Difference between revisions of "OWASP Autumn of Code 2006 - Applications"

From OWASP
AoC 20 - George

My name is George [..], I am a member of the local chapter in Greece and I would be interested to help you complete the OWASP projects. My background is mainly programming and security since I have a degree in Computer Science from Athens University of Economics and Business and an MSc with distinction in Information Security from RHUL. Currently, I am working for [...] as a software engineer and in the past 5 months I was involved in the architecture and development of [...] communication framework as part of the security team in Munich.

My main task was integrating the authentication of [...]' new phones into the security of our J2EE container using both JSocks and SOAP in HTTPS, which had a 25% effort in the architecture design and 75% effort in Java programming. Currently, I work in a web management tool for softswitches using C++ and XML-XSL but unfortunately my participation in this project doesn't have any requirements about security, which is my main interest. This is why I see the opportunity to work in an OWASP project as a chance to work again at a high level in security and gain more experience in this field but also to spend my free time doing the things I enjoy more.

I also believe that working for OWASP is very interesting, will get me in touch with new trends in security and may open new career paths for me. Also, my professional experience so far has given me the ability to work in big projects and cooperate for their completion with colleagues across the world, so I expect to be able to communicate, be synchronized with you and the other team members and be productive in a very short time.

The OWASP project that I mainly want to work with is WebScarab, mainly because I've used it in the past and I liked it but also because my previous working experience in JSSE application involved SOAP and HTTPS which, in my understanding, are among the objectives for this project, so I expect it to be easier for me to work in similar concepts. Of course, I would be interested in working in other projects too, specifically the Java project, WebGoat and your research in .Net partial trust. My schedule in work till March is quite flexible so I am sure that I will have the necessary time to study, develop and deliver production code and documentation in time.
AoC 25 - Matteo

Hi Dinis, how are you?

I'd like to help to finish the OWASP Testing Project. I wrote a paragraph months ago: http://www.owasp.org/index.php/How_to_perform_cookie_manipulation_test

How many things do you think still remain to do?

  • Your contact details: Matteo Meucci, matteo.meucci@owasp.irg
  • Which project you want to be involved in: Testing
  • Why you should be sponsored for the project: I want to promote this project all around the world because I think it's the only valid webapp testing project.
  • What are the objectives and deliverables: the objective is to collect all the documentation, give a structure and release a final document

(Follow-up email from Testing Guide Project Leader Eoin)

Hi Dinis,

There is a large list of areas that need to be covered with the testing guide.

List is as follows (may grow as time goes by):

Information gathering:
  • Error codes: SQL, IIS/.NET Stack Trace (Java)

Source code disclosure
  • SQL Injection: Oracle, mySQL, SQL Server
  • Extended stored procedures.
  • Stored procedure injection
  • Oracle + SQL Server ports and attacks. Listener attacks etc.

XSS:
  • Incubated attacks.
  • Phishing (using JavaScript)
  • HTTP Methods + XSS (TRACE)

AJAX:
  • Vulnerabilities
  • How to test/what to look for.

Automated testing:
  • Tools, how-tos, references, tutorials.
  • Fuzzing with WebScarab

Brute Force:
  • Login forms.
  • Basic Auth dialogues

WebServices:
  • Structural attacks
  • Content level attacks
  • DTD based attacks
  • HTTP/REST attacks
  • SOAP attachment attacks
  • Brute force

Writing Reports:
  • Context.
  • Executive report
  • "Real Risk" vs Vulnerability

Latest revision as of 05:36, 27 September 2006


AoC 1 - Paolo :

Hi Dinis, the OWASP Autumn of Code idea is great and it would be great for me to participate. This is my submission information:

Which project you want to be involved in: I'd like to be involved in Code Review project

Why you should be sponsored for the project: I've got a very strong background in software development. I reached a good C programming level (working at kernel level in the Linux operating system) and a good Java programming level in the web application development field.

My working field is however security, as pen tester and code reviewer, and I want to merge these two main fields of interest: security and code.

I think I can improve the Code Review project by merging my theoretical experience (writing docs about code review and secure coding, and providing code snippets in various languages as a sort of Sample Library or knowledge base) with my practical attitude. Looking at the OWASP LAPSE project, it would be a great idea to create a sort of common API, building a sort of "code review tool engine".

This engine would be generic and devoted ONLY to code review related aspects. Using such an engine as a basis we could build a plethora of tools providing code review capability for common os IDEs (extending LAPSE for Eclipse, NetBeans, ...) and for ad hoc command line tools.

What are the objectives and deliverables

My objectives are:

  • focusing people's attention on how important code review and safe coding are
  • providing people with practical instruments to test their applications or to build their own testing tools

My deliverables are:

  • improving the Code Review project documentation, for my first objective
  • realizing the engine core, complete with a set of well-known wrong code practices, providing a way to extend such an engine and a PoF testing tool using the aforementioned APIs

AoC 2 - Federico

Hello,

I would like to apply for OWASP’s AOC as an individual, with no relation to or sponsorship from PaySett.com (my current employer)

I would like to work on either the HoneyComb project (Especially the Java sections) or translate the current version of the 3.0 guide to Spanish.

I am a Mathematician and Computer Scientist who has been working for the last few months writing up the Security Assurance procedures that will be followed in all releases of our products.

Although security is not my main area of expertise, WebApplication development is my main area (especially Java) and therefore I feel that being part of OWASP’s target audience will help me write things in a clear and concise manner that will be easy for developers, architects and executives to understand.

I do not feel that one person can complete the honeycomb project in three months. However, for the given 3-month timeframe (considering my other responsibilities), I would acquire the following commitments:

  • Finish all Java-related articles in the Vulnerabilities section – and others I feel I have the expertise … not sure how many more
  • Organize and sort the articles in the Vulnerabilities and Attacks section
  • Create as many stubs, with basic info, as possible for Vulnerabilities and Attacks section
  • Finish all articles in the “principles” section
  • Finish all articles in the “threats” section
  • Translate all the above to Spanish

If instead OWASP would be more interested in the guide project, I would translate the 3.0 guide to Spanish.

Thank you for your time and consideration.

Please do not hesitate to contact me with any questions or comments.

Best regards,

AoC 3 - Tom

Hi Dinis,

I'm interested in sorting out the owasp.org website and fixing things up... aka, "WebMaster the Owasp.org website for 3 months and implement all missing functionality". I'm just finishing up my MSc in Information Security at Royal Holloway, University of London. My thesis is on secure coding (investigations into security development lifecycles, how they interact with security assessments and all that lark); however it's not web related so I doubt it'll be useful.

[...]

Anyways,

Get back to me.

Cheers,

Tom

AoC 4 - Joshua

G'day Dinis,

I have been working with Eoin on the liveCD project and we are hoping to have a Beta version ready for Seattle. I would like to be considered for the "OWASP Autumn of Code" sponsorship.

I have been working very hard in my spare time to get the LiveCD up and running. Basically, I spent some time going through all the distros and testing different build methods. After all the testing Morphix was the easiest and most stable to work with.

So far we have a working version with the following tools installed: WebScarab, Nmap, Nessus, Paros, OWASP Guide 2.0, CAL9000, TCPDump, Ethereal, Nikto, NetCat.

Working on: WebGoat; Branding (Boot Menus, Wallpaper); KDE Menu; Slimming down the build; Packaging on CD/DVD; Prof. Custom Graphics / Icons; RFID Tools; VOIP Tools.

This project was created because other LiveCDs don't focus on App testing and training. It's mostly infrastructure. That's where "labRat" the Live Distro fills the gap. This is also excellent for having all the OWASP resources during an onsite job or training in the lab. That's where the name came from: spending those long hours in our security labs.

I'd like to hear your thoughts on the LiveCD project and if you feel it's worthy of sponsorship. I know that several chapter leads I know are anxious to get it up and going.

Cheers,

Joshua

AoC 5 - Jonathan

My name is Jonathan [...] and I am the Development Security Officer for [...] inc. In my current role I am responsible for the integration of security processes within our company's development lifecycle as well as managing our security engineering team. I have worked in the industry for six years, in which time I was promoted from developer, to architect, and into my current role as DSO.

I have much respect for OWASP and would find this sponsorship program to be an excellent way of getting involved with your organization (of course, the sponsorship money is nice too :). In reviewing the projects listed I have found the 'OWASP Testing Guide' to be the most interesting, but I admit that I have little or no experience with any of the projects. If there are any projects you would like to refer me to as an experienced Java developer, understanding my current role, I would be very interested.

Thank you for your time.

AoC 6 - Hardik

Hello Dinis,

I would like to take one of the following projects. But currently I am not aware of exactly what the remaining things in these projects are and what you want to implement. If you can let me know the requirements for the following projects then I can take one or multiple projects. I also have some friends who might be interested in working on these, so we can all work on it. Following is the list of projects we are interested in:

  • OWASP WebGoat Project
  • OWASP Validation Project
  • OWASP WebGoat Project - OWASP WebScarab Project

If possible please provide me more details or the contact of a suitable person about the current status and what requirements and features are needed.

Thanks & Regards,

Hardik

AoC 7 - Aaron

Greetings,

I would like to submit a project proposal for the OWASP Autumn of Code 2006.

Project Request:

  • First Choice: WebMaster the Owasp.org website for 3 months and implement all missing functionality
  • Second Choice: OWASP PHP Project
  • Third Choice: OWASP AJAX Security Project

Why:

I have worked as a professional web developer for 6+ years and have participated in several open source projects including tiki-wiki and other content management system projects. I am employed by the [...] [...] as a consultant on web development technologies and web server deployment strategies. During my career, I have had the luxury of learning and furthering my skills through the open-source community of developers who have offered one-on-one advice, project source code, and valuable insight. Without this guidance it would not have been possible for me to progress as quickly as I have, nor would my journey have been as enjoyable of an experience.

My primary interest includes PHP / MySQL development, server administration (FreeBSD / Linux), and graphics design / usability study. As a web developer I have had the opportunity to learn and use numerous technologies and programming languages running under a variety of environments. This has forced me to learn to adapt quickly under various circumstances and environments, and has taught me how to work both alone as well as within a team. I would like to use this unique experience to aid others within the community in any way possible, including the continued development of services within the owasp.org website.

Deliverables (Web Master):

1. Website template and branding
2. Prepare marketing materials (digital format)
3. Content updating and proofing (English)
4. Prepare website documentation for future developers
5. Work in conjunction with other teams (AJAX, JS, PHP) to audit and develop site
6. Develop features and functionality as identified by OWASP and community

Please feel free to contact me at your leisure to discuss my proposal. I will provide a detailed portfolio of my work if this is of interest and/or I can prepare a deliverables list for the other two projects if necessary.

Thank you,

AoC 8 - Josh

Project: Testing Guide

Reasons to be sponsored: It happens to be "be nice to Josh day" today, besides I think I can express the ideas that we want to convey in a clear and readable manner.

Objectives: To deliver a readable and accurate guide on performing an application security review.

I look forward to hearing from you,

AoC 9 - Mike

OWASP Autumn of Code 2006 Application

Project Involvement: I want to work on finishing up SiteGenerator (SG) and OWASP Report Generator (ORG) projects.

Why I Should be Sponsored: I should be sponsored for finishing up SG and ORG because I know I can finish up these projects to a level that the project lead would be satisfied with. I have also been helping out with the OWASP .Net area for the past few years so I already have substantial background knowledge of these projects.

Objectives:

  • Fix errors that are currently in SG and ORG.
  • Create documentation for the programs and publish onto their corresponding wiki pages.
  • Make the SG install process easier by consolidating the two installers into one.
  • Cleaning up of the code to make it easier for further development.
  • Finishing up the TO-DOs found on https://www.owasp.org/index.php/ORG_%28Owasp_Report_Generator%29.
  • Adding functionality and other items to SG based on the feedback from the project lead.
  • Improve the user interface of the programs.

Deliverables:

  • November 15th - I will have most of the common errors fixed in SG and RG, at least 50% of the TO-DOs finished up for both of the programs and a start on the documentation.
  • December 31st - I will have the rest of the functionality, new installers and documentation of the programs on the OWASP wiki.

Throughout the process I will be focusing on cleaning up the code for clarity and future modifications as well as improving the user interface.

AoC 10 - Federico

Hello,

Browsing through the project page, I discovered LAPSE project to which I could make a valuable development contribution in time and skill.

I do not know the project enough to outline specific commitments but I will draft some as soon as I get to know the application a little bit.

Additionally, I currently have access to a full license of WebInspect, which could give us valuable information for the LAPSE project.

Thank you for considering me.

PS, The other documentation project, which I feel I could make a valuable contribution to, is the OWASP Java project.

Best regards,

AoC 11 - Siddharth

Hi Dinis,

I am interested in participating in "OWASP Autumn of Code 2006", so please look at the following details.

Contact detail:

[...]

Project:

I am interested in being involved in the following project:

  • Write more lessons for WebGoat, integrate it with SiteGenerator and release it as a product?

Why: I have about 1 year of experience in the software industry, and for the last 4 months I have been working in web application security. I am very hard working and dedicated to work.

As before 3 month I started learning about web application security, webgoat helped me a lot for practical exposure to pentesting and security review.

I am interested to work for this because I feel it is very useful for trainees and needs the improvements.

OWASP will be very happy to work with person with urge to learn and dedicated to the work.

Objectives and deliverable:

Web goat needs to be improved in the following points:

  • Should add more lessons on 'Analyzing the HTML source', which I feel is one of the most important for most of the attacks.
    • Example: Can be used to break functional access control, like enabling the controls or functionalities that the user is not authorized for by JavaScript.
  • Use of JavaScript in attacks.
  • Should have a lesson on directory indexing, including a hint on guessing the directory names.
  • Lesson to show 'Improper Error Handling'. Example: some error showing the path of the server on the host, like "file not found X:\app\app_name\filename".

My idea is having 2 main objectives:

  • Make webgoat to cover all possible attacks.
  • To make it useful also for developers. Because today webgoat is concentrating on pentesters. Lessons should have Hints for mitigations and recommendations.

My goal is to make Web Application security popular to developers and get the web secure.

Thanks

AoC 12 - Pedram

Dear Mr Dinis Cruz,

I am writing in response to the announcement posted on Owasp.org for the OWASP Autumn Of Code 2006. I want to be involved in the "OWASP PHP Project".

Please accept my attached resume as an application for this project. My experience closely fits the posted project description, and I am excited to apply. I have more than 5 years of experience in PHP web development, especially secure web development, and more than 10 advisories on PHP web applications (SecurityFocus, Secunia, Security Team).

My ideas for this project:

  • Guide to creating a PHP security class for developers
  • Guide to define variable type, length, format, character set, reasonableness in PHP for input validation
  • Sample secure PHP application (e.g: Secure forms handling, Secure authentication, Secure poll, Secure search, Secure database handling, Secure file handing, ... )

Thank you. Sincerely,

AoC 13 - Rogan

Project

WebScarab-NG

Why I should be sponsored

WebScarab (original) is quite a high profile project within OWASP. I think it is one of the more widely used tools produced by OWASP, with many thousands of downloads over the past few years (more than 6400 of the latest version according to SourceForge).

I believe that I (through my development of WebScarab so far) have demonstrated my commitment to OWASP, as well as my ability to deliver.

Project Details

Classic WebScarab has many flaws, not least of which are usability related ones. WebScarab is hardly intuitive to a newcomer, and there are significant portions of functionality that I suspect only I know how to use properly.

WebScarab-NG was started as a clean-slate implementation of a Web Application Security tool. It is using a modern user interface toolkit (Spring Rich Client), which makes it possible (even easy!) to provide a standards-compliant user interface, that provides immediate "as you type" feedback to the user.

So far, only the proxy functionality has been implemented, and the ability to review conversations. As part of this project, I intend to re-implement the majority of the functions that classic WebScarab provides, so that WebScarab-NG is a compelling alternative to the classic WebScarab.

If you need any additional information, or would like to adjust the scope of this project, please feel free to contact me.

Sincerely,

Rogan

AoC 14 - Eugene

OWASP Autumn of Code 2006 Project Proposal

Project:

The OWASP Honeycomb Project

What are the objectives and deliverables:

  • Normalize the CLASP vulnerability taxonomy with Honeycomb categories
  • Help release the Honeycomb User's Guide
  • Article related tasks from the project roadmap:
    • Fill in the contents of the stub Honeycomb articles
    • Refine the content and structure of the Honeycomb articles
    • Eliminate redundancy in the articles and categories
    • Make sure that articles are tagged with appropriate categories

Why you should be sponsored for the project:

I have prior experience with CLASP and would like to help make the Honeycomb articles more complete and consistent. Over time Honeycomb has the potential to grow into a very powerful application security resource offering far more benefit than any flat taxonomy could ever provide.

AoC 15 - Alejandro

Hi, my name is Alejandro [...], and I'm really interested in participating in OWASP Autumn of Code 2006.

Project of interest: Help to Complete V2.0 of WebScarab and package it as product

Why I should be sponsored? I have a strong background in Programming, Computer Security and Open Source. I worked several years in a local CA and in the largest bank in Chile, working full-time on computer security. Also I'm very involved in open source initiatives, and I'm the co-founder of the first and largest Chilean forge (www.chileforge.cl). Also I'm a part-time professor at the [...] de [...] (one of the two best in Chile), in a Computer Security Diploma. And I really like to program complex stuff :D

What are the objectives and deliverables: In this case I guess that the objectives and deliverables are already clear. If not, I could work on the definition and planning of this project.

Thank you very much

Alejandro

AoC 16 - Rodrigo

Project:

  • OWASP Guide Project

or

  • OWASP Code Review Project


Why:

I have a strong background in computer security area, documentation writing and I work as Linux Security Software Engineer.

My dedication will be interesting to the project, because I will use it in my master degree thesis too.

Objectives:

I can work in either of the two projects because I really believe that when you write documentation about security practices you teach how to avoid common mistakes (these mistakes need to be spotted by a code review).

The idea is to write about the common flaws, how they work and can be exploited, evolving to more advanced ways to bypass security mechanisms (like advances in SQL injection, bypassing char filters, overflowing CGI applications, and so on...).

Covered flaws and techniques (all flaws will be explained with simple samples that everyone can perform, to understand how the flaw can be exploited and see the real impact on the application):

  • SQL Injection
  • Cross-site Scripting
  • Buffer Overflows (heap, stack) - CGI programs
  • HTML Injection and client-side vulnerabilities (like many flaws that exist in orkut.com)
  • Many other input validation flaws
  • Cookie and session related problems

The reader will be able to understand what the common security flaws that exist in web applications are and how they can be exploited (it will give the developer a notion of the impact of insecure code).

Also, the reader can easily understand how to audit any web application tool developed, to spot these flaws.

The project will deliver the sections step-by-step, to ensure that readers can easily understand and test the practical samples shown.

Tks in advance,

AoC 17 - Chris

I would like to submit my CAL9000 project for consideration in your OWASP Autumn of Code 2006. I have put a significant amount of time into the project already - over 600 hours. While the tool is useful as-is, I still consider it a proof-of-concept and would like to include functionality that would take it to the next level. Listed below are the upgrades that I guarantee that I would be able to implement by year-end 2006.

XSS Attack Library Page:

  • Allow filtering of attacks based upon what browsers they are effective in.
  • Allow users to create/edit/delete their own attacks that will persist even if the RSnake XSS attack file is updated.
  • Allow display of all user-defined attacks in a print-ready format.
  • Enhance RegEx testing functionality. At a minimum, allow user-defined regex flags and replacement strings. Include show/replace/split matches and the ability to test the regex against code.

HTTP Requests Page:

  • Give users (near)full control over generating and sending HTTP Requests. (There are some browser-dependent restrictions)
  • Allow users to define HTTP Method Type, Authentication Type w/ values, Schema, FQDN, Port, Absolute path of URL, Parameter, Query String, Request Headers/Body.
  • Allow Quick encoding of an entire request field or selected text (Url, Hex, Unicode, Base64, Md5 encoding types).
  • Allow users to quickly include from a list of Header Names and common Header Values, depending on the Name. (Or use their own)
  • Allow users to quickly include Browser-specific Headers/Values.
  • Allow users to quickly include Method-specific Headers/Values.
  • Allow users to include Request Name/Value pairs and add them to the Query String or the Response Body.
  • All Request/Response results will be saved in persistent History and easily redisplayed.

HTTP Responses Page:

  • Display Target URL, Response Status/Headers/Body.
  • Allow users to view Response Body as it would appear in a browser.
  • Allow users to extract and view Scripts/Forms/Cookies from the response.
  • Allow users to delete Scripts and Forms from Response Body and view the effect on the rendering of the page.
  • Allow display of Request/Response pairs in a print-ready format.

Misc Tools Page:

  • Allow user-defined characters for the String Generator.

Testing Checklist Page

  • Retain the current testing tips and add a testing checklist based on the OWASP Testing Guide. Include the ability for users to create/edit/delete their own checklist items and also create/edit/delete their results/notes for each test.
  • Allow display of all checklist items and results in a print-ready format.

Automater Page:

  • Allow users to create/edit/delete lists of attack strings and define the insertion points in a request. CAL9000 will automatically send a request for each attack string. Results will be available for review in the History. (Basically, this is a scanner where the user gets to define the tests)


Time permitting, I would also like to include some of the functionality of the AttackAPI (http://www.gnucitizen.org/projects/attackapi/) and add some basic report generating capabilities. However, I can't guarantee these enhancements before year-end, as I haven't had the time yet to spec out what it would take to implement them.

Down the road, I may write a port to Java in order to get away from browser-specific limitations and to give me the ability to include a proxy. However, CAL9000 was created to be a complement to existing scanners and proxy tools, such as WebScarab, so I'm not sure how far I should take it. I am open to any ideas that you may have for future enhancements.

If you have any questions or would like any more information, feel free to contact me.

Thank you,

AoC 18 - Boris

Hi Dinis,

I have just read about the OWASP Autumn Of Code, and I feel rather excited about it! It's not every day that I do interesting stuff and make some money out of it :)

My name is Boris, and I'm a .NET guy from Belgrade, Serbia. I've been working with .NET (ASP.NET mostly) since its pre-beta days (Microsoft PDC 2000 Orlando pre-release). Lately I have become more and more involved with the application security domain, and I think I could use some of the knowledge I gained on the OWASP Autumn Of Code. I have worked on many .NET projects ranging from single-user desktop apps to distributed, BizTalk-based, SWIFT-based financial clearinghouse systems. I worked for Microsoft too :) (that was some time ago, in their Developer & Platform Evangelism group). I'm also an MCSD and MCAD (for .NET), if that matters to you.

So, I like your .NET projects (and overall OWASP goals) very much, and I would be very eager to work on the following item from your "Project Ideas" list:

  • Complete all OWASP .Net web tools (ANSA, SAM'SHE, Asp.Net reflector, etc..) and release them as a product

I think it's very important not to neglect security-related issues with the Microsoft Web platform because it's widespread, especially in the enterprise, and with ASP.NET 2.0 (IMHO, its productivity gains are unparalleled today), it will become even more widespread. So, I think that your target market will be very interested in everything related to the MS Web platform, especially because it has been somewhat neglected by security tool authors.

I sincerely hope that this piece of email is just a start :)

Regards, Boris

AoC 19 - thomas

Oops - and now it's too late, for they closed the OWASP Autumn of Code early, on 9/18th.

I just wanted to ask about participating in OWASP's Autumn of Code with checkomatik - a project for managing checks and reports.

checkomatik is based on PHP/MySQL and brings a defined check template with a handful of predefined texts and checks to a simple web interface. Simple checks like nikto, banner grabs, whois and so on get handled either by serversniff.net/ (see http://www.serversniff.net/wiki_en/index.php?title=API) or by its own functions and scripts.

The goal of the project is to handle and automate the doing, archiving and reporting of my (somewhat standardized) pen-tests whilst being as flexible as possible, e.g. to add additional servers, IPs, texts etc. to any check I do.

Checks are extensible and completely self-definable. There is currently an export to pseudo-XML; we are working on ODF, RTF and simple HTML.

I've been using a custom version of checkomatik for 2 years for my pentests - but I'd need some resources to refine this for publishing. The code is messy, it's not completely multiuser-capable, and it's ugly. There is a playground of the actual stage of development at http://serversniff.net/checkomatik

Never mind if it's too late anyway,

AoC 20 - George

My name is George [..], I am a member of the local chapter in Greece and I would be interested in helping you complete the OWASP projects. My background is mainly programming and security, since I have a degree in Computer Science from Athens University of Economics and Business and an MSc with distinction in Information Security from RHUL. Currently, I am working for [...] as a software engineer, and in the past 5 months I was involved in the architecture and development of the [...] communication framework as part of the security team in Munich.

My main task was integrating the authentication of [...]' new phones into the security of our J2EE container using both JSocks and SOAP in HTTPS, which was a 25% effort in architecture design and a 75% effort in Java programming. Currently, I work on a web management tool for softswitches using C++ and XML-XSL, but unfortunately my participation in this project doesn't have any requirements about security, which is my main interest. This is why I see the opportunity to work on an OWASP project as a chance to work again at a high level in security and gain more experience in this field, but also to spend my free time doing the things I enjoy more.

I also believe that working for OWASP is very interesting, will get me in touch with new trends in security and may open new career paths for me. Also, my professional experience so far has given me the ability to work on big projects and cooperate on their completion with colleagues across the world, so I expect to be able to communicate, be synchronized with you and the other team members and be productive in a very short time.

The OWASP project that I mainly want to work on is WebScarab, mainly because I've used it in the past and I liked it, but also because my previous working experience in a JSSE application involved SOAP and HTTPS, which in my understanding are among the objectives for this project, so I expect it to be easier for me to work on similar concepts. Of course, I would be interested in working on other projects too, specifically the Java project, WebGoat and your research in .Net partial trust. My schedule at work till March is quite flexible, so I am sure that I will have the necessary time to study, develop and deliver production code and documentation in time.

Below are my contact details:

[...]


Thank you for reading this and I hope to hear from you soon,

Best Regards,

AoC 21 - Simon

Madrid, Spain.

Which project you want to be involved in: OWASP Pantera Web Assessment Studio (WAS)

Why you should be sponsored for the project: As the project leader I was going to continue with the development of the project anyway. I believe OWASP AOC can help me to boost the development of the project and come up with a nice assessment framework.

What are the objectives and deliverables

Objectives: Create a powerful application assessment framework able to import data from different sources, analyze all this data using automated processes and manual techniques to verify all the security risks and deliver a comprehensive and accurate report with the findings.

Deliverables:

  • Mature and robust framework: The purpose of Pantera is to come up with a mature framework to perform application assessment where performance, portability and usability are key elements in the design.
  • Active Scanning Engine via a plug-in system: A complete vulnerability scanning engine in 3 phases (recon/spider, vulnerabilities, verify result)
  • Automated Analysis Tools (Auth brute force, decompiler, etc.): Automated tools to perform repetitive tasks like authorization brute force, fuzzing, etc.
  • Import data from well-known sources such as Application Scanners and other Pentesting Proxies: Import all data into Pantera to replay attacks and/or correlate findings to obtain the best results possible.
  • Charts and pie generation of analyzed data: Visual charts and pies to get a better picture of the vulnerabilities and obtained data from the assessment.
  • Report generation with customization in different formats (HTML, XML, PDF, etc.): Generate reports in different formats, customizable to your taste.
  • Improved Data Mining capabilities: Better data mining analysis.
  • Assessment Timeframe: Create a timeframe of the assessment.


We have more in mind to enhance Pantera but all the deliverables described above are realistic and can be achieved in the project completion time established by OWASP.

Even if this proposal is not selected, we hope that the readers will find all the deliverables cool enough to step forward and help with the development.

Sincerely,

AoC 22 - Paul

Dear Mr. Cruz:

I am writing in regards to your offer to accept proposals for the OWASP Autumn of Code Project. After reviewing the list, I am including below my response for assisting with one of the projects. Please contact me if you are interested.

Thank you for your consideration!

Sincerely,


Which project you want to be involved in: Organize the 'OWASP branding project' and make a 1st pass at the current abuses of the OWASP brand


Why you should be sponsored for the project: I have over 15 years of experience in IT as a technical writer, policy/procedure writer, and software tester. I am used to being the "lone wolf" on projects for my task, and often have to draft "strawman" policy statements for my current job. I have also received praise in the past for my ability to perform Internet research.

What are the objectives and deliverables:

  • Determine stakeholders and identify problems with existing branding method.
  • Research solutions and prepare proposal for stakeholder review/approval. Potential deliverables include:
    • New webpage text for branding statement
    • Modifications to "Disclaimers" section of website
    • New flyer prepared for education at tradeshows, local meetings etc.
    • e-mail sent to chapter members, etc.
  • Perform Internet research on existing usages of the OWASP brand in the marketplace. Categorize according to type, and prepare draft communication for future sending by stakeholders to those determined to be in potential violation.

AoC 23 - Eduardo

Hi,

I'm curious about computer security, especially Web Security (code injection, XSS, SQL injection), and I would like to contribute to the OWASP PHP project.

I have worked with security and security research and development for the web since 1998.

My objectives are to make extensive documentation for developers, architects, and deployers to make web development more secure. This is a big problem today, because many applications are running on the web, but most developers are not worried about this problem. Today my action to make web development more secure is presenting lectures in Brazil.


Thanks!

AoC 24 - Sherif

see "Sherif Web Goat Proposal.pdf"

AoC 25 - Alex

I would like to apply to the OWASP Autumn Of Code 2006. I’m very interested in contributing to the Java Project in the areas of:

  • J2EE Security for Architects
    • Design considerations
  • J2EE Security for Developers
    • Cross Site Scripting
    • LDAP Injection
    • Session Management
    • Authentication
    • Authorization
    • Encryption
    • Error Handling and Logging
    • Web Services Security

I’ve been developing software for the last 8 years and the experience I gathered makes me a suitable candidate for participating. My experience covers:

  • Authentication and authorization COM module written in Visual C++ 5.0 for the [...] of Ecuador
  • .NET authentication and authorization module written in C# (prototype)
  • Java-based authentication and authorization module using a LDAP server (Novell eDirectory) for [...] Atlantic University
  • Java-based custom SSO module using a LDAP server (Novell eDirectory) for law firm [...] & [...]
  • Committer to Spring Framework Modules
  • SOA project for [...][...]
  • Healthcare project for [...]
  • I also have experience with web frameworks such as Struts, Spring MVC and Webwork, and am currently learning JSF
  • I have used LDAP-based security (Oracle) for web applications in [...] [...]Services (Fortune 500 Company)

I’m also attaching my resume.

Thank you very much in advance,


AoC 25 - Matteo

Hi Dinis, how are you?

I'd like to help finish the OWASP Testing Project. I wrote a paragraph months ago: http://www.owasp.org/index.php/How_to_perform_cookie_manipulation_test

How many things do you think still remain to do?

  • Your contact details: Matteo Meucci, matteo.meucci@owasp.irg
  • Which project you want to be involved in: Testing
  • Why you should be sponsored for the project: I want to promote this project all around the world because I think it's the only valid webapp testing project.
  • What are the objectives and deliverables: the objective is to collect all the documentation, give it a structure and release a final document


(Follow-up email from Testing Guide Project Leader Eoin)

Hi Dinis,

There is a large list of areas that need to be covered with the testing guide.

List is as follows (May grow as time goes by):

Information gathering:

  • Error codes: SQL, IIS/.NET Stack Trace (Java)

Source code disclosure

  • SQL Injection: Oracle, mySQL, SQL Server
  • Extended stored procedures.
  • Stored procedure injection
  • Oracle + SQL Server ports and attacks. Listener attacks etc.

XSS:

  • Incubated attacks.
  • Phishing (using JavaScript)
  • HTTP Methods + XSS (TRACE)

AJAX:

  • Vulnerabilities
  • How to test/what to look for.

Automated testing.

  • Tools, how-to's, references, tutorials.
  • Fuzzing with webscarab

Brute Force:

  • Login forms.
  • Basic Auth dialogues

WebServices:

  • Structural Attacks
  • Content level attacks
  • DTD based attacks
  • HTTP/REST attacks
  • SOAP attachment attacks
  • Brute force

Writing Reports:

  • Context.
  • Executive report

"Real Risk" vs Vulnerability