GSoC/GCI Archive
Google Summer of Code 2014

OWASP Foundation

License: GNU Library or "Lesser" General Public License version 3.0 (LGPLv3)

Web Page: https://www.owasp.org/index.php/GSoC2014_Ideas

Mailing List: Each project has its own development mailing list (eg. ESAPI: http://lists.owasp.org/pipermail/esapi-dev/)

OWASP is the Open Web Application Security Project. It is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a “people, process, and technology” problem, because the most effective approaches to application security include improvements in all of these areas.

Projects

  • Advanced access control testing and user access comparison OWASP ZAP already has the capability to allow users to configure authentication methods, session management methods and Users for a web-application in order to automate the authentication/re-authentication process during scans. This project aims to enhance ZAP’s capabilities by adding a set of access control testing features and tools.
  • Improved Proxification and Plug-n-Hack support This project will implement the following features in OWASP OWTF: 1. Improved Tool and Plugin proxification At the moment not all tools or plugins are proxified in OWTF. This feature will ensure that the maximum number of plugins and tools send their HTTP requests through the OWTF MiTM proxy. 2. Improved Plug-n-Hack Phase 1/2/3 support OWASP OWTF will cover as much as possible from the Plug-n-Hack standard, with especial focus in improving OWTF report interactivity, browser integration.
  • OWASP - SeraphimDroid OWASP-SeraphimDroid is an android application with the basic aim to teach the user about the malicious use of permissions that an android application uses. The app will use heuristics, sandboxing,etc to stop such uses. It will also provide features to block calls and locate mobile in case its lost.
  • OWASP CSRF GUARD Cross Site Request Forgery is a very effective and hard to defend attack. OWASP CSRFGuard will be an attempt to mitigate all CSRF attacks in web application without developers’ intervention. Every CSRF attack would be identified by Apache and further actions will be taken as per configuration. Also a lightweight php library would be developed to mitigate CSRF attacks in web applications in such a way that developers can use them while building web applications or integrate to existing one.
  • OWASP Hackademic Challenges - Complete set of challenges and improvements This project proposal introduces improvements to make the OWASP Hackademic Challenges project more complete. It includes new challenges to cover the OWASP Top 10 and more, as well as enhancements to the existing challenges such as a clue plugin and new congratulation pages.
  • OWASP Hackademic Challenges-New challenges and Improvements to the Existing Improve the existing challenges both in terms of acceptance of broader set of valid answers, improving the concepts underlying each of them. Designing new challenges such that a broader set of vulnerabilities are covered. By the end of project, a new set of challenges which have covered all the major security vulnerabilities, covering each of the OWASP TOP 10 extensively will be designed.
  • OWASP HACKADEMIC CHALLENGES: NEW CHALLENGES We propose new cryptographic challenges for Hackademic. Each Challenge requires some understanding of cryptography and basic programming skills. The main motivation of these challenges is to explain students good implementation values, and common pitfalls. (NOTE: Due to the use of mathematical notations, the proposal here has been shortened. For Full the proposal, please refer to PDF file from the URL http://tinyurl.com/srm-hackademic.)
  • OWASP OWTF - Automated ranking system This project will implement an automated ranking system for the OWASP Offensive Web Testing Framework (OWTF). An initial automated severity ranking will significantly assist OWASP OWTF users to focus the analysis on seemingly weaker hosts/websites, especially on large security assessments.
  • OWASP OWTF - Flexible Mapping, Templating Engine, Passive Online Scanner Flexible Plugin Mapping: Plugins will be mapped to the following standards: - OWASP Testing Guide v4 - NIST 800-53. Dynamic Templating Engine: A component in charge of assembling vulnerability descriptions, penetration tester notes and fix recommendations, with the intention to expedite report writing via copy-paste. Passive Online Scanner: A modified interactive OWTF report that allows people to try OWTF without installing, simply visiting a URL.
  • OWASP OWTF - Zest support and ZAP integration This project will improve integration between the OWTF and external tools such as ZAP. This will be accomplished by adding the features such as Sending HTTP requests/Zest scripts from OWTF to third party tools. Zest scripts will provide an automated mechanism to replicate exploitation of security vulnerabilities in a format that facilitates information exchange between external tools which can reproduce the same vulnerabilities in their own environment.
  • OWASP PHP Security Project OWASP PHPSEC is an effort by a group of developers in securing PHP web applications, using a collection of decoupled flexible secure PHP libraries, as well as a collection of PHP tools. On top of a collection of libraries and tools, PHPSEC contains a sample framework to demonstrate proper usage of the tools and libraries. It can also be easily merged with existing PHP code, because it is both decoupled and flexible. Proper usage of PHPSEC will result in the target system being much more secure.
  • OWASP WebGoatPHP WebGoat is one of the most popular open source web applications developed by OWASP. It is a deliberately insecure web application developed using Java to provide a security awareness environment. It offers a set of challenges based on various vulnerabilities listed in OWASP. Since PHP is extremely popular in web applications and has many of the security flaws which Java doesn't, my work is to develop a deliberately insecure PHP web application.
  • OWASP ZAP: Advanced Fuzzing Throughout this project the fuzzing tool of the OWASP ZAP Attack Proxy is going to be reworked to implement several features that have been requested by users. This involves the completion and clean up of the existing packages as well as the implementation of several new ones on top of that.
  • OWASP ZAP: SOAP WEB SERVICE SCANNING The purpose of this project is to implement vulnerability scanning functionality for SOAP Web Services into the OWASP ZAP tool, since its current capabilities are very limited for this tasks.
  • OWASP-OWTF: Stateful Browsing, Session Management and Python upgrade (1) Stateful Browsing with configurable authentication It will provide the ability to maintain session state, distinguish user sessions and identify authentication flaws and additionally improve OWTF testing code coverage to the authenticated portion of the website. (2) Python version upgrade and compatibility - Most Linux distributions are moving to default python - Python 2.7 is the end of the python2 line. - python 3 is cleaner and easier
  • WAF bypasser OWTF module This project will implement a Web Application Firewall bypasser module for OWASP OWTF. The WAF bypasser module analyze and test the quality of Web Application Firewall rules. The following are the components that the OWTF WAF bypasser module will use.1)A fuzzer module.2)A payload collection. 3)A repository of attack characters extracted from the payload collection. These will be implemented in the framework as part of this project so that they are reusable by other modules down the line.