GSoC2014 Ideas

OWASP Hackademic Challenges - New challenges and Improvements to the existing ones
'Brief Explanation:

The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities. New challenges need to be created in order to cover a broader set of vulnerabilities. Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.

Ideas on the project:


 * Simulated simple buffer overflows
 * SQL injections
 * Man in the middle simulation
 * Bypassing regular expression filtering
 * Your idea here

Expected Results:

New cool challenges

Knowledge Prerequisites:

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

Mentors: Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

OWASP Hackademic Challenges - Source Code testing environment
'Brief Explanation:

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

Expected Results:

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

Knowledge Prerequisites:

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

Mentors: Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

OWASP Hackademic Challenges - Challenge Sandbox
Now, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend, we'd like the ability to write a normal vulnerable web application as a challenge and leave it to hackademic to make sure that the server is not affected. Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss about it and plan it correctly.

Ideas on the project:

 *Administrator's point of view* 

Create an infrastructure that spawns virtual environments for users while keeping the load reasonable on the server(s). Or configure apache,php,mysql in a way that allows for multiple instances of the programms to run in parallel completely seperated from the rest of the server. The student is expected to provide configuration scripts that do the above

 *Coder's Way* 

This is better explained with an example: In order to create an sql injection challenge one should be able to call a common unsecure mysql execute statement function. The student can override common functions like this providing their own implementation of a very temporary database (based on flat files or nosql solutions e.t.c.). The new functions should be able to detect the sqli and apply its results in a secure way(if the student drops a table no actual tables should be dropped but the table should not be visible to the student anymore).

 * Your solution here * 

The above solutions are by no way complete,their intention is to start you thinking. This is a difficult task so if you consider takling it talk to us early on so we can reach a good solution which is possible in the GSoC timeframe.

 Expected results 

You should be able to run a big enough subset of OWASP WebGoat PHP with minimal modification as a Hackademic Challenge

OWASP Hackademic Challenges - CMS improvements
'Brief Explanation:

The new CMS was created during last year's GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.

Ideas on this project:


 *  Template *

Since it's creation the project has received a good number of new features, but the visual/ux/ui part has never gotten much love. It would be good if we had a new template with proper ui design.


 * Questionaire creation plugin *

We'd like the admin to be able to create questionaires, assign rules for each question (e.g. correct answer +2pts incorrect answer -2, no answer 0) and assign them to students as homework/exams. The grading can either be done automatically (for multiple choice) or be submitted to the creator of the questionaire.


 * Ability to show different articles on the user's home screen

Now each user is served the latest article in her/his home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.


 * Gamification of the user's progress *

A series of plugins and a template which allow the user to earn badges as they solve challenges and a better visual representation of their progress.


 * Ability to define series of challenges

The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.


 *  Tagging of articles, users, challenges 

A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher. Also the user should be able to search according to the tags.


 * Your idea here

We welcome new ideas to make the project look awesome.

Expected Results:

New features and security improvements on the CMS part of the project.

Knowledge Prerequisites:

Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements.

Mentors: Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

OWASP WebGoatPHP
Description: Webgoat is a deliberately insecure open source software made by OWASP using Java programming language. It has a set of challenges and steps, each providing the user with one or more web application vulnerability which user tries to solve. There are also hints and auto-detection of correct solutions. Since Java is not the most common web application programming language, and it doesn't have many of the bugs other languages such as PHP have when it comes to security, OWASP has dedicated in 2012 an amount of $5000 for promotion of WebGoatPHP.

If you want to know more about WebGoatPHP, I suggest downloading and giving WebGoat a try. It is one of OWASP prides (about 200000 downloads).

Expected Results: WebGoatPHP will be a deliberately insecure PHP web application which operates in different modes. A contest mode where challenges are selected by an admin and the system starts a contest. Admins can open up hints for participants and manage everything. A workshop mode, where the educator has control of the most of application features, as well as feedback of user activities and is ideal for learning environments, and a single mode where someone can browse challenges and solve them.

Knowledge prerequisite: You just need to know PHP. You are supposed to define flawed systems, which is not the hardest thing. Familiarity with web application security and SQL is recommended.

Mentor: Abbas Naderi

OWASP CSRF Guard
Description: CSRF is a complicated yet very effective web attack. The most important thing about CSRF is that it's hard to properly defend against it, specially when it comes to Web 2 and AJAX. We have had discussions on means of mitigating CSRF for years at OWASP, and are now ready to develop libraries for it. Many of the key ideas of this library can be found at.

Expected Results: A transparent Apache 2 module properly mitigating all POST CSRF attacks, as well as a lightweight PHP library doing the same.

Knowledge prerequisites: Knowing CSRF and at least one way to defend against it, PHP, C/C++, Linux.

Mentor: Abbas Naderi

OWASP PHP Security Project
Description: OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.

Expected Results:  Result of this project is much more security among PHP applications. Most PHP applications are vulnerable and there's no central approach to secure them (due to open source nature). Many people look at OWASP for such information.

Knowledge prerequisite: Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required.

Mentor: Abbas Naderi

OWASP RBAC Project
Description: For the last 6 years, improper access control has been the issue behind two of the Top Ten lists.

RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.

Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time.

OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently PHPRBAC which is the PHP version of the RBAC project is released.

Expected Results: Standard NIST level 2 hierarchical RBAC libraries for different programming languages, specially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.

Knowledge prerequisite: Good SQL knowledge, library development schemes, familiarity with one of the programming languages.

Mentor: Abbas Naderi

Skill Level: Advanced

For more info, visit phprbac.net

OWASP OWTF - Zest support
Brief explanation:

The Mozilla foundation has done great work with the Zest iniciative, this provides a great automated mechanism to replicate exploitation of security vulnerabilities in a format that makes tool communication easier: For example, ZAP supports Zest, so if OWTF can create a Zest script for a vulnerability in an automated fashion, this may in turn be easier to import into ZAP and other tools.

More information on Zest can be found here

The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

Expected results:


 * High performance
 * Reliability
 * Ease of use
 * Test cases
 * Good documentation

Knowledge Prerequisite:

Some previous exposure to security concepts, penetration testing, Python and development in general is important for this project.

OWASP OWTF - Improved Plug-n-Hack support
Brief explanation:

The Mozilla foundation has done great work with the Plug-n-Hack standard, this provides greatly improved interaction with the web browser. Although OWTF already supports Plug-n-Hack for MiTM purposes, there are many other features that could be implemented to leaverage Plug-n-Hack. The aim of this project would be to try to cover as much as possible from the Plug-n-Hack standard as relevant to OWTF.

Please see this demo to see the newest Plug-n-Hack additions

For more information about plug and hack please see this

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

Expected results:


 * High performance
 * Reliability
 * Ease of use
 * Test cases
 * Good documentation

Knowledge Prerequisite:

Python, experience is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org

OWASP OWTF - Stateful Browser with configurable authentication
Brief explanation:

The automated functionality of OWASP OWTF is currently limited to the non-authenticated portion of a website. We would like to implement authentication support through:

1) OWTF parameters

2) Configuration files

What we would like to do here is to leverage the powerful mechanize python library and build at least support for the following authentication options:
 * Basic authentication Already implemented here
 * Cookie based authentication
 * Form-based authentication

Additionally, we would welcome here a feature to detect when the user has been logged off, to log OWTF back in again before retrying the next request. <-- The proxy is probably a better place to implement this since external tools would also benefit from this. This feature will have to be coordinated with the MiTM proxy feature (already implemented).

The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

Expected results:


 * High performance
 * Reliability
 * Ease of use
 * Test cases
 * Good documentation

Knowledge Prerequisite:

Python, experience with the mechanize library or HTTP state is very welcome but not strictly necessary, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org

OWASP OWTF - SQL database
Brief explanation:

OWASP OWTF scans may take a large amount of disk space due to saving information in text files, we would like to add an option to use a SQL database, probably using the sqlalchemy python library.
 * Keep the current text file format as an option
 * Add a database storage option using the sqlalchemy library

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

Expected results:


 * Reliability: Both with the sql database option and the text file options.
 * Test cases
 * Good documentation

Knowledge Prerequisite:

Python, sqlalchemy experience would be beneficial for this

Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org

OWASP OWTF - Unit Test Framework
Brief explanation:

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

The Unit Test Framework should be able to:
 * Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see this presentation for more background)
 * Allow to regression test isolated plugins (i.e. "only test _this_ plugin")
 * Allow to regression test by test categories (i.e. "test only web plugins")
 * Allow to regression test everything (i.e. plugins + framework core: "test all")
 * Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible
 * Allow for easy creation of _new_ unit tests specific to OWASP OWTF
 * Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF
 * Perform well so that we can run as many tests as possible in a given period of time
 * Potentially leverage the python unittest library: http://docs.python.org/2/library/unittest.html

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

Expected results:


 * Performant and automated regression testing
 * Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
 * Good documentation

Knowledge Prerequisite:

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org

OWASP OWTF - Python version upgrade and compatibility
Brief explanation:

Right now OWASP OWTF works on Python 2.6.5-2.7.3 (might work on surrounding versions too), the aim of this project would be to change the existing codebase so that it additionally works on newer python versions too, for example Python 3.3. The intention here is to take advantage of improvements in newer python versions when available while letting OWASP OWTF work on older python versions too (i.e. 2.6.5) if that is the only option available. The solution will ideally be as simple and extensible as possible so that the codebase does not become unmaintanable due to compatibility.

For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF

Expected results:


 * Performant and reliable OWASP OWTF execution on multiple python versions, in particular the latest python version (i.e. 3.3.x) as well as the previous 2.6.5-2.7.3 range.
 * Test cases
 * Good documentation

Knowledge Prerequisite:

Python, experience with python version upgrades and python version compatibility implementations, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

Mentor: Abraham Aranguren - OWASP OWTF Project Leader - Contact: name.surname@owasp.org

OWASP PCI TOOLKIT
OWASP PCI toolkit is an Open Source project built using Google Engine App, that will help organizations scope the PCI-DSS requirements for their System Components. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

In order to comply with this standard, organizations need to understand the PCI-DSS requirements. Many of these requirements use OWASP guidelines as their baseline. The OWASP PCI toolkit is a project focused on helping organization understand how OWASP guidelines apply to the PCI-DSS requirements.

Expected results:

4 complete modules built as a Google App Engine: http://pci-toolkit.appspot.com/

Knowledge Prerequisite:

Python, HTML, CSS, Google App Engine.

Affinity with financial institutions, Web security and credit card-online transactions

OWASP project page:

https://www.owasp.org/index.php/Category:OWASP_PCI_Project

Mentor: Johanna Curiel - emai: firstname.lastname@owasp.org