GSOC2018 Ideas

=OWASP Project Requests=

Tips to get you started in no particular order: * Read Google Summer of Code Program(GSOC) * Read the GSoC SAT  * Read the GSOC Student Guidelines * Contact us through the mailing list or irc channel. * Check our github organization

OWASP ZAP
OWASP Zed Attack Proxy Project (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the project label.

Zest Text Representation and Parser
Brief Explanation:

Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.

A standardized text representation and parser would be very useful and help its adoption.

Expected Results:
 * A documented definition of a text representation for Zest
 * A parser that converts the text representation into a working Zest script
 * An option in the Zest java implementation to output Zest scripts text format

 Getting started: 


 * Have a look at the ZAP CONTRIBUTING.md file, especially the 'Coding section.
 * We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as IdealFirstBug.

Knowledge Prerequisites: Mentors: Simon Bennetts [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
 * The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

Your Idea
Brief Explanation:

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

Expected Results:
 * A new feature that makes ZAP even better
 * Code that conforms to our Development Rules and Guidelines

 Getting started: 


 * Have a look at the ZAP CONTRIBUTING.md file, especially the 'Coding section.
 * We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as IdealFirstBug.

Knowledge Prerequisites: Mentors: Simon Bennetts [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team
 * ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.

SAMPLE: OWASP Hackademic Challenges
OWASP Hackademic Challenges Project helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2016 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.
 * Check our github repository and especially the open tickets

REST API for the sandbox
Brief Explanation:

During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances. What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.

Ideas on the project: Since the sandbox is written in python, you will be using Django to implement the api. The endpoint authorization can be done via certificates or plain signature or username/password type authentication. We would like to see what's your idea on the matter. However the communication between the two has to be over a secure channel.

Expected Results:
 * A REST style api which allows an authenticated remote entity control the parts of the sandbox engine it has access to.
 * PEP8 compliant code
 * Acceptable unit test coverage

 Getting started:  Since this has been a popular project here's a suggestion on how to get started.
 * Check the excellent work done by mebjas and a0xnirudh in their respective brances in the project's repository
 * Take a brief look at the code and try to get a feeling of the functionality included. (Essentially it's CRUD operations on vms or containers)
 * Read on what Docker and Vagrant are and take a look at their respective py-libraries
 * If you think that contributing helps perhaps it would be a good idea to start with lettuce tests on the current CRUD operations of the existing functionality(which won't change and can eventually be ported to the final project)

Knowledge Prerequisites: Python, test driven development, some idea what REST is, some security knowledge would be preferable.

Mentors: [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

New CMS
Brief Explanation:

The CMS part of the project is really old and has accumulated a significant amount of technical debt. In addition many design decisions are either outdated or could be improved. Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS. The new cms can be written in python using Django.

Expected Results:
 * New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
 * REST endpoints in addition to classic ones
 * tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.
 * PEP 8 code

 Note:  This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec. If you decide to take on this project contact us and we can agree on a list of routes. If you don't decide to take on this project contact us. Generally contact us, we like it when students have insightful questions and the community is active

 Getting Started: 
 * Install and take a brief look around the old cms so you have an idea of the functionality needed
 * It's ok to scream in frustration
 * If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)

Knowledge Prerequisites: Python, Django, what REST is, the technologies used, some security knowledge would be nice.

Mentors: [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

Brief Explanation
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.

In a nutshell

- Training developers in writing secure code

- Security support pre-development ( Security by design, early feedback of possible security issues )

- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )

- Code examples for secure coding

Your idea / Getting started

 * Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)

Expected Results

 * Adding features to SKF project
 * https://github.com/blabla1337/skf-flask/issues/369
 * https://github.com/blabla1337/skf-flask/issues/367
 * https://github.com/blabla1337/skf-flask/issues/68
 * https://github.com/blabla1337/skf-flask/issues/95
 * Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )
 * Adding/updating knowledge base items
 * Adding CWE references to knowledgebase items
 * https://github.com/blabla1337/skf-flask/issues/35
 * Improve unit testing of the Angular quality, currently only 68% of the front-end is unit tested automated
 * https://github.com/blabla1337/skf-flask/issues/352

Knowledge Prerequisites
Mentors:
 * For helping in the development of new features and functions you need Python flask and for the frond-end we use Angular 4.0
 * For writing knowledgebase items only technical knowledge of application security is required
 * For writing / updating code examples you need to know a programming language along with secure development.
 * For writing the verification guide you need some penetration testing experience.

Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org] Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]

Brief Explanation
OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.

if you need more details please visit the GitHub page or contact a leader([mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:reza.espargham@owasp.org Reza Espargham]).

Getting started

 * You may read the available documents in the wiki page. Developers and users documents are separated.

A Better Penetration Testing Automated Framework

Expected Results

 * Create more modules to the framework (web, network, IoT, etc.)
 * Create more categories to the framework (already has scan and brute)
 * Create API for the framework
 * Optimize the core (speed, hardware usage, user-friendly...)
 * Research and new methods and IDS/IPS detections.
 * Create a benchmark with other competitors frameworks
 * Improve documentation, languages and create a video library
 * Create GUI

Knowledge Prerequisites

 * The whole framework was written in Python language. You must be familiar with Python 2.x, 3.x.
 * Good knowledge of computer security (and penetration testing)
 * Knowledge of OS (Linux, Windows, Mac...) and Services
 * Familiar with IDS/IPS/Firewalls and ...
 * To develop the API you should be familiar with HTTP, Database...

Mentors
Mentors are: [mailto:ali.razmjoo@owasp.org Ali Razmjoo Qalaei], [mailto:abiusx@owasp.org Abbas Naderi Afooshteh]

OWASP Juice Shop
OWASP Juice Shop Project is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

Challenge Pack 2018
Brief Explanation:

Ideas for potential new hacking challenges are collected in GitHub issues labeled "challenge". This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

Expected Results:
 * 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the Order Dashboard user story])
 * Each challenge comes with full functional unit and integration tests
 * Each challenge is verified to be exploitable by corresponding end-to-end tests
 * Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook
 * Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

 Getting started: 
 * Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
 * Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
 * Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

Knowledge Prerequisites:
 * Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

Mentors:
 * Bjoern Kimminich - OWASP Juice Shop Project Leader

Frontend Tech/Design Update
Brief Explanation:

Development of OWASP Juice Shop started in 2014 and was based on - back then - quite recent Javascript frontend framework AngularJS 1.x along with Bootstrap 3. Several major releases later, there now are Angular 5 and Bootstrap 4 available as well as other mature web frontend frameworks. Migrating the OWASP Juice Shop to the latest version of Angular and Bootstrap is an important step to keep the application relevant as the most modern intentionally broken web application. Moving to entirely different frameworks might be taken into considerationas well. Furthermore, the OWASP Juice Shop could greatly benefit from involvement of someone with UI/UX Design expertise. Individual product images would be lovely, too.

Expected Results:
 * High-level target client-architecture overview including a migration plan with intermediary milestones
 * Execution of migration without breaking functionality or losing tests along the way
 * Code follows existing (or new) styleguides and passes all existing (or new) quality gates regarding code smells, test coverage etc.
 * Iterative and incremental redesign of the UI/UX as well as the product image catalog

 Getting started: 
 * Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
 * Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
 * Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

Knowledge Prerequisites:
 * Javascript, experience with latest Javascript frameworks for frontend, testing and building
 * Additional web and/or graphic design experience would be highly welcome

Mentors:
 * Bjoern Kimminich - OWASP Juice Shop Project Leader

Your idea
Brief Explanation:

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

 Getting started 
 * Get in touch with Bjoern Kimminich

Expected Results:
 * A new feature that makes OWASP Juice Shop even better
 * Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.

Knowledge Prerequisites:
 * Javascript, Unit/Integration testing, experience with (or willingness to learn) AngularJS and NodeJS/Express, some security knowledge would be preferable.

Mentors:
 * Bjoern Kimminich - OWASP Juice Shop Project Leader

OWASP OWTF
Offensive Web Testing Framework (OWTF) is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular.

OWASP OWTF - MiTM proxy interception and replay capabilities
Brief Explanation:

The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).

The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible Bonus:
 * ability to intercept the transactions
 * modify or replay transaction on the fly
 * add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code
 * Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).
 * Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)

Expected results: Knowledge Prerequisite: Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.
 * The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)
 * Create a browser instance and do the necessary login procedure
 * Handle the browser for the URI
 * When called to close the browser, do a clean logout and kill the browser instance.
 * IMPORTANT: PEP-8 compliant code in all modified code and surrounding areas.
 * IMPORTANT: OWTF contributor README compliant code
 * IMPORTANT: Sphinx-friendly python comments example Sphinx-friendly python comments here
 * CRITICAL: Excellent reliability
 * Good performance
 * Unit tests / Functional tests
 * Good documentation

OWASP OWTF Mentors: Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders

OWASP OWTF - Report enhancements
Brief explanation:

The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as: For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF
 * HTML (pure static html here)
 * PDF
 * XML (for processing)
 * JSON (for processing)

Expected results: Knowledge Prerequisite: Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.
 * IMPORTANT: PEP-8 compliant code in all modified code and surrounding areas.
 * IMPORTANT: OWTF contributor README compliant code
 * IMPORTANT: Sphinx-friendly python comments example Sphinx-friendly python comments here
 * CRITICAL: Excellent reliability
 * Good performance
 * Unit tests / Functional tests
 * Good documentation

OWASP OWTF Mentors: Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders

OWASP OWTF - Distributed architecture
To be updated soon!