This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Spring Of Code 2007 Applications

From OWASP
Revision as of 15:07, 26 March 2007 by Egeirnaert (talk | contribs) (Erwin Geirnaert - OWASP WebGoat Walkthroug)

Jump to: navigation, search

This page contains project Applications to the OWASP_Spring_Of_Code_2007

If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application

See OWASP_Spring_Of_Code_2007#How_To_Participate for what do to one you completed your Application



Proposed template: {for longer proposals, in addition to these details you can create a PDF}:

{Your first name or Alias} - {Project name}

Please remember that projects will be selected and funded based on how well they meet the Selection Criteria.

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.

  • Your educational and professional background
  • Application security experience and accomplishments
  • Participation and leadership in open communities
  • The opportunity, challenges, issues or need your proposal addresses
  • Objectives or ways in which you will meet the goal(s)
  • Specific activities and who will carry out these activities
  • Specific deliverables and a rough project schedule so we can track progress
  • Long-term vision for the project
  • Any other reasons why you and your project should be selected

Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests

I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of information systems security since 1994, when BBSes and Linux still lived together.

A quick search for buanzo on google [1] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[2].

In my free time I like playing with my Punk-Pop band [3], Futurabanda. [4], and maintaining my Restaurants, Wines and Recipes site. [5]. I have to admit that my first priorities are my beloved son [6] and my wonderful wife [7].

Accomplishments

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [8]. I'm currently writing an Internet Draft to be proposed for RFC regarding Enigform.

Community

I run the official 2600 meetings site for Argentina [9], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio and newspaper appearances [10] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs, answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [11].

My Project

Enigform [12] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications. I think Enigform can fit into the OWASP Validation Project [13].

Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.

Some simple PHP code is enough to make a web application Enigform-aware [14]. The Smutty PHP MVC Framework already supports Enigform [15].

Long Term

Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers and/or programming languages, and also provide OpenPGP De/Encryption support.


Why should I be selected

I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the international security community, and I firmly believe Enigform is my greatest idea so far.

Eoin Keary - Code review Project

  • Executive Summary:

I am proposing that I complete the OWASP Code review guide during this period. The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world. Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.

The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done. Code review methodologies also need to be discussed.


  • Objectives and Deliverables:

Update of the code review guide:

  • Add additional areas relating to the code review process such as:
    • Benefits and pitfalls
    • Methodology
    • The code review process
      • Transactional analysis
      • Managing the code review process
      • Assigning risk to findings
    • Technical guides
      • Language specific best practice
      • Java
      • .NET
      • PHP
      • MySQL
      • Stored Procs
      • C/C++
    • Code review by vulnerability:
      • Reviewing Code for Buffer Overruns and Overflows
      • Reviewing Code for OS Injection
      • Reviewing Code for SQL Injection
      • Reviewing Code for Data Validation
      • Reviewing code for XSS issues
      • Reviewing Code for Error Handling
      • Reviewing Code for Logging Issues
      • Reviewing The Secure Code Environment
      • Reviewing code for Authorization Issues
      • Reviewing code for Authentication Issues
      • Reviewing code for Session Integrity
      • Reviewing code for Cross Site Request Forgery
      • Reviewing code for Cryptography implementation issues
      • Reviewing code Dangerous HTTP Methods (Deployment)
      • Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.


  • Why I should be sponsored for the project:

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process. I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time.

I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

Paolo Perego - Owasp Orizon Project

  • Executive Summary:

Owasp Orizon [16] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.


  • Objectives and Deliverables:

Completing the static code review API section

  • improving programming language to XML translator
  • improving security best practices code review scan library
  • improving secure coding fashion best practices library
  • writing the pattern matching scan using the aformentioned libraries

Writing the java source code enforment objects

  • writing an object to handle form data values to avoid XSS
  • writing an object to handle form data values to avoid SQL Injection
  • writing an object to handle HttpRequest and HttpSession objects


  • Why I should be sponsored for the project:

Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

Sebastien Deleersnyder - OWASP Education Project

  • Executive Summary:

This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

  • Objectives and Deliverables:

Currently the project goals are to create Educational Tracks:

  • Complete the consolidation page of OWASP presentations performed in the past
  • A "Web Application Security Primer" Track for beginners (4 hours)
  • A "What developers should know on Web Application Security" Track for developers (4 hours)
  • Why you should be sponsored for the project:

I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

  • More details:

The detailed road map can be found here. The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.

Subere - OWASP JBroFuzz Project

Overview

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.

Fuzzing

As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.

Objectives

JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):

  • Open Source Tab
  • NTLM Brute Force over HTTP/S Tab
  • Pure HTTP/S Fuzzing using HTTPClient
  • Blind SQL Injection Fuzzing Tab

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

  • TCP Fuzzing tab allowing graph outputs
  • TCP Sniffing tab update thread Agent Queue
  • Update Generators file format
  • Include SOAP and XML fuzzing

This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.

Deliverables

Based on the above, the new code elements that will be added are as follows:

  • Open Source Tab: Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules
  • NTLM Brute Force over HTTP/S Tab: Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.
  • Pure HTTP/S Fuzzing: Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading
  • Blind SQL Fuzzing Tab Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.

For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail:

  • TCP Fuzzing tab allowing graph outputs: Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.
  • TCP Sniffing tab update thread Agent Queue: Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.
  • Update Generators file format: Update the generators file format to allow for the parsing and creation of recursive generators.
  • Include SOAP and XML fuzzing: Include an up to date list of SOAP and XML fuzzing templates.

Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.

Background

In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months.

Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.

I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.

Why should JBroFuzz be sponsored?

Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.

Keep the code platform independent adds a huge advantage.

Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.

Joshua Perrymon - OWASP LiveCD Project

  • Executive Summary:

I am proposing that I complete the second version of the OWASP LiveCD during this period. The first version of the LiveCD is now available and include many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security proffesionals to perform application testing and training.

In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This shouls start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also inlcude the wiki and ALL the tools developed for OWASP.

  • Objectives and Deliverables:

Update of the LiveCD:

  • Complete OWASP branding
  • Add OWASP wiki
  • Add encryption capabilities
  • Add more OWASP tools
  • Add more pen-test tools such as;
VOIP, RFID, BlueTooth, Wireless, etc..


  • Why I should be sponsored for the project:

I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP liveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis. Not once a year like other liveCDs. The CD will also include specialty tools and documentation to perform VOIP, RFID,Bluetooth, and wireless security assessments.



Mark Curphey – A Better Web Security Evaluation Criteria

Problem PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……

Solution and Deliverables As opposed to continuing to say what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. This project would address the;

Standard

  • The technical things people should care about
  • The operational / management things people should care about

Business Model

  • A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc)

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.

Erwin Geirnaert - OWASP Java Project

  • Executive Summary:

I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.


  • Objectives and Deliverables:

The main objective I see is to gather all information in one place, where security experts and developers can find the information they need. In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.

One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.

  • Why you should be sponsored for the project:

I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe. And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe. I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,... I'm also member of the OWASP Belgium board that started in March 2007.

Erwin Geirnaert - OWASP WebGoat Solutions Guide

  • Executive Summary:

WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.


  • Objectives and Deliverables:

The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.

  • Why you should be sponsored for the project:

I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe. And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe. I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,... I'm also member of the OWASP Belgium board that started in March 2007.