GSOC2017 Ideas

=OWASP Project Requests=

Tips to get you started in no particular order: * Read the GSoC SAT * Check the Hackademic wiki page linked above * Contact us through the mailing list or irc channel. * Check our github repository and especially the open tickets

OWASP Juice Shop
OWASP Juice Shop Project is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.

Challenge Pack 2017
Brief Explanation:

Ideas for potential new hacking challenges are collected in GitHub issues labeled "challenge". This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.

Coming up with additional ideas for challenges would be part of the project scope, as the list of pre-existing ideas might not be sufficient for a GSoC project.

Expected Results:
 * 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges in, e.g. the Order Dashboard and Pomace Recycling user stories)
 * Each challenge comes with full functional unit and integration tests
 * Each challenge is verified to be exploitable by corresponding end-to-end tests
 * Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook

 Getting started: 
 * Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend
 * Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results
 * Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services

Knowledge Prerequisites: Javascript, Test Driven Development, experience with (or willingness to learn) AngularJS (1.x) and NodeJS/Express, some security knowledge would be preferable.

Mentors:
 * [mailto:bjoern.kimminich@owasp.org Bjoern Kimminich] - OWASP Juice Shop Project Leader

Tech Stack Update
Brief Explanation: t.b.d.

Expected Results: t.b.d.

 Getting started:  t.b.d.

Knowledge Prerequisites: t.b.d.

Mentors: t.b.d.

OWASP Mobile Hacking Playground
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:


 * Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
 * Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)

In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:


 * A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
 * Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

Creation of Android Code Samples
Brief Explanation:

An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.

For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App

Expected Results:

The following categories and their test cases are not fully added to the Android App:


 * Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
 * Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
 * Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
 * Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
 * Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)

For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.

As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.

 Getting started:  Here are a few suggestion on how to get started.
 * Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
 * Browse through the MASVS and check the different areas and their defined requirements.
 * Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).

Knowledge Prerequisites: General interest in Mobile and Security. Basic knowledge of Android and Java.

Mentors: [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader

OWASP Hackademic Challenges SAMPLE ENTRY
OWASP Hackademic Challenges Project helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.

REST API for the sandbox
Brief Explanation:

During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances. What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.

Ideas on the project: Since the sandbox is written in python, you will be using Django to implement the api. The endpoint authorization can be done via certificates or plain signature or username/password type authentication. We would like to see what's your idea on the matter. However the communication between the two has to be over a secure channel.

Expected Results:
 * A REST style api which allows an authenticated remote entity control the parts of the sandbox engine it has access to.
 * PEP8 compliant code
 * Acceptable unit test coverage

 Getting started:  Since this has been a popular project here's a suggestion on how to get started.
 * Check the excellent work done by mebjas and a0xnirudh in their respective brances in the project's repository
 * Take a brief look at the code and try to get a feeling of the functionality included. (Essentially it's CRUD operations on vms or containers)
 * Read on what Docker and Vagrant are and take a look at their respective py-libraries
 * If you think that contributing helps perhaps it would be a good idea to start with lettuce tests on the current CRUD operations of the existing functionality(which won't change and can eventually be ported to the final project)

Knowledge Prerequisites: Python, test driven development, some idea what REST is, some security knowledge would be preferable.

Mentors: [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

New CMS
Brief Explanation:

The CMS part of the project is really old and has accumulated a significant amount of technical debt. In addition many design decisions are either outdated or could be improved. Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS. The new cms can be written in python using Django.

Expected Results:
 * New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
 * REST endpoints in addition to classic ones
 * tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.
 * PEP 8 code

 Note:  This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec. If you decide to take on this project contact us and we can agree on a list of routes. If you don't decide to take on this project contact us. Generally contact us, we like it when students have insightful questions and the community is active

 Getting Started: 
 * Install and take a brief look around the old cms so you have an idea of the functionality needed
 * It's ok to scream in frustration
 * If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)

Knowledge Prerequisites: Python, Django, what REST is, the technologies used, some security knowledge would be nice.

Mentors: [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

First Course Type Challenge
Brief Explanation: We have a wonderful sandbox engine which allows for complex guided challenges to be implemented. We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more information on the subject matter on the way. This is a very open-ended project on purpose to allow creative student to come up with nice ideas. Bellow you will find some examples that we thought might be interesting.

Ideas on the project:
 * Purposefully vulnerable web page that guides the user via javascript tooltips and hints to exploiting it using ZAP. ( Bonus: using ZAP via the ZAP api). The challenge is solved when the the student submits the contents of a text file located on the disk (obtained by exploited an RCE)


 * Reversing a provided binary to extract information by providing step by step instructions to reversing using any popular reversing tool (well, you can't use IDA so gdb should have to do). Challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary donwloaded has different keys.


 * Guide to exploiting the TOP10. (Using ZAP?)


 * Defensive Type challenges -- Here's how to create a patch for this kind of vulnerability -- Challenge is solved when the unit tests are run and the vulnerability isn't there.

 Getting started 
 * Check popular javascript guide tools such as: (http://introjs.com/ and http://github.hubspot.com/shepherd/docs/welcome/ )
 * If you're more interested in system or non-web challenges check serverspec and definitely check quest (https://github.com/puppetlabs/quest)
 * If you think contributing is a good idea to make yourself familiar with the project you can either port one of the existing simpler 1-page challenges to a docker container and submit a pull request or write a guide on how to create such a challenge

Expected Results:


 * One or more Course - style challenges provided either as a docker container or as a vagrant box.
 * Concrete documentation on how to build a challenge like this.

Knowledge Prerequisites: The technologies used.

Mentors: [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

Advanced Sandboxed Challenges
Brief Explanation:

In the spirit of the challenges above, we're looking for true ctf type challenges. This is an open ended task. We're expecting awesome fresh ideas.

Ideas on the project:
 * An application vulnerable to one or more TOP 10 elements.
 * A logic flaws based ctf
 * Your idea here

 Getting started: 
 * Check what Vagrant/Docker is
 * Port one simple 1-page challenge (you can use one we already have ) to docker or vagrant

Expected Results: Docker containers or Vagrant boxes that contain complete new challenges.

Knowledge Prerequisites: Knowledge of the technologies used

Mentors: [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

Your idea
Brief Explanation:

Amazing students, in our experience, the best, most creative and unique ideas show up when we let students suggest their own feature in relation to the project. The above should give you a general idea where we're going but don't let them constrain you. Do you wanna do something that would fit into Hackademic? Send us an email!

Ideas on the project: No idea, that's your turn to shine!

 Getting started 
 * Be awesome
 * Have an idea
 * Be a student
 * Explain definite proof of the p vs np solution(jk, an algorithm that breaks RSA in polynomial time would be totally acceptable)

Expected Results: If it's code, code according to our coding standards. If it's challenges, something new and interesting. If it's something else, then written like the person who's going to maintain your code is a raging psychopath with an axe who knows where you live.

In short we'd like some quality. ;-)

Knowledge Prerequisites:

Mentors: [mailto:konstantinos.papapanaqiotou@owasp.org Konstantinos Papapanagiotou][mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders

OWASP ZAP
OWASP Zed Attack Proxy Project (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.

We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the project label.

Field enumeration
This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.

The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.

 Expected Results 


 * User able to specify a specific field to enumerate via the ZAP UI
 * A list of all valid characters to be returned from the sets of characters the user specifies
 * Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible

 Knowledge Prerequisite:  ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

 Mentors  [mailto:psiinon@gmail.com Simon Bennetts] and other members of the ZAP core team

Your idea
Brief Explanation:

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

 Getting started 
 * Get in touch with us :)

Expected Results:
 * Code that conforms to our Development Rules and Guidelines
 * A new feature that makes ZAP even better

Knowledge Prerequisites:
 * Experience with Java will definitely help

Mentors: Simon Bennetts [mailto:psiinon@gmail.com @] and the rest of the ZAP core team