Difference between revisions of "GSoC2012 Ideas"

Revision as of 08:26, 27 February 2012

Guidelines

Information for Students

The ideas below were contributed by OWASP project leaders and users. They are sometimes vague or incomplete. If you wish to submit a proposal based on these ideas, you may wish to contact the corresponding project leaders and find out more about the particular suggestion you're looking at. Being accepted as a Google Summer of Code student is quite competitive. Accepted students typically have thoroughly researched the technologies of their proposed project and have been in frequent contact with potential mentors. Simply copying and pasting an idea here will not work. On the other hand, creating a completely new idea without first consulting potential mentors is unlikely to work out.

Adding a Proposal

Project:

Brief explanation:

Expected results:

Knowledge Prerequisite:

Mentor:

Ideas

How to find ideas? Obvious sources of projects are the OWASP project wiki, bugs database, and project mailing lists.

Generic Sample Proposal

Accepted for GSoC 2011

Brief explanation:

KDE has developed a number of very interesting and powerful technologies, libraries and components but there is no easy way to show them to other people.

Expected results:

Something like Qt Demo but with KDE technologies.

Knowledge prerequisite:

C++ is the main language of KDE, therefore the demo should be in C++. The more you know about C++, Qt, KDE and scripting (for Kross and KDE bindings demos), the better. This idea encompasses so much different stuff the student is not expected to know everything before he starts coding (but will certainly know a lot when he's done!).

Skill level: medium

Mentor: Pau Garcia i Quiles as general mentor and someone to ask for directions. Specific help for each technology will probably require help from its developers.

OWASP Project Requests

ZAP Proxy

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Website: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Mailing List: http://groups.google.com/group/zaproxy-develop

Project 001 - Compare crawling sessions for authentication issues

Brief explanation: Develop a ZAP session crawler that can compare the crawling sessions of two logged-in users and show which URLs or actions discovered in one session can also be performed from the other.

Expected results:

ZAP will be able to recognise when requests are associated with different sessions.

ZAP should allow the user to view the crawled URLs for each session independently, and show which URLs are unique to each session.

It should also be able to check if any of the 'unique' pages can in fact be accessed by the other session.
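The check described above, as an added example that is not part of this page or of ZAP's own code: a stand-alone Python model of the comparison, using two constructed crawl result sets and a constructed stand-in for the target application (the URL scheme, the session names A and B and the access policy are assumptions made for the example). It replays each session's unique URLs under the other session and flags the ones that actually render, treating a redirect, a 403, or a login form served with status 200 as "not accessible".

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Constructed sample data: the URLs each crawl discovered for a hypothetical
# application. Real input would come from the two saved ZAP sessions.
CRAWL_A: Set[str] = {"/home", "/account/101", "/account/101/statements", "/reports/shared"}
CRAWL_B: Set[str] = {"/home", "/account/202", "/admin/users", "/reports/shared"}

# (url, session) -> (status, body); the session would be a cookie jar in practice.
Fetch = Callable[[str, Optional[str]], Tuple[int, str]]


@dataclass(frozen=True)
class Finding:
    url: str
    discovered_by: str   # session whose crawl found the URL
    replayed_as: str     # session that could nevertheless load it


def unique_urls(crawl_a: Set[str], crawl_b: Set[str]) -> Tuple[Set[str], Set[str]]:
    """URLs seen in exactly one crawl. Shared URLs are reachable by both and need no replay."""
    return crawl_a - crawl_b, crawl_b - crawl_a


def authenticated_access(url: str, session: Optional[str], fetch: Fetch) -> bool:
    """True only if the page renders for this session.

    A redirect to the login page, a 403, or a 200 that is really the login
    form all count as 'not accessible'. Checking the status code alone is a
    classic source of false positives when the app answers 200 to everything.
    """
    status, body = fetch(url, session)
    if status != 200:
        return False
    return 'name="password"' not in body


def compare_sessions(crawl_a: Set[str], crawl_b: Set[str], fetch: Fetch,
                     session_a: str = "A", session_b: str = "B") -> List[Finding]:
    """Replay each session's unique URLs under the other session; report the ones that load."""
    only_a, only_b = unique_urls(crawl_a, crawl_b)
    findings: List[Finding] = []
    for url in sorted(only_a):
        if authenticated_access(url, session_b, fetch):
            findings.append(Finding(url, session_a, session_b))
    for url in sorted(only_b):
        if authenticated_access(url, session_a, fetch):
            findings.append(Finding(url, session_b, session_a))
    return findings


# Constructed stand-in for the target application so the example runs offline.
# Its access policy has one deliberate hole: account statements are not
# owner-checked, so any logged-in user can read anyone's statements.
_OWNER = {"/account/101": "A", "/account/202": "B"}
_ADMINS = {"B"}


def fake_fetch(url: str, session: Optional[str]) -> Tuple[int, str]:
    if session is None:
        return 200, '<form><input name="password"></form>'   # anonymous: login form, status 200
    if url.startswith("/admin/"):
        return (200, "<h1>Users</h1>") if session in _ADMINS else (403, "forbidden")
    m = re.match(r"^/account/(\d+)(/statements)?$", url)
    if m:
        if m.group(2):                                         # the hole: no owner check
            return 200, "<h1>Statements</h1>"
        if _OWNER.get("/account/" + m.group(1)) == session:
            return 200, "<h1>Account</h1>"
        return 302, ""                                         # bounced back to /home
    return 200, "<h1>ok</h1>"


if __name__ == "__main__":
    for f in compare_sessions(CRAWL_A, CRAWL_B, fake_fetch):
        print(f"{f.url}: discovered as {f.discovered_by}, also loads as {f.replayed_as}")
```

With a real target, `fetch` would issue the request through ZAP with the other user's session cookie. The body check matters because many applications answer the login page with a 200 rather than a 302, which a status-only comparison would wrongly count as a finding.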

Knowledge Prerequisite:

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of crawlers and/or application security would be useful, but not essential.

Mentor: Simon Bennetts - OWASP ZAP Project Leader

Project 002 - Dynamically Configurable actions

Brief explanation:

ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.

It also supports a scripting interface, which is very powerful but at the moment difficult to use.

This project would introduce something in between these two options: a powerful way of defining (potentially) complex rules using a wizard-based interface.

The challenge will be to make it as usable as possible while still providing a wide range of functionality.

Expected results:

This component would provide a set of highly configurable 'actions' which the user would set up via a wizard.

So they would initially define when the action applies, based on things like regex matching on request elements. And they should be able to define multiple criteria with ANDs and ORs.

Then they would define the actions, which could include:

  • Changing the request (adding, removing or replacing strings)
  • Raising alerts
  • Breaking (to replace existing break points)
  • Running custom scripts (which could do pretty much anything)

They would then be able to switch the actions on and off from the full list of defined actions using checkboxes.
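A model of the rule engine just described, added here as an illustration and not code from ZAP: match criteria are regexes on request elements, combined with AND/OR groups that can nest; actions are request rewrites, alerts and breaks; each rule carries the on/off checkbox. The request layout, the element names, and the sample rules and request are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

# A request is modelled as a dict with 'method', 'url', 'body' and a 'headers' dict.
Request = Dict[str, object]


def element_text(req: Request, element: str) -> str:
    """Read one request element: 'method', 'url', 'body', or 'header:<Name>'."""
    if element.startswith("header:"):
        return req["headers"].get(element.split(":", 1)[1], "")
    return req.get(element, "")


def set_element(req: Request, element: str, value: str) -> None:
    if element.startswith("header:"):
        req["headers"][element.split(":", 1)[1]] = value
    else:
        req[element] = value


@dataclass
class Match:
    """One criterion: a regex applied to one request element."""
    element: str
    pattern: str

    def test(self, req: Request) -> bool:
        return re.search(self.pattern, element_text(req, self.element)) is not None


@dataclass
class Group:
    """Criteria combined with AND or OR; groups may nest inside groups."""
    op: str                                   # "and" | "or"
    items: List[Union["Match", "Group"]]

    def test(self, req: Request) -> bool:
        results = (item.test(req) for item in self.items)
        return all(results) if self.op == "and" else any(results)


@dataclass
class Replace:            # change the request: regex substitution on one element
    element: str
    pattern: str
    replacement: str


@dataclass
class Alert:              # raise an alert
    name: str


@dataclass
class Break:              # hold the request for manual editing, like a break point
    pass


@dataclass
class Rule:
    name: str
    when: Group
    actions: list
    enabled: bool = True  # the checkbox in the full list of defined actions


@dataclass
class Outcome:
    request: Request
    alerts: List[str] = field(default_factory=list)
    break_requested: bool = False


def apply_rules(rules: List[Rule], req: Request) -> Outcome:
    """Run every enabled rule whose criteria match, in order, on a copy of the request."""
    out = Outcome({**req, "headers": dict(req["headers"])})
    for rule in rules:
        if not rule.enabled or not rule.when.test(out.request):
            continue
        for action in rule.actions:
            if isinstance(action, Replace):
                current = element_text(out.request, action.element)
                set_element(out.request, action.element,
                            re.sub(action.pattern, action.replacement, current))
            elif isinstance(action, Alert):
                out.alerts.append(f"{rule.name}: {action.name}")
            elif isinstance(action, Break):
                out.break_requested = True
    return out


# Constructed sample rules and request for a hypothetical application.
SAMPLE_RULES = [
    Rule("Privilege header",
         Group("and", [Match("url", r"^/api/"), Match("header:X-Role", r"^user$")]),
         [Replace("header:X-Role", r"^user$", "admin"),
          Alert("X-Role is client-controlled; check it is not trusted")]),
    Rule("Break on credentials",
         Group("and", [Match("method", r"^POST$"),
                       Group("or", [Match("body", r"password="), Match("body", r"passwd=")])]),
         [Break()]),
    Rule("Strip cookies",
         Group("or", [Match("url", r"^/api/"), Match("url", r"^/static/")]),
         [Replace("header:Cookie", r".*", "")],
         enabled=False),
]
SAMPLE_REQUEST: Request = {
    "method": "POST", "url": "/api/login",
    "headers": {"X-Role": "user", "Cookie": "sid=1"},
    "body": "user=alice&password=s3cret",
}
```

Rules are applied in order to a copy of the request, so a later rule's criteria see the edits made by earlier ones; the disabled "Strip cookies" rule shows that a defined action has no effect until its checkbox is ticked.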

Knowledge Prerequisite:

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

Mentor: Simon Bennetts - OWASP ZAP Project Leader

Project 003 - Extend Web API to cover all of the ZAP functionality

Brief explanation:

ZAP provides a REST based API which can be used to control core aspects of the functionality provided by ZAP.

This project would extend that API to cover all/most of the ZAP functionality.
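An added example of driving the existing API from Python (not the project's own code): it builds URLs in ZAP's format/component/view-or-action/name layout, starts a spider scan, polls its status and collects the results. The spider endpoints, the scan/status/results response shapes and the apikey parameter are those of ZAP releases since 2.x, so treat them as assumptions relative to the 2012 API this page describes; the FakeZap transport is a constructed stand-in so the code runs offline.

```python
import json
import time
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode
from urllib.request import urlopen

ZAP_BASE = "http://127.0.0.1:8080"   # assumption: ZAP listening on its default local port


def api_url(component: str, op_type: str, op_name: str,
            params: Optional[Dict[str, str]] = None, fmt: str = "JSON",
            base: str = ZAP_BASE, apikey: Optional[str] = None) -> str:
    """Build a ZAP API URL: <base>/<format>/<component>/<view|action>/<name>/?<params>.

    The API key (required by default in recent ZAP releases) travels as the
    'apikey' query parameter; leave it None for an instance with the key disabled.
    """
    query = dict(params or {})
    if apikey:
        query["apikey"] = apikey
    url = f"{base}/{fmt}/{component}/{op_type}/{op_name}/"
    return url + ("?" + urlencode(query) if query else "")


def http_get_json(url: str) -> dict:
    """Default transport: a plain GET against a running ZAP, decoded as JSON."""
    with urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def spider_and_collect(target: str, fetch: Callable[[str], dict] = http_get_json,
                       apikey: Optional[str] = None,
                       wait: Callable[[], None] = lambda: time.sleep(2)) -> List[str]:
    """Start a spider scan of target, poll until it reports 100%, return the URLs found."""
    started = fetch(api_url("spider", "action", "scan", {"url": target}, apikey=apikey))
    scan_id = started["scan"]
    while int(fetch(api_url("spider", "view", "status", {"scanId": scan_id},
                            apikey=apikey))["status"]) < 100:
        wait()
    found = fetch(api_url("spider", "view", "results", {"scanId": scan_id}, apikey=apikey))
    return found["results"]


class FakeZap:
    """Constructed stand-in for a running ZAP so the example runs offline.

    It records every URL requested and answers the three spider calls with
    the JSON shapes ZAP returns: {"scan": id}, {"status": pct}, {"results": [...]}.
    """
    def __init__(self) -> None:
        self.calls: List[str] = []
        self._progress = iter(["40", "100"])

    def __call__(self, url: str) -> dict:
        self.calls.append(url)
        path = url.split("?", 1)[0]
        if path.endswith("/spider/action/scan/"):
            return {"scan": "3"}
        if path.endswith("/spider/view/status/"):
            return {"status": next(self._progress)}
        if path.endswith("/spider/view/results/"):
            return {"results": ["http://target.test/", "http://target.test/login"]}
        raise ValueError("unexpected API call: " + url)


if __name__ == "__main__":
    zap = FakeZap()   # use the default http_get_json transport to drive a real instance
    for url in spider_and_collect("http://target.test/", fetch=zap, apikey="changeme",
                                  wait=lambda: None):
        print(url)
```

Swap `FakeZap` for the default `http_get_json` transport to run against a live instance. Anything the API does not expose still has to be done through the GUI, which is the gap this project is meant to close.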

Expected results: Comprehensive Web API that will cover all of the ZAP Proxy functionality.

Knowledge Prerequisite:

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

Mentor: Simon Bennetts - OWASP ZAP Project Leader

Project 004 - Closer integration with OWASP AJAX

Brief explanation:

ZAP provides a basic spider that can be used to explore an application; however, it is very limited, especially when used with AJAX-based applications.

The OWASP AJAX crawling tool (https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool) is specifically designed to crawl AJAX applications and can already use ZAP as a proxy.

This project would develop a ZAP plugin which integrates ZAP with the OWASP AJAX crawling Tool.

Expected results:

A new ZAP plugin would be produced which allows ZAP to crawl AJAX applications using the OWASP AJAX crawling tool.

The plugin would allow the two tools to be tightly integrated, while still allowing them to work completely independently.

Knowledge Prerequisite:

Both ZAP and the AJAX tool are written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of crawlers and/or application security would be useful, but not essential.

Mentor: Simon Bennetts - OWASP ZAP Project Leader