This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

GSoC2015 Ideas

From OWASP
Revision as of 20:04, 9 February 2015 by Conpap (talk | contribs) (Created page with "=OWASP Project Requests= == OWASP Hackademic Challenges == === OWASP Hackademic Challenges - New challenges and Improvements to the existing ones === '''Brief Explanation:''...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

OWASP Project Requests

OWASP Hackademic Challenges

OWASP Hackademic Challenges - New challenges and Improvements to the existing ones

Brief Explanation:

The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities. New challenges need to be created in order to cover a broader set of vulnerabilities. Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.

Ideas on the project:

  • Simulated simple buffer overflows
  • SQL injections
  • Man in the middle simulation
  • Bypassing regular expression filtering
  • Your idea here

Expected Results:

New cool challenges

Knowledge Prerequisites:

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.


Mentors: Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

OWASP Hackademic Challenges - Source Code testing environment

Brief Explanation:

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

Expected Results:

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

Knowledge Prerequisites:

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

Mentors: Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

OWASP Hackademic Challenges - Challenge Sandbox

Now, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend, we'd like the ability to write a normal vulnerable web application as a challenge and leave it to hackademic to make sure that the server is not affected. Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss about it and plan it correctly.

Ideas on the project:

*Administrator's point of view*

Create an infrastructure that spawns virtual environments for users while keeping the load reasonable on the server(s). Or configure apache,php,mysql in a way that allows for multiple instances of the programms to run in parallel completely seperated from the rest of the server. The student is expected to provide configuration scripts that do the above

*Coder's Way*

This is better explained with an example: In order to create an sql injection challenge one should be able to call a common unsecure mysql execute statement function. The student can override common functions like this providing their own implementation of a very temporary database (based on flat files or nosql solutions e.t.c.). The new functions should be able to detect the sqli and apply its results in a secure way(if the student drops a table no actual tables should be dropped but the table should not be visible to the student anymore).

* Your solution here *

The above solutions are by no way complete,their intention is to start you thinking. This is a difficult task so if you consider takling it talk to us early on so we can reach a good solution which is possible in the GSoC timeframe.

Expected results

You should be able to run a big enough subset of OWASP WebGoat PHP with minimal modification as a Hackademic Challenge


OWASP WebGoatPHP

OWASP WebGoatPHP

Description:


Expected Results:


Knowledge prerequisite:

Mentor: Abbas Naderi

OWASP CSRF Guard

OWASP CSRF Guard

Description:

Expected Results:

Knowledge prerequisites:

Mentor:


OWASP PHP Security Project

OWASP PHP Security Project

Description:


Expected Results:


Knowledge prerequisite:

Mentor:

OWASP RBAC Project

OWASP RBAC Project

Description:

Expected Results:

Knowledge prerequisite:

Mentor:

Skill Level:


OWASP OWTF

OWASP PCI TOOLKIT

OWASP PCI TOOLKIT

OWASP iGoat

OWASP iGoat

OWASP ZAP

OWASP ESAPI 2.x

OWASP Seraphimdroid Project

OWASP Seraphimdroid Project

'

OWASP ModSecurity Core Rule Set (CRS)

=== OWASP ModSecurity Core Rule Set (CRS) -

OWASP ByWaf (CRS)

'