Difference between revisions of "GSoC2019 Ideas"
Ali Razmjoo: (Add draft Juice Shop projects)
||
Line 76: | Line 76: | ||
* [mailto:[email protected] Reza Espargham](Mentor) | * [mailto:[email protected] Reza Espargham](Mentor) | ||
* [mailto:[email protected] Abbas Naderi] (Mentor) | * [mailto:[email protected] Abbas Naderi] (Mentor) | ||
+ | |||
+ | == OWASP Juice Shop == | ||
+ | |||
+ | [[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs. | ||
+ | The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @wurstbrot and @J12934) there if you like! | ||
+ | |||
+ | To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!''' | ||
+ | |||
+ | === Challenge Pack 2019 === | ||
+ | |||
+ | '''Brief Explanation:''' | ||
+ | |||
+ | Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project. | ||
+ | |||
+ | Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project. | ||
+ | |||
+ | '''Expected Results:''' | ||
+ | * 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges) | ||
+ | * Each challenge comes with full functional unit and integration tests | ||
+ | * Each challenge is verified to be exploitable by corresponding end-to-end tests | ||
+ | * Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook | ||
+ | * Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc. | ||
+ | |||
+ | ''' Getting started: ''' | ||
+ | * Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend | ||
+ | * Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results | ||
+ | * Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services | ||
+ | |||
+ | '''Knowledge Prerequisites:''' | ||
+ | * Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable. | ||
+ | |||
+ | '''Mentors:''' | ||
+ | * [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader | ||
+ | * [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator | ||
+ | * Jannik Hollenbach - OWASP Juice Shop Project Collaborator | ||
+ | |||
+ | === Hacking Instructor === | ||
+ | |||
+ | '''Brief Explanation:''' | ||
+ | |||
+ | TODO | ||
+ | |||
+ | '''Expected Results:''' | ||
+ | |||
+ | TODO | ||
+ | |||
+ | ''' Getting started: ''' | ||
+ | |||
+ | TODO | ||
+ | |||
+ | '''Knowledge Prerequisites:''' | ||
+ | |||
+ | TODO | ||
+ | |||
+ | '''Mentors:''' | ||
+ | * [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader | ||
+ | |||
+ | === Your idea === | ||
+ | |||
+ | '''Brief Explanation:''' | ||
+ | |||
+ | You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it! | ||
+ | |||
+ | ''' Getting started ''' | ||
+ | * Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich] | ||
+ | |||
+ | '''Expected Results:''' | ||
+ | * A new feature that makes OWASP Juice Shop even better | ||
+ | * Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc. | ||
+ | |||
+ | '''Knowledge Prerequisites:''' | ||
+ | * Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable. | ||
+ | |||
+ | '''Mentors:''' | ||
+ | * [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader |
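Review bot: the "Hacking Instructor" subsection added in this hunk has every field ("Brief Explanation", "Expected Results", "Getting started", "Knowledge Prerequisites") set to the placeholder "TODO"; either fill these in before publishing or mark the heading as a draft so students do not write proposals against an empty idea. Two smaller style points in the same hunk: the bold "''' Getting started: '''" headings carry stray spaces inside the markup, and under "Your idea" the "''' Getting started '''" heading is missing the colon that every other field heading uses.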
Revision as of 10:11, 10 January 2019
OWASP Project Requests
Tips to get you started, in no particular order:
- Read the Google Summer of Code Program (GSoC) page
- Read the GSoC SAT
- Read the GSoC Student Guidelines
- Contact us through the mailing list or IRC channel
- Check our GitHub organization
OWASP-SKF (draft)
Idea 1: Build lab examples and write-ups (how to test) for different code languages delivered in Docker (these must correlate with a Knowledge base item in SKF)
- For example, we currently have around 20 lab challenges built in Python and delivered as Docker containers:
- A Local File Inclusion Docker app example:
- A write-up example:
Idea 2: We want to extend the machine learning chatbot functionality in SKF.
- Create a desktop version of the chatbot, so that people can install a setup file on their local machine.
- Extend the bot's capability to perform a Google search (using web scraping) for things that are not available in the database, giving it a wider scope of knowledge.
- Extend the bot's capability to reply with which security controls should be followed from the ASVS, MASVS or other custom checklists present in SKF.
- Extend the bot to other platforms such as Facebook, Telegram, Slack etc.
- Currently the working chatbot implementation is only available for Gitter.
OWASP DefectDojo
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.
Option 1: Unit Tests - Difficulty: Easy
- If you're new to programming, unit tests are short scripts designed to test a specific function of an application.
- The project needs additional unit tests to ensure that new code functions properly.
Option 2: Feature Enhancement - Difficulty: Varies
- The functionality of DefectDojo is constantly expanding.
- Feature enhancements offer programming challenges for all levels of experience.
Option 3: Pull Request Review - Difficulty: Moderate - Hard
- Test pull requests and provide feedback on code.
OHP (OWASP Honeypot)
OWASP Honeypot is open source software written in Python, designed for creating honeypots and honeynets in an easy and secure way. The project is compatible with Python 2.x and 3.x and has been tested on Windows, Mac OS X and Linux.
Getting Started
It's best to start from the GitHub wiki page; we are looking forward to adding more modules and optimizing the core.
Technologies
Currently we are using:
- Docker
- Python
- MongoDB
- TShark
- Flask
- ChartJS
- And more Linux services
Expected Results
...
Roadmap
...
Students Requirements
- Python
- Packet Analysis
- Docker
- Database
Mentors and Leaders
- Ali Razmjoo (Mentor & Project Leader)
- Reza Espargham (Mentor)
- Abbas Naderi (Mentor)
OWASP Juice Shop
OWASP Juice Shop Project is an intentionally insecure web application for security training, written entirely in JavaScript, which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty in which the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies and security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.
The best way to get in touch with us is the community chat on https://gitter.im/bkimminich/juice-shop. You can also send PMs to the potential mentors (@bkimminich, @wurstbrot and @J12934) there if you like!
To receive early feedback, please put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page in Draft Shared mode. Please pick juice shop as the Proposal Tag to make proposals easier for us to find. Thank you!
Challenge Pack 2019
Brief Explanation:
Ideas for potential new hacking challenges are collected in GitHub issues labeled "challenge". This project could implement a whole batch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery style while bringing benefit to the Juice Shop over the duration of the project.
Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.
Expected Results:
- 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)
- Each challenge comes with full functional unit and integration tests
- Each challenge is verified to be exploitable by corresponding end-to-end tests
- Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
- Code follows existing style guides and passes all existing quality gates regarding code smells, test coverage etc.
Getting started:
- Get familiar with the architecture and code base of the application's rich JavaScript frontend and RESTful backend
- Get a feeling for the high code and test quality bar by inspecting the existing test suites and static code analysis results
- Get familiar with the CI/CD process based on Travis-CI and several associated third-party services
Knowledge Prerequisites:
- JavaScript, unit/integration testing, experience with (or willingness to learn) Angular and Node.js/Express; some security knowledge would be preferable.
Mentors:
- Bjoern Kimminich - OWASP Juice Shop Project Leader
- Timo Pagel - OWASP Juice Shop Project Collaborator
- Jannik Hollenbach - OWASP Juice Shop Project Collaborator
Hacking Instructor
Brief Explanation:
TODO
Expected Results:
TODO
Getting started:
TODO
Knowledge Prerequisites:
TODO
Mentors:
- Bjoern Kimminich - OWASP Juice Shop Project Leader
Your idea
Brief Explanation:
Do you have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!
Getting started:
- Get in touch with Bjoern Kimminich
Expected Results:
- A new feature that makes OWASP Juice Shop even better
- Code follows existing style guides and passes all existing quality gates regarding code smells, test coverage etc.
Knowledge Prerequisites:
- JavaScript, unit/integration testing, experience with (or willingness to learn) Angular and Node.js/Express; some security knowledge would be preferable.
Mentors:
- Bjoern Kimminich - OWASP Juice Shop Project Leader