Winter Code Sprint 2014 Ideas & Info

Foreword

The OWASP Winter Code Sprint (OWCS) is a program to involve students with Security projects. By participating in OWCS a student can get real life experience while contributing to an open source project and getting university credits.

Benefits

You get to work for a popular project. Since the project is open source your work is publicly visible. You get university credits while doing so. You are supervised by a person with real-world experience on security You make excellent contacts and you participate in an international team

Perks

Students who successfully(*) participate in the project will get:

(*) successful participation means a passing score granted by University authorities.

How it works:

Any project that will give you university credits can participate in OCWS. Each project will be guided by an OWASP mentor along with a professor. Students are graded by their University, based on success criteria identified at the beginning of the project.

Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. OWASP does not influence the way grades are allocated. The OWASP advisers will provide any information professors need in order to grade their students.

Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

How you can participate:

As a Student

  1. Review the list of OWASP Projects currently participating in OWCS
  2. Get in touch with the OWASP Project mentor of your choice.
  3. Agree deliverables with OWASP mentor and university professor.
  4. Work away during Autumn/Winter 2014
  5. Rise to Open Source Development Glory :-)

Students apply now!

As a Professor

  1. Review the list of OWASP Projects currently participating in OWCS
  2. Get in touch with the OWASP Project mentor of your choice.
  3. Promote the participating OWASP Projects among students. Here is a handy slide deck that could be useful
  4. Review student progress with help from OWASP mentors.
  5. Grade student work according to university scoring system.
  6. Provide student grade results to OWASP mentor/s.

As an OWASP Project Leader

  1. Edit this page adding your project and some proposed tasks as per the examples
  2. Promote the initiative to your academic contacts

Mailing List

Please subscribe to the following mailing list to receive updates or ask any particular questions:

OWASP Winter Code Sprint Google Group

How to Apply

Please fill up this form before the deadline.

https://docs.google.com/forms/d/1CFPzLIRje6Wb34MHq-8HwG0pjlkDixHA3xITVssN_Jw/viewform

Deadlines

To facilitate the participation in the initiative for as many universities as possible, there are 2 deadlines for applying. The first one is 15 September 2014 and the next one is 15 October 2014. The double deadline means that OWASP Leaders will review the submissions and announce the choosen projects two times. Once at the end of September and once at the end of October.

Participating OWASP Projects

OWASP OWTF - VMS - OWTF Vulnerability Management System (FREE!)

Brief Explanation:

Background problem to solve:

We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date.

Proposed solution:

We can meta aggregate these duplicate issues into one issue of “outdated software / apache / php detected”. with XYZ list of issues in them.

A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable both from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf

VMS will have the following features:

Similar previous work for Nessus

For background on OWASP OWTF please see: OWASP OWTF

Expected results:

Knowledge Prerequisite:

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: [email protected]

OWASP OWTF - HTTP Request Translator (FREE!)

Brief Explanation:

Problem to solve:

There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.

Proposed solution:

An HTTP request translator, a standalone tool that can:

1) Be used from inside OR outside of OWTF.

2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts

3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)

Essential Function: “–output” argument

CRITICAL: The command/script should be generated so that the request is sent as literally as possible.

Example: NO client specific headers are sent. IF the original request had “User-Agent: X”, the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.

NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)

Basic additional arguments

OWTF integration

The idea here, is to invoke this tool from:

1) Single HTTP transactions:

For example, have a button to “export http request” + then show options equivalent to the flags

2) Multiple HTTP transactions:

Same as with Single transactions, but letting the user “select a number of transactions” first (maybe a checkbox?).

Desired input formats

Nice to have: Transforms

In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy “macros” so that the relevant command/script is generated accordingly.

Example:

NOTE: Assume something like the following arguments: “–transform-boundary=@@@@@@@ –transform-language=php”

Step 1) The user provides a raw HTTP request like this:

GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test Host: target.com …

Step 2) The tool generates a bash script like the following:

#!/bin/bash

PARAM1=$(echo ‘abc d’ | php -r “echo urlencode(fgets(STDIN));”) curl …… “http://target.com/path/to/$PARAM1/test”

OR a “curl command” like the following: PARAM1=$(echo ‘abc d’ | php -r “echo urlencode(fgets(STDIN));”); curl …… “http://target.com/path/to/$PARAM1/test”

This feature can be valuable to shave a bit more time in script writing.

For background on OWASP OWTF please see: OWASP OWTF

Expected results:

Knowledge Prerequisite:

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: [email protected]

OWASP OWTF - JavaScript Library Sniper (FREE!)

Brief Explanation:

This is a project that tries to resolve a very common problem during penetration tests:

The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something really bad! :)- can be done with that or not.

To solve this problem, we propose a standalone tool that can:

1) Be run BOTH from inside AND outside of OWTF

2) Build and update a fingerprint JavaScript library database of:

3) Build and update a vulnerability database of:

4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:

5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:

Once the standalone tool is built and verified to be working, OWTF should be able to:

Feature 1) GREP plugin improvement (Web Application Fingerprint):

Step 1) Lookup file lengths and hashes in the “JavaScript library database”

Step 2) If a match is found: provide the list of known vulnerabilities against “JavaScript library X” to the user

Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):

1) Requests all referenced BUT missing JavaScript files -i.e. scanners won’t load JavaScript files! :)-

2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)

Potential projects worth having a look for potential overlap/inspiration:

How many JavaScript libraries should be included?

Common JavaScript library fingerprinting techniques include:

Other Challenges:

For background on OWASP OWTF please see: OWASP OWTF

Expected results:

Knowledge Prerequisite:

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: [email protected]

OWASP OWTF - Off-line HTTP traffic uploader (FREE!)

Brief Explanation:

Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:

This project is about implementing an off-line utility able to parse HTTP traffic:

1) Figure out how to read output files from various tools like: skipfish, hoppy, w3af, arachni, etc. Nice to have: ZAP database, Burp database

2) Translate that into the following clearly defined fields:

3) IMPORTANT: Implement a plugin-based uploader system

4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database

5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.

6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of stupidly trying to load everything into memory first, you have been warned! :)

Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)

CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.

For background on OWASP OWTF please see: OWASP OWTF

Expected results:

Knowledge Prerequisite:

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: [email protected]

OWASP OWTF - Health Monitor (FREE!)

Brief Explanation:

In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.

For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:

Feature 1) Alerting mechanisms

When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:

NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.

Feature 2) Corrective mechanisms

Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:

Additional mechanisms:

Feature 3) Target monitor

Brief overview:

All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).

Potential approach: Check if length of 1st page changes every 60 seconds.

NOTE: It might be needed to change this on the fly.

More background

Consider the following scenario:

Current Situation aka “problem to solve”:

1) Website X goes down during a scan

2) the customer notices

3) the customer tells the boss

4) the boss tells the pentester

5) the pentester stops the tool which was still trying to scan THAT target (!!!!)

Desired situation aka “solution”:

It would be much more professional AND efficient that:

1) The pentester notices

2) The pentester tells the boss

3) The boss tells the customer

4) OWTF stops the tool because it knows that website is DEAD anyway

A target monitor could easily do this with heartbeat requests + playing mp3s

The target monitor will use the api to tell OWTF “this target is dead: freeze(stop?) current tests, skip target in future tests”

’'’Feature 4) Disk space monitor’’’

Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).

Proposed solution:

Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).

Feature 5) Network/Internet Connectivity monitor

Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:

1) Detects the lack of connectivity

2) Freezes all the tools (read: processes) in progress

3) Resumes the scan when the connectivity is back.

’'’Feature 6) Tool crash detection’’’

Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)

Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction

OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.

For background on OWASP OWTF please see: OWASP OWTF

Expected results:

Knowledge Prerequisite:

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: [email protected]

OWASP OWTF - Installation Improvements and Package manager (FREE!)

Brief Explanation:

This project is to implement what was suggested in the following github issue: [https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]

Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster? Having a private server with:

– They could be hosted on Dropbox or a private VPS :)

2 Installation Modes

For background on OWASP OWTF please see: OWASP OWTF

Expected results:

Knowledge Prerequisite:

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: [email protected]

OWASP OWTF - GSoC project extension

Brief Explanation:

This is a wildcard entry for all those GSoC project improvements that you had in mind. The actual work performed will depend on the GSoC project you would like to extend.

For background on OWASP OWTF please see: OWASP OWTF

Expected results:

’'’Prerequisite:’’’

Ideally be the author of the relevant GSoC project you would like to extend :)

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: [email protected]

OWASP OWTF - Testing Framework Improvements (TAKEN!)

WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply

Brief Explanation:

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

Top features

In this improvement phase, the Testing Framework should:

General background

The Unit Test Framework should be able to:

For background on OWASP OWTF please see: OWASP OWTF

Expected results:

Knowledge Prerequisite:

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: [email protected]

OWASP OWTF - Tool utilities module (TAKEN!)

’'’WARNING: This idea is taken from the 1st round of OWCS selections (Sept. 15th), please do NOT apply’’’

Brief Explanation:

The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.

Feature 1) Vulnerable software version database

Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).

Example: [http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]

Feature 2) Nmap output file merger

Unify nmap files without losing data: XML, text and greppable formats For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).

Feature 3) Nmap output file vulnerability mapper

From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):

1) CVEs in reverse order of CVSS score, with links.

2) Metasploit modules available for each CVE / issue

NOTE: Can supply an old shell script for reference

3) Servers/ports affected (i.e. all server / port combinations using that software version)

Feature 4) URL target list creator

Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF

Feature 5) Hydra command creator

nmap file in => Hydra command list out

grep http auth / login pages in output files to identify login interfaces => Hydra command list out

Feature 6) WP-scan command creator

look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press

For background on OWASP OWTF please see: OWASP OWTF

Expected results:

Knowledge Prerequisite:

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

OWASP OWTF Mentor:

Abraham Aranguren - OWASP OWTF Project Leader - Contact: [email protected]

OWASP Hackademic Challenges - Source Code testing environment

Brief Explanation:

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler’s functionality.

Expected results:

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

Knowledge Prerequisites

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

OWASP Hackademic Mentors:

Konstantinos Papapanagiotou, Spyros Gasteratos - Contact: [email protected] / [email protected]

OWASP Hackademic Challenges - Challenge Sandbox

Now, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend, we’d like the ability to write a normal vulnerable web application as a challenge and leave it to hackademic to make sure that the server is not affected. Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss about it and plan it correctly.

Ideas on the project:

Administrator’s point of view

Create an infrastructure that spawns virtual environments for users while keeping the load reasonable on the server(s). Or configure apache,php,mysql in a way that allows for multiple instances of the programms to run in parallel completely seperated from the rest of the server. The student is expected to provide configuration scripts that do the above

Coder’s Way

This is better explained with an example: In order to create an sql injection challenge one should be able to call a common unsecure mysql execute statement function. The student can override common functions like this providing their own implementation of a very temporary database (based on flat files or nosql solutions e.t.c.). The new functions should be able to detect the sqli and apply its results in a secure way(if the student drops a table no actual tables should be dropped but the table should not be visible to the student anymore).

Expected results

You should be able to upload a trully vulnerable web application as a hackademic challenge without compromising the server outside the sandbox.

OWASP Hackademic Challenges - CMS improvements

Brief Explanation:

The new CMS was created during 2012 GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome. For a complete list you can take a look at the issues in our github page here https://github.com/Hackademic/hackademic Some ideas to get you started: Ideas on this project:

Since it’s creation the project has received a good number of new features, but the visual/ux/ui part has never gotten much love. It would be good if we had a new template with proper ui design.

We’d like the admin to be able to create questionaires, assign rules for each question (e.g. correct answer +2pts incorrect answer -2, no answer 0) and assign them to students as homework/exams. The grading can either be done automatically (for multiple choice) or be submitted to the creator of the questionaire.

Now each user is served the latest article in their home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.

A series of plugins and a template which allow the user to earn badges as they solve challenges and a better visual representation of their progress.

The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can’t try the next one.

A user should be able to put tags on articles and challenges if they are a student and on users, classes, articles and challenges if they are a teacher. Also the user should be able to search according to the tags.

We welcome new ideas to make the project look awesome.

Expected results:

New features and security improvements on the CMS part of the project.

Knowledge Prerequisites:

Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements.

OWASP Hackademic Mentors:

Konstantinos Papapanagiotou, Spyros Gasteratos - Contact: [email protected] / [email protected]

OWASP Hackademic Challenges - Fix issues

Hackdemic has an issues page [here https://github.com/Hackademic/hackademic/issues] some of the issues are small projects which can be solved in an afternoon, others need more work. If your professor agrees with the workload, you can fix one or multiple issues as part of OWCS. Additionally, you can open some issues that later you can fix, or propose new features.

Knowledge Prerequisites:

PHP and optionally some knowledge of application security.

NOTE

This “project” was added to encourage students to be creative and participate, we do accept projects outside the ones proposed if they can be integraded to the platform and are relevant to the purpose of Hackademic.

OWASP ZAP - Web UI

Brief explanation:

ZAP is already an extremely capable tool used by many different groups of users. Work has already been done to make ZAP useful in environments where it can’t run interactively (e.g. via the API). ZAP main Swing UI doesn’t provide convenient access to remote users; a UI which provides some functionality for for users in such environments would be very useful.

Adding a powerful HTML interface to ZAP would allow it to operate in an even wider range of situations.

Expected results:

Optional

Multi user / access controls, etc?

General background

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML, CSS and JavaScript. Some knowledge of application security would be useful, but not essential.

OWASP ZAP Mentor:Simon Bennetts - Contact: [email protected]

OWASP ZAP - Advanced reporting

Brief Explanation:

OWASP ZAP has a limited reporting feature. The actual version can print only the ‘Alerts’ results into a simple pdf, html or in xml format.

Expected results:

We want to be able to print more than the Alerts results , which includes many other outputs such as: Request and Response, Active Scan, Zest among others.

General background

During the Gsoc 2013, we did a research and a prototype module was created, using BIRT plugins for Advance reporting. Read more about the results of the explorative research : https://www.owasp.org/index.php/GSoC2013_Ideas/OWASP_ZAP_Exploring_Advanced_reporting_using_BIRT]

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

OWASP ZAP Mentor:Johanna Curiel - Contact: [email protected]

OWASP ZAP - CI Integration

Brief Explanation:

ZAP is ideally suited for performing security tests in a Continuous Integration environment.

Right now there are a lot of manual steps to perform. This development will be to investigate and implement code/plugins etc to make it much easier to integrate ZAP with tools like Selenium and Jenkins / Hudson.

Expected results:

Code, plugins and documentation to make it as easy as possible to integrate ZAP with common CI tools.

General background

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

OWASP ZAP Mentor:Simon Bennetts - Contact: [email protected]

OWASP ESAPI - Build Apache Struts 2 component

Brief Explanation:

Struts2 is one of the most widely used Java MVC frameworks, users of ESAPI are regularly looking for pluggable components that they can drop into their application to utilize ESAPI within the context of their application framework. The goal of this task is to create a set of pluggable components that integrate ESAPI into Struts2 to utilize ESAPI Encoders, Validation, and Intrusion Detection with the least amount of manual work and configuration.

Expected results:

A standalone project that uses ESAPI Components in a Struts2 add-on. This can be placed with the ‘contrib’ section of ESAPI.

Knowledge Prerequisites:

A solid understanding of Java and Apache Struts, comfort developing unit tests in JUnit and functional tests using Selenium or HttpUnit as well as maintaining a Maven build.

CCCC OWASP ESAPI Mentor: Kevin W. Wall - OWASP ESAPI for Java Project Leader - [email protected]

OWASP ESAPI – Port OWASP Swingset Interactive to use ESAPI 2.x

Brief Explanation:

The ESAPI Swingset Interactive is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library. The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities. The goal of this project is to adapt the Swingset Interactive to work with the ESAPI 2.x libraries.

Expected results:

Make the current Swingset Interactive application compatible with ESAPI 2.x. Swingset Interactive currently comes with ESAPI 1.4. Various changes and improvements were made with ESAPI 2.x and it is generally recommended not to use 1.4 any longer for Java EE Projects.

Additional relevant references: Web site: https://www.owasp.org/index.php/Projects/OWASP_ESAPI_Swingset_Interactive_Project Mailing List: http://lists.owasp.org/pipermail/owasp-esapi-swingset/

Knowledge Prerequisite:

A basic knowledge of Java, Java Servlets is necessary, as is knowledge of HTML. A working knowledge of ESAPI would be helpful.

CCCC OWASP ESAPI Mentor: Kevin W. Wall - OWASP ESAPI for Java Project Leader - [email protected]

OWASP ESAPI 2.x - Enhance Security Configuration

Brief Explanation:

There are currently more than a half-dozen of open Google Issues in ESAPI regarding the security configuration component (e.g., see ESAPI Security Configuration Issues).

The ESAPI interface for its configuration (SecurityConfiguration) is overly complicated; it has a ‘getter’ method specific to almost every ESAPI configuration property. The rules for how and where the ESAPI.properties file is found are overly complicated making questions about it one of the most frequently asked questions on forums such as Stack Exchange and the ESAPI mailing lists. This complication leads to a unduly intricate, non-modular reference implementation (DefaultSecurityConfiguration) that makes it difficult to extend in terms of new functionality.

A new, simpler security configuration interface and implementation is needed. Such an implementation would not only be useful for ESAPI 2.x, but could very well be used to build the configurator needed by ESAPI 3.

Expected results:

As part of this Winder Code Sprint project, expectations would not only to address as many of the open security configuration issues as possible, but to also go beyond this to allow a framework for additional extensions in terms of functionality.

Specific expectations include:

Knowledge Prerequisite:

Since the ESAPI 2.x project is written in Java, a good knowledge of Java is essential. A strong knowledge of JUnit will also be helpful in creating unit test cases. A working knowledge of XML or JDBC may also prove helpful.

CCCC OWASP ESAPI Mentor: Kevin W. Wall - OWASP ESAPI for Java Project Leader - [email protected]

OWASP ESAPI 2.x - Miscellaneous multiple bug fixes

Brief Explanation:

Fix at least 5 bugs listed in Google Issues.

There are currently (as of Oct 11, 2014) 170 open issues for ESAPI listed at https://code.google.com/p/owasp-esapi-java/issues/list.

Students would be expected to fix at least 5 bugs, including at least 3 bugs that do NOT have the “FirstBug” label.

Expected results:

Students must write well documented code along with appropriate unit tests cases in JUnit. Code will be reviewed by mentor and must meet mentor’s possibly subjective code review with respect to correctness, completeness, and quality.

Knowledge Prerequisites:

A solid understanding of Java and comfort developing unit tests in JUnit as well as a beginner understanding of OWASP Top 10 issues. An understanding of ESAPI security controls would also be helpful.

CCCC OWASP ESAPI Mentor: Kevin W. Wall - OWASP ESAPI for Java Project Leader - [email protected]

Participating Universities, Professors

Here’s a small and not complete list of professors who are accepting participants (If your professor wants to accept more than one team, and you want to help your classmates please add institute name and professor/course here)

More info?

Please get in touch with the OWASP Winter Code Sprint Lead: [email protected]