GSoC2015 Ideas

=OWASP Project Requests=

OWASP Hackademic Challenges - New challenges and Improvements to the existing ones
Brief Explanation:

The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities. New challenges need to be created in order to cover a broader set of vulnerabilities. Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.

Ideas on the project:

 * Simulated simple buffer overflows
 * SQL injections
 * Man in the middle simulation
 * Bypassing regular expression filtering
 * Your idea here

Expected Results:

New cool challenges

Knowledge Prerequisites:

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

Mentors: Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

OWASP Hackademic Challenges - Source Code testing environment
Brief Explanation:

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

Expected Results:

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

Knowledge Prerequisites:

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

Mentors: Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

OWASP Hackademic Challenges - Challenge Sandbox
Currently, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend. We would like the ability to write a normal vulnerable web application as a challenge and leave it to Hackademic to make sure that the server is not affected. Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss it and plan it correctly.

Ideas on the project:

*Administrator's point of view*

Create an infrastructure that spawns virtual environments for users while keeping the load on the server(s) reasonable. Alternatively, configure Apache, PHP and MySQL in a way that allows multiple instances of the programs to run in parallel, completely separated from the rest of the server. The student is expected to provide configuration scripts that do the above.

*Coder's Way*

This is better explained with an example: in order to create an SQL injection challenge, one should be able to call a common insecure MySQL execute-statement function. The student can override common functions like this, providing their own implementation of a very temporary database (based on flat files, NoSQL solutions, etc.). The new functions should be able to detect the SQL injection and apply its results in a secure way: if the user drops a table, no actual table should be dropped, but the table should no longer be visible to that user.

*Your solution here*

The above solutions are by no means complete; their intention is to start you thinking. This is a difficult task, so if you consider tackling it, talk to us early on so we can reach a good solution that is feasible in the GSoC timeframe.

Expected Results:

You should be able to run a large enough subset of OWASP WebGoat PHP with minimal modification as a Hackademic Challenge.

OWASP WebGoat .NET - Vulnerable Website
Brief Explanation:

The current WebGoat .NET is a vulnerable website built in ASP.NET using C#. There are some challenges already built in, but we would like to add more vulnerable features. See https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET#tab=Overview

Expected Results:

We want to add more modules, such as:
 * WebSockets
 * CSRF challenge
 * Finalise testing of an upgrade to .NET Framework 4.5
 * Retest and clean up the existing modules

Knowledge Prerequisites:

Comfortable in .NET, HTML and C#. Good understanding of Application Security, source code analysis and related vulnerabilities.

Mentors: Johanna Curiel, Jerry Hoff - OWASP WebGoat Project Leaders

OWASP WebGoatPHP
Description: WebGoat is a deliberately insecure open source application made by OWASP in the Java programming language. It has a set of challenges and steps, each presenting the user with one or more web application vulnerabilities which the user tries to solve. There are also hints and auto-detection of correct solutions. Since Java is not the most common web application programming language, and it does not have many of the security bugs that other languages such as PHP have, OWASP dedicated an amount of $5000 in 2012 to the promotion of WebGoatPHP.

If you want to know more about WebGoatPHP, I suggest downloading WebGoat and giving it a try. It is one of OWASP's prides (about 200000 downloads).

Expected Results: The first version of WebGoatPHP is ready; it needs thorough testing and delivery. It also needs new challenges added and a CTF hosted on it.

Knowledge prerequisite: You just need to know PHP and SQL. Familiarity with web application security is recommended.

Mentor: Abbas Naderi

OWASP CSRF Guard
Description: OWASP PureCaptcha is an OWASP project aiming to simplify CAPTCHA usage. Instead of providing rigorous APIs and many dependencies, it is a single source code file (library) that does not depend on anything and generates secure and fast CAPTCHAs with a small memory and processor footprint. PureCaptcha is currently released for PHP. The candidate will port it to several other programming languages (with priority on web languages) and provide full test coverage.

Expected Results: The PureCaptcha library for at least 3 new programming languages. Unit testing for the core version. A study on the security of the generated CAPTCHAs can also be performed.

Knowledge prerequisites: Any programming language you want to port to, as well as PHP.

Mentor: Abbas Naderi, Jesse Burns

OWASP PHP Framework
Description: The OWASP PHP Security project plans to gather secure PHP libraries and provide a full-featured framework of libraries for secure web applications in PHP, both as separate, decoupled libraries and as a whole secure web application framework. Many aspects of this project are already handled and are being added to OWASP. The project has been worked on for the last two years, and a framework has now been built upon these libraries and security best practices. The framework intends to merge security practices with practical frameworks, and aims to be simple and lightweight.

Expected Results: A secure yet robust and practical framework for PHP developers.

Knowledge prerequisite: This project requires at least one year of experience working with different PHP projects and frameworks. It will be too hard for someone with average PHP experience.

Mentor: Abbas Naderi, Rahul Chaudhary

Skill Level: Advanced

OWASP RBAC Project
Description: For the last 7 years, improper access control has been the issue behind two entries of the Top Ten lists.

RBAC stands for Role Based Access Control and is the de facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. The NIST RBAC standard has four levels; the second level, hierarchical RBAC, is the one intended for this project.

Unfortunately, because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other simple access control methods, which leads to broken and unmaintainable access control over time.

The OWASP RBAC project has already implemented this, has a wide audience and has released several minor and two major versions. Many new features and modifications are expected by the community behind it.

Expected Results: A more mature OWASP RBAC project, either by porting it from PHP to other programming languages, or by adding new features and testing to the PHP version.

Knowledge prerequisite: Good SQL knowledge, library development skills, familiarity with one of the programming languages as well as PHP. We recommend average experience and high skills.

Mentor: Abbas Naderi, Rahul Chaudhary, Jesse Burns

Skill Level: Advanced

For more info, visit phprbac.net

OWASP PHP Widgets
Description: Pull MVC (widget-based web views) has been available for many years in all major web programming languages, and even in Javascript. PHP, on the other hand, lacks this and suffers a lot from forcing push MVC on its developers. There are a few libraries around, but they are neither secure nor mature. Providing a robust set of widgets for PHP developers not only smooths the web development process, it automatically mitigates a lot of web attacks that are based on user input to forms and other web elements (e.g. CSRF, SQL Injection, XSS).

Expected Results: OWASP PHP Widgets is currently in beta, and the candidate will spend time testing the functionalities, providing test coverage, adding new widgets and features, and building a user community.

Knowledge prerequisite: Average PHP programming. Good experience with web applications.

Mentor: Abbas Naderi

OWASP Seraphimdroid
Description: SeraphimDroid is an educational application for Android devices that helps users learn about the risks and threats coming from other Android applications. SeraphimDroid scans your device and teaches you about the risks and threats coming from application permissions. This project will also deliver a paper on Android permissions, their regular use, risks and malicious use. In its second version SeraphimDroid will evolve into an application firewall for Android devices, not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be made without the user's permission and knowledge.

Expected Results: After last year's GSoC, the first version of the project was released on Google Play. However, the educational component, settings checks and potential Android widgets are still missing and would be beneficial. Also, malicious behavior prevention mechanisms should be added and some bugs should be fixed.

Knowledge prerequisite: Average Android and Java programming. Knowledge of XML and SQLite. Good experience with mobile applications.

Mentor: Abbas Naderi