GSOC2016 Ideas

=OWASP Project Requests=

Tips to get you started in no particular order:
 * Read the GSoC SAT
 * Check the Hackademic wiki page linked above
 * Contact us through the mailing list or irc channel.
 * Check our github repository and especially the open tickets

OWASP Hackademic Challenges
OWASP Hackademic Challenges Project helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderful 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Below is a list of proposed features.

Example Idea
Brief Explanation:

After a very successful OWASP Winter Code Sprint we have a brand new Sandbox feature which uses Linux Containers to create a virtual space for each user. So we can host properly vulnerable challenges and maybe execute some code server side. However, the sandbox is not fully complete; we need many features here and there to make it easily deployable and to improve its administration.

Ideas on the project:


 * Simple sandbox administration frontend for the web. -- An admin console to start and kill sandboxes manually and to list the status and resources used by each one.
 * Secure the implementation -- Now that we have a functioning prototype: we know that Linux Containers are quite safe, but we haven't explicitly tested our configuration and use of them.
 * Your idea here...

Expected Results:

Better sandboxing

Knowledge Prerequisites:

Comfortable in Linux administration and some security knowledge depending on the specific project.

Mentors: Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

Example Idea
Brief explanation:

Background problem to solve:

We are trying to reduce the human work burden in assessments where there are hundreds of issues listing Apache or PHP as out of date.

Proposed solution:

We can aggregate these duplicate issues into one meta-issue, "outdated software / apache / php detected", with the list of underlying issues attached to it.

A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), usable *both* from inside and outside of OWTF, in a separate sub-repo here: https://github.com/owtf

VMS will have the following features:
 * Vulnerability correlation engine that allows quick identification of unique vulnerabilities and deduplication.
 * Vulnerability table optimization: combining redundant vulnerabilities. For example, PHP < 5.1, PHP < 5.2 and PHP < 5.3 all suggest upgrading PHP, so if multiple such issues are reported they should be combined.
 * Integration with existing bug tracking systems such as Bugzilla or JIRA: this should not be too hard, as all such systems expose one method or another (a REST API or similar).
 * Fix validation: since we integrate with bug tracking, once the developer has fixed the bug and the code is deployed we can run specific checks via OWTF or another tool (maybe a specific Nessus or Nexpose plugin or similar).
 * Management dashboard: could be exposed to pentesters and higher management, where stats are shown with less detail but more of a high-level overview.
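As an added illustration of the correlation and table-optimization items above (example code written for this page, not OWTF's own): title-pattern rules fold the PHP < 5.x and Apache findings into one aggregate issue each, exact duplicates collapse, the aggregate keeps the worst severity, and anything no rule matches stays a separate issue. The findings and rules are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample findings, as a scanner might report them: (host, title, severity).
FINDINGS = [
    ("10.0.0.5", "PHP < 5.1 Multiple Vulnerabilities", "high"),
    ("10.0.0.5", "PHP < 5.2 Multiple Vulnerabilities", "high"),
    ("10.0.0.5", "PHP < 5.3 Multiple Vulnerabilities", "medium"),
    ("10.0.0.5", "Apache 2.2.x < 2.2.31 Multiple Vulnerabilities", "medium"),
    ("10.0.0.5", "Apache 2.2.x < 2.2.31 Multiple Vulnerabilities", "medium"),  # exact duplicate
    ("10.0.0.7", "PHP < 5.3 Multiple Vulnerabilities", "medium"),
    ("10.0.0.7", "SQL injection in /login", "critical"),
]

# Correlation rules (hypothetical): a regex over the title maps a finding to one aggregate issue.
RULES = [
    (re.compile(r"^PHP\s*<\s*[\d.]+", re.I), "Outdated software: PHP (upgrade PHP)"),
    (re.compile(r"^Apache\b.*<\s*[\d.]+", re.I), "Outdated software: Apache (upgrade Apache)"),
]
SEVERITY = ["info", "low", "medium", "high", "critical"]  # ascending order

def correlate(findings):
    """Group findings into aggregate issues.

    Returns {aggregate_title: {"hosts": sorted hosts, "severity": worst severity,
                               "members": sorted unique original titles}}.
    Findings matching no rule become their own issue; duplicates (same host
    and title) collapse because hosts and members are sets.
    """
    groups = defaultdict(lambda: {"hosts": set(), "severity": "info", "members": set()})
    for host, title, severity in findings:
        key = next((agg for rx, agg in RULES if rx.search(title)), title)
        g = groups[key]
        g["hosts"].add(host)
        g["members"].add(title)
        if SEVERITY.index(severity) > SEVERITY.index(g["severity"]):
            g["severity"] = severity
    return {k: {"hosts": sorted(v["hosts"]), "severity": v["severity"],
                "members": sorted(v["members"])} for k, v in groups.items()}

if __name__ == "__main__":
    for title, g in correlate(FINDINGS).items():
        print(f"[{g['severity']}] {title}: hosts={g['hosts']} "
              f"from {len(g['members'])} original issue(s)")
```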

Similar previous work for Nessus

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

Expected results:


 * IMPORTANT: PEP-8 compliant code in all modified code and surrounding areas.
 * IMPORTANT: OWTF contributor README compliant code
 * IMPORTANT: Sphinx-friendly Python comments
 * CRITICAL: Excellent reliability, i.e. the Health Monitor cannot crash! :)
 * Good performance
 * Unit tests / Functional tests
 * Good documentation

Knowledge Prerequisite:

Python and bash experience would be beneficial; some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is a will to learn.

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp.org

OWASP ZAP
We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.

You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ

Example Idea
Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.

Expected Results

 * Report data will be a distinct type of data returned via API calls
 * An add-on that provides report data - so this becomes 'plug-able'
 * Report data and meta data should be fully internationalized
 * Users can specify which sites / contexts report data should apply to

Knowledge Prerequisite:
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

Mentors
Johanna Curiel [johanna.curiel [at] owasp.org] and Simon Bennetts

Example Idea
Brief explanation:

We would like the OWASP Testing Guide to be much more easily consumable by web testing tools (such as ZAP). This would require adjustments to the Testing Guide, or separate "Testing with X" Guides, to explain how testing is completed with given tools. The tools would of course need to be changed to make full use of the OTG, and this project could include such changes to OWASP tools like ZAP.

Expected outputs:

Amended OTG or "Testing with X" Guides. Either option would require the document to integrate with all web testing tools (using ZAP as the baseline). Optional ZAP changes or an add-on to make better use of the OTG.

Knowledge required:

Writing skills

OTG Web Testing Tool Integration mentor:

Andrew Muller - OTG Project Co-Leader - Contact: Andrew.muller@owasp.org

OWASP AppSensor
OWASP AppSensor Project provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.

 * Check the AppSensor wiki page linked above
 * Contact us through the mailing list.
 * Check our github repository and the open tickets
 * Also see our appsensor website

Example Idea
Brief Explanation:

This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work.

Expected Results:

We want to support a number of integrations. Some that have been requested by our community are:
 * SNMP
 * JMX
 * SCOM
 * syslog
 * CEF
 * AppDynamics

Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to set up and configure them.

Knowledge Prerequisites:

Comfortable in Java and unit testing.

Mentors: John Melton - OWASP AppSensor Project Leader (Development)

Example Idea
Brief Explanation:

OWASP Passfault has the potential to be the best password policy available. However, it's only available to Java developers. This effort will make Passfault available to every Linux administrator. It would offer an alternative to the PAM module libcrack for measuring password complexity.

Expected Results:

When complete an administrator should be able to do the following:
 * Enforce password complexity for all password changes with OWASP Passfault (for example when passwd is called)
 * Adjust password complexity threshold
 * (stretch goal) Install Passfault via package management: apt, yum, rpm, deb, etc.

Knowledge Prerequisites:
 * Bash scripting
 * Linux administration

Mentors:
 * Cam Morris - OWASP Passfault Project Leader (Development)
 * John Jolly - Linux Kernel Engineer for SUSE Linux on IBM System z Mainframes (Development)

Web.config Security Analyzer v1.0 => .NET Framework Config Security Analyzer v1.0
Brief Explanation:

OWASP WCSA is a very helpful tool to analyze proper security settings on ASP.NET applications. This tool, once quoted by Troy Hunt, has important limitations: rule support is limited to single elements, a single condition and an equals comparison only, e.g. the "Debug" attribute in the "Compilation" element should be "false".

The tool requires a rules update (and potentially a UI refresh) to bring many of the new security settings of .NET Framework 4.x, including web service bindings and many others, into the tool. The limitations described above do not allow verification of web service bindings, where you can have multiple elements with the same name, one for each binding, and where, depending on the binding type, the value (even if absent) is secure or not.

Additionally, since config files in .NET are pretty much universal to all framework application types, and with the upgrade of the IIS metabase to XML format for IIS 7.0 and 7.5, the tool could now be used for securing desktop applications and IIS 7.x servers as well.

The proposal is therefore to empower the tool by creating XML-based rules evaluated with XQuery. This overcomes all the limitations of the current version and allows new rules to be written in a familiar language that supports multiple cases, which can then be applied seamlessly to all of the .NET Framework config files.
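To make the two rule shapes concrete, here is an added example (written for this page in Python with ElementTree's XPath subset, not WCSA's code and not the XQuery the proposal calls for): the first rule is the old single-element, single-condition, equals-only check on compilation/@debug; the second walks every same-named binding element and decides per binding type whether an absent security mode is secure. The web.config fragment is constructed; the defaults used (None for basicHttpBinding, Message for wsHttpBinding) are the documented WCF defaults, and the insecure-mode set is this example's own choice.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not from any real project): debug left on,
# and two bindings both named "svc" under different binding types.
WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="svc" />
      </basicHttpBinding>
      <wsHttpBinding>
        <binding name="svc">
          <security mode="Message" />
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>"""

def check_compilation_debug(root):
    """Old-style rule: one element, one attribute, equals comparison."""
    return [("compilation/@debug must be false", "system.web/compilation")
            for el in root.findall("system.web/compilation")
            if el.get("debug", "false").lower() != "false"]

# New-style rule: what counts as secure depends on the binding type, and the
# value applied when <security> (or its mode attribute) is absent differs too.
BINDING_DEFAULT_MODE = {"basicHttpBinding": "None", "wsHttpBinding": "Message"}
INSECURE_MODES = {"None", "TransportCredentialOnly"}  # example's own policy choice

def check_binding_security(root):
    findings = []
    for btype in root.findall("system.serviceModel/bindings/*"):
        for b in btype.findall("binding"):          # many elements with the same name
            sec = b.find("security")
            mode = sec.get("mode") if sec is not None else None
            if not mode:                             # absent -> type-specific default
                mode = BINDING_DEFAULT_MODE.get(btype.tag, "None")
            if mode in INSECURE_MODES:
                findings.append((f"binding security mode is {mode}",
                                 f"{btype.tag}/binding[@name='{b.get('name')}']"))
    return findings

def analyze(xml_text):
    """Run all rules over one config document; returns (message, location) pairs."""
    root = ET.fromstring(xml_text)
    return check_compilation_debug(root) + check_binding_security(root)
```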

Expected Results:
 * Support for duplicated elements and multiple conditions
 * Support for easily created custom rules via XQuery
 * Updated rules for 4.0 and 4.5 frameworks
 * Support for stand alone app.config files
 * New Rules for IIS 7.x Web Server

Knowledge Prerequisites:
 * C# programming
 * Basic XQuery knowledge
 * (Nice to know) Advanced Web.config knowledge
 * (Nice to know) IIS 7.x configuration knowledge

Mentors: Juan C Calderon (Development)