This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Code Kids 2015 Ideas"
A V Minhaz (talk | contribs) (→Task 4: Porting mod_csrfprotector Wiki (from Github) to OWASP Wiki) |
m (Seccoale moved page GCI2014 Ideas to OWASP Code Kids 2015 Ideas: It is no more a Google Code In) |
||
| (8 intermediate revisions by 5 users not shown) | |||
| Line 17: | Line 17: | ||
=== OWASP ZAP Task 1 === | === OWASP ZAP Task 1 === | ||
| − | '''Brief | + | '''Brief description:''' |
| + | |||
| + | Write a blogpost about CMS-scnanning techniques, this will include web-apps fingerprinting methods, vulnerability checking using on-line databases and a survey of existing tools. | ||
| + | |||
| + | '''Task Category:''' | ||
| + | |||
| + | Documentation | ||
| + | |||
| + | '''Expected Results:''' | ||
| + | |||
| + | A professional blogpost that will be published on OWASP website | ||
| + | |||
| + | '''Knowledge Prerequisites:''' | ||
| + | |||
| + | Good understanding of web security basics, Knowledge on how do CMSs work and good writing skills. | ||
| + | |||
| + | '''Mentors:''' Abdelhadi | ||
| + | |||
| + | |||
| + | === OWASP ZAP Task 2 === | ||
| + | |||
| + | '''Brief description:''' | ||
| + | |||
| + | Rebuild the CMSscanner GUI including a progress bar that shows scanning progress and a textzone to display tried strings and paths used by the scanner in real time | ||
| + | |||
| + | '''Task Category:''' | ||
| + | |||
| + | Code/Design | ||
| + | |||
| + | '''Expected Results:''' | ||
| + | |||
| + | New GUI with progress bar and displaying paths when scanning | ||
| + | |||
| + | '''Knowledge Prerequisites:''' | ||
| + | |||
| + | Java language, GUI design. | ||
| + | |||
| + | '''Mentors:''' Abdelhadi | ||
| + | |||
| + | === OWASP ZAP Task 3 === | ||
| + | |||
| + | '''Brief description:''' | ||
| − | + | In this task you are required to reproduce vulnerabilities in OWASP web goat using Owasp ZAP and zest scripts. The chosen challenge must be solved using ZAP and the resolution must be stored as a zest script. This task should help documenting of web goat and providing some working examples of Mozilla Zest scripts. | |
'''Task Category:''' | '''Task Category:''' | ||
| − | + | Code | |
'''Expected Results:''' | '''Expected Results:''' | ||
| − | + | Zest scripts which reproduces some of the vulnerabilities challange of Owasp WebGoat. | |
'''Knowledge Prerequisites:''' | '''Knowledge Prerequisites:''' | ||
| − | Comfortable in | + | Comfortable in Javascript and HTML. Good understanding of Application Security and related vulnerabilities. |
| − | '''Mentors:''' | + | '''Mentors:''' Alessandro Secco |
== OWASP OWTF == | == OWASP OWTF == | ||
| Line 301: | Line 342: | ||
Familiarity with wiki. | Familiarity with wiki. | ||
| + | |||
'''Reference''' | '''Reference''' | ||
| + | |||
[https://github.com/mebjas/CSRF-Protector-PHP/wiki Github wiki for CSRF Protector php] | [https://github.com/mebjas/CSRF-Protector-PHP/wiki Github wiki for CSRF Protector php] | ||
| + | |||
'''Mentors:''' Minhaz | '''Mentors:''' Minhaz | ||
| Line 348: | Line 392: | ||
'''Mentors:''' Minhaz | '''Mentors:''' Minhaz | ||
| + | |||
| + | == OWASP Code Review Project == | ||
| + | https://www.owasp.org/index.php/OWASP_Code_review_V2_Project | ||
| + | |||
| + | === Task 1: Code Samples === | ||
| + | |||
| + | '''Brief Explanation:''' | ||
| + | |||
| + | Code review guide has example code in .Net and Java and in some cases C++. We also want to include sample code in PHP and Ruby. We have existing example code in Java, .Net c#. | ||
| + | |||
| + | '''Task Category:''' | ||
| + | |||
| + | Code | ||
| + | |||
| + | '''Expected Results:''' | ||
| + | |||
| + | Follow existing code samples we need you to create Ruby and PHP where needed. All work will be shown in code review guide wiki. Please review code samples in code review guide wiki. | ||
| + | |||
| + | '''Knowledge Prerequisites:''' | ||
| + | |||
| + | php, and or Ruby | ||
| + | |||
| + | '''Mentors:''' Larry Conklin, Gary Robinson | ||
| + | |||
| + | === Task 1.1: Code Samples === | ||
| + | Session Handling. Need php and Java code examples | ||
| + | https://www.owasp.org/index.php/CRV2_SessionHandling | ||
| + | |||
| + | === Task 1.2: Code Samples === | ||
| + | Input validation. Need php code examples | ||
| + | https://www.owasp.org/index.php/CRV2_InputValIntro | ||
| + | |||
| + | === Task 1.3: Code Samples === | ||
| + | Handling Error Messages. Need pho code examples | ||
| + | https://www.owasp.org/index.php/CRV2_ErrorHandlingMessages | ||
| + | |||
| + | === Task 1.4: Code Samples === | ||
| + | Persistent – The Anti pattern. Need Ruby code examples. | ||
| + | https://www.owasp.org/index.php/CRV2_RevCodePersistentAntiPatternRuby | ||
| + | |||
| + | === Task 1.5: Code Samples === | ||
| + | Reflected - The Anti pattern. Need Ruby code examples. | ||
| + | https://www.owasp.org/index.php/CRV2_RevCodeReflectedAntiPatternIRuby | ||
| + | |||
| + | === Task 1.6: Code Samples === | ||
| + | Ruby - AntiPatttern | ||
| + | https://www.owasp.org/index.php/CRV2_AntiPatternPHP | ||
| + | |||
| + | === Task 2: Documentation === | ||
| + | Reviewing by Technical Control | ||
| + | https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents#Reviewing_by_Technical_Control | ||
| + | |||
| + | Reviewing by Vulnerability | ||
| + | https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents#Reviewing_by_Vulnerability | ||
| + | We need content from last two sections pulled from the wiki and added to a word doc and if possible have the content put into the following word doc template. Email me and I will send you the word template. | ||
| + | |||
| + | We realize that all of the content will not easily fit into the word template but they can do the best they can and that will be fine with us. We only have three rules. | ||
| + | |||
| + | Don’t delete anything even if you don’t agree with it. | ||
| + | Don’t add anything unless it is well marked that you added it. | ||
| + | Have fun and please ask questions. Please remember we have full time jobs and families. We will answer questions but maybe not as quickly as you would like. Yea, we are old grouchy men. | ||
| + | |||
| + | '''Knowledge Prerequisites:''' | ||
| + | |||
| + | Basic understanding wiki editing, word understanding and ability to format text. | ||
| + | |||
| + | '''Mentors:''' Larry Conklin, Gary Robinson | ||
| + | |||
| + | == OWASP Security Controls in Web Application Development Lifecycle == | ||
| + | https://www.owasp.org/index.php/OWASP_Security_Controls_in_Web_Application_Development_Lifecycle | ||
| + | |||
| + | === Task 1: Web Application Architecture === | ||
| + | |||
| + | '''Brief Explanation:''' | ||
| + | |||
| + | To come out with a diagrammatic explanation of how a web application works. Each and every section in the diagram must be explained. | ||
| + | |||
| + | '''Task Category:''' | ||
| + | |||
| + | Architecture | ||
| + | |||
| + | '''Expected Results:''' | ||
| + | |||
| + | The architecture must clearly explain how a web application works irrespective of any technology. | ||
| + | |||
| + | '''Knowledge Prerequisites:''' | ||
| + | |||
| + | Good understanding of web applications | ||
| + | |||
| + | === Task 2: Project Logo === | ||
| + | |||
| + | '''Brief Explanation:''' | ||
| + | |||
| + | To come out with a suitable logo for the project matching the project title | ||
| + | |||
| + | '''Task Category:''' | ||
| + | |||
| + | Designing Logo | ||
| + | |||
| + | '''Expected Results:''' | ||
| + | |||
| + | Project Logo | ||
| + | |||
| + | '''Knowledge Prerequisites:''' | ||
| + | |||
| + | Creative imagination | ||
| + | |||
| + | === Task 3: Secure web application coding === | ||
| + | |||
| + | '''Brief Explanation:''' | ||
| + | |||
| + | How to code a web application securely? E.g: Session Management, Input Validation, Error Logging, Configuration etc. with code examples. Technology : .NET / Java | ||
| + | |||
| + | '''Task Category:''' | ||
| + | |||
| + | Research & code snippets | ||
| + | |||
| + | '''Expected Results:''' | ||
| + | Theory and Code | ||
| + | |||
| + | '''Knowledge Prerequisites:''' | ||
| + | |||
| + | Good research skills, proper understanding of coding in .NET and Java | ||
| + | |||
| + | '''Mentor:''' Nilay Sangani | ||
Latest revision as of 08:40, 19 February 2015
Task Categories
The tasks are grouped into the categories described below. Please make sure each task is assigned a category.
Code: Tasks related to writing or refactoring code.
Documentation/Training: Tasks related to creating/editing documents and helping others learn more
Outreach/Research: Tasks related to community management, outreach/marketing, or studying problems and recommending solutions
Quality Assurance: Tasks related to testing and ensuring code is of high quality
User Interface: Tasks related to user experience research or user interface design and interaction
OWASP ZAP
OWASP ZAP Task 1
Brief description:
Write a blogpost about CMS-scnanning techniques, this will include web-apps fingerprinting methods, vulnerability checking using on-line databases and a survey of existing tools.
Task Category:
Documentation
Expected Results:
A professional blogpost that will be published on OWASP website
Knowledge Prerequisites:
Good understanding of web security basics, Knowledge on how do CMSs work and good writing skills.
Mentors: Abdelhadi
OWASP ZAP Task 2
Brief description:
Rebuild the CMSscanner GUI including a progress bar that shows scanning progress and a textzone to display tried strings and paths used by the scanner in real time
Task Category:
Code/Design
Expected Results:
New GUI with progress bar and displaying paths when scanning
Knowledge Prerequisites:
Java language, GUI design.
Mentors: Abdelhadi
OWASP ZAP Task 3
Brief description:
In this task you are required to reproduce vulnerabilities in OWASP web goat using Owasp ZAP and zest scripts. The chosen challenge must be solved using ZAP and the resolution must be stored as a zest script. This task should help documenting of web goat and providing some working examples of Mozilla Zest scripts.
Task Category:
Code
Expected Results:
Zest scripts which reproduces some of the vulnerabilities challange of Owasp WebGoat.
Knowledge Prerequisites:
Comfortable in Javascript and HTML. Good understanding of Application Security and related vulnerabilities.
Mentors: Alessandro Secco
OWASP OWTF
OWASP OWTF Task 1
Brief Explanation:
Task description
Task Category:
Eg. Code Category
Expected Results:
Describe the expected results of the task
Knowledge Prerequisites:
Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.
Mentors: XXXXXX
OWASP WIKI
Task 1: Latam Tour 2015 logo
Brief Explanation:
Design a new logo for the Latam Tour 2015. The logo must resemble previous editions of the Tour and represent the Latin America region. It would be better if the new logo is based on the OWASP logo. As a reference, here is the Latam Tour 2014 Logo:
Task Category:
Design
Expected Results:
Latam Tour 2015 logo in either psd or jpeg format.
Knowledge Prerequisites:
Familiarity with Photoshop/GIMP or any other designing software.
Mentors: Fabio Cerullo
OWASP WebGoatPHP
Task 1: Implement "remember me" feature
Brief Explanation:
Implement a secure "Remember me" feature in user login form using cookies. At present the remember me check box is present in the form but it does nothing.
Task Category:
Code
Expected Results:
If user checks the "remember me" check box when logging in, then the user will not be required to login every time he visits the application within X days.
Knowledge Prerequisites:
Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.
Reference:
https://github.com/shivamdixit/WebGoatPHP/issues/45
Code:
app/control/user/login.php
Mentors: Shivam Dixit
Task 2: Make workshop mode dashboard responsive
Brief Explanation:
In workshop mode of the application, the side panel of admin dashboard is not responsive i.e it does not fits well in smaller size screen resolutions. If the screen size is small the side panel should shrink into a smaller panel preferably at the bottom of the application.
Task Category:
Code
Expected Results:
Panel perfectly adjusts on small screen resolutions.
Knowledge Prerequisites:
CSS (media queries), HTML
Reference:
https://github.com/shivamdixit/WebGoatPHP/issues/26
Code:
style/dashboard.css
Mentors: Shivam Dixit
Task 3: WebGoatPHP logo
Brief Explanation:
Design a new logo for the application. The logo must resemble various aspects of the application. It would be better if the new logo is based on the OWASP logo.
Task Category:
Design
Expected Results:
WebGoatPHP logo in either psd or jpeg format.
Knowledge Prerequisites:
Familiarity with Photoshop/GIMP or any other designing software.
Mentors: Shivam Dixit
Task 4: WebGoatPHP deployment screencast
Brief Explanation:
Deploy the application on the local server without using vagrant and record a screencast of the process. Upload to a video streaming service and comment link on the melange for mentor to review.
Task Category:
Code
Expected Results:
The screencast should clearly contain all the steps required for the deployment and how to troubleshoot most common errors in the whole process.
Knowledge Prerequisites:
Familiarity with an operating system (Linux/Windows)
Mentors: Shivam Dixit
Task 5: Create a SQL injection challenge
Brief Explanation:
Single user mode of WebGoatPHP consist of set of challenges. These challenges simulate various real world security vulnerabilities in web applications. You have to add a challenge under category "Injection Attacks" which simulates a SQL injection vulnerability in single user mode. The input data must be of type string and the challenge should mimic some real world scenario.
Task Category:
Code
Expected Results:
A challenge which helps user understand SQLi vulnerability by allowing him to exploit the vulnerability.
Knowledge Prerequisites:
Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.
Reference:
https://www.owasp.org/index.php/SQL_Injection
https://github.com/shivamdixit/WebGoatPHP/blob/master/README.md#adding-a-lessonchallenge
Mentors: Shivam Dixit
Task 6-20: WebGoatPHP challenges screencast series
Brief Explanation:
In this task you are required to record screencast of how to solve a particular single user mode challenge. The screencast should start by providing an overview of the vulnerability that will be exploited, then step by step instructions on how to exploit the vulnerability. The screencast should conclude on a note that how to avoid this vulnerability in your application. The length of the screencast would vary according to the challenge but it should neither be too long nor too short.
Task - Screencast of challenge.....
Task 6 - HTTP Basic
Task 7 - Using Access Control Matrix
Task 8 - Business Layer Access Control
Task 9 - Path Based Access Control
Task 10 - Same Origin Policy Protection
Task 11 - Forgot Password
Task 12 - Discover clues in HTML
Task 13 - JS Obfuscation
Task 14 - XSS 1 (Reflected)
Task 15 - XSS 2 (Stored)
Task 16 - XSS 3 (DOM)
Task 17 - Fail Open Authentication
Task 18 - Log Spoofing
Task 19 - Numeric SQL Injection
Task 20 - XPATH injection
Task Category:
Code
Expected Results:
A screencast explaining the vulnerability involved in a particular challenge.
Knowledge Prerequisites:
Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.
Mentors: Shivam Dixit
OWASP CSRF Protector
Task 1-2: CSRF Protector logo
Brief Explanation:
Design logos for the for CSRF Protector Project, possibly two versions one for php library and another one for Apache module. Both of them should resemble OWASP logo.
Task Category:
Design
Expected Results:
OWASP CSRF Protector logo in either psd or jpeg format.
Knowledge Prerequisites:
Familiarity with Photoshop/GIMP or any other designing software.
Mentors: Minhaz
Task 3: Porting CSRF Protector PHP Wiki (from Github) to OWASP Wiki
Brief Explanation:
Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.
Task Category:
Documentation
Expected Results:
Wiki for CSRF Protector php library in OWASP.ORG .
Knowledge Prerequisites:
Familiarity with wiki.
Reference
Github wiki for CSRF Protector php
Mentors: Minhaz
Task 4: Porting mod_csrfprotector Wiki (from Github) to OWASP Wiki
Brief Explanation:
Currently we have wiki on how to use and deploy, at github. The task is to port them to OWASP Wiki as well so that it can be accessed directly.
Task Category:
Documentation
Expected Results:
Wiki for mod_csrfprotector library in OWASP.ORG .
Knowledge Prerequisites:
Familiarity with wiki.
References
Github wiki for mod_csrfprotector
Mentors: Minhaz
Task 5-6: Create screencasts on how to deploy both version of CSRF Protector individually
Brief Explanation:
Create two screencasts, one for each, which explains how to deploy CSRF Protector in your existing web application.
Task Category:
Screencast
Expected Results:
Screencasts explaining how to use CSRF Protector with existing web applications.
Knowledge Prerequisites:
Experience with php, HTML, and Apache (for mod_csrfprotector)
Mentors: Minhaz
OWASP Code Review Project
https://www.owasp.org/index.php/OWASP_Code_review_V2_Project
Task 1: Code Samples
Brief Explanation:
Code review guide has example code in .Net and Java and in some cases C++. We also want to include sample code in PHP and Ruby. We have existing example code in Java, .Net c#.
Task Category:
Code
Expected Results:
Follow existing code samples we need you to create Ruby and PHP where needed. All work will be shown in code review guide wiki. Please review code samples in code review guide wiki.
Knowledge Prerequisites:
php, and or Ruby
Mentors: Larry Conklin, Gary Robinson
Task 1.1: Code Samples
Session Handling. Need php and Java code examples
https://www.owasp.org/index.php/CRV2_SessionHandling
Task 1.2: Code Samples
Input validation. Need php code examples
https://www.owasp.org/index.php/CRV2_InputValIntro
Task 1.3: Code Samples
Handling Error Messages. Need pho code examples
https://www.owasp.org/index.php/CRV2_ErrorHandlingMessages
Task 1.4: Code Samples
Persistent – The Anti pattern. Need Ruby code examples.
https://www.owasp.org/index.php/CRV2_RevCodePersistentAntiPatternRuby
Task 1.5: Code Samples
Reflected - The Anti pattern. Need Ruby code examples.
https://www.owasp.org/index.php/CRV2_RevCodeReflectedAntiPatternIRuby
Task 1.6: Code Samples
Ruby - AntiPatttern
https://www.owasp.org/index.php/CRV2_AntiPatternPHP
Task 2: Documentation
Reviewing by Technical Control
https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents#Reviewing_by_Technical_Control
Reviewing by Vulnerability
https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents#Reviewing_by_Vulnerability
We need content from last two sections pulled from the wiki and added to a word doc and if possible have the content put into the following word doc template. Email me and I will send you the word template.
We realize that all of the content will not easily fit into the word template but they can do the best they can and that will be fine with us. We only have three rules.
Don’t delete anything even if you don’t agree with it. Don’t add anything unless it is well marked that you added it. Have fun and please ask questions. Please remember we have full time jobs and families. We will answer questions but maybe not as quickly as you would like. Yea, we are old grouchy men.
Knowledge Prerequisites:
Basic understanding wiki editing, word understanding and ability to format text.
Mentors: Larry Conklin, Gary Robinson
OWASP Security Controls in Web Application Development Lifecycle
https://www.owasp.org/index.php/OWASP_Security_Controls_in_Web_Application_Development_Lifecycle
Task 1: Web Application Architecture
Brief Explanation:
To come out with a diagrammatic explanation of how a web application works. Each and every section in the diagram must be explained.
Task Category:
Architecture
Expected Results:
The architecture must clearly explain how a web application works irrespective of any technology.
Knowledge Prerequisites:
Good understanding of web applications
Task 2: Project Logo
Brief Explanation:
To come out with a suitable logo for the project matching the project title
Task Category:
Designing Logo
Expected Results:
Project Logo
Knowledge Prerequisites:
Creative imagination
Task 3: Secure web application coding
Brief Explanation:
How to code a web application securely? E.g: Session Management, Input Validation, Error Logging, Configuration etc. with code examples. Technology : .NET / Java
Task Category:
Research & code snippets
Expected Results: Theory and Code
Knowledge Prerequisites:
Good research skills, proper understanding of coding in .NET and Java
Mentor: Nilay Sangani
