Revision as of 10:51, 20 December 2017

OWASP Project Requests

Tips to get you started in no particular order:

* Read Google Summer of Code Program(GSOC)
* Read the GSoC SAT 
* Read the GSOC Student Guidelines
* Contact us through the mailing list or irc channel.
* Check our github repository and especially the open tickets

OWASP ZAP

OWASP Zed Attack Proxy Project (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the project label.

Zest Text Representation and Parser

Brief Explanation:

Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.

A standardized text representation and parser would be very useful and help its adoption.

Expected Results:

• A documented definition of a text representation for Zest
• A parser that converts the text representation into a working Zest script
• An option in the Zest java implementation to output Zest scripts text format

Getting started:

• Have a look at the ZAP CONTRIBUTING.md file, especially the 'Coding section.
• We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as IdealFirstBug.

Knowledge Prerequisites: The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

Mentors: Simon Bennetts @ and the rest of the ZAP Core Team

SAMPLE: OWASP Hackademic Challenges

OWASP Hackademic Challenges Project helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2016 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.

REST API for the sandbox

Brief Explanation:

During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances. What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.

Ideas on the project: Since the sandbox is written in python, you will be using Django to implement the api. The endpoint authorization can be done via certificates or plain signature or username/password type authentication. We would like to see what's your idea on the matter. However the communication between the two has to be over a secure channel.

Expected Results:

• A REST style api which allows an authenticated remote entity control the parts of the sandbox engine it has access to.
• PEP8 compliant code
• Acceptable unit test coverage

Getting started: Since this has been a popular project here's a suggestion on how to get started.

• Check the excellent work done by mebjas and a0xnirudh in their respective brances in the project's repository
• Take a brief look at the code and try to get a feeling of the functionality included. (Essentially it's CRUD operations on vms or containers)
• Read on what Docker and Vagrant are and take a look at their respective py-libraries
• If you think that contributing helps perhaps it would be a good idea to start with lettuce tests on the current CRUD operations of the existing functionality(which won't change and can eventually be ported to the final project)

Knowledge Prerequisites: Python, test driven development, some idea what REST is, some security knowledge would be preferable.

Mentors: Konstantinos PapapanagiotouSpyros Gasteratos - Hackademic Challenges Project Leaders

New CMS

Brief Explanation:

The CMS part of the project is really old and has accumulated a significant amount of technical debt. In addition many design decisions are either outdated or could be improved. Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS. The new cms can be written in python using Django.

Expected Results:

• New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
• REST endpoints in addition to classic ones
• tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.
• PEP 8 code

Note: This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec. If you decide to take on this project contact us and we can agree on a list of routes. If you don't decide to take on this project contact us. Generally contact us, we like it when students have insightful questions and the community is active

Getting Started:

• Install and take a brief look around the old cms so you have an idea of the functionality needed
• It's ok to scream in frustration
• If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)

Knowledge Prerequisites: Python, Django, what REST is, the technologies used, some security knowledge would be nice.

Mentors: Konstantinos PapapanagiotouSpyros Gasteratos - Hackademic Challenges Project Leaders