GSoC/GCI Archive
Google Summer of Code 2013

OWASP

Web Page: https://www.owasp.org/index.php/GSoC2013_Ideas

Mailing List: https://groups.google.com/forum/?fromgroups#!forum/owasp-gsoc

OWASP is the Open Web Application Security Project. It is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a “people, process, and technology” problem, because the most effective approaches to application security include improvements in all of these areas. 

Projects

  • Enhanced HTTP Session Handling and users/roles awareness: OWASP ZAP currently has the capability to identify existing HTTP sessions or to force the creation of new ones, through the existing HTTP Sessions Extension. However, an enhancement of the existing features and addition of new ones is required in order to offer ZAP users a full suite of HTTP Session related tools to be used when testing web applications.
  • OWASP ModSecurity CRS - Port to Java: The goal of this GSoC project is to have a ModSecurity version that can be used within Java servers (e.g. Tomcat). In order to achieve this, the standalone C code will be wrapped using the JNI framework and the resulting ModSecurity Java project will be used as a module for the Tomcat server. Also, we will collaborate with the OWASP WebGoat team in order to integrate ModSecurity for Java into it.
  • OWASP OWTF - INBOUND PROXY WITH MiTM & CACHING CAPABILITIES: This project will create an inbound proxy module in the OWASP Offensive Web Testing Framework (OWTF) so that human navigation of a website can take advantage of the functionality in OWTF plugins in an automated fashion regardless of authentication, mandatory fields, client/server side redirects or HTTP response codes that might confuse automated tools. This will ensure increased efficiency in the security testing process and also help in complete identification of the attack surface of a website by identifying and automatically analysing all application entry points as soon as the user accesses them through the proxy.
  • OWASP OWTF - Multiprocessing: In this project, we will modify OWTF to use multiprocessing while scanning multiple URLs, which is presently done sequentially (one after another). This will improve efficiency while scanning multiple URLs.
  • OWASP OWTF - Reporting: A common complaint about OWASP OWTF so far has been that the report is not very shiny. The intention here is to:
      • Move as much of the HTML away from Python files into template files: this will facilitate web designers' work in the future.
      • Apply some nice web design to the report so that it is nicer and more comfortable to work with: clean up the HTML, CSS, etc.
      • Identify and fix areas of improvement in click flow: for example, try to reduce the distance the mouse has to move (the mouse is sweeping left to right all the time now to rank vulnerabilities and then click on the next plugin).
      • Improve the interactive report load time: the report will be pretty big when you scan 30+ websites, so we might have to change things so that each plugin is retrieved via AJAX instead of loading every iframe on load.
      • Reduce the interactive report load and improve responsiveness: big reports can take a few seconds to load, and warnings like "this site is not responding" are undesired, so we would like to reduce the HTML and JavaScript load to make the report faster to use.
  • OWASP OWTF - Unit Test Framework: As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that existing functionality remains intact. In this project we would like to create a unit testing framework so that creating OWASP OWTF unit tests is as simple as possible. The goal of this project is to create the Unit Test Framework and as many unit tests as possible to verify OWASP OWTF functionality.
  • OWASP PHP Security Project: To make some stand-alone libraries to strengthen security in PHP and to alleviate some of the security risks cited in the OWASP Top 10 list, and then to extend the collection of these libraries into a basic framework which would evolve over time.
  • OWASP ZAP - SAML 2.0 Support: This project will enhance ZAP's capabilities to be able to detect and fuzz various elements and attributes of a SAML Assertion.
  • Plugin API and plugin actions interface in OWASP Hackademic Challenges: This project aims to develop a plugin API for the OWASP Hackademic Challenges CMS. The API will allow third party developers to use Actions, Filters and Themes to customise the system.
  • ZAP - Exploring Advanced reporting using BIRT: OWASP ZAP is an open source penetration testing tool for finding vulnerabilities in web applications. Reporting is a key component of ZAP as it gives users an insight into the test results. The proposed project is to explore the current capabilities of ZAP reporting and enhance it with the help of BIRT integration with ZAP. The proposed outcome will use the existing ZAP result outputs and generate reports for the end-users to analyse the testing results in a productive way.
  • ZAP Proxy : CMS Scanner: The project is an implementation of a ZAP extension to help with CMS scanning (WordPress, Joomla and Drupal as a first step).