risks and threats. They may act naively and expose themselves to attacks even more. These attacks may lead to identity theft, money theft or loss of privacy, or their devices may start acting as part of a botnet.<br />
<br />
In order to prevent attacks on users, this project aims to develop a set of guidelines and an application that will ensure that users are using their devices in a secure manner. The project is and always will remain open for everyone to participate in, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project tends to be research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and their money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner shows you the list of all installed applications and the permissions they use. The app also describes potential malicious uses of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. <br />
* Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all of their applications and system services (WiFi, network, Bluetooth) with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature allows the user to make outgoing calls and send SMS normally, but it blocks outgoing calls and reports outgoing SMS performed by trojan applications.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may sound an alarm or start sending messages with its location to the defined number.<br />
* Remote location. If the user loses their phone, they can send it an SMS containing a defined secret code, and the phone will reply with the location coordinates of the device. <br />
* Remote lock and wipe<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps users secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
Kartik Kholi [mailto:kartik.kholi@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (15.3.2017) We published a part of our machine learning methodology in Elsevier's scientific publication: Milosevic, Nikola, Ali Dehghantanha, and Kim-Kwang Raymond Choo. "Machine learning aided Android malware classification." Computers & Electrical Engineering (2017). http://www.sciencedirect.com/science/article/pii/S0045790617303087<br />
* (09.1.2017) OWASP Seraphimdroid was promoted to Lab project<br />
* (28.8.2016) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/blog/2016/08/28/educational-framework-added-to-owasp-seraphimdroid/ read here]<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of, and an interview with the project leader was published in, Libre!, a Serbian online magazine about open source. Issue 29 of Libre! magazine, where the interview was published, can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. A blog post about its features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) An article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on the OWASP Seraphimdroid project. The article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect users' privacy and secure the device against malicious features and threats<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows you the list of all installed applications and the permissions they use. The app also describes potential malicious uses of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently, we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which achieved an accuracy of 88%. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature enables the user to lock usage of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing in the content.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if any application tries to send an SMS. This is the usual way malware creators earn money: by sending premium-rate SMS messages.<br />
* Outgoing call blocker. This feature allows you to make outgoing calls normally, but it blocks outgoing calls made by other installed applications. As with outgoing SMS, this is a scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may sound an alarm or start sending messages with its location to the defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to ensure that it is the owner of the device who is changing the SIM card. Perfect for theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a defined secret code, and your phone will reply with the location coordinates of the device. <br />
* Remote lock. Similarly, you may lock your device using a message with the secret code.<br />
* Remote wipe. If your phone is stolen, you may send a message with the secret code and wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users without any advanced skills (i.e. without rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, 3rd-year or master's project ideas that would improve the Seraphimdroid app. The project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed below, but we encourage you to send us your own ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (Weka toolkit) based on permissions. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way of presenting the GUI and the integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party apps can integrate with OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and the API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===As of now, the SeraphimDroid priorities are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, 3rd-year or master's project ideas that would improve the Seraphimdroid app. The project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed in the Project/Feature ideas tab, but we encourage you to send us your own ideas as well. '''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help coding open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Just let us know what as a user you would like to see new or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while surfing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=GSOC2017_Ideas&diff=225902GSOC2017 Ideas2017-02-02T11:04:32Z<p>Nikola Milosevic: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check out the suggested projects below<br />
* Contact the mentors and teams of the projects that you are interested in<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
<br />
=== Challenge Pack 2017 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the [https://github.com/bkimminich/juice-shop/issues/244 Order Dashboard] and [https://github.com/bkimminich/juice-shop/issues/243 Pomace Recycling user stories])<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/3<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Tech Stack Update ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frameworks and modules:<br />
<br />
* AngularJS 1.x with Bootstrap in the client<br />
* Express on top of NodeJS on the server with<br />
** SQLite as a database<br />
** Sequelize as an OR-Mapper<br />
*** sequelize-restful as an automatic API-generator on top of the DB entities<br />
* Jasmine 1.x to specify behavioral tests<br />
** Karma as a test runner for the client-side unit tests<br />
** Frisby.js for API tests on a dynamically launched server<br />
** Protractor for end-to-end testing of the challenge exploits<br />
* NPM for running/testing the application<br />
* Grunt for some of the custom build scripts<br />
<br />
Several of the above frameworks or modules have moved on to new (runtime incompatible) major releases, namely [https://github.com/bkimminich/juice-shop/issues/165 Angular 2], [https://github.com/bkimminich/juice-shop/issues/167 Sequelize], [https://github.com/bkimminich/juice-shop/issues/164 Frisby and Jasmine]. Other modules are out of maintenance entirely, e.g. [https://github.com/bkimminich/juice-shop/issues/167 sequelize-restful].<br />
<br />
Migrating the OWASP Juice Shop to the latest versions of the mentioned frameworks & modules is an important step to keep the application relevant as ''the most modern'' intentionally broken web application. Moving to entirely different frameworks might be taken into consideration as well.<br />
<br />
'''Expected Results:'''<br />
* High-level target architecture overview including a migration plan with intermediary milestones<br />
* Execution of migration without breaking functionality or losing tests along the way<br />
* Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
* Check out the corresponding GitHub milestone for this project: https://github.com/bkimminich/juice-shop/milestone/2<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, experience with latest Javascript frameworks for frontend, backend, testing and building (e.g. AngularJS 2.x, Jasmine 2.x, ...)<br />
<br />
'''Mentors:'''<br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] - OWASP Juice Shop Project Leader<br />
<br />
== OWASP Mobile Hacking Playground ==<br />
<br />
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects: <br />
<br />
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)<br />
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)<br />
<br />
In order to also give practical guidance to developers, security researchers and penetration testers of mobile apps, a hacking playground was created with the goal of building different mobile apps that contain different vulnerabilities mapping to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and an iOS app. This has two advantages:<br />
<br />
* A developer can identify vulnerable code in the provided apps, see the implications and risks if such patterns are used, and look up the best practices in the MSTG to mitigate the vulnerabilities.<br />
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a mobile app, and can gain more knowledge through the information provided in the OMTG.<br />
<br />
It is also encouraged to use the app(s) for educational purposes during trainings and workshops.<br />
<br />
<br />
=== Creation of Android Code Samples ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
An Android app that maps to the MSTG test cases has already been created. This app mostly contains test cases related to data storage on an Android device. In order to close the gap to the MSTG, more test cases need to be added that show "bad practices" leading to vulnerabilities, but also the latest security best practices to demonstrate how those vulnerabilities can be mitigated. <br />
<br />
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
The following categories and their test cases are not fully added to the Android App:<br />
<br />
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)<br />
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)<br />
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)<br />
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)<br />
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)<br />
<br />
For some of the test cases this also includes creating an endpoint on the server side in order to fully understand the test case and the possible security concerns.<br />
<br />
As not all missing test cases can be implemented during GSoC, a subset of them will be defined together with the student. <br />
<br />
<br />
<br />
''' Getting started: '''<br />
Here are a few suggestions on how to get started.<br />
* Check the Mobile Hacking Playground Android app, and browse through the code and Wiki to get an understanding of what a test case looks like. <br />
* Browse through the MASVS and check the different areas and their defined requirements.<br />
* Read about security vulnerabilities and best practices for Android in areas you are interested in (e.g. Cryptography).<br />
<br />
'''Knowledge Prerequisites:'''<br />
General interest in Mobile and Security. Basic knowledge of Android and Java.<br />
<br />
<br />
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader<br />
<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have included just a few of our ideas here; for a more complete list, see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate through a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately, using it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (e.g. using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, as it lacks this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery (SSRF) vulnerabilities. It is developed and maintained by Jake Reynolds and is open source: https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest Java implementation to output Zest scripts in the text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console.<br />
:<br />
:It should be possible to provide much better auto-complete support than is possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* The ability to run Java code in the ZAP Script Console to the same level as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI, including (but not limited to):<br />
::* Manage sessions (loading/persisting)<br />
::* Define context (name, include & exclude URLs)<br />
::* Attack contexts (Spider, Ajax Spider, Active Scan)<br />
::* Set up authentication (form- or script-based)<br />
::* Generate reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so it hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it. We have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT / Bugheist ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
Bugheist lets anyone report issues they find on the internet. Found something out of place on Amazon.com? Let them know. Companies are held accountable, and their response time and history are shown. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to [mailto:riccardo.ten.cate@owasp.org riccardo.ten.cate@owasp.org] or [mailto:glenn.ten.cate@owasp.org glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions, knowledge of Python Flask would come in handy, since the framework is written in Python Flask.<br />
* For writing knowledgebase items, only technical knowledge of application security is required.<br />
* For writing / updating code examples, you need to know a programming language along with secure development.<br />
* For writing the verification guide, you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is open source software written in Python which lets you generate customized shellcodes and convert scripts into obfuscated scripts. This software can be run on Windows/Linux/OSX under Python.<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build.<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (Weka toolkit) based on permissions. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community can provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way of presenting the GUI and the integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party apps can be integrated into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=224877OWASP SeraphimDroid Project2017-01-10T11:39:41Z<p>Nikola Milosevic: /* Educational component */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect users' privacy and secure the device against malicious features that may cost the user money<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost always exposed to the internet and other types of mobile networks, they are more exposed to attacks. From open WiFi networks that can be spoofed to Trojan malware applications on the app stores, threats are everywhere. Many of the attacks are successful because users are not aware of the risks and threats. They may act naively and expose themselves to attacks even more. These attacks may lead to identity theft, money theft or loss of privacy, or their devices may start acting as part of a botnet.<br />
<br />
In order to prevent attacks on users, this project aims to develop a set of guidelines and an application that will ensure that users are using their devices in a secure manner. The project is and always will remain open for everyone to participate, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project tends to be research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and their money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner will show you the list of all installed applications and the permissions they are using. The app will also describe the potential malicious use of certain permissions. Seraphimdroid uses machine learning in order to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) or not, and will notify the user. <br />
* Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all of their applications and system services (WiFi, network, Bluetooth) with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on the device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature will allow the user to perform outgoing calls and SMS normally, but it will block outgoing calls and report outgoing SMS made by Trojan applications.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may sound an alarm or start sending messages with its location to the defined number.<br />
* Remote location. If the user loses their phone, they can send an SMS containing a defined secret code to the phone, and it will reply with the location coordinates of the device. <br />
* Remote lock and wipe<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* An application that keeps users secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
Kartik Kholi [mailto:kartik.kholi@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (09.1.2017) OWASP Seraphimdroid was promoted to a Lab project<br />
* (28.8.2016) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/blog/2016/08/28/educational-framework-added-to-owasp-seraphimdroid/ read here]<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of Libre!, a Serbian online magazine about open source, and an interview with the project leader was published there. Issue 29 of the Libre! magazine, where the interview was published, can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. A blog post about its features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) An article about the malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on the OWASP Seraphimdroid project. The article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect users' privacy and secure the device against malicious features and threats<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner will show you the list of all installed applications and the permissions they are using. The app will also describe the potential malicious use of certain permissions. Seraphimdroid uses machine learning in order to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) or not, and will notify the user. Currently, we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which performed with an accuracy of 88%. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature enables the user to lock the usage of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature will scan all incoming messages and alert the user if it finds potential phishing in the content.<br />
* Outgoing SMS scanner. The application will monitor outgoing SMS and alert the user if one of the applications is trying to send an SMS. This is the usual way malware creators earn money: by sending premium SMS messages.<br />
* Outgoing call blocker. This feature will allow you to perform outgoing calls normally, but it will block outgoing calls made by other installed applications. As with outgoing SMS messages, this is a scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may sound an alarm or start sending messages with its location to the defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to ensure that it is the owner of the device who is changing the SIM card. Perfect for theft protection.<br />
* Remote location. If you lose your phone, you can send an SMS containing a defined secret code, and your phone will reply with the location coordinates of the device. <br />
* Remote lock. Similarly, you may lock your device using a message with the secret code.<br />
* Remote wipe. If your phone is stolen, you may send a message with the secret code and wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks.<br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users without any advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, 3rd year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (the Weka toolkit) based on permissions. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and to implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach in a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components that the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way of presenting the GUI and the integration between processes need to be examined and developed.<br />
<br />
'''Expected Results:'''<br />
<br />
* Examine ways of integrating third-party apps into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and the API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===The current priorities for SeraphimDroid are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, 3rd year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your ideas as well.'''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design the logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, and new anti-theft approaches<br />
* Just let us know what, as a user, you would like to see new or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as an extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while browsing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute, please contact the project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=224876OWASP SeraphimDroid Project2017-01-10T11:38:44Z<p>Nikola Milosevic: /* News and Events */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks.<br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect user's privacy and secure the device against malicious features that may cost user money<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are exposed to the internet and other types of mobile networks almost all the time, they are more exposed to attacks. From open WiFi networks that can be spoofed to Trojan malware applications on the app stores, threats are everywhere. Many attacks succeed because users are not aware of the risks and threats. They may act naively and expose themselves to attacks even more. These attacks may lead to identity theft, money theft or loss of privacy, or their devices may start acting as part of a botnet.<br />
<br />
In order to prevent attacks on users, this project aims to develop a set of guidelines and an application that will ensure that users use their devices in a secure manner. The project is and always will remain open for everyone to participate in, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project tends to be research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and their money. The project is community driven and open to everyone to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use, and describes how certain permissions can be misused. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user.<br />
* Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all applications and system services (WiFi, network, Bluetooth) with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature allows the user to make outgoing calls and send SMS normally, but blocks outgoing calls and reports outgoing SMS performed by Trojan applications.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range it can sound an alarm or start sending messages with its location to a defined number.<br />
* Remote location. If the user loses their phone, they can send it an SMS containing a defined secret code and the phone will reply with its location coordinates.<br />
* Remote lock and lock<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps the user secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
Kartik Kholi [mailto:kartik.kholi@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (09.1.2017) OWASP Seraphimdroid was promoted to Lab project<br />
* (28.8.2016) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/blog/2016/08/28/educational-framework-added-to-owasp-seraphimdroid/ read here]<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating in [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page, and an interview with the project leader was published in Libre!, a Serbian online magazine about open source. Issue 29 of Libre! magazine, where the interview was published, can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. Blog post about features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code]<br />
* (2.2.2014) An article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on the OWASP Seraphimdroid project. The article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect user's privacy and secure the device against malicious features and threats<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use, and describes how certain permissions can be misused. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which achieved an accuracy of 88%.<br />
* Application locker. With OWASP Seraphimdroid you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature lets the user lock the use of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if their content looks like potential phishing.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if one of the installed applications tries to send an SMS. This is the usual way malware creators earn money: by sending premium-rate SMS messages.<br />
* Outgoing call blocker. This feature allows you to make outgoing calls normally, but blocks outgoing calls placed by other installed applications. As with outgoing SMS, this is a scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range it can sound an alarm or start sending messages with its location to a defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to make sure that it is the owner of the device who is changing the SIM card. Perfect for theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a defined secret code and your phone will reply with its location coordinates.<br />
* Remote lock. Similarly, you may lock your device with a message containing the secret code.<br />
* Remote wipe. If your phone is stolen, you may send a message with the secret code and wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks.<br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users without any advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, 3rd year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (the Weka toolkit) based on permissions. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and to implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach in a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components that the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way of presenting the GUI and the integration between processes need to be examined and developed.<br />
<br />
'''Expected Results:'''<br />
<br />
* Examine ways of integrating third-party apps into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and the API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for common users, where, by using the application, users can learn about risks to their privacy and security. Some components already have some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor the user's behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn the user about risks if they do something risky. Also, a mobile security knowledge base that can be updated remotely would be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop a web server where the knowledge base can be updated<br />
* Improve the current educational reporting<br />
* Develop a methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===The current priorities for SeraphimDroid are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, 3rd year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your ideas as well.'''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design the logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, and new anti-theft approaches<br />
* Just let us know what, as a user, you would like to see new or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as an extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while browsing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute, please contact the project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=224875OWASP SeraphimDroid Project2017-01-10T11:36:52Z<p>Nikola Milosevic: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks.<br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect user's privacy and secure the device against malicious features that may cost user money<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are exposed to the internet and other types of mobile networks almost all the time, they are more exposed to attacks. From open WiFi networks that can be spoofed to Trojan malware applications on the app stores, threats are everywhere. Many attacks succeed because users are not aware of the risks and threats. They may act naively and expose themselves to attacks even more. These attacks may lead to identity theft, money theft or loss of privacy, or their devices may start acting as part of a botnet.<br />
<br />
In order to prevent attacks on users, this project aims to develop a set of guidelines and an application that will ensure that users use their devices in a secure manner. The project is and always will remain open for everyone to participate in, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project tends to be research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and their money. The project is community driven and open to everyone to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use, and describes how certain permissions can be misused. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user.<br />
* Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all applications and system services (WiFi, network, Bluetooth) with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature allows the user to make outgoing calls and send SMS normally, but blocks outgoing calls and reports outgoing SMS performed by Trojan applications.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range it can sound an alarm or start sending messages with its location to a defined number.<br />
* Remote location. If the user loses their phone, they can send it an SMS containing a defined secret code and the phone will reply with its location coordinates.<br />
* Remote lock and lock<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps the user secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
Kartik Kholi [mailto:kartik.kholi@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (28.8.2016) A new version of OWASP Seraphimdroid is released on the [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play store]. A blog post about the new features can be [http://inspiratron.org/blog/2016/08/28/educational-framework-added-to-owasp-seraphimdroid/ read here]<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on the [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play store]. A blog post about the new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating in the [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of Libre!, a Serbian online magazine about open source, which also published an interview with the project leader. Issue 29 of Libre!, where the interview was published, can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play]. A blog post about its features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) An article about malicious use of Android permissions was published by Digital Forensics magazine. The paper is a result of research conducted in the OWASP Seraphimdroid project. The article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect users' privacy and secure the device against malicious features and threats<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows a list of all installed applications and the permissions they use, and describes the potential malicious use of certain permissions. Seraphimdroid also uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently we use an SVM (SMO) model trained on the M0Droid malware/goodware dataset, which achieved 88% accuracy. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature lets the user lock the use of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can block all install and uninstall actions on your device. Useful for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if the content looks like phishing.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if an application is trying to send SMS. This is the usual way malware authors make money: by sending premium-rate SMS messages.<br />
* Outgoing call blocker. This feature lets you place outgoing calls normally but blocks outgoing calls initiated by other installed applications. As with outgoing SMS, this is a scenario malware authors use to make money.<br />
* Geo-fencing. This feature lets the user set a location range within which the device should stay. If the device leaves the range, it can sound an alarm or start sending messages with its location to a defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to make sure it is the owner of the device who is changing it. Useful for theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a defined secret code, and your phone will reply with its location coordinates. <br />
* Remote lock. Similarly, you may lock your device with a message containing the secret code.<br />
* Remote wipe. If your phone is stolen, you may send a message containing the secret code to wipe all user data from the phone.<br />
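<br />
The remote location, lock and wipe commands above are authenticated by nothing but the secret code in the SMS body, so how the app stores and checks that code decides whether a thief who reads the phone's storage, or guesses, can wipe it. The following is an added example and not code from OWASP Seraphimdroid. It assumes an invented message format of "COMMAND secret", stores only a salted PBKDF2 hash of the secret (never the secret itself), compares the hash in constant time, locks a sender out after three wrong codes, never replies to a rejected command (a "wrong code" reply would tell a thief the feature is installed), and accepts the destructive WIPE only from an optional allow-listed number. The location provider and the lock and wipe actions are stand-ins for the platform calls the app would make.<br />

```python
"""Added example (not OWASP Seraphimdroid code): authenticating the SMS commands
behind the "remote location / lock / wipe" features.

Assumptions, all invented for this illustration: a command SMS has the form
"<COMMAND> <secret>", the secret is enrolled once on the device and only a
salted PBKDF2 hash of it is stored, and the platform-specific actions (reading
the GPS fix, locking the screen, wiping) are injected as callables.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

COMMANDS = ("LOCATE", "LOCK", "WIPE")
MAX_FAILURES = 3            # per-sender lockout after this many wrong secrets
PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class SecretRecord:
    """What is persisted on the device: salt and hash, never the secret."""
    salt: bytes
    digest: bytes
    iterations: int = PBKDF2_ITERATIONS


def enroll_secret(secret: str, salt: Optional[bytes] = None) -> SecretRecord:
    """Hash the user-chosen secret with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return SecretRecord(salt=salt, digest=digest)


def verify_secret(record: SecretRecord, candidate: str) -> bool:
    """Constant-time comparison: a wrong secret leaks nothing through timing."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record.salt, record.iterations)
    return hmac.compare_digest(digest, record.digest)


@dataclass
class RemoteCommandHandler:
    record: SecretRecord
    get_location: Callable[[], Tuple[float, float]]   # stand-in for the GPS fix
    trusted_sender: Optional[str] = None               # if set, WIPE only from this number
    failures: Dict[str, int] = field(default_factory=dict)

    def handle_sms(self, sender: str, body: str) -> Tuple[str, Optional[str]]:
        """Return (action, reply_text). action is "IGNORE" for anything that is not a
        valid, authenticated command; an ignored SMS gets no reply at all."""
        if self.failures.get(sender, 0) >= MAX_FAILURES:
            return "IGNORE", None                    # sender is locked out
        parts = body.strip().split(maxsplit=1)
        if len(parts) != 2 or parts[0].upper() not in COMMANDS:
            return "IGNORE", None                    # ordinary SMS, not a command
        command, secret = parts[0].upper(), parts[1].strip()
        if not verify_secret(self.record, secret):
            self.failures[sender] = self.failures.get(sender, 0) + 1
            return "IGNORE", None                    # silent on a wrong code
        self.failures.pop(sender, None)
        if command == "WIPE" and self.trusted_sender and sender != self.trusted_sender:
            return "IGNORE", None                    # destructive: needs the allow-listed number too
        if command == "LOCATE":
            lat, lon = self.get_location()
            return "LOCATE", f"{lat:.4f},{lon:.4f}"  # reply goes back to `sender`
        if command == "LOCK":
            return "LOCK", "Device locked"
        return "WIPE", "Wiping user data"


if __name__ == "__main__":
    # Constructed demo: the owner's number is allow-listed, another phone tries WIPE.
    handler = RemoteCommandHandler(
        enroll_secret("correct horse"),
        get_location=lambda: (44.8176, 20.4569),
        trusted_sender="+381600000001",
    )
    print(handler.handle_sms("+381600000002", "LOCATE correct horse"))
    print(handler.handle_sms("+381600000002", "WIPE correct horse"))
    print(handler.handle_sms("+381600000001", "WIPE correct horse"))
```

The secret still travels in a cleartext SMS and sender numbers can be spoofed, so the lockout and the allow-list limit guessing and accidental wipes rather than stop an attacker who has already seen the code; that is an inherent limit of SMS-driven anti-theft and is worth stating in the app's educational material.<br />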
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, Trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also lets users protect their privacy and control the use of applications and services via various kinds of locks. <br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users, who have no advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, third-year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed below, but we encourage you to send us your own ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app that can already analyze apps statically for malware using machine learning (Weka toolkit) based on their permissions. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
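<br />
What the static, permission-based stage does before any classifier runs is mechanical: pull the declared permissions out of the package, map them onto a fixed vocabulary so that every app yields a feature vector of the same length (the input an SVM like the one described on the Features tab consumes), and match known abuse combinations so they can be explained to the user. The following is an added example, not code from OWASP Seraphimdroid and not its trained model; the abuse patterns, their weights, the vocabulary and the sample dump are constructed for illustration, while the parser reads the real line format printed by "aapt dump permissions" for an APK.<br />

```python
"""Added example (not OWASP Seraphimdroid code or its trained model): the static,
permission-based triage a permission scanner performs before any classifier runs.

The parser reads the output of `aapt dump permissions <apk>`; the abuse patterns,
weights, vocabulary and the sample dump below are constructed for illustration.
"""
import re
from typing import Iterable, List, Set, Tuple

# Fixed vocabulary so every app maps to a feature vector of the same length,
# which is what a permission-based classifier (e.g. an SVM) consumes.
PERMISSION_VOCABULARY: List[str] = [
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
]

# (permissions that must all be declared, explanation shown to the user, weight)
ABUSE_PATTERNS: List[Tuple[Set[str], str, int]] = [
    ({"android.permission.SEND_SMS"},
     "can send SMS silently, including to premium-rate numbers that cost you money", 3),
    ({"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
     "can read incoming SMS, e.g. intercept one-time passcodes", 3),
    ({"android.permission.CALL_PHONE"},
     "can place calls without user interaction, including to premium-rate numbers", 2),
    ({"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
     "can read your contacts and upload them", 2),
    ({"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"},
     "can track your precise location and upload it", 2),
    ({"android.permission.RECORD_AUDIO", "android.permission.INTERNET"},
     "can record audio and upload it", 3),
    ({"android.permission.RECEIVE_BOOT_COMPLETED"},
     "can start itself at boot and stay resident in the background", 1),
]

# Matches both "uses-permission: name='...'" (newer aapt) and "uses-permission:'...'" (older aapt).
_AAPT_LINE = re.compile(r"uses-permission:\s*(?:name=)?'([^']+)'")


def parse_aapt_permissions(dump: str) -> Set[str]:
    """Extract the declared permissions from `aapt dump permissions` output."""
    return set(_AAPT_LINE.findall(dump))


def feature_vector(permissions: Iterable[str]) -> List[int]:
    """Binary presence vector over PERMISSION_VOCABULARY, in vocabulary order."""
    declared = set(permissions)
    return [1 if p in declared else 0 for p in PERMISSION_VOCABULARY]


def explain(permissions: Iterable[str]) -> List[Tuple[str, int]]:
    """Every abuse pattern fully covered by the declared permissions, with its weight."""
    declared = set(permissions)
    return [(text, weight) for needed, text, weight in ABUSE_PATTERNS if needed <= declared]


def risk_score(permissions: Iterable[str]) -> int:
    """Sum of the weights of all matched patterns (constructed scale, not the project's)."""
    return sum(weight for _, weight in explain(permissions))


# Constructed sample: what `aapt dump permissions` prints for a hypothetical
# "flashlight" app that declares far more than a flashlight needs.
SAMPLE_DUMP = """package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

if __name__ == "__main__":
    perms = parse_aapt_permissions(SAMPLE_DUMP)
    print("features:", feature_vector(perms))
    print("score:", risk_score(perms))
    for text, weight in explain(perms):
        print(f"  [{weight}] this app {text}")
```

Two caveats a practitioner should keep in mind. A declared permission is not necessarily a granted one on Android 6.0 and later, where dangerous permissions are granted at runtime (adb shell dumpsys package followed by the package name lists each one with granted=true or false), and a legitimate messaging app trips the SMS rules exactly as a premium-SMS Trojan does. Both are reasons a permission-only model plateaus, and why the behavioral analysis proposed here is the natural next step.<br />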
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. Integrating external components into an Android app may be a challenge: how the GUI is presented and how the processes integrate need to be examined and developed. Since a plugin would effectively run with the host app's permissions (including SMS and call access), the design also has to cover how plugins are verified before they are loaded. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party components can be integrated into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and the API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for ordinary users, where, by using the application, users learn about risks to their privacy and security. Some components already carry some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor the user's behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that warns the user about risks when they do something risky. A mobile security knowledge base that can be updated remotely would also be a big new asset for the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop a web server from which the knowledge base can be updated; updates should be fetched over TLS and signed, since an unauthenticated update channel would let an attacker feed users false security advice<br />
* Improve the current educational reporting<br />
* Develop a methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===The current priorities of SeraphimDroid are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, third-year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed in the Project/Feature ideas section, but we encourage you to send us your own ideas as well. '''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, and new anti-theft approaches<br />
* Just let us know what, as a user, you would like to see added or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as an extensible platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while browsing<br />
* Advanced behavioral and machine-learning-based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=224874OWASP SeraphimDroid Project2017-01-10T11:33:36Z<p>Nikola Milosevic: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Lab_big.jpg|link=OWASP_Project_Stages#tab=Lab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect user's privacy and secure the device against malicious features that may cost user money<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are more exposed to the attacks. From the open WiFi networks that can be spoofed to the Trojan malware applications on the app stores, threats are everywhere around. Many of the attacks are successful because users are not aware of the risks and threats. They may act naive and expose themselves to the attacks even more. These attacks may lead to the identity theft, money theft, losing privacy or they devices may start acting as part of the botnet network.<br />
<br />
In order to prevent attacks on the users, this project aims to develop a set of guidelines and application that will ensure that users are using their devices in a secure manner. Project is and always will remain open for everyone to participate and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of Android operating system. We want to develop, as a community an free and open source security and privacy protection application and a set of security guideline for Android users. The project tend to be research oriented and we are willing to innovate in Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and money. The project is community driven and everyone is open to participate. The main aim of OWASP SeraphimDroid application should keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user. <br />
* Application and service locker. With OWASP Seraphimdroid, user may lock access to certain or to all of your applications and system services (WiFi, network, BlueTooth) with password<br />
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature will allow user to perform normally outgoing calls and SMS, but it will block outgoing calls and inform about outgoing SMS performed by trojan applications.<br />
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.<br />
* Remote location. If user lost your phone, he is able to send SMS with a defined secret code as a content and his phone and it will reply with the location coordinates of the device. <br />
* Remote lock and lock<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps user secure and teaches him about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented in OWASP Serbia local chapter on april 2015 meeting.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
Kartik Kholi [mailto:kartik.kholi@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (28.8.2016) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/blog/2016/08/28/educational-framework-added-to-owasp-seraphimdroid/ read here]<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on a front page and interview with a project leader was published in Libre!, Serbian online magazine about open source. Issue 29 of the Libre! magazine, where the interview was published can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seaphimdroid was released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. Blog post about features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Searaphimdroid participates on [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) Article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on OWASP Seraphimdroid project. Article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect user's privacy and secure the device against malicious features and threats<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user. Currently, we use SVM/SMO model trained on M0Droid malware/goodware dataset, which performed with accuracy of 88%. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to certain or to all of your application with password<br />
* Service locker. This feature enables user to lock usage of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature will scan all incoming messages and alert user if it find in the content potential phishing<br />
* Outgoing SMS scanner. The application will monitor outgoing SMS and alert user if the some of the application is trying to send SMS. This is the usual scenario how malware creators earn money - by sending premium SMS messages.<br />
* Outgoing call blocker. This feature will allow you to perform normally outgoing calls, but it will block outgoing calls performed by other installed applications. Similarly to outgoing SMSes, this is the scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.<br />
* SIM change detector. Ask password when SIM card is changed in order to assure that the owner of the device is changing SIM card. Perfect for theft protection.<br />
* Remote location. If you lost your phone, you'll be able to send SMS with a defined secret code as a content and your phone will reply with the location coordinates of the device. <br />
* Remote lock. Similarly, you may lock your device using a message with secret code<br />
* Remote wipe. If your phone is stolen, you may send a message with secret code and wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
; Q2: '''Does it requires device root access?'''<br />
: A2: No. The application is designed in order to protect usual users, without any advanced skills (i.e. rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and University lecturers to contribute to the projects. We would like to encourage any BSc, 3rd year or master project ideas that would improve Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. At the end of the page are listed some of the potential project ideas, but we encourage you to send us your ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app. The initial idea of the project was to provide educational platform for common users, where by using the application, users can learn about risks for their privacy and security. Some components already has some sort of explanation, which is educational. However, it lacks of uneatable knowledge source and some of the components that monitor user's behavior do not provide sufficient information. Idea of this project is to develop monitoring of user activity and an component that can warn user about risks if he does something risky. Also, mobile security knowledge base that can be updated remotely will be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop uneatable knowledge base and GUI for it<br />
* Develop web server where the knowledge base can be updated<br />
* Improve current educational reporting<br />
* Develop methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===As of SeraphimDroid, the priorities are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, third-year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your own ideas as well.'''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Just let us know what, as a user, you would like to see added or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as an extensible platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while browsing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute, please contact the project leader, Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>
Nikola Milosevic
https://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=224873
OWASP SeraphimDroid Project, 2017-01-10T11:33:11Z
<p>Nikola Milosevic: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Lab_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect the user's privacy and secure the device against malicious features that may cost the user money<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost constantly connected to the internet and other mobile networks, they are more exposed to attacks. From open WiFi networks that can be spoofed to Trojan applications on app stores, threats are everywhere. Many attacks succeed because users are not aware of the risks and threats; they may act naively and expose themselves to attacks even more. These attacks may lead to identity theft, financial theft or loss of privacy, or the devices may start acting as part of a botnet.<br />
<br />
In order to prevent attacks on users, this project aims to develop a set of guidelines and an application that will ensure users use their devices securely. The project is and always will remain open for everyone to participate in, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research the threats and risks facing users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project is research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other techniques in order to protect our users, their privacy and their money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner shows a list of all installed applications and the permissions they use. The app also describes potential malicious uses of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. <br />
* Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all of their applications and system services (WiFi, network, Bluetooth) with a password.<br />
* Install lock. This feature can block all install and uninstall actions on your device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature allows the user to make outgoing calls and send SMS normally, but blocks outgoing calls and reports outgoing SMS initiated by Trojan applications.<br />
* Geo-fencing. This feature allows the user to set a location range within which the device should stay. If the device leaves the range, it can sound an alarm or start sending messages with its location to a defined number.<br />
* Remote location. If the user loses their phone, they can send it an SMS containing a defined secret code, and the phone will reply with the device's location coordinates. <br />
* Remote lock and wipe<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Android security application<br />
* An application that keeps the user secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
Kartik Kholi [mailto:kartik.kholi@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about Android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (28.8.2016) A new version (v2.0) of OWASP Seraphimdroid has been released on the [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play store]. A blog post about the new features can be [http://inspiratron.org/blog/2016/08/28/educational-framework-added-to-owasp-seraphimdroid/ read here]<br />
* (6.9.2015) A new version (v2.0) of OWASP Seraphimdroid has been released on the [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play store]. A blog post about the new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating in the [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of Libre!, a Serbian online magazine about open source, and an interview with the project leader was published there. Issue 29 of Libre!, in which the interview appeared, can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play]. A blog post about the features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) An article about malicious use of Android permissions was published by Digital Forensics magazine. The paper was a result of research conducted within the OWASP Seraphimdroid project. The article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect the user's privacy and secure the device against malicious features and threats<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows a list of all installed applications and the permissions they use. The app also describes potential malicious uses of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently, we use an SVM (SMO) model trained on the M0Droid malware/goodware dataset, which achieved an accuracy of 88%. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature enables the user to lock the use of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can block all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing content.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if some application is trying to send SMS. This is the usual way malware creators earn money: by sending premium-rate SMS messages.<br />
* Outgoing call blocker. This feature allows you to make outgoing calls normally, but blocks outgoing calls initiated by other installed applications. As with outgoing SMS, this is a scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range within which the device should stay. If the device leaves the range, it can sound an alarm or start sending messages with its location to a defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to ensure that it is the device's owner who is changing the SIM card. Useful for theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a defined secret code, and the phone will reply with the device's location coordinates. <br />
* Remote lock. Similarly, you may lock your device using a message with the secret code.<br />
* Remote wipe. If your phone is stolen, you may send a message with the secret code to wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks. <br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users without advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, third-year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your own ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app that already has the capability to statically analyse malware using machine learning (the Weka toolkit) based on requested permissions. However, this is usually not enough, and we intend to improve it with behavioural analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analysing their behaviour (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and to implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach in a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. How the GUI is presented and how integration between processes works need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party apps can be integrated into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for ordinary users, who learn about risks to their privacy and security by using the application. Some components already include some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor the user's behaviour do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn the user about risks when they do something risky. A mobile security knowledge base that can be updated remotely would also be a major new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop a web server through which the knowledge base can be updated<br />
* Improve the current educational reporting<br />
* Develop a methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===Current SeraphimDroid priorities:===<br />
* MVP development of an Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, third-year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your own ideas as well.'''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Just let us know what, as a user, you would like to see added or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as an extensible platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while browsing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute, please contact the project leader, Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>
Nikola Milosevic
https://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=220820
OWASP SeraphimDroid Project, 2016-08-28T18:00:40Z
<p>Nikola Milosevic: /* News and Events */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect user's privacy and secure the device against malicious features that may cost user money<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are more exposed to the attacks. From the open WiFi networks that can be spoofed to the Trojan malware applications on the app stores, threats are everywhere around. Many of the attacks are successful because users are not aware of the risks and threats. They may act naive and expose themselves to the attacks even more. These attacks may lead to the identity theft, money theft, losing privacy or they devices may start acting as part of the botnet network.<br />
<br />
In order to prevent attacks on the users, this project aims to develop a set of guidelines and application that will ensure that users are using their devices in a secure manner. Project is and always will remain open for everyone to participate and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of Android operating system. We want to develop, as a community an free and open source security and privacy protection application and a set of security guideline for Android users. The project tend to be research oriented and we are willing to innovate in Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and money. The project is community driven and everyone is open to participate. The main aim of OWASP SeraphimDroid application should keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user. <br />
* Application and service locker. With OWASP Seraphimdroid, user may lock access to certain or to all of your applications and system services (WiFi, network, BlueTooth) with password<br />
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature will allow user to perform normally outgoing calls and SMS, but it will block outgoing calls and inform about outgoing SMS performed by trojan applications.<br />
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.<br />
* Remote location. If user lost your phone, he is able to send SMS with a defined secret code as a content and his phone and it will reply with the location coordinates of the device. <br />
* Remote lock and lock<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps user secure and teaches him about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented in OWASP Serbia local chapter on april 2015 meeting.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
Kartik Kholi [mailto:kartik.kholi@owasp.org]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (28.8.2016) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/blog/2016/08/28/educational-framework-added-to-owasp-seraphimdroid/ read here]<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on a front page and interview with a project leader was published in Libre!, Serbian online magazine about open source. Issue 29 of the Libre! magazine, where the interview was published can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seaphimdroid was released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. Blog post about features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Searaphimdroid participates on [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) Article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on OWASP Seraphimdroid project. Article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect user's privacy and secure the device against malicious features and threats<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows you the list of all installed applications and the permissions they use. The app also describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently, we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which achieved an accuracy of 88%.<br />
* Application locker. With OWASP Seraphimdroid, you can lock access to certain or all of your applications with a password.<br />
* Service locker. This feature enables the user to lock usage of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing in the content.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if any application tries to send an SMS. This is the usual way malware creators earn money: by sending premium SMS messages.<br />
* Outgoing call blocker. This feature allows you to make outgoing calls normally, but blocks outgoing calls made by other installed applications. Similarly to outgoing SMS, this is a scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may set off an alarm or start sending messages with its location to the defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to ensure that it is the owner of the device who is changing the SIM card. Perfect for theft protection.<br />
* Remote location. If you lose your phone, you can send an SMS with a defined secret code as its content and your phone will reply with the location coordinates of the device.<br />
* Remote lock. Similarly, you can lock your device using a message with the secret code.<br />
* Remote wipe. If your phone is stolen, you can send a message with the secret code and wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks.<br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users without advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, 3rd year or master's project ideas that would improve the Seraphimdroid app. The project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your own ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (Weka toolkit), relying on permissions. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and to implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement, and possibly improve, the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components that the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way the GUI is presented and the integration between processes need to be examined and developed.<br />
<br />
'''Expected Results:'''<br />
<br />
* Examine ways of integrating third-party apps into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and the API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for common users, where, by using the application, users can learn about risks to their privacy and security. Some components already have some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor the user's behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn users about risks when they do something risky. A mobile security knowledge base that can be updated remotely would also be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop a web server from which the knowledge base can be updated<br />
* Improve the current educational reporting<br />
* Develop a methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===The current priorities for SeraphimDroid are:===<br />
* MVP development of an Android security application with educational content<br />
* Documenting the approaches taken during development<br />
* Trying to publish papers on the work<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, 3rd year or master's project ideas that would improve the Seraphimdroid app. The project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your own ideas as well.'''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design the logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, and new anti-theft approaches<br />
* Just let us know what, as a user, you would like to see added or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as an extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while browsing<br />
* Advanced behavioral and machine-learning-based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute, please contact the project leader, Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=217293Manchester2016-05-23T11:46:39Z<p>Nikola Milosevic: </p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date''': Thursday, 16th June 2016, 18:00<br />
<br />
'''Location''': Spaceport, 26 1st floor, 24 Lever St, Manchester M1 1DZ<br />
<br />
'''Registration''': Tickets are available [https://www.eventbrite.co.uk/e/owasp-manchester-meeting-16th-june-2016-tickets-25550865326 via Eventbrite]<br />
<br />
'''Event sponsors''': [http://avecto.com Avecto]<br />
<br />
'''Presentations:'''<br />
<br />
'''Dr. Ali Dehghantanha - Digital Forensics: The Missing Piece of the Internet of Things Promise''' <br />
<br />
'''Abstract:''' Every new device we create, every sensor we deploy, every byte we synchronize to other locations will at some point come under scrutiny in the course of investigations and legal matters. Yet no reliable forensics applications nor digital forensics guidance exist to retrieve the data from IoT devices in the event of a cyber event, an active investigation or a litigation request. The digital forensics of Internet of Things (IoT) technologies is the missing conversation in our headlong rush to the promise of connecting every device on the planet. This presentation discusses the issues and the importance of further development in this field and elaborates on how forensics practitioners, device manufacturers and legal authorities could share the efforts and minimise this gap.<br />
<br />
'''Speaker's Bio:''' Dr. Ali Dehghantanha is a Marie Curie International Incoming Fellow in Cyber Forensics and has served for many years in a variety of research and industrial positions. Besides a Ph.D. in Cyber Security, he holds many professional certificates such as GREM, CISM, CISSP, and CCFP. He has served as an expert witness, cyber forensics analyst and malware researcher with leading players in Cyber-Security and E-Commerce. Additional information can be found at http://alid.info<br />
<br />
<br />
<br />
<br />
Please email the list if you want to speak.<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
= Past Events =<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
* Joe Carter<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [https://northernuksecuritygroup.wordpress.com/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Gold Chapter sponsor: [[Image:Veracode-sponsor.jpg]]<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=217107Manchester2016-05-19T14:00:13Z<p>Nikola Milosevic: /* Local Organizations */</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date''': Thursday, 16th June 2016, 18:00<br />
<br />
'''Location''': Spaceport, 26 1st floor, 24 Lever St, Manchester M1 1DZ<br />
<br />
'''Registration''': Tickets are available [https://www.eventbrite.co.uk/e/owasp-manchester-meeting-16th-june-2016-tickets-25550865326 via Eventbrite]<br />
<br />
'''Event sponsors''': [http://avecto.com Avecto]<br />
<br />
<br />
Please email the list if you want to speak.<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
= Past Events =<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
* Joe Carter<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [https://northernuksecuritygroup.wordpress.com/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Gold Chapter sponsor: [[Image:Veracode-sponsor.jpg]]<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=217106Manchester2016-05-19T13:55:44Z<p>Nikola Milosevic: /* Local Organizations */</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date''': Thursday, 16th June 2016, 18:00<br />
<br />
'''Location''': Spaceport, 26 1st floor, 24 Lever St, Manchester M1 1DZ<br />
<br />
'''Registration''': Tickets are available [https://www.eventbrite.co.uk/e/owasp-manchester-meeting-16th-june-2016-tickets-25550865326 via Eventbrite]<br />
<br />
'''Event sponsors''': [http://avecto.com Avecto]<br />
<br />
<br />
Please email the list if you want to speak.<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
= Past Events =<br />
<br />
'''2016 Dates'''<br />
<br />
[[2016_03_17_Manchester|17th March]]<br />
<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_11_17_Manchester|12th November]]<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
* Joe Carter<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [http://nuksg.org/ Northern UK Security Group]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
== Chapter Sponsors ==<br />
Thank you to our Gold Chapter sponsor: [[Image:Veracode-sponsor.jpg]]<br />
<br />
<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=210960Manchester2016-03-11T13:21:53Z<p>Nikola Milosevic: </p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date:''' Thursday, 17th March 2015, 18:00<br />
<br />
'''Location:''' Spaceport, 26 1st floor, 24 Lever St, Manchester M1 1DZ<br />
<br />
'''Registration:''' https://www.eventbrite.co.uk/e/owasp-manchester-meeting-17th-march-tickets-22527547501<br />
<br />
'''Event sponsors:''' [http://avecto.com Avecto]<br />
<br />
==Speakers==<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Turning over a new Leaf – How the world’s bestselling electric car, the Nissan Leaf, can be accessed remotely to activate the climate control and spy on details of the driver’s journeys simply by knowing or guessing the VIN of the vehicle. This may seem like a harmless prank but could be used to void warranties or drain batteries remotely; with Nissan looking to add GPS tracking to the vehicles, this issue could have become a whole lot worse.<br />
<br />
''Speaker bio:''<br />
Scott is a Pen Tester by day and runs several well-known security sites and blogs by night including report-uri.io, securityheaders.io and scotthelme.co.uk.<br />
<br />
* '''Julian Horoszkiewicz'''<br />
<br />
''Abstract:''<br />
Blind detection of path traversal-vulnerable file uploads - Presentation of an experimental web penetration testing technique, aiming at detection of path traversal issues in file upload implementations, with zero knowledge about the remote directory structure.<br />
<br />
''Speaker bio:''<br />
Julian Horoszkiewicz, IT Security Consultant at Pentest Ltd, OSCP, open source and security enthusiast, recently focused on methodology<br />
<br />
<br />
<br />
Please email the list if you want to speak.<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
== November Meeting ==<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' TBA <br />
<br />
<br />
===Speakers===<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with the aim of protecting users from these threats by giving them the right tools in the form of a mobile application and educating them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of the [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Bennetts|Simon Bennetts]]<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [http://nuksg.org/ Northern UK Security Group]<br />
* [http://nwdc.org.uk/ North West Digital Communities (NWDC)]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=210352Manchester2016-03-03T11:06:45Z<p>Nikola Milosevic: </p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date:''' Thursday, 17th March 2016, 18:00<br />
<br />
'''Location:''' Spaceport, 1st floor, 24-26 Lever St, Manchester M1 1DZ<br />
<br />
'''Registration:''' https://www.eventbrite.co.uk/e/owasp-manchester-meeting-17th-march-tickets-22527547501<br />
<br />
'''Event sponsors:''' [http://avecto.com Avecto]<br />
<br />
==Speakers==<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Turning over a new Leaf: how the world's bestselling electric car, the Nissan Leaf, can be accessed remotely to activate the climate control and spy on details of the driver's journeys simply by knowing or guessing the VIN of the vehicle. This may seem like a harmless prank, but it could be used to void warranties or drain batteries remotely; with Nissan looking to add GPS tracking to the vehicles, this issue could have become a whole lot worse.<br />
<br />
''Speaker bio:''<br />
Scott is a Pen Tester by day and runs several well-known security sites and blogs by night including report-uri.io, securityheaders.io and scotthelme.co.uk.<br />
<br />
<br />
Please email the list if you want to speak<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
== November Meeting ==<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' TBA <br />
<br />
<br />
===Speakers===<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost always connected to the internet and other mobile networks, they are constantly exposed to attack, and users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project whose aim is to protect users from these threats by giving them the right tools, in the form of a mobile application, and to educate them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of the [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP Serbia chapter in 2012. He is currently doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Bennetts|Simon Bennetts]]<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [http://nuksg.org/ Northern UK Security Group]<br />
* [http://nwdc.org.uk/ North West Digital Communities (NWDC)]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=GSOC2016_Ideas&diff=209089GSOC2016 Ideas2016-02-17T11:23:27Z<p>Nikola Milosevic: /* OWASP Seraphimdroid */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or IRC channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge of web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderful 2014 GSoC with 100 new challenges and a couple of new plugins, we're mainly looking to get new features in and maybe a couple of challenges. Below is a list of proposed features.<br />
<br />
=== REST API for the sandbox ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
During the last summer code sprint Hackademic got challenge sandboxing in the form of Vagrant and Docker wrappers, as well as an engine to start and stop the container or VM instances.<br />
What is needed now is a REST API, with endpoint authentication and authorization, which makes the sandbox engine completely independent from the rest of the project.<br />
<br />
Ideas on the project:<br />
Since the sandbox is written in Python, you can use a microframework such as Flask to implement the API.<br />
Endpoint authorization can be done via client certificates, request signatures, or username/password authentication.<br />
In every case, the communication between the two components has to go over a secure channel (TLS).<br />
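The "request signature" option above, as an added example that is not Hackademic code: each call to the sandbox engine carries an HMAC over the method, path, timestamp, nonce and body, and the engine refuses anything stale, replayed, tampered with or signed by an unknown key. It is written without Flask so it runs stand-alone; the header names, key id, canonical string layout and the shared secret are this example's own assumptions.

```python
"""Added example (not Hackademic code): HMAC-signed requests for the
sandbox control API, written without Flask so it runs stand-alone.
Header names, key id, canonical string layout and the shared secret
below are this example's own assumptions.
"""
import hashlib
import hmac
import secrets
import time

# Constructed shared secret; a real deployment provisions one per client.
CLIENT_KEYS = {"sandbox-ctl": b"example-shared-secret-not-for-production"}
MAX_SKEW_SECONDS = 300  # how old a signed request may be before it is refused


def canonical_string(method, path, timestamp, nonce, body):
    """Bind every security-relevant part of the request into the MAC input."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key_id, method, path, body, now=None):
    """Client side: return the headers that carry the signature."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    mac = hmac.new(CLIENT_KEYS[key_id],
                   canonical_string(method, path, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Server side: refuses unknown keys, stale timestamps, replayed nonces
    and anything whose MAC does not match the request actually received."""

    def __init__(self, keys=CLIENT_KEYS):
        self.keys = keys
        self.seen_nonces = {}  # nonce -> timestamp, pruned once outside the window

    def verify(self, method, path, headers, body, now=None):
        now = time.time() if now is None else now
        key = self.keys.get(headers.get("X-Key-Id"))
        if key is None:
            return False, "unknown key id"
        try:
            timestamp = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        nonce = headers.get("X-Nonce", "")
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= MAX_SKEW_SECONDS}
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(key, canonical_string(method, path, timestamp, nonce, body),
                            hashlib.sha256).hexdigest()
        # compare_digest is constant-time, so timing does not leak the MAC prefix.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces[nonce] = timestamp  # only accepted requests burn a nonce
        return True, "ok"


def demo():
    """Walk one verifier through the accept / replay / tamper / stale cases."""
    v = Verifier()
    path, t0 = "/sandbox/instances", 1_700_000_000
    body = b'{"action": "start", "challenge": "demo-1"}'
    good = sign_request("sandbox-ctl", "POST", path, body, now=t0)
    accepted = v.verify("POST", path, good, body, now=t0 + 10)[1]
    replayed = v.verify("POST", path, good, body, now=t0 + 20)[1]
    fresh = sign_request("sandbox-ctl", "POST", path, body, now=t0)
    tampered = v.verify("POST", path, fresh, body.replace(b"start", b"stop"), now=t0 + 10)[1]
    old = sign_request("sandbox-ctl", "POST", path, body, now=t0 - 3600)
    stale = v.verify("POST", path, old, body, now=t0)[1]
    return accepted, replayed, tampered, stale


if __name__ == "__main__":
    print(demo())  # ('ok', 'replayed nonce', 'bad signature', 'stale timestamp')
```

The signature gives authentication and replay protection only; it does not hide the body, so the TLS requirement stands. If both components can manage certificates, mutual TLS (client certificates) achieves the same with less custom code and no shared secret to rotate.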
<br />
'''Expected Results:'''<br />
* A REST-style API which allows an authenticated remote entity to control the sandbox engine.<br />
* PEP8 compliant code<br />
* Acceptable unit test coverage<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Python, test-driven development, some idea of what REST is; some security knowledge would be preferable.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== New CMS ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The CMS part of the project is really old and has accumulated a significant amount of technical debt.<br />
In addition many design decisions are either outdated or could be improved. <br />
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.<br />
The new CMS can be written in PHP or Python using whatever components we agree are necessary, based on the framework we agree on.<br />
<br />
'''Expected Results:'''<br />
* New CMS with the same functionality as the old one: 3 types of users (student, teacher, admin), 3 types of resources (article, challenge, class), ACL-type permissions, CRUD operations on every resource/user, and all functionality extensible by plugins.<br />
* REST endpoints in addition to classic ones<br />
* tests covering all routes implemented<br />
* PSR / PEP 8 compliant code<br />
<br />
''' Note: '''<br />
This is a huge project; it is OK if the student implements only a part of it. However, whatever is implemented must be up to spec.<br />
If you decide to take on this project, contact us and we can agree on a list of routes.<br />
If you decide not to take on this project, contact us anyway.<br />
Generally: contact us. We like it when students have insightful questions and the community is active.<br />
<br />
'''Knowledge Prerequisites:'''<br />
Python or PHP, the framework suggested, what REST is, the technologies used; some security knowledge would be nice.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== First Course Type Challenge ===<br />
<br />
'''Brief Explanation:'''<br />
We have a wonderful sandbox engine which allows for complex guided challenges to be implemented.<br />
We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more about the subject matter on the way.<br />
This is a very open-ended project on purpose, to allow creative students to come up with nice ideas.<br />
Below you will find some examples that we thought might be interesting.<br />
<br />
Ideas on the project:<br />
* A purposefully vulnerable web page that guides the user via JavaScript tooltips and hints to exploiting it using ZAP (bonus: using ZAP via the ZAP API). The challenge is solved when the student submits the contents of a text file located on the disk (obtained by exploiting an RCE).<br />
<br />
* Reversing a provided binary to extract information, with step-by-step instructions for reversing using any popular reversing tool (well, you can't use IDA, so gdb will have to do). The challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary downloaded has different keys.<br />
<br />
* Guide to exploiting the TOP10. (Using ZAP?)<br />
<br />
* Defensive-type challenges: here's how to create a patch for this kind of vulnerability. The challenge is solved when the unit tests are run and the vulnerability isn't there.<br />
<br />
<br />
'''Expected Results:'''<br />
<br />
* One or more course-style challenges provided either as a Docker container or as a Vagrant box.<br />
* Concrete documentation on how to build a challenge like this.<br />
<br />
'''Knowledge Prerequisites:'''<br />
The technologies used.<br />
<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Advanced Sandboxed Challenges ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
In the spirit of the challenges above, we're looking for true CTF-type challenges.<br />
This is an open-ended task; we're expecting awesome fresh ideas.<br />
<br />
Ideas on the project:<br />
* An application vulnerable to one or more Top 10 issues.<br />
* A logic-flaw-based CTF<br />
* Your idea here<br />
<br />
'''Expected Results:'''<br />
Docker containers or Vagrant boxes that contain complete new challenges.<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
Knowledge of the technologies used<br />
<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Amazing students: in our experience the best, most creative and unique ideas show up when we let students suggest their own feature in relation to the project.<br />
The above should give you a general idea of where we're going, but don't let it constrain you.<br />
Do you want to do something that would fit into Hackademic? Send us an email!<br />
<br />
Ideas on the project:<br />
No idea; that's your turn to shine!<br />
<br />
'''Expected Results:'''<br />
If it's code, code according to our coding standards.<br />
If it's challenges, something new and interesting.<br />
If it's something else, then written like the person who's going to maintain your code is a raging psychopath with an axe who knows where you live.<br />
<br />
In short we'd like some quality. ;-)<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
== OWASP OWTF ==<br />
<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing Apache out of date or PHP out of date.<br />
<br />
Proposed solution:<br />
<br />
We can aggregate these duplicate issues into one issue, "outdated software / Apache / PHP detected", with the list of underlying issues inside it.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (think huge assessments), usable *both* from inside and outside of OWTF, in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which allows quick identification of unique vulnerabilities and deduplication.<br />
* Vulnerability table optimization: combining redundant vulnerabilities. For example, PHP < 5.1, PHP < 5.2 and PHP < 5.3 all suggest upgrading PHP, so if multiple such issues are reported they should be combined.<br />
* Integration with existing bug tracking systems such as Bugzilla or JIRA: this should not be too hard, as all such systems expose one method or another (a REST API or similar).<br />
* Fix validation: since we integrate with bug tracking, once the developer has fixed the bug and the code is deployed, we can run specific checks via OWTF or another tool (maybe a specific Nessus or Nexpose plugin or similar).<br />
* Management dashboard: could be exposed to pentesters and higher management, where stats are shown with fewer details but more of a high-level overview.<br />
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where no tool will do the job and you need to script something, or mess around with the command line (classic example: a sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests takes valuable time which the pentester might just not have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
# printf rather than echo: echo would append a newline that urlencode() turns into %0A<br />
PARAM1=$(printf '%s' 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(printf '%s' 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
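The "--output curl" path with the "--proxy" and transform-boundary ideas described above, as an added example that is not OWTF's translator: a stand-alone converter that parses a raw request, applies boundary-delimited transforms, and emits a curl command carrying every header exactly as given, suppressing the headers curl would otherwise add on its own. The transform names (urlencode, b64), the way curl's defaults are suppressed and the sample request are this example's own choices; the sample is constructed, not captured from any target.

```python
"""Added example (not OWTF's translator): a stand-alone raw-HTTP-request
to curl converter. Transform names, default-header suppression and the
sample request are this example's own choices; the sample is constructed.
"""
import base64
import re
import shlex
import urllib.parse

# curl adds these two unless told otherwise; "-H 'Name:'" removes them.
CURL_DEFAULT_HEADERS = ("User-Agent", "Accept")

TRANSFORMS = {
    "urlencode": lambda s: urllib.parse.quote(s, safe=""),
    "b64": lambda s: base64.b64encode(s.encode()).decode(),
}

# Constructed sample: transforms in the path, in a header and in the body.
SAMPLE_REQUEST = (
    "POST /path/to/urlencode@@@@@@@abc d@@@@@@@/test HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: X\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=b64@@@@@@@hello@@@@@@@\r\n"
    "\r\n"
    "q=1&note=urlencode@@@@@@@a&b@@@@@@@"
)


def apply_transforms(text, boundary):
    """Replace NAME<boundary>VALUE<boundary> with TRANSFORMS[NAME](VALUE)."""
    b = re.escape(boundary)
    pattern = re.compile(r"(\w+)" + b + r"(.*?)" + b, re.S)

    def substitute(match):
        name, value = match.group(1), match.group(2)
        if name not in TRANSFORMS:
            raise ValueError(f"unknown transform {name!r}")
        return TRANSFORMS[name](value)

    return pattern.sub(substitute, text)


def parse_raw_request(raw):
    """Split a raw request into (method, target, [(name, value), ...], body)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    method, target = lines[0].split()[:2]  # a request-target carries no raw spaces
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers, body


def to_curl(raw, proxy=None, boundary=None, scheme="http"):
    """Build a curl command that sends the request as literally as curl allows."""
    if boundary:
        raw = apply_transforms(raw, boundary)
    method, target, headers, body = parse_raw_request(raw)
    host = next((v for k, v in headers if k.lower() == "host"), None)
    if host is None:
        raise ValueError("raw request has no Host header")
    parts = ["curl", "-s", "-X", method]
    if proxy:
        parts += ["--proxy", proxy]  # e.g. 127.0.0.1:8080 for ZAP, Burp or OWTF
    for name, value in headers:
        parts += ["-H", f"{name}: {value}"]  # every header, exactly as given
    present = {k.lower() for k, _ in headers}
    for default in CURL_DEFAULT_HEADERS:
        if default.lower() not in present:
            parts += ["-H", f"{default}:"]  # stop curl adding its own value
    if body:
        parts += ["--data-binary", body]  # byte-for-byte, nothing stripped
    parts.append(f"{scheme}://{host}{target}")
    return " ".join(shlex.quote(p) for p in parts)


def demo():
    return to_curl(SAMPLE_REQUEST, proxy="127.0.0.1:8080", boundary="@@@@@@@")


if __name__ == "__main__":
    print(demo())
```

Two curl details matter for literalness: `--data-binary` rather than `-d` keeps the body unmodified, and a body that starts with `@` would be read by curl as a filename, so a production translator needs to special-case it (for instance by writing the body to a temporary file and passing `@file` deliberately).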
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look at for possible overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
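The three fingerprinting techniques listed above, tried in order of strength (exact hash, then the version banner inside the file, then file length as a last resort), plus the "version => vulnerabilities sorted by CVSS" lookup, as an added example that is not OWTF's tool. The "library database" is built from constructed sample files of a fictional library, and the advisory ids and scores are placeholders rather than real CVEs; function and field names are this example's own choices.

```python
"""Added example (not OWTF's tool): fingerprint a JavaScript file by exact
hash, by its version banner, or by length as a weak last resort, then map
the version to advisories sorted by CVSS. The corpus is constructed and the
advisory ids are placeholders, not real CVEs.
"""
import hashlib
import re

# Constructed corpus: (library, version, file contents). The third file is an
# "expanded" build of 1.1.0, so the two minified builds share one length.
SAMPLE_FILES = [
    ("examplelib", "1.0.0", "/*! examplelib v1.0.0 */\nfunction a(){return 1}\n"),
    ("examplelib", "1.1.0", "/*! examplelib v1.1.0 */\nfunction a(){return 2}\n"),
    ("examplelib", "1.1.0", "/*! examplelib v1.1.0 */\nfunction a() {\n  return 2;\n}\n"),
]

# Constructed advisories (placeholder ids): versions below fixed_in are affected.
ADVISORIES = {
    "examplelib": [
        {"id": "EXAMPLE-0002", "fixed_in": "1.2.0", "cvss": 4.3},
        {"id": "EXAMPLE-0001", "fixed_in": "1.1.0", "cvss": 7.5},
    ]
}

# Matches banners such as "/*! examplelib v1.0.0 */" at the top of a file.
VERSION_RE = re.compile(r"/\*!\s*(?P<lib>[A-Za-z][\w.-]*)\s+v(?P<ver>\d+(?:\.\d+)+)")


def version_key(version):
    """'1.10.2' -> (1, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def build_db(files):
    """Index files by SHA-256 (exact match) and by byte length (weak hint)."""
    db = {"sha256": {}, "length": {}}
    for lib, ver, content in files:
        data = content.encode()
        db["sha256"][hashlib.sha256(data).hexdigest()] = (lib, ver)
        db["length"].setdefault(len(data), set()).add((lib, ver))
    return db


DB = build_db(SAMPLE_FILES)


def fingerprint(data, db=DB):
    """Return (library, version, method) or None, strongest evidence first."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in db["sha256"]:
        lib, ver = db["sha256"][digest]
        return lib, ver, "sha256"
    banner = VERSION_RE.search(data.decode("utf-8", "replace"))
    if banner:  # file was edited or re-minified but kept its banner
        return banner.group("lib"), banner.group("ver"), "banner"
    candidates = db["length"].get(len(data), set())
    if len(candidates) == 1:  # lengths collide often: accept a single hit only
        (lib, ver), = candidates
        return lib, ver, "length"
    return None


def vulns_for(lib, ver):
    """Advisory ids affecting this version, highest CVSS first."""
    hits = [a for a in ADVISORIES.get(lib, [])
            if version_key(ver) < version_key(a["fixed_in"])]
    return [a["id"] for a in sorted(hits, key=lambda a: a["cvss"], reverse=True)]


def report(data, db=DB):
    """Fingerprint a file and attach its sorted advisory list (None if unknown)."""
    hit = fingerprint(data, db)
    if hit is None:
        return None
    lib, ver, method = hit
    return {"library": lib, "version": ver, "method": method, "vulns": vulns_for(lib, ver)}


if __name__ == "__main__":
    print(report(SAMPLE_FILES[0][2].encode()))
```

The `method` field is there so the report can say how much to trust the match: a hash hit is conclusive, a banner can be edited by whoever deployed the file, and a length-only hit is a guess that the "closest commit" search described above would have to confirm.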
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read and push transactions one by one instead of *stupidly* trying to load everything into memory first; you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be 10 GB, which is *stupid* to load into memory. This is OWTF; we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
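The read-one-push-one behaviour and the plugin-based uploader described above, as an added example that is not OWTF code: a generator parses a transaction log one line at a time and hands each finished transaction (request, status code, response headers, response body) to an uploader plugin before reading the next one, so memory is bounded by the largest transaction rather than the file. The log format is constructed for this example (request block, separator, response block); real tool outputs differ and each needs its own reader. The plugin and field names are this example's own choices.

```python
"""Added example (not OWTF code): a streaming reader for a log of HTTP
transactions plus a minimal uploader plugin interface. The log format is
constructed for this example; plugin and field names are its own choices.
"""
import io

TRANSACTION_SEP = "--- transaction ---"
RESPONSE_SEP = "--- response ---"

# Constructed sample log with two transactions against a fictional host.
SAMPLE_LOG = "\n".join([
    TRANSACTION_SEP,
    "GET /index.php?id=1 HTTP/1.1",
    "Host: target.example",
    "",
    RESPONSE_SEP,
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "",
    "<html>ok</html>",
    TRANSACTION_SEP,
    "GET /admin/ HTTP/1.1",
    "Host: target.example",
    "",
    RESPONSE_SEP,
    "HTTP/1.1 403 Forbidden",
    "Content-Type: text/plain",
    "",
    "Forbidden",
])


def _parse_response(lines):
    """Split response lines into (status code, header dict, body)."""
    if not lines:
        return None, {}, ""
    fields = lines[0].split(" ", 2)
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
    headers, i = {}, 1
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    body = "\n".join(lines[i + 1:]).rstrip("\n")
    return status, headers, body


def _finish(parts):
    """Turn the collected lines of one transaction into the four fields."""
    status, headers, body = _parse_response(parts["response"])
    return {"request": "\n".join(parts["request"]).strip(),
            "status": status, "headers": headers, "body": body}


def iter_transactions(stream):
    """Yield transactions one at a time; memory is bounded by the largest
    single transaction, never by the size of the file."""
    current, in_response = None, False
    for raw_line in stream:  # text streams iterate line by line
        line = raw_line.rstrip("\r\n")
        if line == TRANSACTION_SEP:
            if current is not None:
                yield _finish(current)
            current, in_response = {"request": [], "response": []}, False
        elif line == RESPONSE_SEP:
            in_response = True
        elif current is not None:
            current["response" if in_response else "request"].append(line)
    if current is not None:
        yield _finish(current)


class Uploader:
    """Plugin contract: one push() per transaction, nothing batched."""
    name = "base"

    def push(self, transaction):
        raise NotImplementedError


class CountingUploader(Uploader):
    """Stand-in for a database plugin: remembers only counts and status codes."""
    name = "counting"

    def __init__(self):
        self.count, self.status_codes = 0, []

    def push(self, transaction):
        self.count += 1
        self.status_codes.append(transaction["status"])


UPLOADERS = {CountingUploader.name: CountingUploader}


def upload(stream, uploader):
    """Drive the reader and hand each transaction to the plugin as it appears."""
    for transaction in iter_transactions(stream):
        uploader.push(transaction)
    return uploader


def read_all(text):
    """For tests and small inputs only: collects every transaction into a list."""
    return list(iter_transactions(io.StringIO(text)))


def demo():
    uploader = upload(io.StringIO(SAMPLE_LOG), UPLOADERS["counting"]())
    return uploader.count, uploader.status_codes


if __name__ == "__main__":
    print(demo())  # (2, [200, 403])
```

`upload(open(path), plugin)` works the same way on a multi-gigabyte file because `iter_transactions` never calls `read()` on the stream; a second plugin (for example one that writes to the OWTF database) only needs to subclass `Uploader` and register itself in `UPLOADERS`.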
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think > 30 URLs), a number of things often go wrong and OWTF needs to recover from all of them, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times. This includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered, the OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project; these will be accomplished by sending OWTF API messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (e.g. once every 5 minutes?); if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: check whether the length of the first page changes every 60 seconds.<br />
<br />
NOTE: It might be necessary to change this interval on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient if:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the API to tell OWTF "this target is dead: freeze (stop?) current tests, skip target in future tests".<br />
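The heartbeat loop sketched above, as an added example that is not OWTF code: each in-scope URL is fetched every 60 seconds, a changed first-page length is reported, and a target that fails several heartbeats in a row is declared dead and skipped from then on. The `fetch` and `on_dead` callables are assumptions so the monitor can run offline; `on_dead` stands in for the hypothetical OWTF API message that freezes tests for that target.<br />

```python
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass
class TargetState:
    """Per-target bookkeeping: last observed page length and consecutive failures."""
    last_length: Optional[int] = None
    failures: int = 0
    dead: bool = False


def http_length(url: str, timeout: float = 10.0) -> Optional[int]:
    """Heartbeat: return the body length of the first page, or None if the target is down."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return len(resp.read())
    except (urllib.error.URLError, OSError):
        return None


class TargetMonitor:
    """Polls in-scope targets and reports 'changed', 'down' and 'recovered' events.

    fetch        - returns the page length or None; injected so the monitor can be
                   exercised offline with a fake fetcher (assumption, not OWTF API)
    on_alert     - alerting mechanism (mp3 / CLI / GUI), called as on_alert(event, url, detail)
    on_dead      - corrective mechanism; stands in for the hypothetical OWTF API
                   message "this target is dead: freeze current tests, skip it later"
    max_failures - consecutive failed heartbeats before a target is declared dead,
                   so one dropped request does not freeze a whole target
    """

    def __init__(self, urls: Iterable[str],
                 fetch: Callable[[str], Optional[int]] = http_length,
                 on_alert: Optional[Callable] = None,
                 on_dead: Optional[Callable[[str], None]] = None,
                 max_failures: int = 3) -> None:
        self.states: Dict[str, TargetState] = {u: TargetState() for u in urls}
        self.fetch = fetch
        self.on_alert = on_alert or (lambda *args: None)
        self.on_dead = on_dead or (lambda url: None)
        self.max_failures = max_failures

    def check_once(self) -> List[Tuple]:
        """One heartbeat round over all live targets; returns the events it emitted."""
        events: List[Tuple] = []
        for url, st in self.states.items():
            if st.dead:
                continue  # skipped in future rounds, as the page describes
            length = self.fetch(url)
            if length is None:
                st.failures += 1
                if st.failures >= self.max_failures:
                    st.dead = True
                    events.append(("down", url, st.failures))
                    self.on_alert("down", url, st.failures)
                    self.on_dead(url)
                continue
            if st.failures:
                events.append(("recovered", url, st.failures))
                self.on_alert("recovered", url, st.failures)
            st.failures = 0
            # The page's heuristic: a changed first-page length is worth a look
            # (maintenance page, block page, error page) even though the host answers.
            if st.last_length is not None and length != st.last_length:
                events.append(("changed", url, (st.last_length, length)))
                self.on_alert("changed", url, (st.last_length, length))
            st.last_length = length
        return events

    def run(self, interval: float = 60.0, rounds: Optional[int] = None) -> None:
        """Poll every `interval` seconds (60 s on the page) until all targets are dead."""
        done = 0
        while rounds is None or done < rounds:
            self.check_once()
            done += 1
            if all(s.dead for s in self.states.values()):
                break
            time.sleep(interval)
```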
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments is that all disk space gets used up and the scanning box becomes unresponsive or crashes. When this happens it is too late; the pentester may see it coming but wonder "which are the biggest files in the filesystem that I can delete?", and it is not ideal to have to look for these files at the moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then, when disk space is running low (i.e. below a predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
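The proposed solution as an added example (not OWTF code): one monitoring round checks the free space on the partition holding the review directory and, only when it is below the threshold, returns the biggest files under the review and tool directories, largest first, ready to be shown on the CLI. The `usage_fn` parameter is an assumption that lets the low-space case be simulated; the directory names come from the caller.<br />

```python
import os
import shutil
import time
from typing import Callable, Dict, Iterable, List, Tuple


def largest_files(roots: Iterable[str], top: int = 10) -> List[Tuple[int, str]]:
    """Return the `top` biggest regular files under `roots`, largest first.

    Symlinks are skipped (deleting them frees nothing) and files that vanish
    mid-walk are ignored, since tools delete their temp files while we scan.
    """
    ranking: List[Tuple[int, str]] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if os.path.islink(path):
                        continue
                    ranking.append((os.path.getsize(path), path))
                except OSError:
                    continue
    ranking.sort(key=lambda entry: (-entry[0], entry[1]))
    return ranking[:top]


def check_disk(review_dir: str, tool_dirs: Iterable[str] = (),
               threshold_bytes: int = 2 * 1024 ** 3,
               usage_fn: Callable = shutil.disk_usage, top: int = 10) -> Dict:
    """One monitoring round.

    usage_fn(path) must return an object with a `.free` attribute, like
    shutil.disk_usage (assumption: injectable so low space can be simulated).
    The file ranking is only computed when space is low, because walking big
    review directories every round is itself a cost.
    """
    free = usage_fn(review_dir).free
    result: Dict = {"free": free, "low": free < threshold_bytes, "ranking": []}
    if result["low"]:
        roots = [review_dir] + [d for d in tool_dirs if os.path.isdir(d)]
        result["ranking"] = largest_files(roots, top=top)
    return result


def format_alert(result: Dict) -> str:
    """CLI overview; the GUI and mp3 mechanisms would hang off the same result."""
    lines = ["LOW DISK SPACE: %.0f MiB free" % (result["free"] / 1024 ** 2)]
    for size, path in result["ranking"]:
        lines.append("%8.1f MiB  %s" % (size / 1024 ** 2, path))
    return "\n".join(lines)


def monitor(review_dir: str, tool_dirs: Iterable[str], threshold_bytes: int,
            interval: float = 30.0, alert: Callable[[str], None] = print) -> None:
    """Loop forever; hand the overview to `alert` whenever space runs low."""
    while True:
        res = check_disk(review_dir, tool_dirs, threshold_bytes)
        if res["low"]:
            alert(format_alert(res))
        time.sleep(interval)
```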
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP or other connectivity goes down in the middle of a scan. This is often a very unfortunate situation, since most tools are scanning in parallel and they won't be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af) do NOT exit when they crash. This leaves OWTF in a difficult position where one or more processes are waiting for nothing, forever (i.e. because "Tool X" will never finish).<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or "go berserk" with RAM/CPU/bandwidth consumption. This is different from the existing built-in checks in OWTF like "do not launch a new tool if there is less than XYZ RAM free" and more like "if tool X is using > XYZ of the available RAM/CPU/bandwidth and this is (potentially) negatively affecting other tools/tests, then throttle it".<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability, i.e. the Health Monitor cannot crash! :)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently I tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because I ran out of space in the VM<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow regression testing of isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow regression testing by test category (i.e. "test only web plugins")<br />
* Allow regression testing of everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy-to-navigate logs to identify which tests failed and, ideally, hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and experience with unit tests and automated regression testing would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: these are utilities that may be chained together by OWTF OR by a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide leverage to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats.<br />
For example: sometimes 2 scans pass through the same port, one returns the server version and the other does not; we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all "speaks http" ports (from any nmap format) into a list of URL targets for OWTF.<br />
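Features 2 and 4 together, as an added example that is not OWTF code and covers only the XML format: two scans of the same host are parsed, merged by (address, protocol, port) so that the record carrying a version banner is never overwritten by a bare port guess, and every open port that speaks HTTP is turned into a target URL. The two sample scans are constructed (documentation address range, not real hosts).<br />

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Key = Tuple[str, str, int]          # (address, protocol, port)
SERVICE_FIELDS = ("name", "product", "version", "extrainfo", "tunnel")

# Constructed sample scans: scan A saw 443 open without a banner and 8080 as a
# generic proxy; scan B probed both banners but did not cover port 22.
SCAN_A = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

SCAN_B = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat" version="9.0.30"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text: str) -> Dict[Key, Dict[str, str]]:
    """Extract open ports and their service attributes from nmap XML output."""
    ports: Dict[Key, Dict[str, str]] = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports carry no banner worth keeping
            svc = port.find("service")
            info = {} if svc is None else {k: svc.get(k) for k in SERVICE_FIELDS if svc.get(k)}
            ports[(addr, port.get("protocol"), int(port.get("portid")))] = info
    return ports


def merge(*scans: Dict[Key, Dict[str, str]]) -> Dict[Key, Dict[str, str]]:
    """Union of all scans. For each port every attribute seen is kept; when the
    records conflict, the one that carries a version banner wins."""
    merged: Dict[Key, Dict[str, str]] = {}
    for scan in scans:
        for key, info in scan.items():
            cur = merged.setdefault(key, {})
            if "version" in info and "version" not in cur:
                cur.update(info)          # banner beats a bare service guess
            else:
                for k, v in info.items():
                    cur.setdefault(k, v)  # fill gaps, never overwrite known data
    return merged


def url_targets(ports: Dict[Key, Dict[str, str]]) -> List[str]:
    """Turn every HTTP-speaking open TCP port into a target URL for OWTF."""
    urls: List[str] = []
    for (addr, proto, num), info in sorted(ports.items()):
        name = info.get("name", "")
        if proto != "tcp" or "http" not in name:
            continue
        https = name == "https" or info.get("tunnel") == "ssl"
        scheme, default_port = ("https", 443) if https else ("http", 80)
        host = addr if num == default_port else "%s:%d" % (addr, num)
        urls.append("%s://%s/" % (scheme, host))
    return urls
```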
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
Look at all URLs (i.e. from the nmap file), check if they might be running WordPress, and generate a list of suggested wp-scan commands for all targets that might be running WordPress.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and experience with unit tests and automated regression testing would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
''' OWASP Mentors '''<br />
<br />
<br />
<br />
<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Example Idea ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data, so this becomes pluggable<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Simon Bennetts<br />
<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== Example Idea ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to Java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the PAM module libcrack for measuring password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' <br />
* [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
* John Jolly - Linux Kernel Engineer for SUSE Linux on IBM System z Mainframes (Development)<br />
<br />
<br />
== OWASP Seraphimdroid [[OWASP_SeraphimDroid_Project| ]] ==<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (the Weka toolkit) based on requested permissions. However, this is usually not enough and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community can provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way of presenting the GUI and the integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party apps can be integrated into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for common users, where, by using the application, users can learn about risks to their privacy and security. Some components already have some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor user behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn the user about risks if they do something risky. Also, a mobile security knowledge base that can be updated remotely will be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop a web server through which the knowledge base can be updated<br />
* Improve the current educational reporting<br />
* Develop a methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP ZSC Tool ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_ZSC_Tool_Project|OWASP ZSC]] is open source software written in Python which lets you generate customized shellcodes and convert scripts into obfuscated scripts. This software can be run on Windows/Linux/OSX under Python.<br />
<br />
'''Expected Results:'''<br />
<br />
Please take a look at our TODO list on GitHub to get some ideas:<br />
https://github.com/Ali-Razmjoo/OWASP-ZSC/issues<br />
<br />
Other ideas:<br />
* Help us develop shellcode module for windows<br />
* Develop shellcode module for OSX<br />
<br />
Read about the project here:<br />
https://ali-razmjoo.gitbooks.io/owasp-zsc/content/<br />
<br />
Recommended reading:<br />
http://www.vividmachines.com/shellcode/shellcode.html<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* Basic knowledge about Shellcode and assembly language<br />
<br />
'''Mentors:''' <br />
* Christo and Timo Goosen and Brian Beaudry - OWASP ZSC Contributors<br />
<br />
Contact us through our mailing list for questions:<br />
https://groups.google.com/d/forum/owasp-zsc</div>
Nikola Milosevic
https://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=208561
OWASP SeraphimDroid Project
2016-02-12T13:28:01Z
<p>Nikola Milosevic: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect the user's privacy and secure the device against malicious features that may cost the user money<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost always exposed to the internet and other types of mobile networks, they are more exposed to attacks. From open WiFi networks that can be spoofed to Trojan malware applications on the app stores, threats are everywhere. Many of the attacks are successful because users are not aware of the risks and threats. They may act naively and expose themselves to attacks even more. These attacks may lead to identity theft, money theft or loss of privacy, or their devices may start acting as part of a botnet.<br />
<br />
In order to prevent attacks on users, this project aims to develop a set of guidelines and an application that will ensure that users are using their devices in a secure manner. The project is and always will remain open for everyone to participate, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project tends to be research oriented and we are willing to innovate in the Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and their money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use. The app also describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. <br />
* Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all of their applications and system services (WiFi, network, Bluetooth) with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on the device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature allows the user to make outgoing calls and send SMS normally, but blocks outgoing calls and reports outgoing SMS initiated by trojan applications.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device exits the range it may raise an alarm or start sending messages with its location to a defined number.<br />
* Remote location. If the user loses their phone, they can send an SMS with a defined secret code as its content to the phone, and it will reply with the location coordinates of the device. <br />
* Remote lock and lock<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* An application that keeps users secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about Android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (6.9.2015) A new version (v2.0) of OWASP Seraphimdroid has been released on the [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play store]. A blog post about the new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating in [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of Libre!, a Serbian online magazine about open source, and an interview with the project leader was published in it. Issue 29 of Libre! magazine, where the interview was published, can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play]. A blog post about its features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) An article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted in the OWASP Seraphimdroid project. The article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect the user's privacy and secure the device against malicious features and threats<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows a list of all installed applications and the permissions they use, and describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which achieved an accuracy of 88%. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature enables the user to lock use of WiFi, the mobile network and Bluetooth with a password.<br />
* Install lock. This feature can block all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing content.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if one of the installed applications tries to send an SMS. This is the usual way malware authors earn money: by sending premium-rate SMS messages.<br />
* Outgoing call blocker. This feature lets you make outgoing calls normally, but blocks outgoing calls placed by other installed applications. As with outgoing SMS, this is a scenario malware authors use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range in which the device should stay. If the device leaves the range, the app can sound an alarm or start sending messages with its location to a defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to verify that it is the owner of the device who is changing the SIM card. Perfect for theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a defined secret code, and your phone will reply with its location coordinates. <br />
* Remote lock. Similarly, you may lock your device with a message containing the secret code.<br />
* Remote wipe. If your phone is stolen, you may send a message containing the secret code to wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, Trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks. <br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users who have no advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We would welcome any BSc, 3rd year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (the Weka toolkit) based on permissions. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community can provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way the GUI is presented and the integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party apps can be integrated with OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for ordinary users, where, by using the application, users can learn about risks to their privacy and security. Some components already have some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor the user's behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn the user about risks when they do something risky. Also, a mobile security knowledge base that can be updated remotely would be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop a web server from which the knowledge base can be updated<br />
* Improve current educational reporting<br />
* Develop a methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
= Road Map and Getting Involved =<br />
===For SeraphimDroid, the priorities are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We would welcome any BSc, 3rd year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your ideas as well. '''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Just let us know what, as a user, you would like to see added or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as an extensible platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while surfing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute, please contact the project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=208560OWASP SeraphimDroid Project2016-02-12T13:27:00Z<p>Nikola Milosevic: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect user's privacy and secure the device against malicious features that may cost user money<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are more exposed to the attacks. From the open WiFi networks that can be spoofed to the Trojan malware applications on the app stores, threats are everywhere around. Many of the attacks are successful because users are not aware of the risks and threats. They may act naive and expose themselves to the attacks even more. These attacks may lead to the identity theft, money theft, losing privacy or they devices may start acting as part of the botnet network.<br />
<br />
In order to prevent attacks on the users, this project aims to develop a set of guidelines and application that will ensure that users are using their devices in a secure manner. Project is and always will remain open for everyone to participate and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of Android operating system. We want to develop, as a community an free and open source security and privacy protection application and a set of security guideline for Android users. The project tend to be research oriented and we are willing to innovate in Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and money. The project is community driven and everyone is open to participate. The main aim of OWASP SeraphimDroid application should keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user. <br />
* Application and service locker. With OWASP Seraphimdroid, user may lock access to certain or to all of your applications and system services (WiFi, network, BlueTooth) with password<br />
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature will allow user to perform normally outgoing calls and SMS, but it will block outgoing calls and inform about outgoing SMS performed by trojan applications.<br />
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.<br />
* Remote location. If user lost your phone, he is able to send SMS with a defined secret code as a content and his phone and it will reply with the location coordinates of the device. <br />
* Remote lock and lock<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps user secure and teaches him about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented in OWASP Serbia local chapter on april 2015 meeting.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on a front page and interview with a project leader was published in Libre!, Serbian online magazine about open source. Issue 29 of the Libre! magazine, where the interview was published can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seaphimdroid was released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. Blog post about features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Searaphimdroid participates on [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) Article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on OWASP Seraphimdroid project. Article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect user's privacy and secure the device against malicious features and threats<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user. Currently, we use SVM/SMO model trained on M0Droid malware/goodware dataset, which performed with accuracy of 88%. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to certain or to all of your application with password<br />
* Service locker. This feature enables user to lock usage of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature will scan all incoming messages and alert user if it find in the content potential phishing<br />
* Outgoing SMS scanner. The application will monitor outgoing SMS and alert user if the some of the application is trying to send SMS. This is the usual scenario how malware creators earn money - by sending premium SMS messages.<br />
* Outgoing call blocker. This feature will allow you to perform normally outgoing calls, but it will block outgoing calls performed by other installed applications. Similarly to outgoing SMSes, this is the scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.<br />
* SIM change detector. Ask password when SIM card is changed in order to assure that the owner of the device is changing SIM card. Perfect for theft protection.<br />
* Remote location. If you lost your phone, you'll be able to send SMS with a defined secret code as a content and your phone will reply with the location coordinates of the device. <br />
* Remote lock. Similarly, you may lock your device using a message with secret code<br />
* Remote wipe. If your phone is stolen, you may send a message with secret code and wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
; Q2: '''Does it requires device root access?'''<br />
: A2: No. The application is designed in order to protect usual users, without any advanced skills (i.e. rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
= Road Map and Getting Involved =<br />
===As of SeraphimDroid, the priorities are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and University lecturers to contribute to the projects. We would like to encourage any BSc, 3rd year or master project ideas that would improve Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. At the end of the page are listed some of the potential project ideas, but we encourage you to send us your ideas as well. '''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help coding open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Just let us know what as a user you would like to see new or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while surfing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
=Project/Feature ideas=<br />
<br />
'''OWASP Seraphimdroid encourages students and University lecturers to contribute to the projects. We would like to encourage any BSc, 3rd year or master project ideas that would improve Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. At the end of the page are listed some of the potential project ideas, but we encourage you to send us your ideas as well.'''<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app. The initial idea of the project was to provide educational platform for common users, where by using the application, users can learn about risks for their privacy and security. Some components already has some sort of explanation, which is educational. However, it lacks of uneatable knowledge source and some of the components that monitor user's behavior do not provide sufficient information. Idea of this project is to develop monitoring of user activity and an component that can warn user about risks if he does something risky. Also, mobile security knowledge base that can be updated remotely will be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop a web server from which the knowledge base can be updated<br />
* Improve the current educational reporting<br />
* Develop a methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=208559OWASP SeraphimDroid Project2016-02-12T13:26:06Z<p>Nikola Milosevic: /* Project ideas */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services through various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect users' privacy and secure the device against malicious features that may cost the user money<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Because modern mobile devices are almost always connected to the internet and other mobile networks, they are exposed to more attacks. From open WiFi networks that can be spoofed to Trojan malware applications on the app stores, threats are everywhere. Many attacks succeed because users are not aware of the risks and threats; acting naively, they expose themselves to attacks even more. These attacks may lead to identity theft, theft of money or loss of privacy, or the device may start acting as part of a botnet.<br />
<br />
To prevent attacks on users, this project aims to develop a set of guidelines and an application that will ensure users are using their devices in a secure manner. The project is, and always will remain, open for everyone to participate in, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project tends to be research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and their money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use, and describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. <br />
* Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all of their applications and to system services (WiFi, mobile network, Bluetooth) with a password<br />
* Install lock. This feature can lock all install and uninstall actions on the device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature lets the user make outgoing calls and send SMS normally, but blocks outgoing calls and reports outgoing SMS initiated by trojan applications.<br />
* Geo-fencing. This feature allows the user to set a location range within which the device should stay. If the device leaves the range, it can sound an alarm or start sending messages with its location to a defined number.<br />
* Remote location. If the user loses the phone, they can send it an SMS containing a defined secret code, and the phone will reply with its location coordinates. <br />
* Remote lock and wipe<br />
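The permission scanner described above rests on two things a practitioner will want to see concretely: which permissions each installed app has actually been granted, and how a permission list becomes the fixed-length 0/1 vector that a permission-based classifier (such as the SVM the project trains) consumes. The following is an added example written for this page, not code from the OWASP Seraphimdroid project; the set of "risky" permissions, the explanations attached to them, and the vocabulary order are this example's assumptions. It runs inside an Android app and uses only the public PackageManager API.<br />
<br />
```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added example, not SeraphimDroid's own code: lists granted permissions per app,
 *  explains the risky ones and builds the 0/1 permission vector a classifier would consume. */
public final class PermissionScanner {

    // Permissions worth explaining to the user; the set and wording are this example's (assumption).
    private static final Map<String, String> RISKY = new LinkedHashMap<>();
    static {
        RISKY.put("android.permission.SEND_SMS", "can send premium-rate SMS that cost you money");
        RISKY.put("android.permission.CALL_PHONE", "can dial numbers, including premium-rate ones");
        RISKY.put("android.permission.RECEIVE_SMS", "can read incoming SMS such as bank one-time codes");
        RISKY.put("android.permission.READ_SMS", "can read your stored SMS");
        RISKY.put("android.permission.READ_CONTACTS", "can harvest your address book");
        RISKY.put("android.permission.ACCESS_FINE_LOCATION", "can track where you are");
        RISKY.put("android.permission.RECORD_AUDIO", "can record from the microphone");
        RISKY.put("android.permission.READ_PHONE_STATE", "can read device and SIM identifiers");
        RISKY.put("android.permission.RECEIVE_BOOT_COMPLETED", "can start itself silently after every reboot");
    }

    // Feature vocabulary: the index order must match whatever model was trained on it (assumption).
    public static final List<String> VOCABULARY =
            Collections.unmodifiableList(new ArrayList<>(RISKY.keySet()));

    public static final class Finding {
        public final String packageName;
        public final boolean systemApp;
        public final List<String> riskyGranted;
        public final int[] features;

        Finding(String packageName, boolean systemApp, List<String> riskyGranted, int[] features) {
            this.packageName = packageName;
            this.systemApp = systemApp;
            this.riskyGranted = riskyGranted;
            this.features = features;
        }

        /** Human-readable explanation: the educational part of the scanner. */
        public String explain() {
            if (riskyGranted.isEmpty()) return packageName + ": no risky permissions granted";
            StringBuilder sb = new StringBuilder(packageName).append(":\n");
            for (String p : riskyGranted) {
                sb.append("  ").append(p.substring(p.lastIndexOf('.') + 1))
                  .append(" - ").append(RISKY.get(p)).append('\n');
            }
            return sb.toString();
        }
    }

    /** Permissions that are both requested in the manifest and currently granted. */
    static List<String> grantedPermissions(PackageInfo pi) {
        List<String> granted = new ArrayList<>();
        if (pi.requestedPermissions == null) return granted;
        for (int i = 0; i < pi.requestedPermissions.length; i++) {
            // requestedPermissionsFlags is parallel to requestedPermissions. With runtime
            // permissions (Android 6+) a requested permission may be denied; only granted ones count.
            boolean isGranted = pi.requestedPermissionsFlags == null
                    || (pi.requestedPermissionsFlags[i] & PackageInfo.REQUESTED_PERMISSION_GRANTED) != 0;
            if (isGranted) granted.add(pi.requestedPermissions[i]);
        }
        return granted;
    }

    /** Binary feature vector over VOCABULARY: the input shape of a permission-based classifier. */
    static int[] toFeatureVector(List<String> granted) {
        int[] v = new int[VOCABULARY.size()];
        for (int i = 0; i < v.length; i++) v[i] = granted.contains(VOCABULARY.get(i)) ? 1 : 0;
        return v;
    }

    /** Scans every package visible to this app. On Android 11+ that requires QUERY_ALL_PACKAGES
     *  or a queries element in the manifest, otherwise most third-party apps are not returned. */
    public static List<Finding> scan(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<Finding> findings = new ArrayList<>();
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (pi.applicationInfo == null) continue;
            boolean system = (pi.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            List<String> granted = grantedPermissions(pi);
            List<String> risky = new ArrayList<>();
            for (String p : granted) if (RISKY.containsKey(p)) risky.add(p);
            findings.add(new Finding(pi.packageName, system, risky, toFeatureVector(granted)));
        }
        // Apps with the most risky permissions first, so the user sees them on top.
        Collections.sort(findings, new Comparator<Finding>() {
            @Override public int compare(Finding a, Finding b) {
                return Integer.compare(b.riskyGranted.size(), a.riskyGranted.size());
            }
        });
        return findings;
    }
}
```
<br />
Two caveats apply to any scanner of this kind. A permission that is requested but denied by the user is not yet a risk, which is why the example checks the granted flag rather than the manifest alone; and a permission vector says only what an app is allowed to do, not what it does, which is exactly the gap the behavioral analysis project idea on this page is meant to close.<br />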
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* An application that keeps users secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of, and an interview with the project leader was published in, Libre!, a Serbian online magazine about open source. Issue 29 of Libre!, where the interview was published, can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. A blog post about its features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) Article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on OWASP Seraphimdroid project. Article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect user's privacy and secure the device against malicious features and threats<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use, and describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which achieved an accuracy of 88%. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password<br />
* Service locker. This feature lets the user lock the use of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing in the content.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if one of the installed applications tries to send an SMS. This is the usual way malware creators earn money: by sending premium-rate SMS messages.<br />
* Outgoing call blocker. This feature lets you make outgoing calls normally, but blocks outgoing calls placed by other installed applications. As with outgoing SMS, this is a scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range within which the device should stay. If the device leaves the range, it can sound an alarm or start sending messages with its location to a defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to make sure it is the owner of the device who is changing the SIM card. Perfect for theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a defined secret code, and the phone will reply with its location coordinates. <br />
* Remote lock. Similarly, you may lock your device with a message containing the secret code<br />
* Remote wipe. If your phone is stolen, you may send a message with the secret code and wipe all user data from the phone.<br />
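The remote location, lock and wipe features all hinge on one security decision: the phone must authenticate the secret code before it acts on an SMS, and it must not act on, or reply to, anything else. The following is an added example of such a receiver, written for this page and not code from the OWASP Seraphimdroid project; the message format (secret code followed by one of locate, lock or wipe), the preference names and the AdminReceiver device-admin class are this example's assumptions. It stores only a SHA-256 hash of the secret and compares it in constant time, so neither the stored preferences nor response timing reveal the code.<br />
<br />
```java
import android.app.admin.DevicePolicyManager;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.location.Location;
import android.location.LocationManager;
import android.provider.Telephony;
import android.telephony.SmsManager;
import android.telephony.SmsMessage;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

/** Added example, not SeraphimDroid's own code: authenticates "secret code" SMS commands and
 *  runs locate / lock / wipe. Needs RECEIVE_SMS, SEND_SMS and a location permission in the
 *  manifest, and an enabled device admin (AdminReceiver, assumed) for lock and wipe. */
public class RemoteCommandReceiver extends BroadcastReceiver {

    private static final String PREFS = "seraphim_remote";         // assumption
    private static final String KEY_SECRET_HASH = "secret_sha256"; // only the hash is stored

    /** Called once from settings: stores SHA-256(secret), never the secret itself. */
    public static void storeSecret(Context ctx, String secret) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
           .putString(KEY_SECRET_HASH, toHex(sha256(secret))).apply();
    }

    @Override
    public void onReceive(Context ctx, Intent intent) {
        if (!Telephony.Sms.Intents.SMS_RECEIVED_ACTION.equals(intent.getAction())) return;
        for (SmsMessage sms : Telephony.Sms.Intents.getMessagesFromIntent(intent)) {
            String body = sms.getMessageBody();
            String sender = sms.getOriginatingAddress();
            if (body == null || sender == null) continue;
            // Assumed message format: "<secret> <locate|lock|wipe>"
            String[] parts = body.trim().split("\\s+", 2);
            if (parts.length != 2) continue;
            // Wrong secret: do nothing and reply nothing, so probing reveals nothing.
            if (!secretMatches(ctx, parts[0])) continue;
            dispatch(ctx, parts[1].trim().toLowerCase(Locale.ROOT), sender);
        }
    }

    /** Constant-time comparison of SHA-256(candidate) with the stored hash. */
    static boolean secretMatches(Context ctx, String candidate) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String storedHex = prefs.getString(KEY_SECRET_HASH, null);
        if (storedHex == null) return false;               // feature not configured
        return MessageDigest.isEqual(fromHex(storedHex), sha256(candidate));
    }

    static void dispatch(Context ctx, String command, String replyTo) {
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, AdminReceiver.class); // assumed DeviceAdminReceiver
        switch (command) {
            case "locate":
                Location loc = lastKnownLocation(ctx);
                String text = loc == null ? "Location unknown"
                        : "Lat " + loc.getLatitude() + " Lon " + loc.getLongitude();
                SmsManager.getDefault().sendTextMessage(replyTo, null, text, null, null);
                break;
            case "lock":
                if (dpm.isAdminActive(admin)) dpm.lockNow();
                break;
            case "wipe":
                if (dpm.isAdminActive(admin)) dpm.wipeData(0); // irreversible
                break;
            default:
                break; // unknown command: ignore, never echo it back
        }
    }

    static Location lastKnownLocation(Context ctx) {
        LocationManager lm = (LocationManager) ctx.getSystemService(Context.LOCATION_SERVICE);
        try {
            Location l = lm.getLastKnownLocation(LocationManager.GPS_PROVIDER);
            return l != null ? l : lm.getLastKnownLocation(LocationManager.NETWORK_PROVIDER);
        } catch (SecurityException e) {
            return null; // location permission not granted
        }
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is always available on Android
        }
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```
<br />
The receiver is registered in the manifest for the android.provider.Telephony.SMS_RECEIVED action. Two limits are worth stating plainly: the secret travels in a plaintext SMS, so anyone who reads the owner's sent messages (or the network) learns it, which argues for a long random code rather than a memorable word; and because the reply goes to whoever sent the correct code, the code is effectively the only thing standing between a thief and a remote wipe.<br />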
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services through various kinds of locks. <br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users who have no advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
= Road Map and Getting Involved =<br />
===Current priorities for SeraphimDroid are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We welcome any BSc, third-year or master's project ideas that would improve the Seraphimdroid app. The project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your own ideas as well. '''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design the logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, and new anti-theft approaches<br />
* Just let us know what you, as a user, would like to see new or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while browsing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
=Project/Feature ideas=<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze apps for malware using machine learning (the Weka toolkit) on the permissions they request. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement, and possibly improve, the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=208558OWASP SeraphimDroid Project2016-02-12T13:25:40Z<p>Nikola Milosevic: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect user's privacy and secure the device against malicious features that may cost user money<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are more exposed to the attacks. From the open WiFi networks that can be spoofed to the Trojan malware applications on the app stores, threats are everywhere around. Many of the attacks are successful because users are not aware of the risks and threats. They may act naive and expose themselves to the attacks even more. These attacks may lead to the identity theft, money theft, losing privacy or they devices may start acting as part of the botnet network.<br />
<br />
In order to prevent attacks on the users, this project aims to develop a set of guidelines and application that will ensure that users are using their devices in a secure manner. Project is and always will remain open for everyone to participate and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of Android operating system. We want to develop, as a community an free and open source security and privacy protection application and a set of security guideline for Android users. The project tend to be research oriented and we are willing to innovate in Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and money. The project is community driven and everyone is open to participate. The main aim of OWASP SeraphimDroid application should keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user. <br />
* Application and service locker. With OWASP Seraphimdroid, user may lock access to certain or to all of your applications and system services (WiFi, network, BlueTooth) with password<br />
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature will allow user to perform normally outgoing calls and SMS, but it will block outgoing calls and inform about outgoing SMS performed by trojan applications.<br />
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.<br />
* Remote location. If user lost your phone, he is able to send SMS with a defined secret code as a content and his phone and it will reply with the location coordinates of the device. <br />
* Remote lock and lock<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps user secure and teaches him about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented in OWASP Serbia local chapter on april 2015 meeting.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. Blog post about new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating at [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on a front page and interview with a project leader was published in Libre!, Serbian online magazine about open source. Issue 29 of the Libre! magazine, where the interview was published can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seaphimdroid was released on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. Blog post about features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Searaphimdroid participates on [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) Article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on OWASP Seraphimdroid project. Article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect user's privacy and secure the device against malicious features and threats<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user. Currently, we use SVM/SMO model trained on M0Droid malware/goodware dataset, which performed with accuracy of 88%. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to certain or to all of your application with password<br />
* Service locker. This feature enables user to lock usage of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature will scan all incoming messages and alert user if it find in the content potential phishing<br />
* Outgoing SMS scanner. The application will monitor outgoing SMS and alert user if the some of the application is trying to send SMS. This is the usual scenario how malware creators earn money - by sending premium SMS messages.<br />
* Outgoing call blocker. This feature will allow you to perform normally outgoing calls, but it will block outgoing calls performed by other installed applications. Similarly to outgoing SMSes, this is the scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.<br />
* SIM change detector. Ask password when SIM card is changed in order to assure that the owner of the device is changing SIM card. Perfect for theft protection.<br />
* Remote location. If you lost your phone, you'll be able to send SMS with a defined secret code as a content and your phone will reply with the location coordinates of the device. <br />
* Remote lock. Similarly, you may lock your device using a message with secret code<br />
* Remote wipe. If your phone is stolen, you may send a message with secret code and wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks.<br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users without advanced skills (e.g. rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
= Road Map and Getting Involved =<br />
===The current priorities for SeraphimDroid are:===<br />
* MVP development of an Android security application with educational content<br />
* Documenting the approaches taken during development<br />
* Trying to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We would like to encourage any BSc, third-year or master's project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of the page, but we encourage you to send us your own ideas as well.'''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open-source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design the logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, and new anti-theft approaches<br />
* Just let us know what, as a user, you would like to see added or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as an extensible platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while browsing<br />
* Advanced behavioral and machine-learning-based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
<br />
=Project ideas=<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (the Weka toolkit) based on requested permissions. However, this is usually not enough and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components that the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way of presenting the GUI and the integration between processes need to be examined and developed.<br />
<br />
'''Expected Results:'''<br />
<br />
* Examine ways of integrating third-party components into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for common users, where by using the application users can learn about risks to their privacy and security. Some components already have some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor the user's behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn the user about risks if they do something risky. A mobile security knowledge base that can be updated remotely would also be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop a web server from which the knowledge base can be updated<br />
* Improve the current educational reporting<br />
* Develop a methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=GSOC2016_Ideas&diff=208557GSOC2016 Ideas2016-02-12T13:21:05Z<p>Nikola Milosevic: /* OWASP Seraphimdroid OWASP_SeraphimDroid_Project */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or IRC channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderful 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Below is a list of proposed features.<br />
<br />
=== Example Idea===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successful OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create a virtual space for each user, so we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete; we need many features here and there to make it easily deployable and to improve its administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
<br />
== OWASP OWTF ==<br />
<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human workload in assessments where there are hundreds of issues listing Apache or PHP as out of date.<br />
<br />
Proposed solution:<br />
<br />
We can aggregate these duplicate issues into one issue, "outdated software / apache / php detected", containing the list of underlying issues.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which will allow for quick identification of unique vulnerabilities and deduplication.<br />
* Vulnerability table optimization: combining redundant vulnerabilities. For example, PHP < 5.1, PHP < 5.2 and PHP < 5.3 all suggest upgrading PHP, so if multiple such issues are reported they should be combined.<br />
* Integration with existing bug tracking systems such as Bugzilla or Jira. This should not be too hard, as all such systems expose one method or another (a REST API or similar).<br />
* Fix validation: since we integrate with bug tracking, once the developer has fixed the bug and the code is deployed, we can run specific checks via OWTF or another tool (perhaps a specific Nessus or Nexpose plugin or similar).<br />
* Management dashboard: could be exposed to pentesters and higher management, showing statistics with less detail and more of a high-level overview.<br />
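As an added illustration of the correlation and table-optimization ideas above (example code written for this page, not part of OWTF or the proposed VMS), the following Python groups findings that are different phrasings of "software X is outdated" for the same host into one aggregated issue that keeps the member ids and the highest member CVSS score. The finding format, the title patterns and the sample findings are constructed assumptions.<br />

```python
import re
from collections import defaultdict

# Constructed findings in the shape a scanner might report them (not real scanner output).
SAMPLE_FINDINGS = [
    {"id": 1, "host": "app.example.test", "title": "PHP < 5.1 detected", "cvss": 7.5},
    {"id": 2, "host": "app.example.test", "title": "PHP < 5.2 detected", "cvss": 5.0},
    {"id": 3, "host": "app.example.test", "title": "PHP < 5.3 detected", "cvss": 5.0},
    {"id": 4, "host": "app.example.test", "title": "Apache < 2.4 detected", "cvss": 5.0},
    {"id": 5, "host": "app.example.test", "title": "Apache 2.2.3 out of date", "cvss": 6.4},
    {"id": 6, "host": "app.example.test", "title": "Missing X-Frame-Options header", "cvss": 4.3},
]

# Phrasings that all mean "software X is outdated"; the named group captures X.
OUTDATED_PATTERNS = [
    re.compile(r"^(?:outdated|out of date)\s+(?P<sw>[A-Za-z][\w-]*)", re.I),         # "Outdated PHP"
    re.compile(r"^(?P<sw>[A-Za-z][\w-]*)\s*<=?\s*\d[\d.]*", re.I),                  # "PHP < 5.1"
    re.compile(r"^(?P<sw>[A-Za-z][\w-]*)\b.*\b(?:outdated|out of date)\b", re.I),   # "Apache 2.2.3 out of date"
]


def correlation_key(finding):
    """(host, software) for outdated-software findings, None for everything else."""
    for pattern in OUTDATED_PATTERNS:
        match = pattern.match(finding["title"])
        if match:
            return (finding["host"], match.group("sw").lower())
    return None


def correlate(findings):
    """Collapse every outdated-software finding for one host and product into a single
    aggregated issue carrying the member ids and the highest member CVSS; all other
    findings pass through untouched."""
    groups = defaultdict(list)
    passthrough = []
    for finding in findings:
        key = correlation_key(finding)
        if key is None:
            passthrough.append(finding)
        else:
            groups[key].append(finding)
    aggregated = []
    for (host, software), members in sorted(groups.items()):
        aggregated.append({
            "host": host,
            "title": "outdated software / %s detected" % software,
            "cvss": max(m["cvss"] for m in members),
            "members": [m["id"] for m in members],
        })
    return aggregated + passthrough


if __name__ == "__main__":
    for issue in correlate(SAMPLE_FINDINGS):
        print(issue)
```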
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where no tool will do the job and you need to script something, or mess around with the command line (classic example: a sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests takes valuable time which the pentester might just not have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
# printf '%s' rather than echo: echo appends a newline that urlencode() would turn into %0A<br />
PARAM1=$(printf '%s' 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(printf '%s' 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
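The following Python sketch is an added example for this page (not code from OWTF or the translator project) of the core pieces described above: a raw request parser, a plugin-style transform registry using the same name@@@@@@@value@@@@@@@ boundary convention, and a curl generator that passes every header literally and blanks the defaults curl would otherwise add, with the --proxy and --string-search options mapped onto the command. Unlike the sketch above, it applies the transforms at generation time in Python rather than delegating to php inside the generated script; all function names are assumptions and the sample request is constructed.<br />

```python
import base64
import re
import shlex
from urllib.parse import quote_plus

BOUNDARY = "@@@@@@@"  # same marker as the --transform-boundary example above

# Transform "plugins": adding a transform is one more entry in this table.
TRANSFORMS = {
    "urlencode": lambda s: quote_plus(s, safe=""),
    "base64": lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii"),
}


def apply_transforms(text, boundary=BOUNDARY):
    """Replace every name<boundary>value<boundary> macro with the transformed value."""
    b = re.escape(boundary)
    pattern = re.compile(r"(\w+)" + b + r"(.*?)" + b)

    def replace(match):
        name, value = match.group(1), match.group(2)
        if name not in TRANSFORMS:
            raise ValueError("unknown transform: %s" % name)
        return TRANSFORMS[name](value)

    return pattern.sub(replace, text)


def parse_raw_request(raw):
    """Split a raw HTTP request into method, path, version, ordered headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def to_curl(req, scheme="http", proxy=None, string_search=None):
    """Emit a curl command that sends the request as literally as curl allows."""
    host = next((v for n, v in req["headers"] if n.lower() == "host"), None)
    if host is None:
        raise ValueError("raw request has no Host header")
    parts = ["curl", "-s", "-X", req["method"]]
    for name, value in req["headers"]:      # every original header, verbatim, in order
        parts += ["-H", "%s: %s" % (name, value)]
    # curl silently adds these unless told otherwise; blank them when the request lacked them
    defaults = ["User-Agent", "Accept"] + (["Content-Type"] if req["body"] else [])
    present = {n.lower() for n, _ in req["headers"]}
    for name in defaults:
        if name.lower() not in present:
            parts += ["-H", name + ":"]
    if req["body"]:
        parts += ["--data-binary", req["body"]]
    if proxy:                                # --proxy: route through OWTF/ZAP/Burp
        parts += ["--proxy", proxy]
    parts.append("%s://%s%s" % (scheme, host, req["path"]))
    command = " ".join(shlex.quote(p) for p in parts)
    if string_search is not None:            # --string-search: literal match on the response
        command += " | grep -F -- " + shlex.quote(string_search)
    return command


def translate(raw, **options):
    """Pipeline: expand transform macros, parse, then generate the curl command."""
    return to_curl(parse_raw_request(apply_transforms(raw)), **options)


# Constructed sample input mirroring the transform example above (target.com as on the page).
SAMPLE_REQUEST = (
    "GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test HTTP/1.1\r\n"
    "Host: target.com\r\n"
    "User-Agent: X\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(translate(SAMPLE_REQUEST, proxy="127.0.0.1:1234", string_search="Welcome"))
```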
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], if found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth a look for possible overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
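The lookup side of items 2 to 5 and the three fingerprinting techniques listed above, as an added example for this page (not the OWTF tool's code): a fingerprint database keyed by SHA-256 and by byte length, a lookup that trusts the hash, accepts a length match only when it is unambiguous and falls back to parsing the version banner, and a vulnerability list sorted by descending CVSS, in single-file and directory mode. The "releases", the banner format and the vulnerability records are constructed; the vulnerability ids are placeholders, not real CVE numbers.<br />

```python
import hashlib
import os
import re

# Constructed stand-ins for downloaded library releases (not real library code).
# Both examplelib releases have the same byte length on purpose, so the length
# fingerprint alone is ambiguous for them.
SAMPLE_RELEASES = {
    ("examplelib", "1.0.0"): b"/*! examplelib v1.0.0 */\nfunction greet(n){return 'hi '+n;}\n",
    ("examplelib", "1.1.0"): b"/*! examplelib v1.1.0 */\nfunction greet(n){return 'yo '+n;}\n",
    ("otherlib", "2.0.0"): b"/*! otherlib v2.0.0 */\nvar other = 1;\n",
}

# Constructed vulnerability records: (placeholder id, CVSS score, summary).
SAMPLE_VULNS = {
    ("examplelib", "1.0.0"): [
        ("VULN-PLACEHOLDER-A", 4.3, "constructed medium severity issue"),
        ("VULN-PLACEHOLDER-B", 7.5, "constructed high severity issue"),
    ],
}

# Version banner in the style many libraries ship, e.g. "/*! examplelib v1.0.0 */".
BANNER_RE = re.compile(rb"/\*!\s*([A-Za-z]\w*)\s+v(\d+\.\d+\.\d+)")


def build_fingerprint_db(releases):
    """Index releases by SHA-256 of the content and by byte length."""
    by_hash, by_length = {}, {}
    for key, content in releases.items():
        by_hash[hashlib.sha256(content).hexdigest()] = key
        by_length.setdefault(len(content), []).append(key)
    return by_hash, by_length


def identify(content, by_hash, by_length):
    """Return (library, version, method) or None.

    A hash match is authoritative. A length match is accepted only when exactly one
    release has that length. Parsing the banner is the last resort: an edited or
    re-minified file changes both hash and length but often keeps the banner.
    """
    key = by_hash.get(hashlib.sha256(content).hexdigest())
    if key is not None:
        return key + ("hash",)
    candidates = by_length.get(len(content), [])
    if len(candidates) == 1:
        return candidates[0] + ("length",)
    match = BANNER_RE.search(content)
    if match:
        return (match.group(1).decode("ascii"), match.group(2).decode("ascii"), "banner")
    return None


def vulnerabilities_for(library, version, vulns):
    """Known issues for that exact version, highest CVSS first."""
    return sorted(vulns.get((library, version), []), key=lambda v: v[1], reverse=True)


def scan_files(files, by_hash, by_length, vulns):
    """files: {path: bytes}. Returns {path: (identification or None, sorted vulns)}."""
    report = {}
    for path, content in files.items():
        ident = identify(content, by_hash, by_length)
        found = vulnerabilities_for(ident[0], ident[1], vulns) if ident else []
        report[path] = (ident, found)
    return report


def scan_directory(root, by_hash, by_length, vulns):
    """Directory mode (item 5 above): every *.js file under root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as handle:
                    files[path] = handle.read()
    return scan_files(files, by_hash, by_length, vulns)


BY_HASH, BY_LENGTH = build_fingerprint_db(SAMPLE_RELEASES)
```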
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
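An added example for this page (not OWTF code) of the plugin-based, record-at-a-time design asked for in items 2 to 4 and 6: reader plugins are generators that yield one record with the four defined fields as soon as it is parsed, uploader plugins receive records one by one, and nothing ever holds the whole input in memory. The two input formats, the in-memory store standing in for the OWTF database and the sample data are constructed assumptions.<br />

```python
import io
import json
from collections import namedtuple

# The four clearly defined fields from item 2 of the proposal.
Transaction = namedtuple("Transaction", "request status headers body")

READERS = {}    # tool name -> generator function yielding Transaction objects
UPLOADERS = {}  # destination name -> class with a push(transaction) method


def reader(tool):
    """Decorator registering a reader plugin for one tool's output format."""
    def register(func):
        READERS[tool] = func
        return func
    return register


def uploader(destination):
    """Decorator registering an uploader plugin (the OWTF DB would be one of these)."""
    def register(cls):
        UPLOADERS[destination] = cls
        return cls
    return register


@reader("jsonlines")
def read_jsonlines(stream):
    """Constructed format standing in for a tool that writes one JSON object per line."""
    for line in stream:
        if line.strip():
            record = json.loads(line)
            yield Transaction(record["request"], int(record["status"]),
                              record.get("headers", {}), record.get("body", ""))


@reader("blocklog")
def read_blocklog(stream):
    """Constructed multi-line format: REQ / STATUS / HDR lines, BODY, then a '####' line.
    Only the record being assembled is held in memory, so a 10 GB log streams fine."""
    request, status, headers, body, in_body = None, None, {}, [], False
    for line in stream:
        line = line.rstrip("\n")
        if line == "####":
            if request is not None:
                yield Transaction(request, status, headers, "\n".join(body))
            request, status, headers, body, in_body = None, None, {}, [], False
        elif in_body:
            body.append(line)
        elif line.startswith("REQ "):
            request = line[4:]
        elif line.startswith("STATUS "):
            status = int(line[7:])
        elif line.startswith("HDR "):
            name, _, value = line[4:].partition(":")
            headers[name.strip()] = value.strip()
        elif line == "BODY":
            in_body = True
    if request is not None:            # last record without a trailing separator
        yield Transaction(request, status, headers, "\n".join(body))


@uploader("memory")
class MemoryStore(object):
    """In-memory stand-in for the OWTF database (constructed for this example)."""
    def __init__(self):
        self.rows = []

    def push(self, transaction):
        self.rows.append(transaction)


def upload(tool, stream, store):
    """Read with the tool's plugin and push each record as soon as it is parsed."""
    if tool not in READERS:
        raise KeyError("no reader plugin registered for %r" % tool)
    count = 0
    for transaction in READERS[tool](stream):
        store.push(transaction)
        count += 1
    return count


def upload_text(tool, text, destination="memory"):
    """Convenience wrapper for in-memory text; returns (count, store)."""
    store = UPLOADERS[destination]()
    return upload(tool, io.StringIO(text), store), store


# Constructed sample exports in the two formats above.
SAMPLE_JSONLINES = (
    '{"request": "GET / HTTP/1.1", "status": 200, "headers": {"Server": "x"}, "body": "<html>"}\n'
    '{"request": "GET /admin HTTP/1.1", "status": 403}\n'
)
SAMPLE_BLOCKLOG = (
    "REQ GET /login HTTP/1.1\nSTATUS 302\nHDR Location: /home\nBODY\n####\n"
    "REQ POST /search HTTP/1.1\nSTATUS 200\nHDR Content-Type: text/html\nBODY\n<p>3 results</p>\n"
)
```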
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times. This includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered, the OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project; these will be accomplished by sending OWTF API messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (e.g. once every 5 minutes?); if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments is that all disk space is used up and the scanning box becomes unresponsive or crashes. When this happens it is too late; the pentester may also see it coming but wonder “which are the biggest files in the filesystem that I can delete?”, and it is not ideal to have to look for these files at a moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP connectivity, etc. goes down in the middle of a scan. This is often a very unfortunate situation, since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes certain tools (most notably, ahem, w3af) do NOT exit when they crash. This leaves OWTF in a difficult position where 1+ processes are waiting for nothing, forever (i.e. because “Tool X” will never finish).<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go berserk” with RAM/CPU/bandwidth consumption. This is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free”; it is more like “if tool X is using > XYZ of the available RAM/CPU/bandwidth and this is (potentially) negatively affecting other tools/tests, then throttle it”.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently I tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because I ran out of space in the VM<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
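One way to get test categories, "only test this plugin" and "test all" out of the standard unittest library the last point suggests, as an added example in Python (not OWTF's own test framework): tests are tagged with categories and a plugin name, and a loader builds a suite from a selector. The plugin names and the bodies of the sample tests are placeholders.<br />
<br />
```python
"""Category-tagged tests for an OWTF-style unit test framework (added example, not OWTF code)."""
import sys
import unittest


def category(*tags):
    """Decorator: attach category tags to a TestCase class or to a single test method."""
    def mark(obj):
        obj._owtf_tags = set(tags)
        return obj
    return mark


# --- sample tests: placeholders standing in for real plugin/core tests ---
@category("web", "plugin:ssl_scan")
class SslScanPluginTests(unittest.TestCase):
    def test_parses_port_from_output(self):
        self.assertEqual(int("443/tcp open ssl".split("/")[0]), 443)


@category("aux", "plugin:smtp_enum")
class SmtpEnumPluginTests(unittest.TestCase):
    def test_timeout_is_positive(self):
        self.assertGreater(30, 0)


class CoreTests(unittest.TestCase):
    @category("core")
    def test_config_key_lookup(self):
        self.assertEqual({"threads": 4}.get("threads"), 4)

    @category("core", "slow")
    def test_db_schema_version(self):
        self.assertIn("version", {"version": 1})


TEST_CLASSES = (SslScanPluginTests, SmtpEnumPluginTests, CoreTests)


# --- the loader ---
def iter_cases(suite):
    """Flatten nested TestSuites into individual TestCase instances."""
    for item in suite:
        if isinstance(item, unittest.TestSuite):
            yield from iter_cases(item)
        else:
            yield item


def tags_of(case):
    """Union of the tags on the test's class and on the test method itself."""
    method = getattr(case, case._testMethodName)
    return getattr(type(case), "_owtf_tags", set()) | getattr(method, "_owtf_tags", set())


def build_suite(selector="all"):
    """selector: 'all', a category such as 'web', or 'plugin:<name>' to regression test one isolated plugin."""
    loader = unittest.TestLoader()
    everything = unittest.TestSuite(loader.loadTestsFromTestCase(cls) for cls in TEST_CLASSES)
    chosen = [c for c in iter_cases(everything) if selector == "all" or selector in tags_of(c)]
    return unittest.TestSuite(chosen)


def run(selector="all"):
    """Run the selected tests and return the statistics a report would be built from."""
    result = unittest.TextTestRunner(verbosity=0).run(build_suite(selector))
    return {"selector": selector, "ran": result.testsRun,
            "failed": len(result.failures), "errors": len(result.errors)}


if __name__ == "__main__":
    print(run(sys.argv[1] if len(sys.argv) > 1 else "all"))
```
<br />
Because the tags live on the classes and methods rather than in a separate registry, a contributor adding a plugin only has to decorate its test class to make it show up under the right category.<br />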
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats.<br />
For example: sometimes 2 scans pass through the same port, one returns the server version and the other does not; we obviously do not want to lose the banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
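Features 2, 3 (item 3) and 4 above in working form, as an added example in Python (not OWTF's own utilities): two nmap XML outputs are merged without losing a banner seen by only one of them, the unique software banners are grouped by the host/port combinations that expose them, and every open port that speaks http becomes a URL target. The two scan results are constructed sample data, not real scan output.<br />
<br />
```python
"""Nmap XML merger, banner grouper and URL target builder (added example, not OWTF code)."""
import xml.etree.ElementTree as ET

# Constructed sample: scan A saw the version banner on port 80, scan B did not,
# and only scan B saw port 8443 and the second host.
SCAN_A = """<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.3"/></port>
</ports></host></nmaprun>"""
SCAN_B = """<nmaprun><host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="8443"><state state="open"/><service name="https" tunnel="ssl" product="Apache httpd" version="2.2.3"/></port>
</ports></host>
<host><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.4.6"/></port>
</ports></host></nmaprun>"""

FIELDS = ("state", "name", "product", "version", "tunnel")


def parse_nmap_xml(text):
    """Return {(addr, proto, port): {state, name, product, version, tunnel}} for every <port> element."""
    ports = {}
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            info = {"state": port.find("state").get("state")}
            for f in FIELDS[1:]:
                info[f] = svc.get(f, "") if svc is not None else ""
            ports[(addr, port.get("protocol"), int(port.get("portid")))] = info
    return ports


def merge(*scans):
    """Union of all scans; per field the first non-empty value is kept, so a banner seen once is never lost."""
    merged = {}
    for scan in scans:
        for key, info in scan.items():
            slot = merged.setdefault(key, {f: "" for f in FIELDS})
            for f, value in info.items():
                if value and not slot[f]:
                    slot[f] = value
    return merged


def banner(info):
    return " ".join(p for p in (info["product"], info["version"]) if p)


def unique_banners(merged):
    """Feature 3: banner -> sorted (addr, port) pairs exposing it; ports without a banner are skipped."""
    out = {}
    for (addr, _proto, port), info in merged.items():
        if banner(info):
            out.setdefault(banner(info), []).append((addr, port))
    return {b: sorted(pairs) for b, pairs in out.items()}


def http_targets(merged):
    """Feature 4: one URL per open TCP port whose service speaks http; https when the service is ssl-wrapped."""
    urls = []
    for (addr, proto, port), info in sorted(merged.items()):
        if proto != "tcp" or info["state"] != "open" or "http" not in info["name"]:
            continue
        secure = info["name"] == "https" or info["tunnel"] == "ssl"
        scheme, default_port = ("https", 443) if secure else ("http", 80)
        netloc = addr if port == default_port else f"{addr}:{port}"
        urls.append(f"{scheme}://{netloc}/")
    return urls


if __name__ == "__main__":
    merged = merge(parse_nmap_xml(SCAN_A), parse_nmap_xml(SCAN_B))
    for b, where in unique_banners(merged).items():
        print(b, "->", where)
    print(http_targets(merged))
```
<br />
The merge is order-independent for the fields that matter here, which is the property to test when extending it to the text and greppable formats: merging B into A must give the same banners as merging A into B.<br />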
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
Look at all URLs (i.e. from the nmap file), check if they might be running WordPress, and generate a list of suggested wp-scan commands for all targets that might be running WordPress<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
''' OWASP Mentors '''<br />
<br />
<br />
<br />
<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Example Idea ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel (johanna.curiel [at] owasp.org) and Simon Bennetts<br />
<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== Example Idea ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the pam module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' <br />
* [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
* John Jolly - Linux Kernel Engineer for SUSE Linux on IBM System z Mainframes (Development)<br />
<br />
<br />
== [[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] ==<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (weka toolkit), relying on permissions. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and to implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement, and possibly improve, the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge: how the GUI is presented and how the processes integrate with each other need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party apps can be integrated with OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and the API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for common users, where, by using the application, users can learn about the risks to their privacy and security. Some components already have some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor the user's behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn the user about risks when they do something risky. Also, a mobile security knowledge base that can be updated remotely would be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop web server where the knowledge base can be updated<br />
* Improve current educational reporting<br />
* Develop methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=GSOC2016_Ideas&diff=208556GSOC2016 Ideas2016-02-12T13:20:46Z<p>Nikola Milosevic: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderful 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Below is a list of proposed features.<br />
<br />
=== Example Idea===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successful OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create a virtual space for each user, so we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete: we need many features here and there to make it easily deployable and to improve its administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
<br />
== OWASP OWTF ==<br />
<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden in the situation where there are hundreds of issues listing Apache out of date or PHP out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta-aggregate these duplicate issues into one issue of "outdated software / Apache / PHP detected", with the XYZ list of issues inside it.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.<br />
* Vulnerability table optimization: combine redundant vulnerabilities. For example, PHP < 5.1, PHP < 5.2 and PHP < 5.3 all suggest upgrading PHP, so if multiple such issues are reported they should be combined.<br />
* Integration with existing bug tracking systems such as Bugzilla or Jira: should not be too hard, as all such systems expose one method or another (REST API or similar).<br />
* Fix validation: since we integrate with bug tracking, once the developer has fixed the bug and the code is deployed we can run specific checks via OWTF or another tool (maybe a specific Nessus or Nexpose plugin or similar).<br />
* Management dashboard: could be exposed to pentesters and higher management, where stats are shown with fewer details but more of a high-level overview.<br />
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
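The correlation, de-duplication and table-optimization steps above, as an added example in Python (not the OWTF VMS): findings are normalised into a fingerprint so that the same issue reported by two tools collapses into one, and "product < version" / "product out of date" findings for one host are rolled up into a single outdated-software issue that keeps the highest CVSS score and the list of child findings. The findings, hosts and scores are constructed sample data.<br />
<br />
```python
"""Vulnerability correlation and de-duplication for a VMS-style report (added example, not OWTF code)."""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    port: int
    title: str
    cvss: float
    source: str          # tool/plugin that reported it


@dataclass
class Issue:
    key: tuple
    title: str
    cvss: float
    children: list = field(default_factory=list)   # the original findings rolled into this issue


# Titles shaped like "PHP < 5.3" or "Apache out of date": product first, then a version or outdated marker.
OUTDATED = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)\s*(<=?|older than|out of date|outdated)", re.I)

# Constructed sample findings (hosts, titles and scores are made up).
SAMPLE = [
    Finding("10.0.0.5", 80, "PHP < 5.1", 7.5, "nikto"),
    Finding("10.0.0.5", 80, "PHP < 5.2", 6.8, "nikto"),
    Finding("10.0.0.5", 80, "PHP < 5.3", 9.3, "arachni"),
    Finding("10.0.0.5", 443, "PHP < 5.3", 9.3, "nikto"),
    Finding("10.0.0.5", 80, "Apache out of date", 5.0, "nikto"),
    Finding("10.0.0.5", 80, "Apache out of date", 5.0, "w3af"),           # exact duplicate from another tool
    Finding("10.0.0.6", 80, "Directory listing enabled", 4.3, "nikto"),
    Finding("10.0.0.6", 80, "Directory  listing  enabled", 4.3, "w3af"),  # same issue, sloppier whitespace
]


def fingerprint(f):
    """Same host/port/normalised title => the same vulnerability, whichever tool found it."""
    return (f.host, f.port, re.sub(r"\s+", " ", f.title.strip()).lower())


def rollup_key(f):
    """Outdated-software findings group per host and product; everything else groups by fingerprint."""
    m = OUTDATED.match(f.title)
    if m:
        return (f.host, "outdated-software", m.group("product").lower())
    return fingerprint(f)


def correlate(findings):
    """Return issues sorted by descending CVSS, duplicates merged and outdated-software findings rolled up."""
    issues = {}
    for f in findings:
        key = rollup_key(f)
        if key not in issues:
            if key[1] == "outdated-software":
                title = f"Outdated software detected: {OUTDATED.match(f.title).group('product')}"
            else:
                title = f.title
            issues[key] = Issue(key, title, f.cvss)
        issue = issues[key]
        issue.cvss = max(issue.cvss, f.cvss)                     # the parent carries the worst child score
        if fingerprint(f) not in {fingerprint(c) for c in issue.children}:
            issue.children.append(f)                              # exact duplicates are dropped here
    return sorted(issues.values(), key=lambda i: i.cvss, reverse=True)


def dashboard(issues):
    """High-level counts for the management view (CVSS v2 bands: high >= 7, medium >= 4, else low)."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for i in issues:
        counts["high" if i.cvss >= 7 else "medium" if i.cvss >= 4 else "low"] += 1
    return counts


if __name__ == "__main__":
    for issue in correlate(SAMPLE):
        print(f"{issue.cvss:4.1f}  {issue.title}  ({len(issue.children)} finding(s))")
    print(dashboard(correlate(SAMPLE)))
```
<br />
The roll-up key deliberately ignores the port: the page's point is that every "upgrade PHP" finding on a host is one remediation action, so the child list is where the per-port detail survives for the pentester.<br />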
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where no tool will do the job and you need to script something, or mess around with the command line (classic example: a sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests takes valuable time which the pentester might just not really have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
PARAM1=$(echo -n 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(echo -n 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
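The "http request in => curl command out" plugin together with the transform macros and the "--proxy" argument described above, as an added example in Python (not the OWTF translator): the raw request is parsed, boundary-delimited transforms are expanded (implemented here with Python's urllib and base64 rather than a php one-liner, so the generated command has no php dependency), and a curl command is built that sends exactly the headers given. Headers curl would add on its own are suppressed when the original request lacks them, which is the "as literally as possible" requirement. The transform names, the sample request and the scheme handling are assumptions for illustration.<br />
<br />
```python
"""Raw HTTP request -> literal curl command (added example, not OWTF code)."""
import shlex
from base64 import b64decode, b64encode
from urllib.parse import quote, unquote

# Headers curl adds by itself; "-H 'Name:'" (empty value) tells curl to send none.
CURL_DEFAULT_HEADERS = ("User-Agent", "Accept")

# Assumed macro names for the "name<boundary>value<boundary>" transforms.
TRANSFORMS = {
    "urlencode": lambda s: quote(s, safe=""),
    "urldecode": unquote,
    "base64encode": lambda s: b64encode(s.encode()).decode(),
    "base64decode": lambda s: b64decode(s.encode()).decode(),
}

# Constructed sample request carrying the page's urlencode macro.
SAMPLE_REQUEST = (
    "GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test HTTP/1.1\r\n"
    "Host: target.com\r\n"
    "User-Agent: X\r\n"
    "\r\n"
)


def apply_transforms(text, boundary):
    """Expand every macro; the transform name is the text immediately before the opening boundary."""
    if not boundary or boundary not in text:
        return text
    parts = text.split(boundary)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced transform boundary in request")
    out = parts[0]
    for i in range(1, len(parts), 2):
        name = next((n for n in TRANSFORMS if out.endswith(n)), None)
        if name is None:
            raise ValueError(f"no known transform name before boundary: ...{out[-20:]!r}")
        out = out[: -len(name)] + TRANSFORMS[name](parts[i]) + parts[i + 1]
    return out


def parse_request(raw):
    """Split a raw request into method, target, version, ordered headers and body (CRLF or LF accepted)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    request_line = lines[0].split()
    if len(request_line) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))   # order and duplicates are preserved
    method, target, version = request_line
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def to_curl(raw, proxy=None, boundary=None, scheme="http"):
    """Build the curl command line; every original header is passed through -H verbatim and in order."""
    req = parse_request(apply_transforms(raw, boundary))
    host = next((v for n, v in req["headers"] if n.lower() == "host"), None)
    if host is None:
        raise ValueError("request has no Host header, cannot build the URL")
    argv = ["curl", "-s", "-i", "-X", req["method"]]
    if req["version"] == "HTTP/1.0":
        argv.append("--http1.0")
    if proxy:
        argv += ["--proxy", proxy]            # e.g. route through OWTF/ZAP/Burp for inspection
    present = {n.lower() for n, _ in req["headers"]}
    for name in CURL_DEFAULT_HEADERS:
        if name.lower() not in present:
            argv += ["-H", f"{name}:"]       # the original had no such header, so curl must not add one
    if req["body"] and "content-type" not in present:
        argv += ["-H", "Content-Type:"]      # curl would otherwise add a form content type with --data-raw
    for name, value in req["headers"]:
        argv += ["-H", f"{name}: {value}"]
    if req["body"]:
        argv += ["--data-raw", req["body"]]  # unlike --data, a leading '@' is not read as a file name
    argv.append(f"{scheme}://{host}{req['target']}")
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print(to_curl(SAMPLE_REQUEST, proxy="127.0.0.1:1234", boundary="@@@@@@@"))
```
<br />
Quoting every argument with shlex.quote is what keeps a request body or header value containing quotes, spaces or shell metacharacters from changing the meaning of the generated command; the bash and python output plugins need the same care in their own syntax.<br />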
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
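The three fingerprinting techniques and the length-ambiguity challenge above, as an added example that is not OWTF's code: a hash hit is exact, a length hit may name several versions, and the banner regex is the fallback. The library entries, hashes and CVE ids are constructed placeholders.<br />
<br />
```python
"""Fingerprint a JavaScript file and list its known vulnerabilities.

Added example, not OWTF's code. Every library entry and CVE id below is a
constructed placeholder, not a real fingerprint.
"""
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float
    info: str


@dataclass
class Match:
    library: str
    version: str
    exact: bool   # True for a hash match, False for a length or banner match
    vulns: list   # Vuln objects, highest CVSS first


# Third technique from the list above: read the version from the banner comment.
BANNER_RE = re.compile(r"(?i)\b(jquery|knockout)\b[^0-9]{0,20}?v?(\d+\.\d+(?:\.\d+)?)")


@dataclass
class FingerprintDB:
    by_hash: dict = field(default_factory=dict)    # sha256 hex -> (library, version)
    by_length: dict = field(default_factory=dict)  # byte length -> {(library, version)}
    vulns: dict = field(default_factory=dict)      # (library, version) -> [Vuln]

    def add_file(self, library, version, content):
        """Record one known library file under both its hash and its length."""
        digest = hashlib.sha256(content).hexdigest()
        self.by_hash[digest] = (library, version)
        self.by_length.setdefault(len(content), set()).add((library, version))

    def add_vuln(self, library, version, vuln):
        self.vulns.setdefault((library, version), []).append(vuln)

    def describe(self, library, version, exact):
        """Build a Match with that version's vulnerabilities in descending CVSS order."""
        vulns = sorted(self.vulns.get((library, version), []),
                       key=lambda v: v.cvss, reverse=True)
        return Match(library, version, exact, vulns)

    def lookup(self, content=None, digest=None, length=None):
        """Candidate versions for a file, a hash or a length.

        A hash hit is authoritative and yields one exact match. Otherwise every
        version sharing the byte length is returned, flagged inexact, so the
        caller sees the ambiguity instead of a false certainty.
        """
        if content is not None:
            digest = hashlib.sha256(content).hexdigest()
            length = len(content)
        if digest in self.by_hash:
            return [self.describe(*self.by_hash[digest], exact=True)]
        return [self.describe(lib, ver, exact=False)
                for lib, ver in sorted(self.by_length.get(length, ()))]


def guess_from_banner(content):
    """Parse 'jQuery v1.8.3'-style banners; returns (library, version) or None."""
    found = BANNER_RE.search(content.decode("utf-8", errors="replace"))
    return (found.group(1).lower(), found.group(2)) if found else None


def scan_directory(db, directory):
    """Feature 5: look up every *.js file under a directory, banner as fallback."""
    report = {}
    for path in sorted(Path(directory).rglob("*.js")):
        content = path.read_bytes()
        matches = db.lookup(content=content)
        if not matches:
            guess = guess_from_banner(content)
            if guess:
                matches = [db.describe(*guess, exact=False)]
        report[str(path)] = matches
    return report


# Constructed sample database: two versions that deliberately share a length.
SAMPLE_DB = FingerprintDB()
SAMPLE_DB.add_file("jquery", "1.8.3", b"/* constructed jquery 1.8.3 */")
SAMPLE_DB.add_file("jquery", "1.9.0", b"/* constructed jquery 1.9.0 */")
SAMPLE_DB.add_vuln("jquery", "1.8.3", Vuln("CVE-0000-0001", 4.3, "placeholder"))
SAMPLE_DB.add_vuln("jquery", "1.8.3", Vuln("CVE-0000-0002", 6.1, "placeholder"))
```
<br />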
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
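Steps 2 to 6 above as an added example (not OWTF's code): a generator reads one transaction at a time into the four fields, and a registry of uploader plugins receives each record as it is parsed. The delimiter-based input format and the MemoryStore plugin standing in for the OWTF database are assumptions of this example, not any tool's real output.<br />
<br />
```python
"""Stream a tool's HTTP traffic into a pluggable uploader.
Added example, not OWTF's code. The delimiter format is constructed; a reader
for skipfish, w3af, etc. would replace read_transactions with the same output.
"""
import io
from dataclasses import dataclass


@dataclass
class Transaction:          # the four clearly defined fields from step 2
    request: str
    status: int
    headers: dict
    body: str


def read_transactions(lines):
    """Yield one Transaction at a time; only the record being built is in memory."""
    current = None   # record being assembled
    section = None   # "request", "headers" or "body"
    for raw in lines:
        line = raw.rstrip("\n")
        if line == "--- request":
            if current is not None:
                yield _finish(current)
            current = {"request": [], "status": None, "headers": {}, "body": []}
            section = "request"
        elif current is None:
            continue     # noise before the first record
        elif line.startswith("--- response "):
            current["status"] = int(line.split()[2])
            section = "headers"
        elif section == "request":
            current["request"].append(line)
        elif section == "headers":
            if line == "":
                section = "body"
            else:
                name, _, value = line.partition(":")
                current["headers"][name.strip()] = value.strip()
        else:
            current["body"].append(line)
    if current is not None:
        yield _finish(current)


def _finish(rec):
    if rec["status"] is None:
        raise ValueError("request without a response: %r" % rec["request"][:1])
    return Transaction("\n".join(rec["request"]).rstrip("\n"), rec["status"],
                       rec["headers"], "\n".join(rec["body"]).rstrip("\n"))


PLUGINS = {}   # plugin-based uploader system (steps 3 and 4): name -> class


def register(cls):
    PLUGINS[cls.name] = cls
    return cls


@register
class MemoryStore:
    """Stand-in for the OWTF database plugin: keeps the records in a list."""
    name = "memory"

    def __init__(self):
        self.records = []

    def upload(self, tx):
        self.records.append(tx)


def upload(source, plugin_name):
    """Push records one by one; source is a file, an iterable of lines or a str."""
    if isinstance(source, str):
        source = io.StringIO(source)
    plugin = PLUGINS[plugin_name]()
    count = 0
    for tx in read_transactions(source):   # never more than one record in memory
        plugin.upload(tx)
        count += 1
    return plugin, count


# Constructed sample: two exchanges in the delimiter format read above.
SAMPLE_LOG = """--- request
GET /login HTTP/1.1
Host: example.test
--- response 200
Content-Type: text/html
Set-Cookie: session=constructed; HttpOnly

<html>login form</html>
--- request
POST /login HTTP/1.1
--- response 302
Location: /home
"""
```
<br />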
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, completely detached from OWTF (a different process), to ensure the health of the assessment is kept in check at all times. This includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered, the OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project; these will be accomplished by sending OWTF API messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (e.g. once every 5 minutes?); if a URL in scope goes down the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the API to tell OWTF "this target is dead: freeze (stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments is that all disk space is used up and the scanning box becomes unresponsive or crashes. When this happens it is too late. The pentester may see this coming but wonder “which are the biggest files in the filesystem that I can delete?”; it is not ideal to have to look for these files at the moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP or other network connectivity goes down in the middle of a scan. This is often a very unfortunate situation, since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes certain tools (most notably, ahem, w3af) do NOT exit when they crash. This leaves OWTF in a difficult position where 1+ processes wait for nothing, forever (i.e. because “Tool X” will never finish).<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go berserk” with RAM/CPU/bandwidth consumption. This is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free”, and more like “if tool X is using > XYZ of the available RAM/CPU/bandwidth and this is (potentially) negatively affecting other tools/tests, then throttle it”.<br />
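The target monitor (Feature 3) as an added example that is not OWTF's code: a heartbeat per target, an alert when the first page's length changes, and a "target is dead" decision after a run of consecutive failures. The on_alert and on_freeze callbacks stand in for the OWTF API messages, and the scripted probe is a constructed stand-in for real HTTP requests.<br />
<br />
```python
"""Health Monitor feature 3: periodic target availability check.

Added example, not OWTF's code. The OWTF API calls are represented by the
on_alert / on_freeze callbacks, which is an assumption of this example.
"""
import time
import urllib.request
from typing import Optional


def http_probe(url, timeout=10):
    """Length of the first page, or None when the target is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return len(resp.read())
    except Exception:   # DNS failure, timeout, HTTP error, connection refused
        return None


class TargetState:
    def __init__(self, url):
        self.url = url
        self.last_length: Optional[int] = None
        self.failures = 0      # consecutive failed heartbeats
        self.frozen = False    # tests against this target have been frozen


class TargetMonitor:
    """Runs in its own process; decides per target whether it is dead."""

    def __init__(self, urls, probe=http_probe, on_alert=print, on_freeze=print,
                 max_failures=3):
        self.targets = [TargetState(u) for u in urls]
        self.probe = probe
        self.on_alert = on_alert
        self.on_freeze = on_freeze
        self.max_failures = max_failures   # misses in a row before "dead"

    def check_once(self):
        """One heartbeat round; returns the list of alert strings raised."""
        alerts = []
        for t in self.targets:
            if t.frozen:
                continue
            length = self.probe(t.url)
            if length is None:
                t.failures += 1
                alerts.append(f"{t.url} down ({t.failures}/{self.max_failures})")
                if t.failures >= self.max_failures:
                    t.frozen = True
                    # The API message the page describes: "this target is dead:
                    # freeze current tests, skip target in future tests".
                    self.on_freeze(t.url)
                    alerts.append(f"{t.url} declared dead, tests frozen")
            else:
                if t.last_length is not None and length != t.last_length:
                    alerts.append(f"{t.url} first page length changed "
                                  f"{t.last_length} -> {length}")
                t.failures = 0
                t.last_length = length
        for a in alerts:
            self.on_alert(a)
        return alerts

    def run(self, interval=60, rounds=None):
        """Heartbeat loop; rounds=None keeps going until interrupted."""
        done = 0
        while rounds is None or done < rounds:
            self.check_once()
            done += 1
            time.sleep(interval)


def make_scripted_probe(script):
    """Constructed stand-in for http_probe: canned lengths per URL, in order."""
    def probe(url):
        queue = script[url]
        return queue.pop(0) if queue else None
    return probe
```
<br />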
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently I tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because I ran out of space in the VM<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
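The disk space monitor (Feature 4 of the Health Monitor) and the pre-installation disk check in the note above share one helper, so both are shown in this added example, which is not OWTF's code. The thresholds and the constructed temporary file tree built by demo() are assumptions.<br />
<br />
```python
"""Disk space monitor (Health Monitor feature 4) and installation pre-check.

Added example, not OWTF's code. Threshold values and directories are
assumptions; the page only speaks of a "predefined threshold".
"""
import os
import shutil
import stat
import tempfile


def largest_files(roots, top=10):
    """Rank regular files under the given directories by size, largest first."""
    sizes = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path, follow_symlinks=False)
                except OSError:
                    continue   # vanished or unreadable: a tool may still be writing it
                if stat.S_ISREG(st.st_mode):
                    sizes.append((st.st_size, path))
    sizes.sort(reverse=True)
    return sizes[:top]


def free_bytes(path):
    """Free space on the partition holding `path`."""
    return shutil.disk_usage(path).free


def check_disk(review_dir, min_free_bytes, extra_dirs=(), top=10):
    """Return (ok, free_bytes, ranking).

    The ranking (what the pentester could delete) is only computed once the
    threshold is crossed, since walking tool directories is itself expensive.
    """
    free = free_bytes(review_dir)
    if free >= min_free_bytes:
        return True, free, []
    return False, free, largest_files([review_dir, *extra_dirs], top)


def preinstall_check(install_dir, required_bytes):
    """Installation note above: refuse to start if space is likely to run out."""
    free = free_bytes(install_dir)
    return free >= required_bytes, free


def format_ranking(ranking):
    """Lines for the CLI/GUI alert, largest file first."""
    return [f"{size:>12} B  {path}" for size, path in ranking]


def demo():
    """Constructed file tree in a temp dir; returns the values the checks produce."""
    base = tempfile.mkdtemp(prefix="owtf-disk-demo-")
    os.makedirs(os.path.join(base, "tool", "tmp"))
    for name, size in (("small.log", 10), ("tool/tmp/big.xml", 3000), ("mid.txt", 500)):
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(b"x" * size)
    ranking = largest_files([base], top=2)
    ok_fine, _, _ = check_disk(base, min_free_bytes=0)
    # 2**62 bytes is far beyond any disk, so this crosses the threshold.
    ok_low, _, low_ranking = check_disk(base, min_free_bytes=2 ** 62)
    shutil.rmtree(base)
    return [s for s, _ in ranking], ok_fine, ok_low, len(low_ranking)
```
<br />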
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and experience with unit tests and automated regression testing would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats<br />
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
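Features 2, 3 and 4 above as an added example that is not OWTF's code: merging nmap XML scans so a banner seen by one scan is never lost, collecting the unique banners with the ports affected, and turning every "speaks HTTP" port into a URL target. Only the XML format is handled, and the two scans of 192.0.2.10 are constructed samples.<br />
<br />
```python
"""Merge nmap XML scans without losing banners and derive URL targets.

Added example, not OWTF's code. Only nmap's XML format is handled; the text
and greppable formats would need their own readers. The two scans below are
constructed samples against a documentation-range address.
"""
import xml.etree.ElementTree as ET

FIELDS = ("state", "name", "product", "version", "tunnel")


def parse_nmap_xml(xml_text):
    """Return {(addr, proto, port): {state, name, product, version, tunnel}}."""
    scan = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            key = (addr_el.get("addr"), port.get("protocol"), int(port.get("portid")))
            state_el, svc = port.find("state"), port.find("service")
            info = dict.fromkeys(FIELDS, "")
            if state_el is not None:
                info["state"] = state_el.get("state", "")
            if svc is not None:
                for f in FIELDS[1:]:
                    info[f] = svc.get(f, "")
            scan[key] = info
    return scan


def merge_scans(*scans):
    """Union of several scans; a known banner is never overwritten by an empty one."""
    merged = {}
    for scan in scans:
        for key, info in scan.items():
            cur = merged.setdefault(key, dict.fromkeys(FIELDS, ""))
            for f, value in info.items():
                if f == "state":
                    # an "open" observation beats filtered/closed from another scan
                    if value == "open" or not cur["state"]:
                        cur["state"] = value
                elif value and not cur[f]:
                    cur[f] = value
    return merged


def unique_banners(merged):
    """Feature 3 input: each distinct product/version with the ports running it."""
    banners = {}
    for (addr, proto, port), info in sorted(merged.items()):
        if info["state"] == "open" and info["product"]:
            banner = (info["product"], info["version"])
            banners.setdefault(banner, []).append(f"{addr}:{port}/{proto}")
    return banners


def http_targets(merged):
    """Feature 4: every open port whose service speaks HTTP, as OWTF URL targets."""
    urls = []
    for (addr, proto, port), info in sorted(merged.items()):
        if proto != "tcp" or info["state"] != "open" or not info["name"].startswith("http"):
            continue
        https = info["tunnel"] == "ssl" or info["name"] == "https"
        scheme, default = ("https", 443) if https else ("http", 80)
        suffix = "" if port == default else f":{port}"
        urls.append(f"{scheme}://{addr}{suffix}/")
    return urls


# Constructed samples: the same host scanned twice with different options.
SCAN_A = """<nmaprun><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="tcp" portid="443"><state state="open"/>
      <service name="http" product="nginx" tunnel="ssl"/></port>
  </ports></host></nmaprun>"""

SCAN_B = """<nmaprun><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="Apache httpd" version="2.4.7"/></port>
    <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    <port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH" version="6.6.1p1"/></port>
  </ports></host></nmaprun>"""
```
<br />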
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. nmap file), check if they might be running WordPress, generate a list of suggested wp-scan commands for all targets that might be running WordPress<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and experience with unit tests and automated regression testing would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
''' OWASP Mentors '''<br />
<br />
<br />
<br />
<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Example Idea ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel (johanna.curiel [at] owasp.org) and Simon Bennetts<br />
<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== Example Idea ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to Java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the PAM module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' <br />
* [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
* John Jolly - Linux Kernel Engineer for SUSE Linux on IBM System z Mainframes (Development)<br />
<br />
<br />
== OWASP Seraphimdroid [[OWASP_SeraphimDroid_Project|OWASP_SeraphimDroid_Project]] ==<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (Weka toolkit) based on permissions. However, this is usually not enough and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community can provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way of presenting the GUI and the integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party apps can be integrated into OWASP Seraphimdroid through a provided API<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for common users, where, by using the application, users can learn about the risks to their privacy and security. Some components already have some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor the user's behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn the user about risks when they do something risky. Also, a mobile security knowledge base that can be updated remotely would be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop a web server from which the knowledge base can be updated<br />
* Improve the current educational reporting<br />
* Develop a methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=GSOC2016_Ideas&diff=208555GSOC2016 Ideas2016-02-12T13:19:41Z<p>Nikola Milosevic: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or IRC channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge of web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderful 2014 GSoC with 100 new challenges and a couple of new plugins, we're mainly looking to get new features in and maybe a couple of challenges. Below is a list of proposed features.<br />
<br />
=== Example Idea===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successful OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create a virtual space for each user, so we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete; we need many features here and there to make it easily deployable and to improve its administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now that we have a functioning prototype: we know that Linux Containers are quite safe, but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
<br />
== OWASP OWTF ==<br />
<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden in cases where there are hundreds of issues listing Apache out of date or PHP out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta-aggregate these duplicate issues into one issue of "outdated software / Apache / PHP detected", with the list of the individual issues attached to it.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), usable *both* from inside and outside of OWTF, in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine which allows quick identification of unique vulnerabilities and deduplication.<br />
* Vulnerability table optimization: combining redundant vulnerabilities. For example, PHP < 5.1, PHP < 5.2 and PHP < 5.3 all suggest upgrading PHP, so if multiple such issues are reported they should be combined.<br />
* Integration with existing bug tracking systems such as Bugzilla or JIRA: this should not be too hard, as all such systems expose one method or another (a REST API or similar).<br />
* Fix validation: since we integrate with bug tracking, once the developers have fixed the bug and the code is deployed, we can run specific checks via OWTF or another tool (maybe a specific Nessus or Nexpose plugin, or similar).<br />
* Management dashboard: could be exposed to pentesters and higher management, where stats are shown with fewer details but more of a high-level overview.<br />
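<br />
How the correlation and table-optimization rules above could behave, as an added Python sketch (not OWTF's or VMS's code): the findings, hosts and rules are constructed assumptions. The "PHP < x" duplicates on one host collapse into a single upgrade issue whose minimum version is the highest floor any of them reported.<br />

```python
import re
from collections import defaultdict

# Constructed sample findings as a scanner might report them (not OWTF output).
FINDINGS = [
    {"id": 1, "host": "www.example.test", "title": "PHP < 5.1 detected"},
    {"id": 2, "host": "www.example.test", "title": "PHP < 5.2 detected"},
    {"id": 3, "host": "www.example.test", "title": "PHP < 5.3 detected"},
    {"id": 4, "host": "api.example.test", "title": "Apache 2.2.x out of date"},
    {"id": 5, "host": "www.example.test", "title": "Apache 2.2.x out of date"},
    {"id": 6, "host": "www.example.test", "title": "Directory listing on /backup/"},
]

# Hypothetical correlation rules: a title pattern -> the software it is about.
# Group 1, when present, captures the version the finding wants upgraded past.
RULES = [
    (re.compile(r"^PHP\s*<\s*(\d+(?:\.\d+)*)", re.I), "PHP"),
    (re.compile(r"^Apache\b.*\bout of date", re.I), "Apache"),
]


def version_key(version):
    """'5.10' must sort after '5.9': compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def classify(title):
    """Return (software, version-or-None) for an 'outdated software' finding."""
    for pattern, software in RULES:
        match = pattern.search(title)
        if match:
            version = match.group(1) if match.groups() else None
            return software, version
    return None


def correlate(findings):
    """Merge per-host duplicates into one issue each; pass the rest through."""
    groups = defaultdict(list)
    others = []
    for finding in findings:
        result = classify(finding["title"])
        if result is None:
            others.append(finding)
            continue
        software, version = result
        groups[(finding["host"], software)].append((finding, version))
    merged = []
    for (host, software), members in sorted(groups.items()):
        versions = [v for _, v in members if v]
        floor = max(versions, key=version_key) if versions else None
        merged.append({
            "host": host,
            "title": "Outdated software detected: %s" % software,
            "minimum_version": floor,
            "recommendation": "Upgrade %s%s" % (
                software, " to %s or later" % floor if floor else ""),
            "evidence": [f["id"] for f, _ in members],  # original issue ids
        })
    return merged, others


if __name__ == "__main__":
    merged_issues, passthrough = correlate(FINDINGS)
    for issue in merged_issues:
        print(issue)
    print("unchanged:", [f["id"] for f in passthrough])
```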
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where no tool will do the job and you need to script something, or mess around with the command line (classic example: a sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests takes valuable time which the pentester might just not have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP request + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
 #!/bin/bash<br />
 <br />
 # printf (not echo) so that no trailing newline is fed to urlencode()<br />
 PARAM1=$(printf '%s' 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
 curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
 PARAM1=$(printf '%s' 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
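<br />
The translator's core behaviour as an added Python sketch (not OWTF's or the project's code): parse a raw request, emit a curl command that reproduces every header literally and suppresses curl's own defaults, and expand the @@@@@@@ transform boundary from the example above. The sample request, the function names, the transform table and the proxy option are assumptions; the urlencode transform here uses %20 rather than "+" because the value lands in a path segment.<br />

```python
import base64
import re
import shlex
from urllib.parse import quote

# Constructed sample request (not captured from any real system); the path
# carries one urlencode transform delimited by the boundary string.
RAW_REQUEST = (
    "POST /path/to/urlencode@@@@@@@abc d@@@@@@@/test HTTP/1.1\r\n"
    "Host: target.com\r\n"
    "User-Agent: X\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "a=1&b=2"
)

BOUNDARY = "@@@@@@@"  # value of the hypothetical --transform-boundary flag

# Transform name (the word before the first boundary) -> function.
TRANSFORMS = {
    "urlencode": lambda s: quote(s, safe=""),  # rawurlencode semantics
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
}


def parse_raw_request(raw):
    """Split a raw HTTP request into method, path, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    # A transform value may contain spaces, so take the version off the end
    # rather than splitting the request line on every space.
    method, rest = lines[0].split(" ", 1)
    path, _version = rest.rsplit(" ", 1)
    headers = []  # list of tuples keeps order and duplicates intact
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, headers, body


def apply_transforms(text, boundary=BOUNDARY):
    """Replace name<boundary>value<boundary> with the transformed value."""
    pattern = re.compile(
        r"(\w+)" + re.escape(boundary) + r"(.*?)" + re.escape(boundary))

    def substitute(match):
        name, value = match.group(1), match.group(2)
        if name not in TRANSFORMS:
            raise ValueError("unknown transform: %s" % name)
        return TRANSFORMS[name](value)

    return pattern.sub(substitute, text)


def to_curl(raw, proxy=None):
    """Build a curl command that sends the request as literally as possible."""
    method, path, headers, body = parse_raw_request(raw)
    present = {name.lower() for name, _ in headers}
    parts = ["curl", "-X", method]
    for name, value in headers:
        parts += ["-H", "%s: %s" % (name, apply_transforms(value))]
    # curl adds User-Agent and Accept on its own; an empty value suppresses
    # them so that ONLY the headers of the original request go on the wire.
    for default in ("User-Agent", "Accept"):
        if default.lower() not in present:
            parts += ["-H", "%s:" % default]
    if body:
        parts += ["--data-binary", apply_transforms(body)]
    if proxy:
        parts += ["--proxy", proxy]  # the hypothetical --proxy flag
    host = dict((n.lower(), v) for n, v in headers).get("host", "")
    parts.append("http://%s%s" % (host, apply_transforms(path)))
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    print(to_curl(RAW_REQUEST, proxy="127.0.0.1:8008"))
```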
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth a look for possible overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
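<br />
The three fingerprinting techniques and the length-collision challenge above, as an added Python sketch that is not the project's code: the sample library files, their version banners and the vulnerability records are all constructed placeholders (the ids are not real CVEs), and the function names are assumptions.<br />

```python
import hashlib
import re

# Constructed sample library files (stand-ins for real jQuery/knockout builds).
# The first two differ only in version digits, so their lengths collide.
SAMPLE_FILES = {
    "lib-a-1.0.0.js": b"/*! lib-a v1.0.0 */ function a(){return 1}\n",
    "lib-a-1.1.0.js": b"/*! lib-a v1.1.0 */ function a(){return 2}\n",
    "lib-b-2.3.1.min.js": b"/*! lib-b v2.3.1 */function b(){}\n",
}

# Constructed vulnerability records; the ids are placeholders, not real CVEs.
VULN_DB = {
    ("lib-a", "1.0.0"): [
        {"id": "EXAMPLE-0001", "cvss": 4.3, "info": "reflected XSS in a helper"},
        {"id": "EXAMPLE-0002", "cvss": 7.5, "info": "prototype pollution"},
    ],
    ("lib-a", "1.1.0"): [
        {"id": "EXAMPLE-0002", "cvss": 7.5, "info": "prototype pollution"},
    ],
}

# Technique 1: grab the version from the file's own banner comment.
BANNER_RE = re.compile(rb"/\*!\s*([\w-]+)\s+v(\d+\.\d+\.\d+)")


def parse_banner(content):
    match = BANNER_RE.search(content)
    if match is None:
        return None
    return match.group(1).decode(), match.group(2).decode()


def build_fingerprint_db(files):
    """Index known files by SHA-256 (technique 2) and by length (technique 3)."""
    by_hash, by_length = {}, {}
    for content in files.values():
        ident = parse_banner(content)
        if ident is None:
            continue
        by_hash[hashlib.sha256(content).hexdigest()] = ident
        # Lengths are not unique: keep every candidate instead of the last one.
        by_length.setdefault(len(content), []).append(ident)
    return {"hash": by_hash, "length": by_length}


def identify(db, content=None, sha256=None, length=None):
    """Return (library, version, confidence) or None; a hash hit always wins."""
    if content is not None:
        sha256 = hashlib.sha256(content).hexdigest()
        length = len(content)
    if sha256 in db["hash"]:
        lib, ver = db["hash"][sha256]
        return lib, ver, "exact"
    candidates = db["length"].get(length, [])
    if len(candidates) == 1:  # an ambiguous length is reported as no match
        lib, ver = candidates[0]
        return lib, ver, "length-only"
    return None


def vulnerabilities_for(lib, version):
    """Known issues for one library version, highest CVSS score first."""
    return sorted(VULN_DB.get((lib, version), []),
                  key=lambda v: v["cvss"], reverse=True)


def report(db, content):
    """What the tool would hand back for one JavaScript file."""
    ident = identify(db, content=content)
    if ident is None:
        return None
    lib, ver, confidence = ident
    return {"library": lib, "version": ver, "confidence": confidence,
            "vulnerabilities": vulnerabilities_for(lib, ver)}


DB = build_fingerprint_db(SAMPLE_FILES)

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        print(name, report(DB, content))
```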
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
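<br />
The plugin-based, read-and-push-1-by-1 design above as an added Python sketch (not OWTF's code): the input format is a made-up one-JSON-object-per-line dump, the parser and uploader registries are assumptions, and the in-memory uploader stands in for the OWTF database plugin. The parser is a generator, so a corrupt or incomplete line is skipped without aborting the import and the file is never loaded whole.<br />

```python
import io
import json

# Constructed sample dump in a made-up one-JSON-object-per-line format; real
# skipfish/w3af/arachni output looks different and needs its own parser plugin.
SAMPLE_DUMP = "\n".join([
    json.dumps({"request": "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
                "status": 200, "headers": {"Content-Type": "text/html"},
                "body": "<html>home</html>"}),
    json.dumps({"request": "GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n",
                "status": 404, "headers": {"Content-Type": "text/html"},
                "body": "not found"}),
    "this line is corrupt and must not abort the whole import",
    json.dumps({"request": "GET /x HTTP/1.1\r\n\r\n", "status": 200}),
]) + "\n"

# The four clearly defined fields every parser plugin must produce.
REQUIRED_FIELDS = ("request", "status", "headers", "body")

PARSERS = {}    # format name -> generator function (parser plugin registry)
UPLOADERS = {}  # destination name -> Uploader subclass (uploader plugin registry)


def parser_plugin(name):
    def register(func):
        PARSERS[name] = func
        return func
    return register


def uploader_plugin(name):
    def register(cls):
        UPLOADERS[name] = cls
        return cls
    return register


@parser_plugin("jsonl")
def parse_jsonl(stream):
    """Yield (transaction, error) one line at a time; never reads the file whole."""
    for lineno, line in enumerate(stream, 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            yield None, "line %d: not valid JSON" % lineno
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing or not isinstance(record["status"], int):
            yield None, "line %d: missing %s or non-integer status" % (lineno, missing)
            continue
        yield {f: record[f] for f in REQUIRED_FIELDS}, None


class Uploader:
    """Base class for uploader plugins: one transaction per call, no batching."""
    def upload(self, transaction):
        raise NotImplementedError


@uploader_plugin("memory")
class MemoryUploader(Uploader):
    """Stand-in for the OWTF-database plugin: keeps the rows in a list."""
    def __init__(self):
        self.rows = []

    def upload(self, transaction):
        self.rows.append(transaction)


def run_import(fmt, stream, destination):
    """Stream transactions from `stream` into the chosen uploader, 1-by-1."""
    uploader = UPLOADERS[destination]()
    stats = {"uploaded": 0, "skipped": 0, "errors": []}
    for transaction, error in PARSERS[fmt](stream):
        if transaction is None:
            stats["skipped"] += 1
            stats["errors"].append(error)
            continue
        uploader.upload(transaction)
        stats["uploaded"] += 1
    return uploader, stats


def sample_stream():
    """The constructed dump as a file-like object (a real run would open a file)."""
    return io.StringIO(SAMPLE_DUMP)


def import_sample():
    return run_import("jsonl", sample_stream(), "memory")


if __name__ == "__main__":
    _, summary = import_sample()
    print(summary)
```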
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered, the OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project; these will be accomplished by sending OWTF API messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (i.e. once every 5 minutes?); if a URL in scope goes down, the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient that:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments is that all disk space gets used and the scanning box becomes unresponsive or crashes. When this happens it is too late; the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, and it is not ideal to have to look for these files at a moment when the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP or other connectivity goes down in the middle of a scan; this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af) do NOT exit when they crash. This leaves OWTF in a difficult position where 1+ processes wait for nothing, forever (i.e. because “Tool X” will never finish).<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go berserk” with RAM/CPU/Bandwidth consumption. This is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth and this is (potentially) negatively affecting other tools/tests, then throttle it”.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently I tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because I ran out of space in the VM<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
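<br />
The category selection described above (run "only web plugins", "only this plugin", or "all"), as an added example built on the standard <code>unittest</code> library; this is illustrative code, not OWTF's own framework, and the tagged test cases and the <code>parse_header</code> function under test are hypothetical stand-ins:<br />
<br />
```python
"""Category-tagged unittest cases plus a loader that runs only a chosen category.

Added example (not OWTF code): shows one way to get "test all", "test only web
plugins" and "test only this plugin" out of plain unittest.
"""
import io
import unittest


def category(*names):
    """Tag a TestCase class or a single test method with one or more categories."""
    def deco(obj):
        obj.categories = set(names)
        return obj
    return deco


def parse_header(line):
    """Hypothetical function under test: split 'Name: value' into a tuple."""
    name, _, value = line.partition(":")
    return name.strip(), value.strip()


@category("web-plugins")
class TestWebPlugin(unittest.TestCase):
    def test_header_parse(self):
        self.assertEqual(parse_header("Server: nginx"), ("Server", "nginx"))


@category("aux-plugins")
class TestAuxPlugin(unittest.TestCase):
    def test_header_whitespace(self):
        self.assertEqual(parse_header("Server:  nginx "), ("Server", "nginx"))


@category("core")
class TestCore(unittest.TestCase):
    def test_header_without_value(self):
        self.assertEqual(parse_header("X-Empty:"), ("X-Empty", ""))

    @category("slow")  # method-level tag: "core" from the class plus "slow"
    def test_many_headers(self):
        for i in range(100):
            self.assertEqual(parse_header(f"H{i}: v{i}"), (f"H{i}", f"v{i}"))


# In a real framework this list would be discovered, e.g. one module per plugin.
TEST_CASES = [TestWebPlugin, TestAuxPlugin, TestCore]


def select_tests(categories):
    """Build a suite with only the tests whose class or method carries a wanted category.

    The special category "all" selects everything (plugins + core).
    """
    wanted = set(categories)
    loader = unittest.TestLoader()
    selected = unittest.TestSuite()
    for case in TEST_CASES:
        for test in loader.loadTestsFromTestCase(case):
            cls_cats = getattr(case, "categories", set())
            method = getattr(test, test._testMethodName)
            meth_cats = getattr(method, "categories", set())
            if "all" in wanted or wanted & (cls_cats | meth_cats):
                selected.addTest(test)
    return selected


def run_category(*categories):
    """Run the selected categories quietly; return (tests run, failures + errors)."""
    runner = unittest.TextTestRunner(stream=io.StringIO(), verbosity=0)
    result = runner.run(select_tests(categories))
    return result.testsRun, len(result.failures) + len(result.errors)


if __name__ == "__main__":
    print("web-plugins:", run_category("web-plugins"))
    print("all:", run_category("all"))
```
<br />
A statistics or log layer would hang off <code>result.failures</code> and <code>result.errors</code>, which carry the traceback text for each failed test.<br />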
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats<br />
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
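<br />
Feature 2 (merging nmap output without losing banners) and Feature 4 (turning "speaks http" ports into URL targets) both start from the same nmap XML parsing, so here is one added example covering both; it is illustrative code, not an OWTF utility, and the two scan documents are constructed samples in nmap's XML layout (the text and greppable formats would need their own readers):<br />
<br />
```python
"""Merge nmap XML scans without losing banner data, then derive HTTP URL targets.

Added example, not OWTF code. SCAN_A and SCAN_B are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed: both scans saw port 80, but only the second one got a version banner.
SCAN_A = """<?xml version="1.0"?>
<nmaprun>
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
    </ports>
  </host>
</nmaprun>"""

SCAN_B = """<?xml version="1.0"?>
<nmaprun>
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https" tunnel="ssl"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Yield (addr, protocol, port, service_attrs) for every open port in an nmap XML document."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = dict(svc.attrib) if svc is not None else {}
            yield addr_el.get("addr"), port.get("protocol"), int(port.get("portid")), attrs


def merge_scans(*xml_texts):
    """Merge scans per (addr, protocol, port).

    A later scan only fills in attributes the earlier ones left empty, so a banner seen
    once is never lost and an earlier non-empty value is never silently overwritten.
    """
    merged = {}
    for xml_text in xml_texts:
        for addr, proto, portid, attrs in parse_nmap_xml(xml_text):
            existing = merged.setdefault((addr, proto, portid), {})
            for key, value in attrs.items():
                if value and not existing.get(key):
                    existing[key] = value
    return merged


HTTP_SERVICE_NAMES = {"http", "https", "http-proxy", "http-alt"}


def url_targets(merged):
    """Turn merged HTTP-speaking TCP ports into a sorted list of URL targets."""
    urls = []
    for (addr, proto, portid), attrs in sorted(merged.items()):
        name = attrs.get("name", "")
        if proto != "tcp" or name not in HTTP_SERVICE_NAMES:
            continue
        # nmap reports TLS either as name="https" or as name="http" tunnel="ssl"
        scheme = "https" if name == "https" or attrs.get("tunnel") == "ssl" else "http"
        default_port = 443 if scheme == "https" else 80
        port_part = "" if portid == default_port else f":{portid}"
        urls.append(f"{scheme}://{addr}{port_part}/")
    return urls


if __name__ == "__main__":
    merged = merge_scans(SCAN_A, SCAN_B)
    for key, attrs in sorted(merged.items()):
        print(key, attrs)
    print(url_targets(merged))
```
<br />
The merge keeps the first non-empty value per attribute; when two scans disagree on a banner (not just one being empty), a real tool should keep both and flag the conflict rather than pick silently.<br />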
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. from an nmap file), check if they might be running WordPress, and generate a list of suggested wp-scan commands for all targets that might be running WordPress<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
''' OWASP Mentors '''<br />
<br />
<br />
<br />
<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Example Idea ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data, so this becomes pluggable<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel (johanna.curiel [at] owasp.org) and Simon Bennetts<br />
<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== Example Idea ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the pam module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' <br />
* [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
* John Jolly - Linux Kernel Engineer for SUSE Linux on IBM System z Mainframes (Development)<br />
<br />
<br />
== OWASP Seraphimdroid ==<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (Weka toolkit) based on requested permissions. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement, and possibly improve, the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project]] is a well-rounded security and privacy app; however, it lacks some components that the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. Integrating external components into an Android app may be a challenge: how the GUI is presented and how the processes integrate with each other need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine ways of integrating third-party apps into OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for common users, where, by using the application, users can learn about risks to their privacy and security. Some components already have some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor the user's behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn users about risks when they do something risky. Also, a mobile security knowledge base that can be updated remotely would be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop web server where the knowledge base can be updated<br />
* Improve current educational reporting<br />
* Develop methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=GSOC2016_Ideas&diff=208554GSOC2016 Ideas2016-02-12T13:18:59Z<p>Nikola Milosevic: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderful 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Below is a list of proposed features.<br />
<br />
=== Example Idea===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successful OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create a virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete; we need many features here and there to make it easily deployable and to improve its administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
<br />
== OWASP OWTF ==<br />
<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta-aggregate these duplicate issues into one issue, "outdated software / apache / php detected", with the XYZ list of individual issues inside it.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine, which will allow quick identification of unique vulnerabilities and deduplication.<br />
* Vulnerability table optimization: combining redundant vulnerabilities. For example, PHP < 5.1, PHP < 5.2 and PHP < 5.3 all suggest upgrading PHP, so if multiple such issues are reported they should be combined.<br />
* Integration with existing bug tracking systems such as Bugzilla or JIRA: this should not be too hard, as all such systems expose one method or another (a REST API or similar).<br />
* Fix validation: since we integrate with bug tracking, once the developer has fixed the bug and the code is deployed we can run specific checks via OWTF or another tool (maybe a specific Nessus or Nexpose plugin or similar).<br />
* Management dashboard: could be exposed to pentesters and higher management, where stats are shown with fewer details but more of a high-level overview.<br />
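<br />
The correlation and table-optimization steps above, as an added example (not VMS or OWTF code): "Software < version" findings are grouped per software into one issue that records the highest version bound, the affected hosts and the original finding ids as evidence, and the resulting table is sorted by CVSS descending. The findings list is a constructed sample, not real scanner output:<br />
<br />
```python
"""Collapse redundant 'outdated software' findings into one issue per software.

Added example, not OWTF/VMS code. FINDINGS is a constructed sample.
"""
import re
from collections import defaultdict

# Constructed findings in the shape a scanner export might have (id, title, host, CVSS).
FINDINGS = [
    {"id": 1, "title": "PHP < 5.1 multiple vulnerabilities", "host": "10.0.0.5", "cvss": 7.5},
    {"id": 2, "title": "PHP < 5.2 multiple vulnerabilities", "host": "10.0.0.5", "cvss": 6.8},
    {"id": 3, "title": "PHP < 5.3 multiple vulnerabilities", "host": "10.0.0.6", "cvss": 5.0},
    {"id": 4, "title": "Apache < 2.2.15 multiple vulnerabilities", "host": "10.0.0.5", "cvss": 4.3},
    {"id": 5, "title": "SQL injection in /login", "host": "10.0.0.5", "cvss": 9.8},
]

# Matches titles of the form "<software> < <version>" and captures both parts.
OUTDATED_RE = re.compile(r"^(?P<software>[A-Za-z][\w .-]*?)\s*<\s*(?P<version>\d+(?:\.\d+)*)")


def version_key(version):
    """Compare dotted versions numerically: (5, 10) > (5, 9), unlike string order."""
    return tuple(int(part) for part in version.split("."))


def correlate(findings):
    """Group 'X < version' findings per software; pass everything else through unchanged.

    Returns the issue table sorted by CVSS descending, so the maximum-impact issues come first.
    """
    groups = defaultdict(list)
    issues = []
    for finding in findings:
        match = OUTDATED_RE.match(finding["title"])
        if match:
            groups[match.group("software").strip()].append((match.group("version"), finding))
        else:
            issues.append({
                "title": finding["title"],
                "hosts": [finding["host"]],
                "cvss": finding["cvss"],
                "evidence": [finding["id"]],
            })
    for software, items in groups.items():
        # The highest "< version" bound is the one any fix must reach, so recommend that.
        newest = max((version for version, _ in items), key=version_key)
        issues.append({
            "title": f"Outdated software: {software} detected (upgrade to >= {newest})",
            "hosts": sorted({f["host"] for _, f in items}),
            # The merged issue inherits the worst CVSS of its members; nothing is downgraded.
            "cvss": max(f["cvss"] for _, f in items),
            "evidence": sorted(f["id"] for _, f in items),
        })
    issues.sort(key=lambda issue: issue["cvss"], reverse=True)
    return issues


if __name__ == "__main__":
    for issue in correlate(FINDINGS):
        print(f'{issue["cvss"]:>4}  {issue["title"]}  hosts={issue["hosts"]}  evidence={issue["evidence"]}')
```
<br />
Keeping the <code>evidence</code> ids means the bug-tracker ticket created for the merged issue can still link back to every original finding, which is what fix validation later needs.<br />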
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
1) performs the request<br />
<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here, is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP requests + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
# printf (rather than echo) avoids feeding a trailing newline into urlencode<br />
PARAM1=$(printf '%s' 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(printf '%s' 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
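<br />
One way the "http request in => curl command out" plugin, the "--proxy" / "--string-search" / "--regex-search" arguments and the boundary transforms above could fit together, as an added example; it is not the HTTP Request Translator's code. The raw request is a constructed sample, the transform here is done in Python rather than by shelling out to php, and the header handling makes the point the brief calls CRITICAL: only the headers in the request are sent, so curl's own defaults (User-Agent, Accept, and Content-Type when a body is present) are explicitly suppressed with an empty-value header:<br />
<br />
```python
"""Translate a raw HTTP request into a curl command that sends it as literally as possible.

Added example, not OWTF's http-request-translator. RAW_REQUEST is constructed.
"""
import base64
import re
import shlex
from urllib.parse import quote

# Constructed: the path carries a urlencode transform delimited by the boundary "@@@@@@@".
RAW_REQUEST = (
    "POST /path/to/urlencode@@@@@@@abc d@@@@@@@/test HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: X\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=a&pass=b"
)

TRANSFORMS = {
    "urlencode": lambda s: quote(s, safe=""),
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
}

# Headers curl adds by itself; "-H 'Name:'" (empty value) tells curl to leave them out.
CURL_DEFAULT_HEADERS = ("User-Agent", "Accept")


def apply_transforms(text, boundary):
    """Replace NAME<boundary>value<boundary> macros with the transformed value."""
    if not boundary:
        return text
    b = re.escape(boundary)
    pattern = re.compile(r"(urlencode|base64)" + b + r"(.*?)" + b)
    return pattern.sub(lambda m: TRANSFORMS[m.group(1)](m.group(2)), text)


def parse_request(raw):
    """Split a raw request into (method, path, [(name, value)...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name, value.strip()))
    return method, path, headers, body


def to_curl(raw, scheme="http", proxy=None, string_search=None, regex_search=None, boundary=None):
    """Build the curl command line; every header is sent exactly as it appeared in the request."""
    method, path, headers, body = parse_request(apply_transforms(raw, boundary))
    host = next(value for name, value in headers if name.lower() == "host")
    cmd = ["curl", "-s", "-i", "-X", method]
    if proxy:
        cmd += ["-x", proxy]  # e.g. an intercepting proxy such as OWTF, ZAP or Burp
    present = {name.lower() for name, _ in headers}
    for name in CURL_DEFAULT_HEADERS + (("Content-Type",) if body else ()):
        if name.lower() not in present:
            cmd += ["-H", name + ":"]
    for name, value in headers:
        cmd += ["-H", f"{name}: {value}"]
    if body:
        cmd += ["--data-binary", body]
    cmd.append(f"{scheme}://{host}{path}")
    line = " ".join(shlex.quote(part) for part in cmd)
    if string_search:
        line += " | grep -F -- " + shlex.quote(string_search)
    elif regex_search:
        line += " | grep -E -- " + shlex.quote(regex_search)
    return line


if __name__ == "__main__":
    print(to_curl(RAW_REQUEST, proxy="127.0.0.1:8080", string_search="Welcome", boundary="@@@@@@@"))
```
<br />
Each output format (bash, python, ruby, ...) would be a further function taking the same <code>(method, path, headers, body)</code> tuple, which is the natural seam for the plugin architecture the brief asks for.<br />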
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Potential projects worth having a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
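<br />
The three fingerprinting techniques just listed, applied in decreasing order of confidence (hash, then length, then parsing the version string), together with the "vulnerabilities sorted by descending CVSS" lookup that Feature 1 and Feature 3 of the tool utilities module and items 3) to 5) of this project all ask for, as one added example. This is illustrative code, not the JavaScript Library Sniper: the library "files" are short constructed byte strings rather than real jQuery sources, and the vulnerability records use obviously placeholder CVE ids:<br />
<br />
```python
"""Fingerprint a JavaScript file by hash, length or version string; list issues by CVSS.

Added example, not OWTF code. Library files and vulnerability records are constructed.
"""
import hashlib
import re

# Constructed stand-ins for library files (real ones are far larger).
LIBRARY_FILES = {
    ("jquery", "1.8.3", "jquery-1.8.3.min.js"):
        b"/*! jQuery v1.8.3 jquery.com | jquery.org/license */(function(){/* ...body... */})();",
    ("jquery", "3.5.1", "jquery-3.5.1.min.js"):
        b"/*! jQuery v3.5.1 | (c) JS Foundation | jquery.org/license */(function(){/* ...longer body... */})();",
}

# Constructed vulnerability database; CVE ids are placeholders, not real advisories.
VULN_DB = {
    ("jquery", "1.8.3"): [
        {"cve": "CVE-0000-PLACEHOLDER-A", "cvss": 6.1, "info": "placeholder medium-severity issue"},
        {"cve": "CVE-0000-PLACEHOLDER-B", "cvss": 9.8, "info": "placeholder critical issue"},
    ],
    ("jquery", "3.5.1"): [],
}

# Version-string patterns per library, used as the last-resort technique.
VERSION_PATTERNS = {"jquery": re.compile(rb"jQuery v(\d+\.\d+\.\d+)")}


def build_fingerprint_db(files):
    """Index library files by SHA-256 and by length (lengths may collide, hashes should not)."""
    by_hash, by_length = {}, {}
    for (lib, ver, name), data in files.items():
        by_hash[hashlib.sha256(data).hexdigest()] = (lib, ver, name)
        by_length.setdefault(len(data), []).append((lib, ver, name))
    return by_hash, by_length


def identify(data, by_hash, by_length):
    """Return (library, version, confidence) or None, trying the strongest technique first."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in by_hash:
        lib, ver, _ = by_hash[digest]
        return lib, ver, "exact-hash"
    candidates = by_length.get(len(data), [])
    if len(candidates) == 1:  # a unique length is a hint, not proof (minified vs. patched copies)
        lib, ver, _ = candidates[0]
        return lib, ver, "length-only"
    for lib, pattern in VERSION_PATTERNS.items():
        match = pattern.search(data)
        if match:
            return lib, match.group(1).decode(), "version-string"
    return None


def vulns_for(lib, ver, vuln_db):
    """Known issues for a library version, highest CVSS first."""
    return sorted(vuln_db.get((lib, ver), []), key=lambda v: v["cvss"], reverse=True)


def scan_files(files_data, by_hash, by_length, vuln_db):
    """Item 5): identify many files at once and attach their vulnerability lists."""
    report = {}
    for name, data in files_data.items():
        ident = identify(data, by_hash, by_length)
        if ident:
            lib, ver, confidence = ident
            report[name] = {"library": lib, "version": ver, "confidence": confidence,
                            "vulns": vulns_for(lib, ver, vuln_db)}
    return report


if __name__ == "__main__":
    by_hash, by_length = build_fingerprint_db(LIBRARY_FILES)
    sample = {name: data for (_, _, name), data in LIBRARY_FILES.items()}
    for name, entry in scan_files(sample, by_hash, by_length, VULN_DB).items():
        print(name, entry["library"], entry["version"], entry["confidence"],
              [v["cve"] for v in entry["vulns"]])
```
<br />
The <code>confidence</code> field matters for reporting: a length-only or version-string match should be shown as "possible" rather than asserted, which is exactly the gap the "closest commit" challenge below is meant to close.<br />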
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first; you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory. This is OWTF; we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
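As an added illustration of steps 2 to 6 (not code from OWTF or its authors): a plugin-based uploader that streams records out of a tool's output file one at a time instead of loading the file into memory. The reader and uploader registries and the <entry> XML layout are assumptions constructed for the example; a real reader plugin would implement the actual skipfish or w3af output format.<br />

```python
"""Plugin-based, streaming HTTP traffic uploader (added example, not OWTF code).

A *reader* plugin turns a tool's output file into a stream of records carrying
the four fields from step 2; an *uploader* plugin pushes each record as it is
read, so the file never has to fit in memory.  The <entry> XML layout below is
a constructed stand-in for a real tool format such as skipfish or w3af output.
"""
import io
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterator, List, Type, TypedDict


class TrafficRecord(TypedDict):
    request: str                # full HTTP request (request line + headers + body)
    status: int                 # HTTP response status code
    headers: Dict[str, str]     # HTTP response headers
    body: str                   # HTTP response body


class Uploader:
    """Interface every uploader plugin implements."""
    def push(self, rec: TrafficRecord) -> None:
        raise NotImplementedError


READERS: Dict[str, Callable[[io.IOBase], Iterator[TrafficRecord]]] = {}
UPLOADERS: Dict[str, Type[Uploader]] = {}


def reader(name: str):
    """Register a reader plugin under a tool name."""
    def deco(fn):
        READERS[name] = fn
        return fn
    return deco


def uploader(name: str):
    """Register an uploader plugin under a destination name."""
    def deco(cls):
        UPLOADERS[name] = cls
        return cls
    return deco


@reader("toyxml")
def read_toyxml(fh) -> Iterator[TrafficRecord]:
    """Stream <entry> elements with iterparse, freeing each one after it is yielded."""
    for _event, elem in ET.iterparse(fh, events=("end",)):
        if elem.tag != "entry":
            continue
        headers = {h.get("name", ""): (h.text or "") for h in elem.iter("header")}
        yield TrafficRecord(
            request=elem.findtext("request", ""),
            status=int(elem.findtext("status", "0")),
            headers=headers,
            body=elem.findtext("body", ""),
        )
        elem.clear()  # drop the subtree; only an empty shell stays attached to the root


@uploader("owtf_db")
class OwtfDbUploader(Uploader):
    """The ONE plugin from step 4, as an in-memory stand-in for an INSERT into the OWTF DB."""
    def __init__(self) -> None:
        self.rows: List[TrafficRecord] = []

    def push(self, rec: TrafficRecord) -> None:
        self.rows.append(rec)


def upload(reader_name: str, uploader_name: str, fh) -> Uploader:
    """Read and push one record at a time (step 6); returns the uploader used."""
    sink = UPLOADERS[uploader_name]()
    for rec in READERS[reader_name](fh):
        sink.push(rec)
    return sink


# Constructed sample in the toy format above; a real file could be gigabytes.
SAMPLE_XML = b"""<traffic>
<entry><request>GET / HTTP/1.1&#13;&#10;Host: target.example&#13;&#10;&#13;&#10;</request>
<status>200</status><headers><header name="Server">Apache</header>
<header name="Content-Type">text/html</header></headers><body>&lt;html&gt;ok&lt;/html&gt;</body></entry>
<entry><request>GET /missing HTTP/1.1&#13;&#10;Host: target.example&#13;&#10;&#13;&#10;</request>
<status>404</status><headers><header name="Server">Apache</header></headers><body>not found</body></entry>
</traffic>"""


def load_sample() -> Uploader:
    """Run the pipeline over the constructed sample, read from a byte stream."""
    return upload("toyxml", "owtf_db", io.BytesIO(SAMPLE_XML))


if __name__ == "__main__":
    for row in load_sample().rows:
        print(row["status"], row["headers"].get("Server"), row["request"].split("\r\n")[0])
```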
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the uploader cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs), a number of things often go wrong and OWTF needs to recover from everything, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times. This includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered, the OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project; these will be accomplished by sending OWTF API messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (e.g. once every 5 minutes?); if a URL in scope goes down, the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient if:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s.<br />
<br />
The target monitor will use the API to tell OWTF "this target is dead: freeze (stop?) current tests, skip target in future tests".<br />
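An added example of the target monitor logic sketched above (not OWTF code): consecutive failed heartbeats mark a target dead, every notifier enabled in the configuration fires, and a stand-in for the OWTF API "freeze" message is called; the first-page length is tracked as in the potential approach. The probe, notifier and API fakes, the 3-failure limit and the 50% length tolerance are assumptions of the example.<br />

```python
"""Target monitor with pluggable alerting (added example, not OWTF code).

Each in-scope URL is probed on a timer; a target that fails N heartbeats in a
row is declared dead, every notifier enabled in the config is fired, and a
(stand-in) OWTF API call freezes work on that target.  The first-page length
is also tracked.  Probe, notifiers and API are injected so the logic runs
offline; the fakes in simulate() are constructed.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# (status code, body length) from a heartbeat request, or None if unreachable
ProbeResult = Optional[Tuple[int, int]]


@dataclass
class TargetState:
    alive: bool = True
    failures: int = 0               # consecutive failed heartbeats
    baseline_len: Optional[int] = None


@dataclass
class TargetMonitor:
    probe: Callable[[str], ProbeResult]
    notifiers: Dict[str, Callable[[str], None]]   # e.g. {"mp3": ..., "cli": ..., "gui": ...}
    config: Dict[str, bool]                       # enable/disable per notifier, as a config file would
    freeze_target: Callable[[str], None]          # stand-in for the OWTF API "freeze" message
    max_failures: int = 3                         # assumption: dead after 3 failed heartbeats
    len_tolerance: float = 0.5                    # assumption: alert if page length moves > 50%
    state: Dict[str, TargetState] = field(default_factory=dict)

    def _notify(self, msg: str) -> None:
        for name, fn in self.notifiers.items():
            if self.config.get(name, False):
                fn(msg)

    def check(self, url: str) -> List[str]:
        """One heartbeat for one URL; returns the alerts it raised (already notified)."""
        st = self.state.setdefault(url, TargetState())
        alerts: List[str] = []
        result = self.probe(url)
        if result is None or result[0] >= 500:      # unreachable or server error: counts as down
            st.failures += 1
            if st.alive and st.failures >= self.max_failures:
                st.alive = False
                alerts.append(f"{url} is DOWN after {st.failures} failed heartbeats; freezing its tests")
                self.freeze_target(url)
        else:
            status, length = result
            if not st.alive:
                alerts.append(f"{url} is answering again (HTTP {status}); tests stay frozen")
            st.alive, st.failures = True, 0
            if st.baseline_len is None:
                st.baseline_len = length
            elif abs(length - st.baseline_len) > self.len_tolerance * st.baseline_len:
                alerts.append(f"{url}: first page length changed {st.baseline_len} -> {length}")
                st.baseline_len = length
        for msg in alerts:
            self._notify(msg)
        return alerts

    def run(self, targets: List[str], interval: float = 60.0, cycles: Optional[int] = None) -> None:
        """Poll all targets every `interval` seconds (forever unless `cycles` is given)."""
        done = 0
        while True:
            for url in targets:
                self.check(url)
            done += 1
            if cycles is not None and done >= cycles:
                break
            time.sleep(interval)


def simulate(results: List[ProbeResult], url: str = "https://target.example") -> Tuple[List[str], List[str]]:
    """Drive the monitor through a scripted heartbeat sequence (constructed, offline)."""
    frozen: List[str] = []
    heard: List[str] = []
    replies = iter(results)
    mon = TargetMonitor(
        probe=lambda _u: next(replies),
        notifiers={"mp3": heard.append, "cli": heard.append, "gui": heard.append},
        config={"mp3": False, "cli": True, "gui": False},   # only the CLI notifier enabled
        freeze_target=frozen.append,
    )
    for _ in results:
        mon.check(url)
    return heard, frozen


if __name__ == "__main__":
    alerts, frozen = simulate([(200, 1234), (200, 1240), None, None, None, (200, 1236)])
    print("\n".join(alerts), frozen)
```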
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments is that all disk space gets used and the scanning box becomes unresponsive or crashes. When this happens it is too late. The pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete?”; it is not ideal to have to look for these files at the moment the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then, when free disk space drops below a predefined threshold, an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
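An added example of the proposed disk space monitor (not OWTF code): rank the largest files under the directories OWTF and its tools write to, and hand that ranking to an alert hook once free space on the review partition drops below a threshold. The 10% threshold, the alert hook and the temporary review directory in demo() are assumptions of the example.<br />

```python
"""Disk space monitor (added example, not OWTF code).

Checks free space on the partition OWTF writes to and, when it drops below a
threshold, hands the user a ranking of the largest files in the directories
OWTF and its tools write to, so the decision of what to delete is ready before
the box falls over.  The alert hook stands in for the mp3/CLI/GUI notifiers;
the directory built in demo() is constructed.
"""
import os
import shutil
import stat
import tempfile
from typing import Callable, List, Optional, Sequence, Tuple

FileSize = Tuple[int, str]   # (bytes, path)


def rank_files(dirs: Sequence[str], top_n: int = 10) -> List[FileSize]:
    """Largest regular files under `dirs`, biggest first; unreadable entries are skipped, never fatal."""
    sizes: List[FileSize] = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d, onerror=lambda _e: None):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)      # lstat: do not follow symlinks onto other filesystems
                except OSError:
                    continue                 # vanished or unreadable: a monitor must not crash
                if stat.S_ISREG(st.st_mode):
                    sizes.append((st.st_size, path))
    sizes.sort(reverse=True)
    return sizes[:top_n]


def check_disk(partition: str, watch_dirs: Sequence[str], min_free_fraction: float = 0.10,
               alert: Callable[[str], None] = print, top_n: int = 10) -> Optional[List[FileSize]]:
    """Return the ranking (and raise the alert) when free space is below the threshold, else None."""
    usage = shutil.disk_usage(partition)
    free_fraction = usage.free / usage.total
    if free_fraction >= min_free_fraction:
        return None
    ranking = rank_files(watch_dirs, top_n)
    lines = [f"LOW DISK: {free_fraction:.1%} free on {partition} (threshold {min_free_fraction:.0%})"]
    lines += [f"  {size:>12,} B  {path}" for size, path in ranking]
    alert("\n".join(lines))
    return ranking


def demo() -> List[Tuple[int, str]]:
    """Build a constructed review directory and rank it; returns (size, basename) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "tool_output"))
        for rel, size in (("owtf_review.html", 3000), ("tool_output/w3af.xml", 2500),
                          ("tool_output/skipfish.log", 2000), ("notes.txt", 10)):
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(b"x" * size)
        return [(size, os.path.basename(p)) for size, p in rank_files([tmp], top_n=3)]


if __name__ == "__main__":
    print(demo())
    check_disk(os.getcwd(), [os.getcwd()], min_free_fraction=0.10)
```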
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes ISP or other connectivity goes down in the middle of a scan. This is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes, certain tools (most notably, ahem, w3af) do NOT exit when they crash. This leaves OWTF in a difficult position where one or more processes wait for nothing, forever (i.e. because “Tool X” will never finish).<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or “go berserk” with RAM/CPU/Bandwidth consumption. This is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free”; it is more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth and this is (potentially) negatively affecting other tools/tests, then throttle it”.<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently I tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because I ran out of space in the VM<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
*: For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
*: The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
*: This will be challenging but very worth trying after the top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and experience with unit tests and automated regression testing would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats.<br />
For example: sometimes 2 scans pass through the same port, one returns the server version and the other does not; we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
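An added example (not OWTF code) serving both Feature 2 and Feature 4: two constructed nmap XML scans are merged so that a banner seen in only one of them survives, and the merged open HTTP ports are turned into an OWTF URL target list. Only the XML format is handled here; text and greppable output would need their own parsers.<br />

```python
"""Nmap XML merger and "speaks http" URL target list (added example, not OWTF code).

Covers Feature 2 (merge scans without losing banners) and Feature 4 (turn
HTTP ports into OWTF URL targets).  Only the XML format is handled; the two
scans below are constructed but use the real nmap XML element layout.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PortKey = Tuple[str, str, int]          # (address, protocol, port)
PortInfo = Dict[str, str]               # "state" plus the <service> attributes seen


def parse_nmap_xml(text: str) -> Dict[PortKey, PortInfo]:
    """Flatten one nmap XML run into {(addr, proto, port): {...}}."""
    ports: Dict[PortKey, PortInfo] = {}
    for host in ET.fromstring(text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            info: PortInfo = {"state": state.get("state", "") if state is not None else ""}
            if svc is not None:
                info.update({k: v for k, v in svc.attrib.items() if v})   # name, product, version, tunnel, ...
            ports[(addr, port.get("protocol", "tcp"), int(port.get("portid", "0")))] = info
    return ports


def merge_scans(*scans: Dict[PortKey, PortInfo]) -> Dict[PortKey, PortInfo]:
    """Union of several parsed scans: a banner seen in any scan is kept, "open" is never downgraded."""
    merged: Dict[PortKey, PortInfo] = {}
    for scan in scans:
        for key, info in scan.items():
            cur = merged.setdefault(key, {})
            for k, v in info.items():
                if k == "state":
                    if cur.get("state") != "open":
                        cur["state"] = v
                elif v and not cur.get(k):      # fill gaps, keep the first non-empty value
                    cur[k] = v
    return merged


def http_targets(ports: Dict[PortKey, PortInfo]) -> List[str]:
    """Open TCP ports whose service name mentions http, as URLs (https when nmap saw an SSL tunnel)."""
    urls: List[str] = []
    for (addr, proto, port), info in sorted(ports.items()):
        name = info.get("name", "")
        if proto != "tcp" or info.get("state") != "open" or "http" not in name:
            continue
        tls = info.get("tunnel") == "ssl" or name == "https"
        scheme, default = ("https", 443) if tls else ("http", 80)
        host = f"[{addr}]" if ":" in addr else addr          # bracket IPv6 literals
        urls.append(f"{scheme}://{host}/" if port == default else f"{scheme}://{host}:{port}/")
    return urls


# Constructed: scan A found no version on port 80, scan B did; neither saw everything.
SCAN_A = """<nmaprun><host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" tunnel="ssl"/></port>
</ports></host></nmaprun>"""
SCAN_B = """<nmaprun><host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
<port protocol="tcp" portid="443"><state state="filtered"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""


def demo() -> Tuple[Dict[PortKey, PortInfo], List[str]]:
    """Merge the two constructed scans and derive the URL target list."""
    merged = merge_scans(parse_nmap_xml(SCAN_A), parse_nmap_xml(SCAN_B))
    return merged, http_targets(merged)


if __name__ == "__main__":
    merged, urls = demo()
    for key, info in sorted(merged.items()):
        print(key, info)
    print(urls)
```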
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
Look at all URLs (i.e. from the nmap file), check if they might be running WordPress, and generate a list of suggested wp-scan commands for all targets that might be running WordPress.<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and experience with unit tests and automated regression testing would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
''' OWASP Mentors '''<br />
<br />
<br />
<br />
<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Example Idea ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel (johanna.curiel [at] owasp.org) and Simon Bennetts<br />
<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== Example Idea ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (Using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation on how to set up and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it's only available to Java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the PAM module libcrack to measure password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' <br />
* [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
* John Jolly - Linux Kernel Engineer for SUSE Linux on IBM System z Mainframes (Development)<br />
<br />
<br />
== OWASP Seraphimdroid ==<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (Weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community can provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. However, integrating external components into an Android app may be a challenge. The way of presenting the GUI and the integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine the way of integrating third party apps into OWASP Seraphimdroid through some provided API<br />
* Provide GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for common users, where, by using the application, users can learn about risks to their privacy and security. Some components already have some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor user behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn users about risks if they do something risky. Also, a mobile security knowledge base that can be updated remotely will be a huge new asset to the application.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and GUI for it<br />
* Develop web server where the knowledge base can be updated<br />
* Improve current educational reporting<br />
* Develop methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader</div>
Nikola Milosevic
https://wiki.owasp.org/index.php?title=GSOC2016_Ideas&diff=208553 GSOC2016 Ideas 2016-02-12T13:18:05Z <p>Nikola Milosevic: OWASP Seraphimdroid ideas added</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read the [[GSoC SAT]]<br />
* Check the Hackademic wiki page linked above<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]<br />
<br />
<br />
== OWASP Hackademic Challenges ==<br />
<br />
[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderful 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Below is a list of proposed features.<br />
<br />
=== Example Idea===<br />
<br />
'''Brief Explanation:'''<br />
<br />
After a very successful OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create a virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete; we need many features here and there to make it easily deployable and improve its administration.<br />
<br />
Ideas on the project:<br />
<br />
* Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.<br />
* Secure the implementation -- Now we have a functioning prototype, we know that Linux Containers are quite safe but we haven't explicitly tested our configuration and use of them.<br />
* Your idea here...<br />
<br />
'''Expected Results:'''<br />
<br />
Better sandboxing<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Linux administration and some security knowledge depending on the specific project.<br />
<br />
'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders<br />
<br />
<br />
== OWASP OWTF ==<br />
<br />
<br />
=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Background problem to solve:<br />
<br />
We are trying to reduce the human work burden where there will be hundreds of issues listing Apache out of date or PHP out of date. <br />
<br />
Proposed solution:<br />
<br />
We can meta-aggregate these duplicate issues into one issue of "outdated software / apache / php detected", with the XYZ list of issues in it.<br />
<br />
<br />
A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf <br />
<br />
VMS will have the following features:<br />
* Vulnerability correlation engine, which will allow for quick identification of unique vulnerabilities and deduplication.<br />
* Vulnerability table optimization: combining redundant vulnerabilities. Example: PHP < 5.1, PHP < 5.2 and PHP < 5.3 all suggest "upgrade PHP", so if multiple such issues are reported they should be combined.<br />
* Integration with existing bug tracking systems, for example Bugzilla or JIRA: should not be too hard, as all such systems expose one method or another (REST API or similar).<br />
* Fix validation: since we integrate with bug tracking, once the developer has fixed the bug and the code is deployed we can run specific checks via OWTF or another tool (maybe a specific Nessus or Nexpose plugin or similar).<br />
* Management dashboard: could be exposed to pentesters and higher management, showing stats with fewer details and more of a high-level overview.<br />
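As an added example (not OWTF code), here is how the correlation step could roll PHP < 5.1 / 5.2 / 5.3 style findings into one meta issue while keeping every underlying title and host; the findings, hosts and product patterns are constructed sample data.<br />

```python
import re
from collections import defaultdict

# Constructed sample findings (title, host) as a scanner might report them.
SAMPLE_FINDINGS = [
    ("PHP < 5.1 Multiple Vulnerabilities", "10.0.0.5"),
    ("PHP < 5.2 Multiple Vulnerabilities", "10.0.0.5"),
    ("PHP < 5.3 Multiple Vulnerabilities", "10.0.0.7"),
    ("Apache 2.2.x < 2.2.22 Multiple Vulnerabilities", "10.0.0.5"),
    ("Apache 2.2.x < 2.2.22 Multiple Vulnerabilities", "10.0.0.5"),  # exact duplicate
    ("SSL Certificate Expired", "10.0.0.7"),
]

# Title patterns that all reduce to one remediation: upgrade the product.
# This product list is a constructed starting point, not OWTF's.
OUTDATED_PATTERNS = [
    (re.compile(r"^PHP\b.*<\s*[\d.]+", re.I), "php"),
    (re.compile(r"^Apache\b.*<\s*[\d.]+", re.I), "apache"),
]


def correlation_key(title):
    """Map a finding title to the key the correlation engine groups on."""
    for pattern, product in OUTDATED_PATTERNS:
        if pattern.search(title):
            return ("outdated-software", product)
    # Anything else is deduplicated on its whitespace-normalised title only.
    return ("other", " ".join(title.split()).lower())


def aggregate(findings):
    """Collapse duplicate findings into one meta issue per correlation key.

    Returns a list of dicts sorted by title; each keeps the affected hosts
    and the original titles so nothing is lost in the roll-up.
    """
    groups = defaultdict(lambda: {"hosts": set(), "issues": set()})
    for title, host in findings:
        key = correlation_key(title)
        groups[key]["hosts"].add(host)
        groups[key]["issues"].add(title)

    result = []
    for (kind, name), data in groups.items():
        if kind == "outdated-software":
            summary = "outdated software / %s detected" % name
        else:
            summary = name
        result.append({
            "title": summary,
            "hosts": sorted(data["hosts"]),
            "issues": sorted(data["issues"]),
        })
    return sorted(result, key=lambda issue: issue["title"])


if __name__ == "__main__":
    for issue in aggregate(SAMPLE_FINDINGS):
        print(issue["title"], issue["hosts"], len(issue["issues"]))
```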
<br />
[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary, as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - HTTP Request Translator Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Problem to solve:<br />
<br />
There are many situations in web app pentests where no tool will do the job and you need to script something, or mess around with the command line (classic example: a sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests takes valuable time which the pentester might just not have.<br />
<br />
Proposed solution:<br />
<br />
An HTTP request translator, a *standalone* *tool* that can:<br />
<br />
1) Be used from inside OR outside of OWTF.<br />
<br />
2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts<br />
<br />
3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)<br />
* Transforms with boundary strings? (TBD)<br />
* Individually or in bulk? (TBD)<br />
<br />
'''Essential Function: "--output" argument'''<br />
<br />
CRITICAL: The command/script should be generated so that the request is sent as literally as possible.<br />
<br />
Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.<br />
<br />
NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)<br />
* http request in => curl command out<br />
* http request in => bash script out<br />
* http request in => python script out<br />
* http request in => php script out<br />
* http request in => ruby script out<br />
* http request in => PowerShell script out<br />
<br />
'''Basic additional arguments:'''<br />
<br />
- "--proxy" argument: generates the command/script with the relevant proxy option<br />
<br />
NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)<br />
<br />
- "--string-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. literal match)<br />
<br />
- "--regex-search" argument: generates the command/script so that it:<br />
<br />
1) performs the request<br />
<br />
2) then searches for something in the response (i.e. regex match)<br />
<br />
'''OWTF integration'''<br />
<br />
The idea here is to invoke this tool from:<br />
<br />
1) Single HTTP transactions:<br />
<br />
For example, have a button to "export http request" + then show options equivalent to the flags<br />
<br />
2) Multiple HTTP transactions:<br />
<br />
Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).<br />
<br />
<br />
'''Desired input formats:'''<br />
<br />
* Read raw HTTP request from stdin -Suggested default behaviour! :)-<br />
<br />
Example: cat path/to/http_request.txt | http-request-translator.py --output<br />
<br />
* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"<br />
<br />
Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"<br />
<br />
Example:<br />
<br />
1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)<br />
<br />
2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"<br />
<br />
3) User pastes a raw HTTP request + hits enter<br />
<br />
4) Tool outputs whatever is relevant for the flags + http request given<br />
<br />
* For bulk processing: Maybe a directory of raw http request files?<br />
<br />
'''Nice to have: Transforms'''<br />
<br />
In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.<br />
<br />
Example:<br />
<br />
NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"<br />
<br />
Step 1) The user provides a raw HTTP request like this:<br />
<br />
GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test<br />
Host: target.com<br />
...<br />
<br />
Step 2) The tool generates a bash script like the following:<br />
<br />
#!/bin/bash<br />
<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")<br />
curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
OR a "curl command" like the following:<br />
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"<br />
<br />
<br />
This feature can be valuable to shave a bit more time in script writing.<br />
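An added example, not the project's own translator, of the raw-request-to-curl path described above with the "--proxy", "--string-search" and urlencode transform behaviours; the raw request is constructed, and the transforms are applied at generation time rather than via php inside the generated script.<br />

```python
import base64
import re
import shlex
from urllib.parse import quote

BOUNDARY = "@@@@@@@"

# Transforms applied while generating the command (a simplification of the
# page's php-at-runtime approach).
TRANSFORMS = {
    "urlencode": lambda value: quote(value, safe=""),
    "base64": lambda value: base64.b64encode(value.encode()).decode(),
}

# Headers curl adds on its own; passing an empty value ("Accept:") tells
# curl to drop them, so the request goes out as literally as the original.
CURL_DEFAULT_HEADERS = ("Accept", "User-Agent")

# Constructed sample request, as the tool would read it from stdin.
RAW_REQUEST = (
    "POST /path/to/urlencode@@@@@@@abc d@@@@@@@/test HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "User-Agent: X\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "a=1&b=2"
)


def apply_transforms(text, boundary=BOUNDARY):
    """Replace name<boundary>value<boundary> macros with transform(value)."""
    pattern = re.compile(
        r"(\w+)" + re.escape(boundary) + r"(.*?)" + re.escape(boundary), re.S)

    def substitute(match):
        func = TRANSFORMS.get(match.group(1))
        return func(match.group(2)) if func else match.group(0)  # unknown: keep

    return pattern.sub(substitute, text)


def parse_request(raw):
    """Split a raw HTTP request into method, path, ordered headers and body."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) > 1 else "")
    lines = head.splitlines()
    method, path = lines[0].split(" ", 2)[:2]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "path": path, "headers": headers, "body": body}


def to_curl(request, proxy=None, string_search=None, scheme="http"):
    """Build a curl command that replays the request with its headers as given."""
    present = dict(request["headers"])
    url = "%s://%s%s" % (scheme, present.get("Host", "localhost"), request["path"])
    argv = ["curl", "-s", "-i", "-X", request["method"]]
    for name, value in request["headers"]:
        argv += ["-H", "%s: %s" % (name, value)]
    for name in CURL_DEFAULT_HEADERS:
        if name not in present:
            argv += ["-H", name + ":"]  # suppress curl's own default header
    if request["body"]:
        argv += ["--data-binary", request["body"]]
    if proxy:
        argv += ["--proxy", proxy]  # e.g. 127.0.0.1:8080 for OWTF/ZAP/Burp
    argv.append(url)
    command = " ".join(shlex.quote(arg) for arg in argv)
    if string_search:
        # -i above includes response headers, so the literal match covers both.
        command += " | grep -F -- " + shlex.quote(string_search)
    return command


def translate(raw, **options):
    """Full pipeline: transforms, then parsing, then curl generation."""
    return to_curl(parse_request(apply_transforms(raw)), **options)


if __name__ == "__main__":
    print(translate(RAW_REQUEST, proxy="127.0.0.1:8080", string_search="Set-Cookie"))
```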
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary, as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - JavaScript Library Sniper Improvements ===<br />
<br />
'''Brief explanation:'''<br />
This is a project that tries to resolve a very common problem during penetration tests:<br />
<br />
The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.<br />
<br />
<br />
To solve this problem, we propose a *standalone* *tool* that can:<br />
<br />
1) Be run BOTH from inside AND outside of OWTF<br />
<br />
2) Build and *update* a fingerprint JavaScript library database of:<br />
* Library File hashes => JavaScript Library version<br />
* Library File lengths => JavaScript Library version<br />
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)<br />
<br />
3) Build and *update* a vulnerability database of:<br />
* JavaScript Library version => CVE - CVSS score - Vulnerability info<br />
<br />
4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:<br />
* JavaScript Library version<br />
* List of vulnerabilities sorted in descending CVSS score order<br />
<br />
5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:<br />
* ALL Library/vulnerability matches described on 4)<br />
<br />
Once the standalone tool is built and verified to be working, OWTF should be able to:<br />
<br />
Feature 1) GREP plugin improvement (Web Application Fingerprint):<br />
<br />
Step 1) Lookup file lengths and hashes in the "JavaScript library database"<br />
<br />
Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user<br />
<br />
Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):<br />
<br />
1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-<br />
<br />
2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)<br />
<br />
Projects worth a look for potential overlap/inspiration:<br />
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]<br />
<br />
How many JavaScript libraries should be included?<br />
* As many as possible, but especially the major ones: jQuery, knockout, etc.<br />
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-<br />
<br />
Common JavaScript library fingerprinting techniques include:<br />
* Parse the JavaScript file and grab the version from there<br />
* Determine the JavaScript version based on a hash of the file<br />
* Determine the JavaScript version based on the length of the file<br />
<br />
Other Challenges:<br />
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"<br />
* When the JavaScript file does not match a specific version:<br />
1) The commit that matches the closest should (ideally) be found<br />
2) The NEXT library version after that commit (if present) should be found<br />
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again<br />
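An added example (not OWTF code) of the hash/length fingerprint lookup and CVSS-sorted vulnerability list described in points 2) to 4) above, including the ambiguity a length-only match leaves; the library, its release files and the CVE ids are constructed placeholders.<br />

```python
import hashlib

# Constructed release files for a made-up library; a real database would be
# built from every published release (and, as the page suggests, git commits).
SAMPLE_RELEASES = [
    ("examplejs", "1.0.0", "/* examplejs v1.0.0 */ function a(){return 1;}"),
    ("examplejs", "1.1.0", "/* examplejs v1.1.0 */ function a(){return 2;}"),
    ("examplejs", "1.2.0", "/* examplejs v1.2.0 */ function a(){return 3;} function b(){}"),
]

# Placeholder advisories keyed by (library, version): (id, CVSS, summary).
# The CVE ids are deliberately fake placeholders, not real advisories.
SAMPLE_VULNS = {
    ("examplejs", "1.0.0"): [
        ("CVE-0000-0001", 4.3, "placeholder: reflected XSS in template helper"),
        ("CVE-0000-0002", 7.5, "placeholder: prototype pollution in extend()"),
    ],
    ("examplejs", "1.1.0"): [
        ("CVE-0000-0002", 7.5, "placeholder: prototype pollution in extend()"),
    ],
}


def build_fingerprint_db(releases):
    """Index release files by SHA-256 (strong) and byte length (weak)."""
    by_hash, by_length = {}, {}
    for name, version, content in releases:
        data = content.encode()
        by_hash[hashlib.sha256(data).hexdigest()] = (name, version)
        by_length.setdefault(len(data), []).append((name, version))
    return by_hash, by_length


def identify(db, content=None, digest=None, length=None):
    """Return (candidates, evidence) for a file, its hash or its length.

    A hash hit is unique; a length hit may return several candidates
    (versions that differ only in a digit are equally long), so callers
    should treat 'length' evidence as a hint, not a confirmation.
    """
    by_hash, by_length = db
    if content is not None:
        data = content.encode() if isinstance(content, str) else content
        digest, length = hashlib.sha256(data).hexdigest(), len(data)
    if digest in by_hash:
        return [by_hash[digest]], "hash"
    if length in by_length:
        return list(by_length[length]), "length"
    return [], None


def vulnerabilities(name, version, vuln_db=SAMPLE_VULNS):
    """Known issues for a version, highest CVSS first."""
    return sorted(vuln_db.get((name, version), []), key=lambda v: v[1], reverse=True)


def report(db, content):
    """What the GREP plugin would show: each candidate with its sorted issues."""
    candidates, evidence = identify(db, content=content)
    return [
        {"library": name, "version": version, "evidence": evidence,
         "vulnerabilities": vulnerabilities(name, version)}
        for name, version in candidates
    ]


if __name__ == "__main__":
    db = build_fingerprint_db(SAMPLE_RELEASES)
    for entry in report(db, SAMPLE_RELEASES[0][2]):
        print(entry["version"], entry["evidence"], entry["vulnerabilities"])
```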
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary, as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first. You have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory. This is OWTF: we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
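An added example, not OWTF code, of points 2), 3) and 6) above: a generator that parses a traffic dump one record at a time and hands each transaction to a plugin, so memory use stays flat however large the file is; the dump format and the counting plugin are constructed stand-ins for real tool outputs and the OWTF DB plugin.<br />

```python
import re

SEPARATOR = "--- END ---"

# Constructed dump in a simple record format: request head, blank line,
# response (status line, headers, blank line, body), then a separator line.
# Real tool outputs (skipfish, w3af, ...) would each need a reader of their own.
SAMPLE_DUMP = """GET /index.html HTTP/1.1
Host: target.example

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 13

<html></html>
--- END ---
GET /missing HTTP/1.1
Host: target.example

HTTP/1.1 404 Not Found
Content-Length: 0

--- END ---
"""

STATUS_LINE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")


def parse_record(lines):
    """Turn one record's lines into the four fields the uploader needs."""
    blank = lines.index("")
    request = "\r\n".join(lines[:blank])
    response = lines[blank + 1:]
    match = STATUS_LINE.match(response[0])
    if not match:
        raise ValueError("bad status line: %r" % response[0])
    try:
        end_of_headers = response.index("")
    except ValueError:
        end_of_headers = len(response)
    headers = {}
    for line in response[1:end_of_headers]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {
        "request": request,
        "status": int(match.group(1)),
        "headers": headers,
        "body": "\n".join(response[end_of_headers + 1:]),
    }


def iter_transactions(lines):
    """Yield transactions one by one; only the current record is in memory."""
    record = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line == SEPARATOR:
            if record:
                yield parse_record(record)
            record = []
        else:
            record.append(line)
    if record:  # tolerate a dump whose last separator is missing
        yield parse_record(record)


class UploaderPlugin:
    """Base class: a plugin receives one transaction at a time."""
    name = "base"

    def upload(self, transaction):
        raise NotImplementedError


class CountingUploader(UploaderPlugin):
    """Stand-in for an OWTF DB plugin: records only counts and status codes."""
    name = "counting"

    def __init__(self):
        self.count = 0
        self.status_codes = []

    def upload(self, transaction):
        self.count += 1
        self.status_codes.append(transaction["status"])


PLUGINS = {CountingUploader.name: CountingUploader}


def run_uploader(lines, plugin_name="counting"):
    """Stream `lines` (any iterable, e.g. an open file) into the named plugin."""
    plugin = PLUGINS[plugin_name]()
    for transaction in iter_transactions(lines):
        plugin.upload(transaction)
    return plugin
```

For a real dump, pass the open file object itself (`run_uploader(open(path))`) so lines are read lazily.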
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary, as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Health Monitor ===<br />
<br />
'''Brief explanation:'''<br />
<br />
In some cases, especially on large assessments (think: > 30 URLs), a number of things often go wrong and OWTF needs to recover from all of them, which is difficult.<br />
<br />
For this reason, OWTF needs an independent module, completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times. This includes the following:<br />
<br />
'''Feature 1) Alerting mechanisms'''<br />
<br />
When any of the monitor alerts (see below) is triggered, the OWTF user will be notified immediately through ALL of the following means:<br />
* Playing an mp3 song (both local and possibly remote locations)<br />
* Scan status overview on the CLI<br />
* Scan status overview on the GUI<br />
<br />
NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.<br />
<br />
'''Feature 2) Corrective mechanisms'''<br />
<br />
Corrective mechanisms are also expected in this project; these will be accomplished by sending OWTF API messages such as:<br />
* Stop this tool<br />
* Freeze this process (to continue later)<br />
* Freeze the whole scan (to continue later)<br />
<br />
Additional mechanisms:<br />
* Show a ranking of files that take the most space<br />
<br />
'''Feature 3) Target monitor'''<br />
<br />
Brief overview:<br />
<br />
All target URLs are checked for availability periodically (i.e. once every 5 minutes?); if a URL in scope goes down, the pentester is alerted (see above).<br />
<br />
Potential approach: Check if length of 1st page changes every 60 seconds.<br />
<br />
NOTE: It might be needed to change this on the fly.<br />
<br />
More background<br />
<br />
Consider the following scenario:<br />
<br />
Current Situation aka "problem to solve":<br />
<br />
1) Website X goes down during a scan<br />
<br />
2) the customer notices<br />
<br />
3) the customer tells the boss<br />
<br />
4) the boss tells the pentester<br />
<br />
5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)<br />
<br />
Desired situation aka "solution":<br />
<br />
It would be much more professional AND efficient if:<br />
<br />
1) The pentester notices<br />
<br />
2) The pentester tells the boss<br />
<br />
3) The boss tells the customer<br />
<br />
4) OWTF stops the tool because it knows that website is DEAD anyway<br />
<br />
A target monitor could easily do this with heartbeat requests + playing mp3s<br />
<br />
The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"<br />
<br />
'''Feature 4) Disk space monitor'''<br />
<br />
Another problem that is relatively common in large assessments is that all disk space is used up and the scanning box becomes unresponsive or crashes. When this happens it is too late. The pentester may see it coming but wonder "which are the biggest files in the filesystem that I can delete"; it is not ideal to have to look for these files at the moment the scanning box is about to crash :).<br />
<br />
Proposed solution:<br />
<br />
Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then, when disk space is running low (i.e. below a predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).<br />
<br />
'''Feature 5) Network/Internet Connectivity monitor'''<br />
<br />
Sometimes it may also happen that ISP or other connectivity goes down in the middle of a scan. This is often a very unfortunate situation, since most tools are scanning in parallel and they won't be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:<br />
<br />
1) Detects the lack of connectivity<br />
<br />
2) Freezes all the tools (read: processes) in progress<br />
<br />
3) Resumes the scan when the connectivity is back.<br />
<br />
'''Feature 6) Tool crash detection'''<br />
<br />
Sometimes certain tools (most notably, ahem, w3af) do NOT exit when they crash. This leaves OWTF in a difficult position where 1+ processes are waiting for nothing, forever (i.e. because "Tool X" will never finish).<br />
<br />
'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''<br />
<br />
OWTF needs to notice when some tools crash and/or "go berserk" with RAM/CPU/bandwidth consumption. This is different from the existing built-in checks in OWTF like "do not launch a new tool if there is less than XYZ RAM free", and more like "if tool X is using > XYZ of the available RAM/CPU/bandwidth and this is (potentially) negatively affecting other tools/tests, then throttle it".<br />
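An added example (not OWTF code) of the Feature 3 target monitor above: heartbeat failures and first-page length changes tracked over several rounds, ending in a "this target is dead" message; the targets, their scripted responses and the shape of the API message are constructed assumptions.<br />

```python
# Scripted per-target results for a fake fetch(): an int is the first page's
# length, an exception models a failed heartbeat. All sample data is constructed.
SAMPLE_SCRIPT = {
    "http://a.example/": [1200, 1210, 1190, 1205],                 # healthy
    "http://b.example/": [800, ConnectionError("timeout"),
                          ConnectionError("timeout"), ConnectionError("timeout")],
    "http://c.example/": [5000, 5000, 120, 120],                   # maintenance page
}


def make_scripted_fetch(script):
    """Return fetch(url) that replays one scripted result per call."""
    queues = {url: iter(results) for url, results in script.items()}

    def fetch(url):
        result = next(queues[url])
        if isinstance(result, Exception):
            raise result
        return result

    return fetch


class TargetMonitor:
    """Periodic availability check; emits alerts and (hypothetical) API messages."""

    def __init__(self, targets, fetch, failures_to_declare_dead=3, length_tolerance=0.5):
        self.fetch = fetch  # real deployment: HTTP GET returning len(body)
        self.failures_to_declare_dead = failures_to_declare_dead
        self.length_tolerance = length_tolerance  # fraction of baseline length
        self.state = {url: {"failures": 0, "baseline": None, "dead": False}
                      for url in targets}

    def check_all(self):
        """One round over all live targets; returns the messages produced."""
        messages = []
        for url, st in self.state.items():
            if st["dead"]:
                continue  # already frozen/skipped, no more heartbeats
            try:
                length = self.fetch(url)
            except Exception as exc:
                st["failures"] += 1
                if st["failures"] >= self.failures_to_declare_dead:
                    st["dead"] = True
                    # The message shape is an assumption, not OWTF's real API.
                    messages.append(("api", {
                        "target": url, "action": "freeze_and_skip",
                        "reason": "%d consecutive failures" % st["failures"]}))
                else:
                    messages.append(("alert", "%s unreachable (%d/%d): %s" % (
                        url, st["failures"], self.failures_to_declare_dead, exc)))
                continue
            st["failures"] = 0  # a successful heartbeat resets the counter
            if st["baseline"] is None:
                st["baseline"] = length
            elif abs(length - st["baseline"]) > self.length_tolerance * st["baseline"]:
                messages.append(("alert", "%s first page length changed %d -> %d" % (
                    url, st["baseline"], length)))
                st["baseline"] = length  # adopt the new size so one change alerts once
        return messages


def run_rounds(monitor, rounds):
    """Drive the monitor for a fixed number of rounds (a scheduler would sleep between)."""
    messages = []
    for _ in range(rounds):
        messages.extend(monitor.check_all())
    return messages


if __name__ == "__main__":
    monitor = TargetMonitor(SAMPLE_SCRIPT, make_scripted_fetch(SAMPLE_SCRIPT))
    for kind, payload in run_rounds(monitor, 4):
        print(kind, payload)
```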
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary, as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Installation Improvements and Package manager ===<br />
<br />
'''Brief explanation:'''<br />
<br />
This project is to implement what was suggested in the following github issue:<br />
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]<br />
<br />
<br />
Recently I tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?<br />
Having a private server with:<br />
* pre-installed files for VMs<br />
* pre-configured and patched tools<br />
* Merged Lists<br />
* Pre-configured certificates<br />
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.<br />
Additional ideas are welcome.<br />
<br />
-- They could be hosted on Dropbox or a private VPS :)<br />
<br />
2 Installation Modes<br />
* For high speed connections (Downloading the files uncompressed)<br />
* For low speed connections (Downloading the files compressed)<br />
and the installation crashed because I ran out of space in the VM<br />
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary, as long as there is a will to learn.<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
=== OWASP OWTF - Testing Framework Improvements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.<br />
<br />
<br />
'''Top features'''<br />
<br />
In this improvement phase, the Testing Framework should:<br />
* (Top Prio) Focus more on functional tests<br />
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)<br />
* (Top Prio) Put together a great wiki documentation section for contributors<br />
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.<br />
* (Top Prio) Fix the current Travis issues :)<br />
* (Nice to have) Bring the unit tests up to speed with the codebase<br />
This will be challenging but very worth trying after top priorities.<br />
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.<br />
<br />
<br />
'''General background'''<br />
<br />
The Unit Test Framework should be able to:<br />
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)<br />
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")<br />
* Allow to regression test by test categories (i.e. "test only web plugins")<br />
* Allow to regression test everything (i.e. plugins + framework core: "test all")<br />
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible<br />
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF<br />
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF<br />
* Perform well so that we can run as many tests as possible in a given period of time<br />
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]<br />
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Performant and automated regression testing<br />
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible<br />
* Good documentation<br />
<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python, experience with unit tests and automated regression testing would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary, as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
<br />
=== OWASP OWTF - Tool utilities module ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The spirit of this feature is something that may or may not be used from OWTF: these are utilities that may be chained together by OWTF OR by a penetration tester using the command line. The idea is to automate mundane tasks that take time but may give some leverage to a penetration tester short on time.<br />
<br />
'''Feature 1) Vulnerable software version database:'''<br />
<br />
Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).<br />
<br />
Example:<br />
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]<br />
<br />
'''Feature 2) Nmap output file merger:'''<br />
<br />
Unify nmap files *without* losing data: XML, text and greppable formats.<br />
For example: sometimes 2 scans pass through the same port, one returns the server version and the other does not; we obviously do not want to lose banner information :).<br />
<br />
'''Feature 3) Nmap output file vulnerability mapper'''<br />
<br />
From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):<br />
<br />
1) CVEs in reverse order of CVSS score, with links.<br />
<br />
2) Metasploit modules available for each CVE / issue<br />
<br />
NOTE: Can supply an *old* shell script for reference<br />
<br />
3) Servers/ports affected (i.e. all server / port combinations using that software version)<br />
<br />
<br />
'''Feature 4) URL target list creator:'''<br />
<br />
Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF<br />
<br />
<br />
'''Feature 5) Hydra command creator:'''<br />
<br />
nmap file in => Hydra command list out<br />
<br />
grep http auth / login pages in output files to identify login interfaces => Hydra command list out<br />
<br />
<br />
'''Feature 6) WP-scan command creator:'''<br />
<br />
look at all URLs (i.e. from an nmap file), check if they might be running WordPress, and generate a list of suggested wp-scan commands for all targets that might be running WordPress<br />
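An added example (not OWTF's utilities) covering Features 2 and 4 above for the XML format only: merging two nmap XML files so a banner seen in either scan survives, then deriving the URL target list from the ports that "speak http"; the scan data is constructed.<br />

```python
import xml.etree.ElementTree as ET

# Two constructed nmap XML outputs for the same host: the first saw port 80
# without a banner and port 443, the second got the banner but skipped 443.
SCAN_A = """<nmaprun scanner="nmap">
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="open"/>
<service name="http" tunnel="ssl" product="nginx" version="1.4.6"/></port>
</ports></host></nmaprun>"""

SCAN_B = """<nmaprun scanner="nmap">
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="6.6"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.2.22"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""

SERVICE_FIELDS = ("name", "product", "version", "extrainfo", "tunnel")


def iter_ports(xml_text):
    """Yield (addr, proto, port, state, service_fields) for each port element."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = None
        for address in host.findall("address"):
            if address.get("addrtype") in ("ipv4", "ipv6"):
                addr = address.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            fields = ({f: service.get(f) for f in SERVICE_FIELDS}
                      if service is not None else {})
            yield (addr, port.get("protocol"), int(port.get("portid")),
                   state.get("state") if state is not None else None, fields)


def merge_scans(xml_texts):
    """Merge several nmap XML files without losing banner data.

    Keyed by (addr, proto, port); a later scan only fills in service fields
    the earlier ones left empty, so a banner seen once is never overwritten.
    """
    merged = {}
    for xml_text in xml_texts:
        for addr, proto, port, state, service in iter_ports(xml_text):
            entry = merged.setdefault((addr, proto, port), {"state": state, "service": {}})
            if state == "open":
                entry["state"] = "open"
            for field, value in service.items():
                if value and not entry["service"].get(field):
                    entry["service"][field] = value
    return merged


def http_targets(merged):
    """URL target list for every open TCP port whose service name mentions http."""
    urls = []
    for (addr, proto, port), entry in merged.items():
        service = entry["service"]
        name = service.get("name") or ""
        if not addr or proto != "tcp" or entry["state"] != "open" or "http" not in name:
            continue
        scheme = "https" if (service.get("tunnel") == "ssl" or name == "https") else "http"
        default_port = 443 if scheme == "https" else 80
        host = "[%s]" % addr if ":" in addr else addr  # bracket IPv6 literals
        suffix = "" if port == default_port else ":%d" % port
        urls.append("%s://%s%s/" % (scheme, host, suffix))
    return sorted(urls)


if __name__ == "__main__":
    for url in http_targets(merge_scans([SCAN_A, SCAN_B])):
        print(url)
```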
<br />
<br />
For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* Excellent reliability (i.e. proper exception handling, etc.)<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
Python. Experience with unit tests and automated regression testing would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.<br />
<br />
<br />
'''OWASP OWTF Mentor:'''<br />
<br />
Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com<br />
<br />
''' OWASP Mentors '''<br />
<br />
<br />
<br />
<br />
<br />
<br />
== OWASP ZAP ==<br />
<br />
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.<br />
<br />
You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ<br />
<br />
=== Example Idea ===<br />
<br />
Currently ZAP provides only a limited set of report data. While this can be extended dynamically, that capability is not currently used, and there is no way for users to choose what data they get back. ZAP also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.<br />
<br />
==== Expected Results ====<br />
<br />
* Report data will be a distinct type of data returned via API calls<br />
* An add-on that provides report data - so this becomes 'plug-able'<br />
* Report data and meta data should be fully internationalized<br />
* Users can specify which sites / contexts report data should apply to<br />
<br />
==== Knowledge Prerequisite: ====<br />
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
==== Mentors ====<br />
Johanna Curiel (johanna.curiel [at] owasp.org) and Simon Bennetts<br />
<br />
<br />
== OWASP Testing Guide ==<br />
<br />
=== Example Idea ===<br />
'''Brief explanation:'''<br />
<br />
We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate Testing with X Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of OTG and this project could include such changes to OWASP tools like ZAP. <br />
<br />
'''Expected outputs:'''<br />
<br />
Amended OTG or Testing with X Guides. Either option would require the document to integrate with all web testing tools (using ZAP as the baseline).<br />
Optional ZAP changes or add-on to make better use of the OTGs<br />
<br />
'''Knowledge required:'''<br />
<br />
Writing skills<br />
<br />
'''OTG Web Testing Tool Integration mentor:''' <br />
<br />
Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.<br />
<br />
* Check the AppSensor wiki page linked above<br />
* Contact us through the mailing list.<br />
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]<br />
* Also see our [http://www.appsensor.org appsensor website]<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work. <br />
<br />
'''Expected Results:'''<br />
<br />
We want to support a number of integrations. Some that have been requested by our community are: <br />
* SNMP<br />
* JMX<br />
* SCOM<br />
* syslog<br />
* CEF<br />
* AppDynamics<br />
<br />
Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them. <br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
Comfortable in Java and unit testing. <br />
<br />
'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)<br />
<br />
<br />
== OWASP Passfault ==<br />
<br />
=== Example Idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Passfault]] has the potential to be the best password policy available. However, it is only available to Java developers. This effort will make Passfault available to every Linux administrator, offering an alternative to the cracklib-based PAM module (pam_cracklib) for measuring password complexity. <br />
<br />
'''Expected Results:'''<br />
<br />
When complete an administrator should be able to do the following:<br />
* Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)<br />
* Adjust password complexity threshold<br />
* (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Bash scripting<br />
* Linux administration<br />
<br />
'''Mentors:''' <br />
* [[User:Cam_Morris|Cam Morris]] - OWASP Passfault Project Leader (Development)<br />
* John Jolly - Linux Kernel Engineer for SUSE Linux on IBM System z Mainframes (Development)<br />
<br />
<br />
== OWASP Seraphimdroid ==<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Seraphimdroid]] is an Android mobile app which already has the capability to statically analyze malware using machine learning (the Weka toolkit) based on the permissions an app requests. However, this is usually not enough, and we intend to improve it with behavioral analysis. There are a number of papers in the scientific literature describing how to detect malware and intrusions by dynamically analyzing their behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Review the scientific literature and find a feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch the algorithm on or off and possibly fine-tune it<br />
* Document the approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Seraphimdroid]] is a well-rounded security and privacy app; however, it lacks some components the community could provide. We would like to give the community a way to develop plugins that add features to the OWASP Seraphimdroid app. Integrating external components into an Android app may be a challenge, though: the way the GUI is presented and the integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examine how third-party apps can integrate with OWASP Seraphimdroid through a provided API<br />
* Provide GUI integration with third-party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Educational component ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP Seraphimdroid]] is a well-rounded security and privacy app. The initial idea of the project was to provide an educational platform for ordinary users, where by using the application users can learn about risks to their privacy and security. Some components already have some sort of explanation, which is educational. However, the app lacks an updatable knowledge source, and some of the components that monitor the user's behavior do not provide sufficient information. The idea of this project is to develop monitoring of user activity and a component that can warn the user about risks when they do something risky. Also, a mobile security knowledge base that can be updated remotely would be a huge new asset to the application. Because that content would be fetched from a server and shown to users as security advice, the update channel needs to be authenticated (for example served over TLS with the content signed) so that the knowledge base cannot be tampered with in transit.<br />
<br />
'''Expected Results:'''<br />
<br />
* Develop an updatable knowledge base and a GUI for it<br />
* Develop a web server from which the knowledge base can be updated<br />
* Improve current educational reporting<br />
* Develop methodology for monitoring users and notifying them about risky activities<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=208395OWASP SeraphimDroid Project2016-02-09T16:07:07Z<p>Nikola Milosevic: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect users' privacy and secure the device against malicious features that may cost the user money<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost always connected to the internet and other types of mobile networks, they are more exposed to attacks. From open WiFi networks that can be spoofed to Trojan malware applications on the app stores, threats are everywhere. Many attacks succeed because users are not aware of the risks and threats; they may act naively and expose themselves to attacks even more. These attacks may lead to identity theft, money theft or loss of privacy, or their devices may start acting as part of a botnet.<br />
<br />
In order to prevent attacks on users, this project aims to develop a set of guidelines and an application that will ensure that users are using their devices in a secure manner. The project is and always will remain open for everyone to participate, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project tends to be research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other techniques in order to protect our users, their privacy and their money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use. The app also describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. <br />
* Application and service locker. With OWASP Seraphimdroid, the user may lock access to some or all applications and system services (WiFi, network, Bluetooth) with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on the device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature allows the user to perform outgoing calls and SMS normally, but blocks outgoing calls and reports outgoing SMS initiated by Trojan applications.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range it may sound an alarm or start sending messages with its location to a defined number.<br />
* Remote location. If the user loses the phone, they can send an SMS containing a defined secret code and the phone will reply with the location coordinates of the device. <br />
* Remote lock and wipe<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps users secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (6.9.2015) New version (v2.0) of OWASP Seraphimdroid is released on the [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play store]. A blog post about the new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here]<br />
* (10.7.2015) OWASP Seraphimdroid is participating in the [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015]<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of Libre!, a Serbian online magazine about open source, and an interview with the project leader was published there. Issue 29 of Libre! magazine, where the interview was published, can be seen [https://libre.lugons.org/index.php/broj-29/ here]<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google play]. A blog post about the features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here]<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code] <br />
* (2.2.2014) An article about malicious use of Android permissions was published by Digital Forensics magazine. This paper was a result of research conducted on the OWASP Seraphimdroid project. The article can be viewed [http://inspiratron.org/AndroidSecurity.pdf here]<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid for 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect user's privacy and secure the device against malicious features and threats<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use. The app also describes the potential malicious use of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently we use an SVM model (Weka's SMO implementation) trained on the M0Droid malware/goodware dataset, which reached 88% accuracy on that dataset. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature lets the user lock usage of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing content.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if any application tries to send an SMS. This is the usual way malware authors earn money: by sending premium-rate SMS messages.<br />
* Outgoing call blocker. This feature allows you to perform outgoing calls normally, but blocks outgoing calls placed by other installed applications. As with outgoing SMS, this is a scenario malware authors use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range it may sound an alarm or start sending messages with its location to a defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to make sure that it is the owner of the device who is changing it. Useful for theft protection.<br />
* Remote location. If you lose your phone, you can send an SMS containing a defined secret code and your phone will reply with the location coordinates of the device. <br />
* Remote lock. Similarly, you may lock your device using a message with the secret code.<br />
* Remote wipe. If your phone is stolen, you may send a message with the secret code and wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
; Q2: '''Does it requires device root access?'''<br />
: A2: No. The application is designed in order to protect usual users, without any advanced skills (i.e. rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
= Road Map and Getting Involved =<br />
===The current priorities of SeraphimDroid are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
'''OWASP Seraphimdroid encourages students and university lecturers to contribute to the project. We would welcome any BSc, 3rd year or master project ideas that would improve the Seraphimdroid app. Project leaders are willing to co-supervise these projects. Please contact us if you are interested. Some potential project ideas are listed at the end of this page, but we encourage you to send us your ideas as well. '''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help coding open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Just let us know what as a user you would like to see new or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while surfing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=203947OWASP SeraphimDroid Project2015-11-29T09:33:23Z<p>Nikola Milosevic: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS, MMS messages, execution of dangerous USSD codes, theft and loosing. Also, it enables user to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect user's privacy and secure the device against malicious features that may cost user money<br />
* To educate user about threats and risks for their privacy, privacy of their data and security of their device.<br />
<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are more exposed to the attacks. From the open WiFi networks that can be spoofed to the Trojan malware applications on the app stores, threats are everywhere around. Many of the attacks are successful because users are not aware of the risks and threats. They may act naive and expose themselves to the attacks even more. These attacks may lead to the identity theft, money theft, losing privacy or they devices may start acting as part of the botnet network.<br />
<br />
In order to prevent attacks on the users, this project aims to develop a set of guidelines and application that will ensure that users are using their devices in a secure manner. Project is and always will remain open for everyone to participate and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research all threats and risks for users of Android operating system. We want to develop, as a community an free and open source security and privacy protection application and a set of security guideline for Android users. The project tend to be research oriented and we are willing to innovate in Android security field using machine learning, heuristics and other innovative techniques in order to protect our users, their privacy and money. The project is community driven and everyone is open to participate. The main aim of OWASP SeraphimDroid application should keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. Permission scanner will show you the list of all installed application and the permission they are using. Also app will describe potential malicious use of certain permissions. Seraphimdroid is using machine learning in order to predict whether application might be malicious (be a virus, Trojan, worm, rootkit, etc) or not and will notify the user. <br />
* Application and service locker. With OWASP Seraphimdroid, user may lock access to certain or to all of your applications and system services (WiFi, network, BlueTooth) with password<br />
* Install lock. This feature can lock all installing and uninstalling action on your device. Great for parental control.<br />
* Outgoing call and SMS blocker. This feature will allow user to perform normally outgoing calls and SMS, but it will block outgoing calls and inform about outgoing SMS performed by trojan applications.<br />
* Geo-fencing. This feature allows user to set a location range where the device should be. If the device exits the range it may set up alarm or start sending messages to the defined number with its location.<br />
* Remote location. If user lost your phone, he is able to send SMS with a defined secret code as a content and his phone and it will reply with the location coordinates of the device. <br />
* Remote lock and lock<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* Application that keeps user secure and teaches him about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented in OWASP Serbia local chapter on april 2015 meeting.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (6.9.2015) Version 2.0 of OWASP Seraphimdroid has been released on the [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play Store]. A blog post about the new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here].<br />
* (10.7.2015) OWASP Seraphimdroid is participating in the [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015].<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of Libre!, a Serbian online magazine about open source, which also published an interview with the project leader. Issue 29 of Libre!, containing the interview, can be read [https://libre.lugons.org/index.php/broj-29/ here].<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play]. A blog post about its features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here].<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code].<br />
* (2.2.2014) An article about malicious use of Android permissions was published in Digital Forensics magazine. The paper resulted from research conducted in the OWASP Seraphimdroid project and can be read [http://inspiratron.org/AndroidSecurity.pdf here].<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect users' privacy and secure the device against malicious features and threats<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner lists every installed application together with the permissions it requests, and explains how each permission could be misused. Seraphimdroid also uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently we use an SVM model (trained with SMO) on the M0Droid malware/goodware dataset, which achieved 88% accuracy. Accuracy on a research dataset is not the same as a false-positive rate on a real device, so the prediction is presented as a warning for the user to review rather than acted upon automatically.<br />
* Application locker. With OWASP Seraphimdroid you can lock access to some or all of your applications with a password.<br />
* Service locker. Lets the user lock the use of WiFi, mobile network and Bluetooth behind a password.<br />
* Install lock. Blocks all install and uninstall actions on the device. Useful for parental control.<br />
* Incoming SMS blocker. Scans every incoming message and alerts the user if the content looks like a phishing attempt.<br />
* Outgoing SMS scanner. Monitors outgoing SMS and alerts the user when an installed application tries to send a message. Sending premium-rate SMS messages without the user's knowledge is the usual way malware authors make money.<br />
* Outgoing call blocker. Lets you place outgoing calls normally, but blocks outgoing calls initiated by other installed applications. As with outgoing SMS, calls to premium-rate numbers are a scenario malware authors use to earn money.<br />
* Geo-fencing. Lets the user define a location range within which the device should stay. If the device leaves that range it can sound an alarm or start sending its location to a predefined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to confirm that it is the owner who is changing the SIM. Useful theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a predefined secret code and it will reply with the device's location coordinates.<br />
* Remote lock. Similarly, you can lock your device with a message containing the secret code.<br />
* Remote wipe. If your phone is stolen, you can send a message with the secret code and wipe all user data from the phone. Because the secret code is the only thing standing between an attacker and these commands, treat it like a password: keep it private and do not reuse it elsewhere.<br />
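The permission scanner above describes potential malicious use of permission combinations. The following is an added example written for this page, not Seraphimdroid's own scanner code: a small rule-based scorer that flags packages whose requested permissions together enable premium-rate fraud, SMS interception, data exfiltration or persistence. The permission identifiers are real Android ones; the rule weights and the package inventory are constructed for the example. On a device the inventory would come from PackageManager.getInstalledPackages with GET_PERMISSIONS, or from `adb shell dumpsys package`.<br />

```python
"""Heuristic permission scanner for an Android package inventory.

Added example for this page; it is not Seraphimdroid's own scanner code.
It shows the kind of permission-combination rules a scanner can apply and
why they produce warnings rather than verdicts. The inventory at the
bottom is constructed by hand; on a device the same data would come from
PackageManager.getInstalledPackages(GET_PERMISSIONS) or
`adb shell dumpsys package`.
"""
from dataclasses import dataclass

# Real Android permission identifiers.
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
READ_SMS = "android.permission.READ_SMS"
CALL_PHONE = "android.permission.CALL_PHONE"
READ_CONTACTS = "android.permission.READ_CONTACTS"
ACCESS_FINE_LOCATION = "android.permission.ACCESS_FINE_LOCATION"
RECORD_AUDIO = "android.permission.RECORD_AUDIO"
INTERNET = "android.permission.INTERNET"
RECEIVE_BOOT_COMPLETED = "android.permission.RECEIVE_BOOT_COMPLETED"

# (rule name, permissions that must ALL be requested, weight, explanation).
# Weights are illustrative (an assumption of this example); they encode how
# directly the capability costs the user money or privacy, not how likely
# the app is to be malicious.
RULES = [
    ("premium-sms", {SEND_SMS}, 3,
     "can send SMS, including premium-rate messages, in the background"),
    ("sms-interception", {RECEIVE_SMS}, 3,
     "can read incoming SMS, e.g. one-time passwords or premium-service confirmations"),
    ("premium-call", {CALL_PHONE}, 2,
     "can place calls, including to premium-rate numbers, without the dialer"),
    ("contact-exfiltration", {READ_CONTACTS, INTERNET}, 2,
     "can read the contact list and upload it"),
    ("eavesdropping", {RECORD_AUDIO, INTERNET}, 2,
     "can record audio and send it out"),
    ("location-tracking", {ACCESS_FINE_LOCATION, INTERNET}, 1,
     "can track the precise location and report it"),
    ("boot-persistence", {RECEIVE_BOOT_COMPLETED}, 1,
     "restarts at boot, which malware relies on to stay resident"),
]


@dataclass(frozen=True)
class Finding:
    package: str
    rule: str
    weight: int
    explanation: str


def scan(inventory):
    """Return a Finding for every (package, rule) whose permission set is met.

    inventory: dict mapping package name -> iterable of requested permissions.
    """
    findings = []
    for package, perms in inventory.items():
        requested = set(perms)
        for name, needed, weight, why in RULES:
            if needed <= requested:
                findings.append(Finding(package, name, weight, why))
    return findings


def risk_score(findings, package):
    """Sum of the weights of the rules a package triggered (0 if none)."""
    return sum(f.weight for f in findings if f.package == package)


def report(inventory):
    """Packages ordered from most to least suspicious: (package, score, rules)."""
    findings = scan(inventory)
    rows = []
    for package in inventory:
        rules = [f.rule for f in findings if f.package == package]
        rows.append((package, risk_score(findings, package), rules))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


# Constructed inventory (not real apps). The "flashlight" requests far more
# than a torch needs; the messenger legitimately needs SMS permissions but
# triggers the same rules, which is why the output is a prompt to review,
# not a malware verdict.
SAMPLE_INVENTORY = {
    "com.example.flashlight": [INTERNET, SEND_SMS, RECEIVE_SMS,
                               READ_CONTACTS, RECEIVE_BOOT_COMPLETED],
    "com.example.messenger": [INTERNET, SEND_SMS, RECEIVE_SMS, READ_SMS,
                              READ_CONTACTS],
    "com.example.tracker": [INTERNET, ACCESS_FINE_LOCATION, RECORD_AUDIO,
                            RECEIVE_BOOT_COMPLETED],
    "com.example.notes": [INTERNET],
}

if __name__ == "__main__":
    for package, score, rules in report(SAMPLE_INVENTORY):
        print(f"{score:2d}  {package}  {', '.join(rules) or '-'}")
```

The scores only say what an application could do, not what it does: a messaging app and a fake flashlight both match the SMS rules, and newer Android versions prompt before an app sends to a known premium short code. That is why a scanner of this kind, like the one described above, should explain the permissions and notify the user rather than block anything on its own.<br />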
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks.<br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users who have no advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
= Road Map and Getting Involved =<br />
===Current priorities for SeraphimDroid are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Simply tell us what, as a user, you would like to see added or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while browsing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=203946OWASP SeraphimDroid Project2015-11-29T09:32:29Z<p>Nikola Milosevic: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks.<br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect users' privacy and secure the device against malicious features that may cost the user money<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Because modern mobile devices are connected to the internet and to mobile networks almost all the time, they are more exposed to attack. From open WiFi networks that can be spoofed to Trojan applications in app stores, threats are everywhere. Many attacks succeed because users are not aware of the risks and threats; they may act naively and expose themselves even further. These attacks can lead to identity theft, theft of money, loss of privacy, or the device being enlisted into a botnet.<br />
<br />
To prevent attacks on users, this project aims to develop a set of guidelines and an application that help users operate their devices securely. The project is, and always will remain, open for everyone to participate in, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research the threats and risks faced by users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project is research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other techniques in order to protect our users, their privacy and their money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner lists every installed application together with the permissions it requests, and explains how each permission could be misused. Seraphimdroid also uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user.<br />
* Application and service locker. With OWASP Seraphimdroid the user may lock access to some or all applications and system services (WiFi, mobile network, Bluetooth) with a password.<br />
* Install lock. Blocks all install and uninstall actions on the device. Useful for parental control.<br />
* Outgoing call and SMS blocker. Lets the user place outgoing calls and send SMS normally, but blocks outgoing calls and warns about outgoing SMS initiated by trojan applications.<br />
* Geo-fencing. Lets the user define a location range within which the device should stay. If the device leaves that range it can sound an alarm or start sending its location to a predefined number.<br />
* Remote location. If the user loses the phone, they can send it an SMS containing a predefined secret code and it will reply with the device's location coordinates.<br />
* Remote lock and wipe.<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* An application that keeps users secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
{|<br />
{{#ev:youtube|WccEBFaBXOw}}<br />
|}<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about Android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (6.9.2015) Version 2.0 of OWASP Seraphimdroid has been released on the [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play Store]. A blog post about the new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here].<br />
* (10.7.2015) OWASP Seraphimdroid is participating in the [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015].<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of Libre!, a Serbian online magazine about open source, which also published an interview with the project leader. Issue 29 of Libre!, containing the interview, can be read [https://libre.lugons.org/index.php/broj-29/ here].<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play]. A blog post about its features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here].<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code].<br />
* (2.2.2014) An article about malicious use of Android permissions was published in Digital Forensics magazine. The paper resulted from research conducted in the OWASP Seraphimdroid project and can be read [http://inspiratron.org/AndroidSecurity.pdf here].<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect users' privacy and secure the device against malicious features and threats<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner lists every installed application together with the permissions it requests, and explains how each permission could be misused. Seraphimdroid also uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently we use an SVM model (trained with SMO) on the M0Droid malware/goodware dataset, which achieved 88% accuracy. Accuracy on a research dataset is not the same as a false-positive rate on a real device, so the prediction is presented as a warning for the user to review rather than acted upon automatically.<br />
* Application locker. With OWASP Seraphimdroid you can lock access to some or all of your applications with a password.<br />
* Service locker. Lets the user lock the use of WiFi, mobile network and Bluetooth behind a password.<br />
* Install lock. Blocks all install and uninstall actions on the device. Useful for parental control.<br />
* Incoming SMS blocker. Scans every incoming message and alerts the user if the content looks like a phishing attempt.<br />
* Outgoing SMS scanner. Monitors outgoing SMS and alerts the user when an installed application tries to send a message. Sending premium-rate SMS messages without the user's knowledge is the usual way malware authors make money.<br />
* Outgoing call blocker. Lets you place outgoing calls normally, but blocks outgoing calls initiated by other installed applications. As with outgoing SMS, calls to premium-rate numbers are a scenario malware authors use to earn money.<br />
* Geo-fencing. Lets the user define a location range within which the device should stay. If the device leaves that range it can sound an alarm or start sending its location to a predefined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, to confirm that it is the owner who is changing the SIM. Useful theft protection.<br />
* Remote location. If you lose your phone, you can send it an SMS containing a predefined secret code and it will reply with the device's location coordinates.<br />
* Remote lock. Similarly, you can lock your device with a message containing the secret code.<br />
* Remote wipe. If your phone is stolen, you can send a message with the secret code and wipe all user data from the phone. Because the secret code is the only thing standing between an attacker and these commands, treat it like a password: keep it private and do not reuse it elsewhere.<br />
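The remote location, lock and wipe features above are triggered by an SMS whose content is a secret code. Anyone who sees that message in transit, or reads the SMS history of a phone that has already received one, learns the code and can send it again. The following is an added example for this page, not Seraphimdroid's own protocol: the SMS carries the command, a counter and an HMAC tag computed with a shared secret, so the secret itself never travels over the air and a captured message cannot be replayed. The message format, the command names and the counter scheme are assumptions made for the example.<br />

```python
"""Authenticated remote-command SMS for locate / lock / wipe.

Added example for this page; it is not Seraphimdroid's own protocol. The
page describes sending the phone an SMS whose content is a secret code.
This variant sends a command, a counter and an HMAC tag instead, so the
secret never appears in the message and a captured message cannot be
replayed. Format, command names and counter scheme are assumptions.
"""
import hashlib
import hmac

PREFIX = "SDCMD"
COMMANDS = {"LOCATE", "LOCK", "WIPE"}
TAG_HEX_LEN = 32  # 128-bit truncated HMAC-SHA256 tag, 32 hex characters


def _tag(secret: bytes, command: str, counter: int) -> str:
    msg = f"{PREFIX}:{command}:{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def build_command(secret: bytes, counter: int, command: str) -> str:
    """Owner side: body of the SMS to send to the lost phone.

    `counter` must be strictly greater than the last one the owner used;
    a Unix timestamp works as well as a stored integer.
    """
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    return f"{PREFIX} {command} {counter} {_tag(secret, command, counter)}"


class CommandReceiver:
    """Device side: checks each incoming SMS and returns the command, if any.

    `last_counter` would be persisted on the device so a reboot does not
    reopen the replay window.
    """

    def __init__(self, secret: bytes, last_counter: int = 0):
        self._secret = secret
        self._last_counter = last_counter

    def verify(self, body: str):
        """Return the command name if `body` is authentic and fresh, else None.

        SMS bodies are attacker-controlled, so malformed input must not raise.
        """
        parts = body.strip().split()
        if len(parts) != 4 or parts[0] != PREFIX:
            return None
        _, command, counter_text, tag = parts
        if command not in COMMANDS or not counter_text.isdigit():
            return None
        counter = int(counter_text)
        # Authenticate before acting on any field, with a constant-time compare.
        if not hmac.compare_digest(_tag(self._secret, command, counter), tag):
            return None
        # Freshness: reject anything at or below the last accepted counter.
        if counter <= self._last_counter:
            return None
        self._last_counter = counter
        return command


def demo():
    """Constructed exchange: a genuine locate, its replay, and forgeries."""
    secret = b"constructed-shared-secret-for-the-example"
    phone = CommandReceiver(secret)
    locate = build_command(secret, 1, "LOCATE")
    return [
        phone.verify(locate),                              # "LOCATE"
        phone.verify(locate),                              # None: replay
        phone.verify(build_command(secret, 2, "LOCK")),    # "LOCK"
        phone.verify(build_command(b"guess", 3, "WIPE")),  # None: wrong secret
        phone.verify("SDCMD WIPE 4 " + "0" * 32),          # None: bad tag
        phone.verify("please wipe"),                       # None: not a command
    ]


if __name__ == "__main__":
    print(demo())
```

The tag is checked before the counter so that an unauthenticated sender cannot probe the device's counter state, and the counter is only advanced after a message has been accepted. The owner needs a second device or a written-down secret to build the message; the reply with the location coordinates still goes back to whichever number sent the command, so the shared secret must be kept as carefully as the simpler secret code it replaces.<br />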
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks.<br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users who have no advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
= Road Map and Getting Involved =<br />
===Current priorities for SeraphimDroid are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Simply tell us what, as a user, you would like to see added or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while browsing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=OWASP_SeraphimDroid_Project&diff=203945OWASP SeraphimDroid Project2015-11-29T09:31:10Z<p>Nikola Milosevic: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP SeraphimDroid==<br />
'''Mission:'''<br />
<br />
''To create, as a community, an open platform for education and protection of Android users against privacy and security threats.''<br />
<br />
OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the use of applications and services via various kinds of locks.<br />
<br />
OWASP Seraphimdroid has two aims:<br />
* To protect users' privacy and secure the device against malicious features that may cost the user money<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
<br />
[[File:OWASPSeraphimdroid.png | 200px]]<br />
<br />
==Introduction==<br />
<br />
Android users face many threats and risks. Because modern mobile devices are connected to the internet and to mobile networks almost all the time, they are more exposed to attack. From open WiFi networks that can be spoofed to Trojan applications in app stores, threats are everywhere. Many attacks succeed because users are not aware of the risks and threats; they may act naively and expose themselves even further. These attacks can lead to identity theft, theft of money, loss of privacy, or the device being enlisted into a botnet.<br />
<br />
To prevent attacks on users, this project aims to develop a set of guidelines and an application that help users operate their devices securely. The project is, and always will remain, open for everyone to participate in, and all project deliverables will be free and open source.<br />
<br />
<br />
<br />
Project development is done on GitHub: https://github.com/nikolamilosevic86/owasp-seraphimdroid <br />
<br />
Release of OWASP Seraphimdroid is available on Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
<br />
==Description==<br />
<br />
<br />
The aim of this project is to research the threats and risks faced by users of the Android operating system. We want to develop, as a community, a free and open source security and privacy protection application and a set of security guidelines for Android users. The project is research oriented, and we are willing to innovate in the Android security field using machine learning, heuristics and other techniques in order to protect our users, their privacy and their money. The project is community driven and everyone is welcome to participate. The main aim of the OWASP SeraphimDroid application is to keep user data and money safe.<br />
<br />
So far the main features include:<br />
* Permission scanner. The permission scanner lists every installed application together with the permissions it requests, and explains how each permission could be misused. Seraphimdroid also uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user.<br />
* Application and service locker. With OWASP Seraphimdroid the user may lock access to some or all applications and system services (WiFi, mobile network, Bluetooth) with a password.<br />
* Install lock. Blocks all install and uninstall actions on the device. Useful for parental control.<br />
* Outgoing call and SMS blocker. Lets the user place outgoing calls and send SMS normally, but blocks outgoing calls and warns about outgoing SMS initiated by trojan applications.<br />
* Geo-fencing. Lets the user define a location range within which the device should stay. If the device leaves that range it can sound an alarm or start sending its location to a predefined number.<br />
* Remote location. If the user loses the phone, they can send it an SMS containing a predefined secret code and it will reply with the device's location coordinates.<br />
* Remote lock and wipe.<br />
<br />
==Licensing==<br />
GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is OWASP SeraphimDroid? ==<br />
* Free and open source project<br />
* Android security and privacy protection app<br />
* Educational platform (planned)<br />
<br />
OWASP SeraphimDroid provides:<br />
<br />
* Documentation on how Android permissions can be misused<br />
* Security guide for Android users<br />
* Security Android application<br />
* An application that keeps users secure and teaches them about risks<br />
<br />
==Donate for OWASP Seraphimdroid==<br />
<paypal>OWASP Seraphimdroid project</paypal><br />
<br />
==Mailing list==<br />
[https://lists.owasp.org/mailman/listinfo/owasp_seraphimdroid_project Project mailing list]<br />
<br />
<br />
== Presentations ==<br />
* [https://www.youtube.com/watch?v=WccEBFaBXOw Presentation video (YouTube)]<br />
* [http://www.slideshare.net/nikolamilosevic86/mobile-security-owasp-mobile-top-10-owasp-seraphimdroid OWASP Mobile Top 10 and OWASP Seraphimdroid], presented at the OWASP Serbia local chapter meeting in April 2015.<br />
<br />
== Project Leader ==<br />
<br />
Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Project]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/owasp-seraphimdroid<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" | <br />
<br />
== Quick Download ==<br />
<br />
* Google Play: https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid<br />
* Code: https://github.com/nikolamilosevic86/owasp-seraphimdroid<br />
* Documents and publications:<br />
** [http://inspiratron.org/OWASPSeraphimdroid/SeraphimdroidDocumentation.pdf User guide and Documentation] <br />
** Article about Android permissions, published by Digital Forensics magazine: http://inspiratron.org/AndroidSecurity.pdf<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= News and Events =<br />
* (6.9.2015) Version 2.0 of OWASP Seraphimdroid has been released on the [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play Store]. A blog post about the new features can be [http://inspiratron.org/new-version-of-owasp-seraphimdroid-v2-0-is-published/ read here].<br />
* (10.7.2015) OWASP Seraphimdroid is participating in the [https://www.owasp.org/index.php/Summer_Code_Sprint2015 OWASP Summer Code Sprint 2015].<br />
* (2.10.2014) OWASP Seraphimdroid was featured on the front page of Libre!, a Serbian online magazine about open source, which also published an interview with the project leader. Issue 29 of Libre!, containing the interview, can be read [https://libre.lugons.org/index.php/broj-29/ here].<br />
* (5.9.2014) The first release of OWASP Seraphimdroid was published on [https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid Google Play]. A blog post about its features can be [http://inspiratron.org/owasp-seraphimdroid-android-security-published/ read here].<br />
* (1.6.2014) OWASP Seraphimdroid participates in [https://www.google-melange.com/gsoc/project/details/google/gsoc2014/furquan/5639274879778816 Google Summer of Code].<br />
* (2.2.2014) An article about malicious use of Android permissions was published in Digital Forensics magazine. The paper resulted from research conducted in the OWASP Seraphimdroid project and can be read [http://inspiratron.org/AndroidSecurity.pdf here].<br />
<br />
=Features and Functionalities=<br />
==OWASP Seraphimdroid is==<br />
* Android application<br />
* Open source<br />
* Completely free (no paid 'Pro' version)<br />
* Community based, with involvement actively encouraged<br />
* Under active development by an international team of volunteers<br />
<br />
==OWASP Seraphimdroid has two aims:==<br />
* To protect users' privacy and secure the device against malicious features and threats<br />
* To educate users about threats and risks to their privacy, the privacy of their data and the security of their device.<br />
<br />
==Features:==<br />
* Permission scanner. The permission scanner shows the list of all installed applications and the permissions they use. The app also describes potential malicious uses of certain permissions. Seraphimdroid uses machine learning to predict whether an application might be malicious (a virus, Trojan, worm, rootkit, etc.) and notifies the user. Currently we use an SVM/SMO model trained on the M0Droid malware/goodware dataset, which achieved an accuracy of 88%. <br />
* Application locker. With OWASP Seraphimdroid, you may lock access to some or all of your applications with a password.<br />
* Service locker. This feature enables users to lock usage of WiFi, mobile network and Bluetooth with a password.<br />
* Install lock. This feature can lock all install and uninstall actions on your device. Great for parental control.<br />
* Incoming SMS blocker. This feature scans all incoming messages and alerts the user if it finds potential phishing in the content.<br />
* Outgoing SMS scanner. The application monitors outgoing SMS and alerts the user if one of the installed applications is trying to send an SMS. This is the usual way malware creators earn money: by sending premium SMS messages.<br />
* Outgoing call blocker. This feature allows you to make outgoing calls normally, but blocks outgoing calls made by other installed applications. As with outgoing SMSes, this is a scenario malware creators use to earn money.<br />
* Geo-fencing. This feature allows the user to set a location range where the device should be. If the device leaves the range, it may set off an alarm or start sending messages with its location to the defined number.<br />
* SIM change detector. Asks for a password when the SIM card is changed, in order to ensure that it is the owner of the device who is changing the SIM card. Perfect for theft protection.<br />
* Remote location. If you lose your phone, you will be able to send an SMS with a defined secret code as its content, and your phone will reply with the location coordinates of the device. <br />
* Remote lock. Similarly, you may lock your device using a message with the secret code.<br />
* Remote wipe. If your phone is stolen, you may send a message with the secret code and wipe all user data from the phone.<br />
<br />
=FAQs=<br />
<br />
; Q1: '''What is OWASP Seraphimdroid?'''<br />
: A1: OWASP Seraphimdroid is a privacy and security protection app for Android devices. It enables users to protect their devices against malicious software (viruses, trojans, worms, etc.), phishing SMS and MMS messages, execution of dangerous USSD codes, theft and loss. It also enables users to protect their privacy and to control the usage of applications and services via various kinds of locks. <br />
<br />
; Q2: '''Does it require device root access?'''<br />
: A2: No. The application is designed to protect ordinary users who have no advanced skills (such as rooting the device).<br />
<br />
= Acknowledgements =<br />
==Volunteers and contributors==<br />
OWASP SeraphimDroid is developed by a worldwide team of volunteers. The primary contributors to date have been:<br />
<br />
* Nikola Milosevic<br />
* Aleksandar Abu Samra<br />
* Chetan Karande<br />
* Ali Tekeoglu<br />
* Furquan Ahmed<br />
* Kartik Kohli<br />
<br />
==Corporate sponsors==<br />
<br />
==Individual sponsors==<br />
<br />
==Others==<br />
<br />
= Road Map and Getting Involved =<br />
===The current priorities of SeraphimDroid are:===<br />
* MVP development of Android security application with educational content<br />
* Documenting approaches taken during the development<br />
* Try to publish some papers<br />
* Further development and improvement<br />
<br />
'''Involvement in the development and promotion of SeraphimDroid is actively encouraged! You do not have to be a security expert in order to contribute.'''<br />
<br />
<br />
===Some of the ways you can help:===<br />
* Help code the open source security app<br />
* Write project documentation<br />
* Help with marketing and reaching more users and contributors<br />
* Design logo or controls<br />
* Research possible permission misuse, models for fraud and spam detection, new anti-theft approaches<br />
* Just let us know what you, as a user, would like to see added or improved<br />
<br />
===Future development should include:===<br />
* Handling spam messages (SMS, MMS) in a better way<br />
* Developing Seraphimdroid as an extendable platform with plugins made by other developers<br />
* Handling dangerous and malicious web pages while surfing<br />
* Advanced behavioral and machine learning based malware analysis<br />
* Developing educational content within the application<br />
* Advanced anti-theft and anti-loss measures<br />
<br />
<br />
If you want to contribute please contact project leader Nikola Milosevic [mailto:nikola.milosevic@owasp.org]<br />
<br />
=Project About=<br />
{{:Projects/OWASP_SeraphimDroid_Project}} <br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=202618Manchester2015-10-24T16:03:00Z<p>Nikola Milosevic: </p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date:''' Thursday, 12th November 2015, 18:00<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' https://www.eventbrite.co.uk/e/owasp-manchester-meeting-12th-november-2015-tickets-19093911403 <br />
<br />
'''Event sponsors:''' [http://www.ukfast.co.uk/ UKFast] (venue and drinks), [http://avecto.com Avecto] (pizza)<br />
<br />
==Speakers==<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with the aim of protecting users from these threats by giving them the right tools in the form of a mobile application and educating them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
<br />
<br />
Please email the list if you want to speak<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
== November Meeting ==<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' TBA <br />
<br />
<br />
===Speakers===<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with the aim of protecting users from these threats by giving them the right tools in the form of a mobile application and educating them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Bennetts|Simon Bennetts]]<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [http://nuksg.org/ Northern UK Security Group]<br />
* [http://nwdc.org.uk/ North West Digital Communities (NWDC)]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=202481Manchester2015-10-21T20:36:31Z<p>Nikola Milosevic: </p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date:''' Thursday, 12th November 2015, 18:00<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' https://www.eventbrite.co.uk/e/owasp-manchester-meeting-12th-november-2015-tickets-19093911403 <br />
<br />
<br />
==Speakers==<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with the aim of protecting users from these threats by giving them the right tools in the form of a mobile application and educating them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
<br />
<br />
Please email the list if you want to speak<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
== November Meeting ==<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' TBA <br />
<br />
<br />
===Speakers===<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with the aim of protecting users from these threats by giving them the right tools in the form of a mobile application and educating them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Bennetts|Simon Bennetts]]<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [http://nuksg.org/ Northern UK Security Group]<br />
* [http://nwdc.org.uk/ North West Digital Communities (NWDC)]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=202479Manchester2015-10-21T20:26:48Z<p>Nikola Milosevic: </p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' https://www.eventbrite.co.uk/e/owasp-manchester-meeting-12th-november-2015-tickets-19093911403 <br />
<br />
<br />
==Speakers==<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with the aim of protecting users from these threats by giving them the right tools in the form of a mobile application and educating them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
<br />
<br />
Please email the list if you want to speak<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
== November Meeting ==<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' TBA <br />
<br />
<br />
===Speakers===<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with the aim of protecting users from these threats by giving them the right tools in the form of a mobile application and educating them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Bennetts|Simon Bennetts]]<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [http://nuksg.org/ Northern UK Security Group]<br />
* [http://nwdc.org.uk/ North West Digital Communities (NWDC)]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=202158Manchester2015-10-15T11:52:03Z<p>Nikola Milosevic: /* Upcoming Events */</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' TBA <br />
<br />
<br />
==Speakers==<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with the aim of protecting users from these threats by giving them the right tools in the form of a mobile application and educating them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
<br />
<br />
Please email the list if you want to speak<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
== November Meeting ==<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' TBA <br />
<br />
<br />
===Speakers===<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with an aim to protect users from the threats by giving them the right tools in the form of a mobile application and to educate them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of the [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Bennetts|Simon Bennetts]]<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [http://nuksg.org/ Northern UK Security Group]<br />
* [http://nwdc.org.uk/ North West Digital Communities (NWDC)]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=202157Manchester2015-10-15T11:51:41Z<p>Nikola Milosevic: /* Upcoming Events */</p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' TBA <br />
<br />
<br />
==Speakers==<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with an aim to protect users from the threats by giving them the right tools in the form of a mobile application and to educate them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of the [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
<br />
<br />
Please email the list if you want to speak.<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
== November Meeting ==<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' TBA <br />
<br />
<br />
==Speakers==<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with an aim to protect users from the threats by giving them the right tools in the form of a mobile application and to educate them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of the [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Bennetts|Simon Bennetts]]<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [http://nuksg.org/ Northern UK Security Group]<br />
* [http://nwdc.org.uk/ North West Digital Communities (NWDC)]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevichttps://wiki.owasp.org/index.php?title=Manchester&diff=202156Manchester2015-10-15T11:50:19Z<p>Nikola Milosevic: </p>
<hr />
<div>{{Chapter Template|chaptername=Manchester|extra=<br />
<br />
This [[UK]] chapter was started in 2011, having grown out of the successful [[Leeds_UK]] chapter. <br />
<br />
You can follow [https://twitter.com/OwaspMcr @OwaspMcr] on Twitter and view some of the chapter meeting videos on [https://www.youtube.com/channel/UCAX1Mg9r4KeLoJq6bHxOP0Q YouTube].<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Manchester|emailarchives=http://lists.owasp.org/pipermail/owasp-Manchester}}<br />
<br />
= Next Meeting =<br />
<br />
'''Date:''' Thursday, 12th November 2015<br />
<br />
'''Location:''' UKFast, Birley Fields, Manchester M15 5QJ<br />
<br />
'''Registration:''' TBA <br />
<br />
<br />
==Speakers==<br />
* '''Scott Helme'''<br />
<br />
''Abstract:''<br />
Modern browsers have introduced new security features that websites can activate using server headers: CSP, HSTS and HPKP. I analysed the use of these headers on the Alexa Top 1 Million sites. The results are not what you might expect and the data shows some interesting trends.<br />
<br />
''Speaker bio:''<br />
Scott Helme is an Information Security Consultant who blogs about security, privacy and performance online. He develops tools and tutorials to help you deploy the latest web security features. Read more at scotthelme.co.uk.<br />
<br />
* '''Nikola Milosevic'''<br />
<br />
''Abstract:''<br />
Android users face many threats and risks. Since modern mobile devices are almost all the time exposed to the internet and other types of mobile networks, they are always exposed to attacks. Users are usually not aware of the threats. [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid] is an OWASP project initiative with an aim to protect users from the threats by giving them the right tools in the form of a mobile application and to educate them through it. In this talk Nikola will present the current state and some interesting features of [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid].<br />
<br />
''Speaker bio:'' Nikola is the project leader of the [https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project] and one of the chapter leaders in Manchester. Previously, he founded and led the OWASP local chapter in Serbia in 2012. At the moment he is doing his PhD at the University of Manchester. Read more at http://inspiratron.org/<br />
<br />
<br />
<br />
Please email the list if you want to speak.<br />
<br />
= Upcoming Events =<br />
<br />
<br />
== Summer / Autumn Social ==<br />
<br />
We will probably be having a social event between August and October -- details will appear here as soon as we have them.<br />
<br />
== November Meeting ==<br />
<br />
To be announced closer to the time.<br />
<br />
= Past Events =<br />
<br />
'''2015 Dates'''<br />
<br />
[[2015_06_17_Manchester|17th June]]<br />
<br />
[[2015_02_17_Manchester|17th February]]<br />
<br />
'''2014 Dates'''<br />
<br />
[[2014_09_08_Manchester|8th September]]<br />
<br />
[[2014_05_13_Manchester|13th May]]<br />
<br />
[[2014_02_27_Manchester|27th February]]<br />
<br />
'''2013 Dates'''<br />
<br />
[[2013_04_30_Manchester|30th April]]<br />
<br />
'''2012 Dates'''<br />
<br />
[[2012_09_11_Manchester|11th September]]<br />
<br />
[[2012_05_30_Manchester|30th May]]<br />
<br />
[[2012_02_01_Manchester|1st February]]<br />
<br />
'''2011 Dates'''<br />
<br />
[[2011_11_16_Manchester|16th November]]<br />
<br />
[[2011_08_24_Manchester|24th August]] As part of the Leeds Chapter<br />
<br />
[https://www.owasp.org/index.php/Leeds_UK 22nd June] As part of the Leeds Chapter<br />
<br />
'''2010 Dates'''<br />
<br />
[[8th_December_Leeds|8th December]] As part of the Leeds Chapter<br />
<br />
= Chapter Leaders =<br />
<br />
The chapter leaders are:<br />
<br />
* [[User:Simon Bennetts|Simon Bennetts]]<br />
* [[User:Simon Ward|Simon Ward]]<br />
* [[User:Andy_Hornsby-Jones|Andy Hornsby-Jones]]<br />
* [[User:Dominic_Chell|Dominic Chell]]<br />
* [[User:Redcrag|Daniel Pollard]]<br />
* [[User:Nikola Milosevic|Nikola Milosevic]]<br />
* [[User:Stuw|Stuart Walker]]<br />
We are actively seeking more chapter leaders - please get in touch if you would like to become one!<br />
<br />
= Sponsorship =<br />
<br />
We are looking for organizations to sponsor the Manchester chapter.<br />
<br />
You can sponsor the chapter for one year at the following levels:<br />
* £300 Silver<br />
* £600 Gold<br />
* £1200 Platinum<br />
<br />
You can also sponsor a meeting by hosting the event or donating £100.<br />
<br />
If you are interested in sponsoring the chapter then please get in touch with one of the chapter leaders.<br />
<br />
<br />
= Local Organizations =<br />
<br />
Other related organizations in the Manchester area:<br />
<br />
* [http://manchester.bcs.org/ BCS Manchester]<br />
* [http://geekup.org/ GeekUp]<br />
* [http://madlab.org.uk/ MadLab]<br />
* [http://libreplanet.org/wiki/Manchester Manchester Free Software]<br />
* [http://www.manlug.org/ Manchester Linux Users Group]<br />
* [http://nuksg.org/ Northern UK Security Group]<br />
* [http://nwdc.org.uk/ North West Digital Communities (NWDC)]<br />
* [http://www.meetup.com/North-West-Tester-Gathering North West Tester Gathering]<br />
* [http://www.bsidesmcr.org.uk/ Security BSides Manchester]<br />
<br />
Please get in touch with one of the chapter leaders to get your organization listed here.<br />
<br />
And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-Manchester Manchester mailing list] to publicise related events.<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United Kingdom]]</div>Nikola Milosevic