
Difference between revisions of "GSoC2013 Ideas/OWASP ZAP SAML Support"

(Updated code repository, and removed duplicate content from proposal)
m (removed team as a heading)
Line 1: Line 1:
  
== Team ==
 
 
'''Student''' : Pulasthi Mahawithana <br>
 
'''Student''' : Pulasthi Mahawithana <br>
 
'''Mentors''' : Prasad Shenoy, Kevin Wall <br>
 
'''Mentors''' : Prasad Shenoy, Kevin Wall <br>

Revision as of 06:03, 2 July 2013

Student : Pulasthi Mahawithana
Mentors : Prasad Shenoy, Kevin Wall

Introduction

The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is open source under the Apache License 2.0 and widely used by the computer security community.

SAML is an XML-based federated single sign-on (FSSO) protocol that uses security tokens containing assertions to pass information about a principal between a SAML authority (an identity provider), and a SAML consumer (a service provider). It enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO).

The objective of this project is to develop a component for ZAP that will detect and fuzz the various elements and attributes of a SAML Assertion.


Project Goals, Scope and Deliverables, Implementation Plan

Please refer to the GSoC proposal for the project idea.


Project Code, Documentation

Development will be done in an external code repository hosted at GitHub.


Project Progress

Community bonding period (before 17th June)

Agreed to hold a video conference twice a week, on Monday and Thursday, to discuss project progress and any issues that may occur.

  • Clarification of the project idea
  • Read the SAML specs to get familiar with the SAML standards and their usage
  • Identifying the use cases that need to be implemented
  • Setting up the development environment


Week 1 (17th June - 23rd June)

Week's progress

  • Finalizing the use cases
  • Setting up third-party applications to generate SAML requests/responses
  • Intercepting the SAML requests/responses with ZAP and getting familiar with the parameters
  • Studying the ZAP core and extensions to start coding


Plans for next week

  • Intercept the requests and responses and log them to console/file


Week 2 (24th June - 30th June)

Week's progress

  • Created a project at GitHub for the development of the extension at https://github.com/pulasthi7/zap-saml-extension
  • Created a passive scanner to intercept and log SAML requests/responses in their raw form
  • Wrote a component that can decode the SAMLRequest/SAMLResponse parameters in an HTTP request
  • Updated the passive scanner to log the decoded SAML messages to the console
  • Studied ZAP's extension API
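The decoding step described above, as an added illustration that is not code from the ZAP SAML extension: a SAMLRequest sent over the HTTP-Redirect binding is URL-encoded base64 of a raw-DEFLATE stream, while the HTTP-POST binding carries plain base64, so a passive scanner has to tell the two apart before it can log the XML. The sample messages and the sp.example.test / idp.example.test issuers are constructed for the example.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET  # use defusedxml in a real scanner: input is attacker-controlled
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample messages (not captured from any real deployment).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2013-07-02T06:03:00Z">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'IssueInstant="2013-07-02T06:03:01Z">'
    '<saml:Issuer>https://idp.example.test/metadata</saml:Issuer></samlp:Response>')

def encode_param(xml_text: str, redirect: bool = True) -> str:
    """Build a parameter value: Redirect binding deflates first, POST binding is plain base64."""
    data = xml_text.encode("utf-8")
    if redirect:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
        data = comp.compress(data) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")

def decode_saml_param(value: str) -> str:
    """Decode one URL-decoded value; detect whether it was deflated (Redirect) or not (POST)."""
    raw = base64.b64decode(value, validate=True)
    if raw.startswith(b"<"):  # plain XML: POST binding
        return raw.decode("utf-8")
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:  # not a DEFLATE stream either; hand back what we have
        return raw.decode("utf-8")

def extract_saml_messages(query_or_body: str) -> dict:
    """Find SAMLRequest/SAMLResponse in a query string or form body and decode them."""
    params = urllib.parse.parse_qs(query_or_body)  # URL-decodes values (%2B -> '+')
    return {name: decode_saml_param(vals[0]) for name, vals in params.items()
            if name in ("SAMLRequest", "SAMLResponse")}

def summarize(xml_text: str) -> dict:
    """What a passive scanner would log: message type, issuer, and whether it is signed."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {"type": root.tag.split("}")[-1],
            "issuer": issuer.text if issuer is not None else None,
            "signed": root.find(".//ds:Signature", NS) is not None}
```

The `signed` flag is the first thing worth surfacing in the log: an unsigned Response or Assertion is exactly the kind of message the fuzzing component will later want to flag.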

Plans for next week

  • Design the UI for the extension
  • Provide ability to view SAML messages in a GUI in readable XML format