GSoC 2022 Ideas

JuiceShop - ZAP - Maryam - DSOMM - SecureTea - PyGoat - PurpleTeam - Threat Dragon - Coraza Web Application Firewall - ModSecurity Core Rule Set - OWTF - Python Honeypot - Nettacker - Security Knowledge Framework - Bug Logging Tool (BLT)

Tips to get you started in no particular order:

List of Project Ideas

OWASP Juice Shop

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

To receive early feedback please:

Explanation of Ideas
Score Board UI/UX

Possible for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Difficulty: Hard

Juice Shop’s existing Score Board has been rewritten from scratch once when the project moved from AngularJS/Bootstrap to Angular/Material. Since then, new features, filters and information has been added to it over the years. It has grown to a point where it can be confusing for beginners. It also became pretty slow to render over time.

After a big facelift project for all the other UI screens, the Score Board now is the one screen left to require some special attention. As it is the heart and soul of the Juice Shop, any redesign or usability improvements must be thoroughly tested and strive for the best possible user experience.

Replacement for Protractor end-to-end test suite

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Difficulty: Medium

The Angular team plans to end development of Protractor at the end of 2022 (in conjunction with Angular v15).

(Source: https://github.com/angular/protractor/issues/5502)

With the Angular 15 release end of 2022, development support for Protractor will be terminated by the Angular team. In order to not get stuck on a <15 version of Angular or running into a probably increasing number of issues with Protractor, it is time for Juice Shop to look into end-to-end testing alternatives. This project would migrate all existing Protractor tests to a new test framework. The framework choice should follow recommendations of the Angular team in order to avoid incompatibility issues in the future.

Your own idea

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

Expected Results
Getting started
Mentors

OWASP ZAP

ZAP is the world’s most widely used web scanner. Previous GSoC contributors have added key features and are all listed in the ZAP Student Hall of Fame.

To get started with ZAP contributions see the ZAP Contributing Guide. We expect GSoC contributors who apply to work on ZAP to have had at least one code PR merged into one of the ZAP repos.

Import PCAP/PCAPNG Files

Preferred for "Medium" GSoC 2022 project

Difficulty: Easy

Import PCAP/PCAPNG Files into ZAP as per #4812

Modern Web App Framework Handling: Angular / VueJS / React

Possible for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Difficulty: Medium Difficulty: Hard

Enhance ZAP to handle one modern framework better - either Angular, VueJS or React. This project should allow ZAP to extract more information from one of the top JavaScript frameworks and potentisally tune attacks to target known issues with that framework.

Browser Recorder

Not recommended for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Difficulty: Hard

Create a new ZAP add-on which will allow the user to record and replay browser interactions, for example during authentication as per #7139

Param Miner

Not recommended for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Difficulty: Hard

Implement the equivalent on the Burp Pram Miner add-on which identifies hidden, unlinked parameters. It’s particularly useful for finding web cache poisoning vulnerabilities as per #7140

Your Own Idea

Preferred for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Difficulty: Easy Difficulty: Medium Difficulty: Hard

We are always delighted to hear from contributors who have their own ideas for projects. You are encouraged to discuss these with the ZAP project leaders.

Mentors

All ZAP projects will be mentored by the ZAP Project Leaders:

OWASP Maryam

OWASP Maryam is a modular open-source framework based on OSINT and data gathering. It is designed to provide a robust environment to harvest data from open sources and search engines quickly and thoroughly.

Explanation of Ideas
Iris

Possible for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Iris currently has been added to Maryam as some basic Natural Language Processing Operations. We want to improve it. It has a simple document clustering module, a simple meta search engine, and sentiment analysis. What we want to do add new clustering methods that use neural networks(CNN, RNN, LSTM, …) in order to create clusters, a topic modeling module to extract topics from documents, and a model that recognizes the most relevant documents by the given query.

Getting Started
Mentors

OWASP DSOMM

New Application

The OWASP DevSecOps Maturity Model is used to assess and present the devsecops maturity of an organization. It consits of an application and devsecops maturity model information. The application is used to present and assess the model itself. As it is aged, a new modern application with a frontend in angular is to be developed. Please also add your own ideas for enhancements in the propsal. Possible for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Your Own Idea

You have an awesome idea to improve OWASP DSOMM? Great, please submit it!

Preferred for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Getting Started
Mentors

OWASP SecureTea

The OWASP SecureTea Project provides a one-stop security solution for various devices (personal computers / servers / IoT devices). Possible for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Expected results

Possible for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Getting started
Student Requirements
Mentor

OWASP PyGoat

Intentionally vuln web Application Security in django.

Possible for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Expected results

Possible for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Getting started
Student Requirements
Mentor

OWASP PurpleTeam

PurpleTeam is a Developer focussed security regression testing CLI and SaaS targeting Web applications and APIs. The CLI is specifically targeted at sitting within your build pipelines but can also be run manually. The SaaS that does the security testing of your applications and APIs can be deployed anywhere.

The core components are detailed here.

Getting Started

Idea 1: Fork docker-compose-ui

Description

PurpleTeam local relies on docker-compose-ui to start stage two containers. docker-compose-ui is now no longer maintained. In order to use the latest versions of docker-compose docker-compose-ui needs to be forked and made to support the latest docker-compose version. Additional getting started resources here.

Expected Outcomes
Skills Required/Preferred
Mentors
Expected Size of Project

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Difficulty: Medium

Idea 2: Add Authentication Techniques

Description

Most of this work would be added to EmissaryAuthentication, as per #44. We will point you in the right direction for the Zaproxy authentication documentation. This functionality will require modifications to the Job file, schema which resides in the CLI and orchestrator and a separate schema in the App Tester. Changes will need to be made for both Browser App and API Job file schemas and documentation.

Expected Outcomes
Skills Required/Preferred
Mentors
Expected Size of Project

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Difficulty: Medium

Idea 3: Create Better Dockerfiles

Description

Take the working stage one PurpleTeam local Dockerfiles and make them as small and fast as possible to build and run. The Dockerfiles are core to how PurpleTeam is developed and debugged. The smaller and faster these are, the faster PurpleTeam can be developed and deployed to both local and cloud environments. As per issue #92

Expected Outcomes
Skills Required/Preferred
Mentors
Expected Size of Project

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Difficulty: Easy

Idea 4: Create API System Under Test (SUT)

Description

Find a purposely vulnerable API ideally that offers multiple authentication types and multiple types of API (openApi, SOAP, graphQl, generic). Containerise it if it isn’t already. Add it to the purpleteam-iac-sut project so that it can be deployed (with terragrunt apply) and destroyed (with terragrunt destroy). This is so that the PurpleTeam core team can test against a vulnerable set of APIs to confirm that PurpleTeam (via Zaproxy) is producing the correct results.

Expected Outcomes
Skills Required/Preferred
Mentors
Expected Size of Project

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Difficulty: Medium

Idea 5: Provide the ability to remove alerts from reports by marking as false positive

Description

This is another way for PurpleTeam users to manage false positives. There’s an option in the Zap API to updateAlertsConfidence for specific alerts. We can change the confidence level to 0 - False Positive. This doesn’t change the number of alerts raised, but the specific alert won’t be included in the reports. We’ve tested (PoC) this HTML and JSON reports. Full details on the backlog item #100.

Expected Outcomes
Skills Required/Preferred
Mentors
Expected Size of Project

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Difficulty: Easy

Idea 6: Implement Server Scanner

Description

Implement the Server Scanner as the third PurpleTeam Tester as per #61. We’re going to be using Nikto. The majority of the code will be in https://github.com/purpleteam-labs/purpleteam-server-scanner. This is mostly green fields work. We have the app-scanner and tls-scanner fully implemented to use as a reference for what Testers look like. The diagram here shows where Testers fit into the architecture.

Expected Outcomes
Skills Required/Preferred
Mentors
Expected Size of Project

Possible for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Difficulty: Hard

Pick idea from Product Backlog

Pick an idea that we already have listed or supply one of your own. Please talk with us about what you’re thinking of.

OWASP Threat Dragon

Threat Dragon is a threat modeling tool that is widely used by many organisations and companies to create threat model diagrams. It is an OWASP Lab project and is in the process of developing a new version 2.0 using Vue and Node.

Explanation of Ideas

Of the various features that are waiting to be implemented for Threat Dragon, the one chosen for GSoC is self contained and directly visible to users of the project.

Enable Threat Dragon as a part of CI/CD Pipelines

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Difficulty: Hard

It is not easy to use Threat Dragon in a CI/CD pipeline, and it would be great if CI/CD pipeline integration was provided by Threat Dragon. This is a feature that is at the beginning of development, which allows the developer to design it from scratch and see it all the way through to acceptance by the Threat Dragon community.

Expected Results
Getting started
Mentors

OWASP Coraza Web Application Firewall

OWASP Coraza is a golang enterprise-grade Web Application Firewall framework that supports Modsecurity’s seclang language and is 100% compatible with OWASP Core Ruleset. OWASP Coraza is super extensible; each feature from seclang can be easily extended and integrated with other technologies.

Getting Started
Explanation of Ideas
Implement new directive for rate limiting

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Rate limiting is a feature that needs to be concocted using a combination of SecRules that adds complexity and it is mandatory for the today Web. While you have the scaffolding to create it, is should be easy to create and maintain.

Basic example

The proposal is to add a new directive, maybe SecRuleRateLimit, where you define:

Advanced example

The advanced setting should be able to synchronize this limit using a persistent storage or other communication method. Depending on the load, it will be very common to run a cluster of Coraza protected servers. Hence the need for syncing between all deployed servers.

There are many examples on how to do this using, for example, in memory or Redis. We should discuss if this requires additional go modules, which one is the best for this case.

Expected Results

Student Requirements

Mentors

Difficulty: Medium

Apache module

Most OWASP Core Ruleset users are currently running their ruleset using apache 2 and mod_security2. In order to bring OWASP Coraza features to these users, we should provide a production-ready Apache module.

Not recommended for "Medium" GSoC 2022 project Preferred for "Large" GSoC 2022 project

Expected Outcomes

This project has two parts, making libcoraza stable enough to support the Apache implementation, and implementing an Apache module PoC that can evaluate seclang rules using Coraza and process the 5 Coraza phases efficiently.

Some considerations:

The following project can be used as a baseline, but there is no stable release yet: https://github.com/SpiderLabs/ModSecurity-apache

Student Requirements

Mentors

Difficulty: Hard

coraza-server

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

coraza-server was originally created as an experiment, but it has been the most successful sub-project. It allows to run OWASP Coraza as an HPOA server for HAProxy, but it was originally designed to support multiple protocols, like GRPC and Rest. Currently, it only supports SPOA.

Expected Outcomes

Student Requirements

Mentors

Difficulty: Medium

GraphQL body processor

Preferred for "Medium" GSoC 2022 project Not recommended for "Large" GSoC 2022 project

OWASP Coraza supports multiple body processors, they are used to read the request body and transform the content into a processable format, for example, it can transform multipart data into a list of temporary files and arguments, or it can transform a JSON payload into arguments.

Expected Results

The GraphQL Body Processor must provide a safe way to read the GraphQL from JSON and create a simple introspection that could feed the ARGS_POST variable.

Student Requirements

Mentors

Difficulty: Medium

OWASP ModSecurity Core Rule Set

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

Getting Started

CRS 💡 #1

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Machine Learning plugin integration
Summary

Enhance / finish / develop / integrate the machine learning plugin, including the documentation and showcase project for people to reproduce

Description

There have been a few diploma or master thesis working with ModSecurity / CRS and machine learning. Most of the students really struggled to understand ModSecurity and were hardly able to concentrate on the more interesting ML research. The idea of this project is to finish / polish the existing proposal for a ML framework for CRS, so that future students have an easier time getting started with ML and ModSecurity / CRS.

Expected Outcomes
Skills required/preferred
Mentors

The CRS team will assign a mentor to contributors. In the meantime, the following two CRS project leaders will be your contacts:

Difficulty: Medium

CRS 💡 #2

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

CRS Transformations review

Summary

Systematic review of transformations, develop a guideline how to transform which parameters and in which order, implement the necessary changes

Description

This is one for the nerds, or for somebody who is not afraid to dig into the hairy details of language encodings and their implementation. The ModSecurity SecLang rule language that CRS uses comes with a few dozen of transformation that can help to simplify payloads that make it easier to detect attacks. Think of removing white space or perform base64 decoding. CRS uses this, but we have to admit in an not overly systematic way. So what we would need is somebody who looks at the various options, looks at frequent attacks and tells us which transformations / decodings should be used and in which situation, so we can follow this guideline in a systematic way.

Expected Outcomes
Skills required/preferred
Mentors

The CRS team will assign a mentor to contributors. In the meantime, the following two CRS project leaders will be your contacts:

Difficulty: Easy

CRS 💡 #3

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

SecLanguage platforms performance analysis
Summary

Systematic performance analysis on various SecLanguage platforms: Costs of operators, transformations and variables (depending on size of payload / varname+value and number of variables)

Description

This is a research project aiming to do a written report about the performance of the essential part of the SecRule language on various implementations, namely ModSecurity 2, libModSecurity 3, Coraza. The ModSecurity Handbook does not really go into enough detail of the performance impact of those constructs that CRS uses as its work horses. So we kind of depend on a gut feeling and a proper base and guideline would be very beneficial.

Without exaggerating too much, you need to keep in mind that CRS is running on millions of servers, some of them with hundreds of millions of requests per day (or more). If you now imagine that we could save some CPU cycles when we optimize the rules, then there is a big, big potential to good. Also to the planet in resource consumption.

Expected Outcomes
Skills required/preferred
Mentors

The CRS team will assign a mentor to contributors. In the meantime, the following two CRS project leaders will be your contacts:

Difficulty: Hard

CRS 💡 #4

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

WAF Performance Testing Framework

Summary

Create a performance testing framework i. e. something like regression tests but for performance, so we can see impact on performance of every pull request.

Description

A frequent problem when developing new rules is their performance impact. Experience shows you do not really know the performance of a rule until you have tried it out. If you want to test it against a variety of payloads it’s quite a lot of manual work and since we do not have a documented test procedure, it’s all a bit random.

So the idea is to design a facility (typically a docker container) that is being configured with a rule and then used to test this rule with a variety of payloads and returns a standard report about the performance of the rule. Bonus points if multiple engines are covered (ModSecurity 2, libModSecurity 3, Coraza, …)

Expected Outcomes
Skills required/preferred
Mentors

The CRS team will assign a mentor to contributors. In the meantime, the following two CRS project leaders will be your contacts:

Difficulty: Medium

CRS 💡 #5

Preferred for "Small" GSoC 2022 project Possible for "Medium" GSoC 2022 project

New plugin for <enter-your-cool-idea>
Summary

Write new plugins to prevent attacks.

Description

We have recently added plugin functionality to CRS. The Plugin Registry has a decent overview of existing plugins and this blog post does a good job describing a very cool plugin for inspiration.

Think about writing another cool plugin to complement the repository.

Expected Outcomes
Skills required/preferred
Mentors

The CRS team will assign a mentor to contributors. In the meantime, the following two CRS project leaders will be your contacts:

Difficulty: Easy

CRS 💡 #6

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Automated WAF CVE testing and reporting
Summary

Setup automatic workflow to scan existing CVE PoC repository and run PoCs against sandbox

Description

This takes threat intelligence and threat analysis to the next level. The idea is to hook up on the Trickest GitHub Repo with Proof of Concept exploits of CVEs, extract them automatically, run them against our sandbox and report; namely if we do not catch the exploit.

If you manage to pull this off, this would be real milestone for the WAF / security industry. On top, this looks like a lot of fun.

Expected Outcomes
Skills required/preferred
Mentors

The CRS team will assign a mentor to contributors. In the meantime, the following two CRS project leaders will be your contacts:

Difficulty: Hard

OWASP OWTF

Offensive Web Testing Framework (OWTF) is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment.

OWASP OWTF - Passive Online scanner improvements

Brief Explanation

OWTF allows many passive tests, such as those using third party websites like Google, Bing, etc. searches, as well as handy “Search for vulnerability” search boxes (i.e. Fingerprinting plugin). This feature involves the creation of a “script” that produces an interactive OWTF report with the intention of hosting it in the github.io site. The idea here is to have a passive, JavaScript-only interactive report available on the owtf.github.io site, so that people can try OWTF “without installing anything”, simply visiting a URL.

This would be a normal OWTF interactive report where the user can:

The passive online scanner, simply makes OWTF passive testing through third party websites more accessible to anybody, however it is the user that must

  1. click the link manually +
  2. do something bad with that afterwards +
  3. doing 1 + 2 WITHOUT permission :). Therefore this passive online scanner does not do anything illegal More information about why this is not illegal here (recommended reading!)

For background on OWASP OWTF please see: OWASP OWTF

Expected results:
Knowledge Prerequisite:

A good knowledge of JavaScript and writing ES6 compliant React/TypeScript is needed. Previous exposure to security concepts and penetration testing is not required but recommended and some lack of this can be compensated with pre-GSoC involvement and will to learn.

OWASP OWTF Mentors:

OWASP OWTF - Web interface enhancements

Brief Explanation:

The current owtf web interface is implemented in ReactJs with Redux as the state manager. The project involves - (1) integration of Typescript in the code to ease the refactoring process, (2) upgrading the UI to remove additional dependencies and improve user experience . Check out the current implementation of the web interface at OWTF on GitHub.

For background on OWASP OWTF please see: OWASP_OWTF

Expected results:
Getting Started:
Knowledge Prerequisite:
OWASP OWTF Mentors:

OWASP OWTF - Login/Signup Implementation

Brief Explanation:

Some pages of the new OWTF interface has been under progess for a very long time. Complete implementation of the Login/Signup Page (APIs + frontend) with proper unit/functional tests will be deliverable for this project. Check out the current implementation of the web interface at OWTF on GitHub.

For background on OWASP OWTF please see: OWASP_OWTF

Expected results:
Getting Started:
Knowledge Prerequisite:
OWASP OWTF Mentors:

OWASP OWTF - General Improvements

Brief Explanation:

There are many small but important enhancements in the issue tracker which are too small to make a single project, but they can be grouped together to make a suitable GSoC project. The aim of the project is to implement some of the enhancements suggested in the issue tracker to improve user experience (adding new useful features and making the owtf tool easier to use), security and performance.

For background on OWASP OWTF please see: OWASP_OWTF

Expected results:
Knowledge Prerequisite:
OWASP OWTF Mentors:

OWASP Python Honeypot

Explanation of Ideas

OWASP Honeypot is an open-source software in Python language which designed for creating honeypot and honeynet in an easy and secure way! This project is compatible with Python 3.x and tested on Mac OS X, and Linux.

Getting Started

Expected Results

Knowledge Prerequisites

Mentors

OWASP Nettacker

Explanation of Ideas

OWASP Nettacker project is created to automate information gathering, vulnerability scanning and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP, and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanner making it one of the bests.

Getting Started

Expected Results

Knowledge Prerequisites

Mentors

Security Knowledge Framework (SKF)

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Explanation of Ideas

OWASP SKF is an open source web application that explains secure coding and its goal is to help you learn and integrate security by design in your software development and build applications that are secure by design. We have more then 70 SKF Labs for developers to practice the skills in security in terms of identifying and testing vulnerabilities. Apart from that, we also have writeup written for every lab here and this Markdown files have images and text explicitly.

So now the idea is to create a Video Editor, which is a web-based application for OWASP SKF, which will take those Markdown files as an input and separate those images and text, and will convert them into a Video or Presentation.

In technical Terms, We can do is to make a video editor in React or some other Framework, that will take a file like writeup.pdf or in other format. Then in the UI side you have options to put text in blocks. A block will contain text, time interval in video and an image which we will show at that time interval. That’s how we can make multiple blocks and after submitting the data. We will call the backend RestAPIs in django or flask, which will take those blocks data which contain time intervals images and text. And convert that text into speech and ultimately combine all those into a MP3 or any video file which user can get after the request is complete.

This will be the initial version of the project. We can advance it more using deep learning and some video editor libraries.

Difficulty: Medium

Getting Started

Expected Results

Knowledge Prerequisites

Mentors

Bug Logging Tool (BLT)

Preferred for "Medium" GSoC 2022 project Possible for "Large" GSoC 2022 project

Explanation of Ideas

Difficulty: Medium

Getting Started

Expected Results

Reach out to us on Slack to discuss further on the scope, changes required, or if you have any other proposal.

Knowledge Prerequisites

Mentors