Line 18: |
Line 18: |
| The Google Code-in 2014 contest will run from '''December 1, 2014 to January 19, 2015'''. | | The Google Code-in 2014 contest will run from '''December 1, 2014 to January 19, 2015'''. |
| | | |
− | ==Code: Tasks related to writing or refactoring code == | + | =Task Categories= |
− | '''1.Create login page with validations'''<br>
| |
− | Create a HTML page with 2 textboxes:<br>
| |
− | *a username textbox<br>
| |
− | *a password textbox<br>
| |
− | * a submit button. <br>
| |
− | Your mission is to write one or more JavaScript functions that guarantee:
| |
− | *When user press ‘submit’ button Username cannot be longer than 10 characters and not small than 3 characters
| |
− | *The username he wrote will be wiped out(cleared) from the field if it doesn’t comply with the rule
| |
− | *A pop up message will appear in case the username is longer than 10 characters saying "Username or Password is not valid"
| |
− | *If the username or password field has the following characters filled by the user: “<” or “>” , a pop message must appear saying “These characters are not allowed”
| |
| | | |
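Review bot: the validation rule in task 1 is internally inconsistent: the length requirement says the username must be between 3 and 10 characters, but the pop-up requirement only covers the case where it is longer than 10, so a 1- or 2-character username would be cleared with no message at all. The pop-up condition should read "shorter than 3 or longer than 10 characters" so that both bounds are reported with the same "Username or Password is not valid" text, and the "<" / ">" check should be stated to run on both fields before the length check, since the second bonus question (client-side checks are not sufficient for the server) relies on the full rule set being clear enough to repeat on the server.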
− | Bonus point question(1 point) : Explain
| + | The tasks are grouped into the following categories: |
− | Why should we sanitize user input in web forms like this?
| |
− | What are the risks associated with not validating user input?
| |
− | Provide a code example of an attack associated with input of 'evil' users
| |
| | | |
− | Bonus point question(1 point) : Explain
| + | '''Code:''' Tasks related to writing or refactoring code. |
− | Why implementing these checks in JavaScript is not sufficient to guarantee security on the server.
| + | '''Documentation/Training:''' Tasks related to creating/editing documents and helping others learn more |
− | | + | '''Outreach/Research:''' Tasks related to community management, outreach/marketing, or studying problems and recommending solutions |
− | '''2. Fix the buffer overflow'''<br> | + | '''Quality Assurance:''' Tasks related to testing and ensuring code is of high quality |
− | The following code has a buffer overflow. Buffer overflows are the cause of many security issues in C and C++ code. Take your time to understand first what is a buffer overflow and how can you fix this. Can you say where the problem, why and fix it?
| + | '''User Interface:''' Tasks related to user experience research or user interface design and interaction |
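Review bot: the replacement text keeps only the five category lines and drops every task description without pointing to where the tasks now live; a link from this list to the task page would preserve the content. The category entries ('''Code:''' through '''User Interface:''') are plain paragraphs although the sentence before them says "grouped into the following categories", so they should use the page's "*" bullet style, and "=Task Categories=" is a level-1 heading while the removed sections used "==" level-2 headings; one heading level should be used consistently.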
− | | |
− | void myData(char *loginId) {
| |
− | char smallBuffer[10]; // size of 10
| |
− | strcpy(smallBuffer, loginId);
| |
− | }
| |
− | int main(int argc, char *argv[]) {
| |
− | char *loginId = "GoogleCodeInUser12345";
| |
− | copyData (loginId); }
| |
− | | |
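Review bot: the buffer-overflow example does not compile as written: the function is defined as myData(char *loginId) but main calls copyData(loginId), and <string.h> is not included for strcpy. The overflow itself is as the text describes: "GoogleCodeInUser12345" is 21 characters plus the terminating NUL, so 22 bytes are copied into the 10-byte smallBuffer. The fix the task is asking for is a bounded copy that keeps the terminator, for example
strncpy(smallBuffer, loginId, sizeof(smallBuffer) - 1);
smallBuffer[sizeof(smallBuffer) - 1] = '\0';
or, better, checking strlen(loginId) against sizeof(smallBuffer) and rejecting over-long input before any copy is made.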
− | '''Bonus questions(1 point):'''
| |
− | what is the relation between a 'worm' and a buffer overflow?<br>
| |
− | Provide a code example of a buffer overflow that caused a "worm". <br>
| |
− | Explain in your own words (max 500 words) how this happens
| |
− | [[File:Worm.jpg]]
| |
− | | |
− | '''3. Clickjacking a website'''<br>
| |
− | The following code allows you to check if a website can be ‘clickjacked’ or if you can use a clickjack attack. Google info about this security vulnerability. Your mission is to: Find a website that can be clickjacked<br>
| |
− | Change the code so you can demonstrate the attack on the site you found to be vulnerable.
| |
− | You win this tasks if you are able to make it look like a user is browsing the website and he can hardly see the difference between the ‘clickjack’ page and the real websites page
| |
− | | |
− | <html>
| |
− | <head>
| |
− | <title>Clickjack test page</title>
| |
− | </head>
| |
− | <body>
| |
− | < p >Website is vulnerable to clickjacking!< /p >
| |
− | <iframe src="http://www.target.site" width="500" height="500"></iframe>
| |
− | </body>
| |
− | </html>
| |
− | | |
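Review bot: the paragraph markup in the clickjack test page is broken: "< p >" and "< /p >" contain spaces inside the angle brackets, so browsers render them as literal text rather than a paragraph; the line should read <p>Website is vulnerable to clickjacking!</p>. As written the page also prints that sentence unconditionally, before the iframe has loaded, so it says "vulnerable" even when the framed site refuses to be framed; the message should only count as a result if the target actually renders inside the iframe. The bonus question that follows is the place to state that the defence sits on the framed site's side, via a response header such as X-Frame-Options: DENY or a Content-Security-Policy frame-ancestors directive.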
− | [[File:Clickjacking_description.png]]
| |
− | | |
− | '''Bonus question (1 point)''' : How can you avoid clickjacking? Explain with a code example what can we do to avoid this attack (max 500 words) | |
− | | |
− | '''4. Playing with Firebug and DOM (Document Object Model)'''<br>
| |
− | Firebug is a Mozilla plugin that allows you to change the code of the webpage cached in your browser.
| |
− | Your mission, go to www.owasp.org and change the text that says “Welcome to OWASP”
| |
− | Create a print screen to show us how you changed the code to “Welcome to Code-In 2013”
| |
− | [[File:FirebugOwasp.jpg]]
| |
− | | |
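Review bot: the year in the Firebug task is wrong for this page: it asks for "Welcome to Code-In 2013" while the contest dates at the top are for Google Code-in 2014. The description of Firebug is also imprecise: it edits the live DOM of the page loaded in the student's own browser, not a cached copy of the page, and the edit is local to that browser session; the bonus question should make that explicit, since the risk of DOM manipulation is on the client side (what a user is shown or what a form submits), not a change to the site itself.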
− | '''Bonus question (1 point) :'''<br>
| |
− | What kind of attacks can you do to a website by manipulating the DOM? Provide an example.
| |
− | | |
− | ==Documentation/Training: Tasks related to creating/editing documents and helping others learn more==
| |
− | | |
− | '''5. Create a flyer promoting secure coding: OWASP TOP TEN FLYER'''<br> | |
− | Go the OWASP website and search for the OWASP top ten security vulnerabilities. Create a nice Poster (A3 format) with graphics about these security issues. Try to explain this using as much as you can graphics instead of words
| |
− | | |
− | '''6. XSS info on the OWASP website'''<br>
| |
− | We need your help finding all the URL links related to XSS in the Wiki pages of OWASP, your mission is to: Search and find all the webpages that mentioned or describe what is XSS(Cross Site Script)
| |
− | Read the documentation about this and create a document with all the links you found in the OWASP site about this topic.<br>
| |
− | *Is it clear for you after reading all the links what is XSS?
| |
− | *If it’s not clear what kind of recommendations will you give us? What should be changed?
| |
− | | |
− | '''7. Find out outdated Incubator CODE Projects''' <br>
| |
− | OWASP has many projects that are in a beginning phase, unfortunately, some of these pages have not been updated in a long time. We need help identifying when it was the last time these wiki pages were updated. The task: Go to https://www.owasp.org/index.php/OWASP_Project_Inventory#Incubator_Projects and create a table with the following info
| |
− | Name of the project | Last updated on: (date written as day/month/year)<br>
| |
− | '''8. Find out outdated Incubator TOOL Projects''' <br>
| |
− | OWASP has many projects that are in a beginning phase, unfortunately, some of these pages have not been updated in a long time. We need help identifying when it was the last time these wiki pages were updated. The task: Go to https://www.owasp.org/index.php/OWASP_Project_Inventory#Incubator_Projects and create a table with the following info
| |
− | Name of the project | Last updated on: (date written as day/month/year)
| |
− | | |
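Review bot: task 8 is a copy of task 7: its title says Incubator TOOL projects, but the description and the URL anchor (#Incubator_Projects) are identical to task 7, so nothing distinguishes the two. The task 8 body should link to the tool-projects section of the inventory and name "tool projects" explicitly. In both tasks the column specification "Name of the project | Last updated on:" would be clearer as a two-column table.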
− | ==Outreach/research: Tasks related to community management, outreach/marketing, or studying problems and recommending ==
| |
− | '''9. Improve navigation in OWASP website'''<br> | |
− | Go and navigate the OWASP website. How do you find the navigation of the website? provide us recommendations on how to improve it(max 1000 words)
| |
− | | |
− | '''10. Search for opinions about OWASP'''<br>
| |
− | We want to know what’s been said on the web about us. Do a google search and find as much as possible what is been said about us. Is it positive? Negative? Write your findings in an A4 format page ( 1000 words -word doc) and make sure to include references of all the URL and links you find out about OWASP
| |
− | | |
− | '''11. Analyze the Marketing Plan OWASP'''<br>
| |
− | We have a marketing plan available on the website: https://www.owasp.org/images/7/7c/OWASP_Background-Research_Phase1_Final_%281%29.pdf
| |
− | From this marketing plan answer the following questions:<br>
| |
− | *Who are the Top visitors countries of the website and why do you think is the reason for?<br>
| |
− | *Check the Word Cloud. Select a word that captures most your attention and explain why this word has to do with OWASP (except the word OWASP )<br>
| |
− | '''12. Analyze SEO Content Audit''' | |
− | The following research is published in our website: https://www.owasp.org/images/4/48/OWASP-SEO-Content-Audit-Final-6-7-2013.pdf
| |
− | Research what is the whole purpose of SEO and why OWASP should focus on 3 important strategies mentioned in the report?
| |
− | | |
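Review bot: the section heading at the start of this region is cut short: "==Outreach/research: Tasks related to community management, outreach/marketing, or studying problems and recommending ==" stops at "recommending", while the replacement category line reads "...recommending solutions"; the heading should carry the full phrase. Task 9 says "(max 1000 words)" and task 10 says "an A4 format page ( 1000 words -word doc)"; the two should agree on whether 1000 words is a maximum or a target.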
− | ==Quality Assurance: Tasks related to testing and ensuring code is of high quality ==
| |
− | '''Discover and test- find security bugs in WebGoat-'''<br> | |
− | You might be wondering how hackers ‘hack’. This is a great chance for you to find out how to bypass security in a web application and act as a Hacker. OWASP has an unsecured website called WebGoat. The tasks are related to this web application
| |
− | You will need to install web goat:<br>
| |
− | https://www.owasp.org/index.php/WebGoat_Installation (It’s very easy to install)
| |
− | Use the testing guide to find more info about these issues: https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
| |
− | | |
− | '''13. Tasks testing 1'''<br>
| |
− | Go to the lesson on Hidden Form Field Manipulation. Explain in less than 250 words how this happens and how can you fix this issue<br>
| |
− | '''14. Task testing 2''' <br>
| |
− | Go to the lesson Parameter Manipulation. Explain in less than 250 words how this happens and how can you fix this issue<br>
| |
− | '''15. Testing task 3'''<br>
| |
− | Go to the lesson Cross-site Scripting (XSS). Explain in less than 250 words how this happens and how can you fix this issue<br>
| |
− | '''16. Test task 4'''<br>
| |
− | Go to the lesson Dangers of HTML Comments. Explain in less than 250 words how this happens and how can you fix this issue
| |
− | | |
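Review bot: the four testing tasks use four different title forms ("Tasks testing 1", "Task testing 2", "Testing task 3", "Test task 4"); they should share one form, e.g. "Testing task N". The introduction calls WebGoat "an unsecured website": it is a deliberately vulnerable training application that the student installs and runs locally via the linked installation page, and the text should say so, so that nobody reads these tasks as testing a live site.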
− | | |
− | ==User Interface: Tasks related to user experience research or user interface design and interaction==
| |
− | | |
− | '''Create cool wiki pages for OWAPS project pages'''<br>
| |
− | We want to revamp and create a new wiki template for OWASP project pages.
| |
− | For example this project has a nice landing page
| |
− | https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
| |
− | And this one is less fancy
| |
− | https://www.owasp.org/index.php/OWASP_PHPRBAC_Project
| |
− | | |
− | Revamp the following wiki pages following the BRAND Guidelines (https://owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES ). Code for the wiki pages should be delivered in a text format (just notepad++ text file). If you are using images, please deliver them in jpg format. The entire package should be delivered as a zip file (in case of multiple files)
| |
− | | |
− | 17. Task 1: Revamp https://www.owasp.org/index.php/OWASP_PHP_Security_Project<br>
| |
− | 18. Task 2: Revamp https://www.owasp.org/index.php/OWASP_RBAC_Project<br>
| |
− | 19. Task 3: Revamp https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project<br>
| |
− | 20. Task 4: Revamp https://www.owasp.org/index.php/OWASP_O2_Platform<br>
| |