GSoC2021 Ideas

OWASP Project Requests

Tips to get you started in no particular order:

List of Project Ideas

OWASP Juice Shop

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

To receive early feedback please:

Explanation of Ideas
Score Board

Juice Shop’s existing Score Board has been rewritten from scratch once, when the project moved from AngularJS/Bootstrap to Angular/Material. Since then, new features, filters and information have been added to it over the years. It has grown to a point where it can be confusing for beginners, and it has also become pretty slow to render.

After a big facelift project for all the other UI screens, the Score Board now is the one screen left to require some special attention. As it is the heart and soul of the Juice Shop, any redesign or usability improvements must be thoroughly tested and strive for the best possible user experience.

Your own idea

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

Expected Results
Getting started
Mentors

OWASP Maryam

Explanation of Ideas

OWASP Maryam is a modular, open-source, OSINT-based framework. Maryam is written in Python and is designed to provide a powerful environment for harvesting data from open sources and search engines, collecting it quickly and thoroughly.

Getting Started
Expected Results
Knowledge Prerequisites
Mentors

Zed Attack Proxy (ZAP)

Idea One: APIBlueprint or RAML Support (or both)

ZAP does not currently support parsing and subsequent testing of APIBlueprint or RAML definitions.

Expected Results
Getting Started
Mentors

Idea Two: Re-test Functionality

ZAP is currently able to detect vulnerabilities of various types; however, it doesn’t have a user-friendly mechanism for re-testing or re-validating identified weaknesses.

Refer to Issue 375 for further details, and to this User Group thread for discussion and staged implementation ideas.

Expected Results
Getting Started
Mentors

Idea Three: Your Idea

ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don’t worry, you can still submit it. We have accepted original projects in previous years, and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.

Expected Results
Getting Started
Mentors

OWASP SecureTea

The OWASP SecureTea Project provides a one-stop security solution for various devices (personal computers / servers / IoT devices).

Expected results
Getting started
Student Requirements
Mentor

OWASP Intelligent Intrusion Detection System

Explanation of Ideas

OWASP IIDS is open-source software that leverages artificial intelligence to detect intrusions and alert the responsible network administrator.

Getting Started

Expected Results

Knowledge Prerequisites

Mentors

OWASP OWTF

Offensive Web Testing Framework (OWTF) is a project focused on penetration testing efficiency and on aligning security tests with security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewriting some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Dockerized testing and deployment environment.

OWASP OWTF - Passive Online scanner improvements

Brief Explanation

OWTF offers many passive tests, such as those that query third-party websites (Google, Bing, etc. searches), as well as handy “Search for vulnerability” search boxes (e.g. in the Fingerprinting plugin). This idea involves creating a “script” that produces an interactive OWTF report with the intention of hosting it on the github.io site. The goal is a passive, JavaScript-only interactive report available on the owtf.github.io site, so that people can try OWTF “without installing anything”, simply by visiting a URL.

This would be a normal OWTF interactive report where the user can:

The passive online scanner simply makes OWTF’s passive testing through third-party websites more accessible to anybody; however, it is the user who must:

  1. click the link manually,
  2. do something bad with that afterwards, and
  3. do 1 + 2 WITHOUT permission :). Therefore this passive online scanner does not do anything illegal. More information about why this is not illegal here (recommended reading!)

For background on OWASP OWTF please see: OWASP OWTF

Expected results:
Knowledge Prerequisite:

Good knowledge of JavaScript and of writing ES6-compliant React/TypeScript is needed. Previous exposure to security concepts and penetration testing is not required but recommended; gaps can be compensated for with pre-GSoC involvement and a willingness to learn.

OWASP OWTF Mentors:

OWASP OWTF - Web interface enhancements

Brief Explanation:

The current OWTF web interface is implemented in ReactJS with Redux as the state manager. The project involves (1) integrating TypeScript into the code to ease the refactoring process, and (2) upgrading the UI to remove additional dependencies and improve the user experience. Check out the current implementation of the web interface at OWTF on GitHub.

For background on OWASP OWTF please see: OWASP_OWTF

Expected results:
Getting Started:
Knowledge Prerequisite:
OWASP OWTF Mentors:

OWASP OWTF - Login/Signup Implementation

Brief Explanation:

Some pages of the new OWTF interface have been in progress for a very long time. A complete implementation of the Login/Signup page (APIs + frontend) with proper unit/functional tests will be the deliverable for this project. Check out the current implementation of the web interface at OWTF on GitHub.

For background on OWASP OWTF please see: OWASP_OWTF

Expected results:
Getting Started:
Knowledge Prerequisite:
OWASP OWTF Mentors:

OWASP OWTF - General Improvements

Brief Explanation:

There are many small but important enhancements in the issue tracker which are too small to make a single project on their own, but which can be grouped together into a suitable GSoC project. The aim of the project is to implement some of the enhancements suggested in the issue tracker to improve user experience (adding new useful features and making the OWTF tool easier to use), security and performance.

For background on OWASP OWTF please see: OWASP_OWTF

Expected results:
Knowledge Prerequisite:
OWASP OWTF Mentors:

OWASP Python Honeypot

Explanation of Ideas

OWASP Honeypot is open-source software written in Python and designed for creating honeypots and honeynets in an easy and secure way! The project is compatible with Python 3.x and is tested on Mac OS X and Linux.

Getting Started

Expected Results

Knowledge Prerequisites

Mentors

OWASP Nettacker

Explanation of Ideas

The OWASP Nettacker project was created to automate information gathering and vulnerability scanning, and eventually to generate a report for networks covering services, bugs, vulnerabilities, misconfigurations, and other information. The software utilizes TCP SYN, ACK, ICMP, and many other protocols in order to detect and bypass firewall/IDS/IPS devices. By leveraging a unique method for discovering protected services and devices such as SCADA, OWASP Nettacker aims to gain a competitive edge over other scanners and become one of the best.
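As an added illustration of the detection side of the paragraph above (this is example code written for this page, not OWASP Nettacker’s own implementation), the block below shows how replies to TCP SYN and TCP ACK probes, including ICMP destination-unreachable messages, are interpreted to separate an open or closed port from a filtering device. The probe replies are constructed inline so the logic runs offline; the `ProbeResult` type and the verdict strings are assumptions of this example, and a real scanner would obtain the replies with raw sockets or a packet library.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ProbeResult:
    """Reply observed for one TCP probe (hypothetical type for this example).

    probe        -- flag we sent: "SYN" or "ACK"
    tcp_flags    -- flag string on a TCP reply, e.g. "SA" (SYN/ACK), "R"/"RA" (RST)
    icmp_unreach -- ICMP type 3 code if a destination-unreachable came back instead
    Both tcp_flags and icmp_unreach being None means the probe went unanswered.
    """
    probe: str
    tcp_flags: Optional[str] = None
    icmp_unreach: Optional[int] = None


# ICMP type 3 codes that mean a filter rejected the probe rather than the host
# being absent (net/host/proto/port unreachable and the admin-prohibited codes).
ICMP_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}


def _dropped_or_rejected(r: ProbeResult) -> bool:
    """True when there was no TCP reply: silence or a filter-type ICMP error."""
    return r.tcp_flags is None and (
        r.icmp_unreach is None or r.icmp_unreach in ICMP_FILTERED_CODES
    )


def classify_syn(r: ProbeResult) -> str:
    """SYN probe: SYN/ACK -> open, RST -> closed, silence/ICMP unreachable -> filtered."""
    assert r.probe == "SYN"
    if r.tcp_flags is not None:
        if "S" in r.tcp_flags and "A" in r.tcp_flags:
            return "open"
        if "R" in r.tcp_flags:
            return "closed"
        return "unknown"
    return "filtered" if _dropped_or_rejected(r) else "unknown"


def classify_ack(r: ProbeResult) -> str:
    """ACK probe: a RST from either an open or closed port means the packet
    reached the host (unfiltered); silence/ICMP unreachable means filtered."""
    assert r.probe == "ACK"
    if r.tcp_flags is not None and "R" in r.tcp_flags:
        return "unfiltered"
    return "filtered" if _dropped_or_rejected(r) else "unknown"


def firewall_verdict(syn: ProbeResult, ack: ProbeResult) -> str:
    """Combine both probes for one port into a statement about filtering."""
    s, a = classify_syn(syn), classify_ack(ack)
    if a == "unfiltered" and s in ("open", "closed"):
        return f"port {s}, no filtering seen"
    if a == "unfiltered" and s == "filtered":
        # A stateless packet filter drops new SYNs but lets bare ACKs through.
        return "stateless filter: SYN dropped but unsolicited ACK passed"
    if a == "filtered" and s == "open":
        # A stateful firewall permits the handshake but drops ACKs with no session.
        return "port open behind a stateful firewall (unsolicited ACK dropped)"
    if a == "filtered" and s == "filtered":
        return "fully filtered or host unreachable"
    return "inconclusive"


# Constructed replies for four ports, one per firewall situation (sample data, not captured traffic).
SCENARIOS = {
    "no_firewall_open": (ProbeResult("SYN", tcp_flags="SA"), ProbeResult("ACK", tcp_flags="R")),
    "stateless_filter": (ProbeResult("SYN"), ProbeResult("ACK", tcp_flags="R")),
    "stateful_firewall": (ProbeResult("SYN", tcp_flags="SA"), ProbeResult("ACK")),
    "admin_prohibited": (ProbeResult("SYN", icmp_unreach=13), ProbeResult("ACK", icmp_unreach=13)),
}


def demo() -> Dict[str, str]:
    """Run the verdict logic over the constructed scenarios."""
    return {name: firewall_verdict(syn, ack) for name, (syn, ack) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

Each probe type on its own is ambiguous (a silent SYN probe could be a stateful or a stateless filter); it is the combination of the SYN and ACK results that tells the two apart, which is why scanners that try to characterize a firewall send both.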

Getting Started

Expected Results

Knowledge Prerequisites

Mentors