GSoC 2023 Ideas

ZAPBug Logging Tool (BLT)MaryamSecureTeaPyGoatRiskAssessmentFrameworkJuice ShopOWASP WrongSecretsOWASP DevSecOps Maturity ModelOWASP secureCodeBoxOWASP ModSecurity Core Rule SetOWASP Nettacker

Tips to get you started in no particular order:

List of Project Ideas

OWASP ZAP

ZAP is the world’s most widely used web scanner. Previous GSoC contributors have added key features and are all listed in the ZAP Student Hall of Fame.

To get started with ZAP contributions see the ZAP Contributing Guide. We expect GSoC contributors who apply to work on ZAP to have had at least one code PR merged into one of the ZAP repos.

Import Postman API Definitions

Possible for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Import Postman API definitions into ZAP as per #6960

Import PCAP/PCAPNG Files

Preferred for "Medium" GSoC 2023 project

Difficulty: Easy

Import PCAP/PCAPNG Files into ZAP as per #4812

Browser Recorder

Not recommended for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Difficulty: Hard

Create a new browser extension using Type Script which will allow the user to record and replay browser interactions, for example during authentication as per #7139

Your Own Idea

Preferred for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Difficulty: Easy Difficulty: Medium Difficulty: Hard

We are always delighted to hear from contributors who have their own ideas for projects. You are encouraged to discuss these with the ZAP project leaders.

Mentors

All ZAP projects will be mentored by the ZAP Project Leaders:

Bug Logging Tool (BLT)

OWASP BLT is a bug-hunting & logging tool which allows users and companies to hunt for bugs, claim bug bounties and also to start bug-hunting sprees/contests respectively. It is preferred if the potential GSoC contributors get atleast one PR merged for the project.

Preferred for "Medium" GSoC 2023 project Possible for "Large" GSoC 2023 project

Explanation of Ideas

You can chose to work on one or a combination of ideas depending on the difficulty!

Difficulty: Medium

Getting Started

Expected Results

Reach out to us on Slack to discuss further on the scope, changes required, or if you have any other proposal.

Knowledge Prerequisites

Mentors

OWASP Maryam

OWASP Maryam is a modular/optional open source framework based on OSINT and data gathering. Maryam is written in Python programming language and it’s designed to provide a powerful environment to harvest data from open sources and search engines and collect data quickly and thoroughly.

Please see Development Guide.

Web interface for meta searcher

Preferred for "Medium" GSoC 2023 project

Difficulty: Easy

Implement a web interface for Iris module with JQuery. The interface is somehow like www.qwant.com.

Document Retrieval for Iris

Not recommended for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Difficulty: Hard

Implement a Document Retrieval Algorithm for Iris in order to rank web pages according to the Query. You need to Understand Machine Learning classic algorithms for document retrieval or use Deep neural networks for implementation.

Your Own Idea

Preferred for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Difficulty: Easy Difficulty: Medium Difficulty: Hard

If you have a new Idea regarding Iris(Meta searcher), let us chat.

Getting Started
Mentors

OWASP SecureTea

The OWASP SecureTea Project provides a one-stop security solution for various devices (personal computers / servers / IoT devices). Possible for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Expected results

Possible for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Getting started
Student Requirements
Mentor

OWASP PyGoat

Intentionally vuln web Application Security in django.

Possible for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Expected results

Possible for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Getting started
Student Requirements
Mentor

OWASP Risk Assessment Framework

The OWASP Risk Assessment Framework consist of Dynamic application security testing (DAST) and Risk Assessment tools. By using OWASP Risk Assessment Framework’s Testers will be able to analyse and review their application and vulnerabilities without any additional setup. OWASP Risk Assessment Framework can be integrated in the DevSecOps toolchain to help developers to write and produce secure application.

Possible for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Expected results

Possible for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Getting started
Student Requirements
Mentor

OWASP Juice Shop

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

To receive early feedback please:

Explanation of Ideas
Score Board UI/UX

Possible for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Difficulty: Hard

Juice Shop’s existing Score Board has been rewritten from scratch once when the project moved from AngularJS/Bootstrap to Angular/Material. Since then, new features, filters and information has been added to it over the years. It has grown to a point where it can be confusing for beginners. It also became pretty slow to render over time.

After a big facelift project for all the other UI screens, the Score Board now is the one screen left to require some special attention. As it is the heart and soul of the Juice Shop, any redesign or usability improvements must be thoroughly tested and strive for the best possible user experience.

Companion Guide Tech Stack

Preferred for "Medium" GSoC 2023 project Not recommended for "Large" GSoC 2023 project

Difficulty: Medium

The official companion guide eBook “Pwning OWASP Juice Shop” is today written in Markdown and compiled with the GitBook legacy CLI into HTML (for online reading) as well as EPUB/PDF (for the free eBook on LeanPub). As GitBook CLI is no longer maintained, it is only a question of time when the current build and publishing pipeline will start failing from outdated tooling in general and specifically unsupported old versions of Node.js etc. The CI/CD pipeline for publishing is currently running on AppVeyor whereas all other Juice Shop components are built with GitHub Actions.

With well over 12,000 readers on LeanPub alone, the eBook is definitely a cornerstone of Juice Shop’s success, so it should receive a long-overdue renewal of its technology stack. This includes a modern and future-proof authoring format (that still supports both online-reading and eBook export) as well as moving the CI/CD pipeline over to GitHub.

Add Web3 specific hacking and coding challenges

Preferred for "Medium" GSoC 2023 project Possible for "Large" GSoC 2023 project

Difficulty: Medium

The Juice Shop currently focuses primarily on Web2 challenges and it would be good to expose some web3 challenges natively as well as third-party integrations. The only concern we have is that playing around with the challenges should not impact the availability of the entire application. We are also open to having our own in-memory blockchain if that is needed. This is currently an open-ended and a flexible project idea that can be discussed and planned! Oh! Did I not mention we also have our own NFTs?!

Find and discuss more about the project idea here at juice-shop#1946

Advanced Cheat Detection

Preferred for "Medium" GSoC 2023 project Not recommended for "Large" GSoC 2023 project

Difficulty: Medium

The current Cheat Detection in Juice Shop is mostly based on expected timespans between solving two challenges. It takes challenge difficulty and availability of in-app hints into consideration, as well as possible correlations or dependencies between challenges. It leaves a lot of possible data sources out of its calculation, though. For example: Does the user always hit the solution on their first try, or do they explore the vulnerable functionality beforehand? Are the HTTP requests showing signs of hacking tool usage? Are the solution steps exactly reproduced from available official or even third party guides or videos?

Could maybe even techniques from banking fraud detection or actual game development be applied in the Juice Shop context?

Your own idea

Preferred for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Difficulty: Easy Difficulty: Medium Difficulty: Hard

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

Expected Results
Getting started
Mentors

OWASP WrongSecrets

Preferred for "Medium" GSoC 2023 project Possible for "Large" GSoC 2023 project

Explanation of Ideas
Getting Started

Repositories:

Please use the repositories’ issue tracker, GitHub discussions, and don’t forget to read the contributing guide.

Expected Results

Depending on the project:

Reach out to us on Slack to discuss these and other ideas!

Knowledge Prerequisites

Mentors

OWASP DevSecOps Maturity Model

The OWASP DevSecOps Maturity Model provides opportunities to harden DevOps strategies and shows how these can be prioritized. It contains of an application and the model data.

To receive early feedback please:

Medium Feature Pack for the Application

Preferred for "Medium" GSoC 2023 project

Large Feature Pack for the Application

Possible for "Large" GSoC 2023 project

Prerequisites

Mentors

Reach out to us on Slack to discuss these and other ideas!

OWASP OWTF

Possible for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Difficulty: Hard

Explanation of Ideas
Getting Started

Repositories:

Please use the repositories’ issue tracker, GitHub discussions, and don’t forget to read the contributing guide. Join the community at #owtf on OWASP Slack and share your questions, project ideas.

Knowledge Prerequisites

Mentors

OWASP secureCodeBox

secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. The secureCodeBox comes with many different scanners officially integrated (from Amass to Zap) and integration with vulnerability management backends like DefectDojo.

To receive early feedback please:

Explanation of Ideas
Rewrite DefectDojo Hook in Go(lang)

Preferred for "Large" GSoC 2023 project

Difficulty: Medium

The current implementation of our DefectDojo hook is written in Java. As the remainder of the project is written in Go & JavaScript the code does not fit into the remainder of the project and suffers from typical Java problems like a comparatively large memory footprint and slow boot times.

The goals of the project are:

Add a secureCodeBox CLI (scbctl)

Preferred for "Medium" GSoC 2023 project

Difficulty: Medium

The primary interface to interact with the secureCodeBox is through it’s Custom Resources (CRs) in the Kubernetes API. Writing the resource (e.g. Scans) is generally not hard but can be cumbersome as the require the creation of a new file / multi line string in the command line.

To make these interactions easier to use and more fun, a custom (but optional) secureCodeBox CLI should help by automatically connecting to the Kubernetes API.

More context & information are listed in the GitHub Issue

Your own idea

Preferred for "Medium" GSoC 2023 project Preferred for "Large" GSoC 2023 project

Difficulty: Easy Difficulty: Medium Difficulty: Hard

You have an awesome idea to improve the OWASP secureCodeBox? We’d love to hear it, please reach out via email / owasp slack / github to ensure that the idea fits into the project. :)

Getting started
Mentors

OWASP ModSecurity Core Rule Set

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

Getting Started

CRS 💡 #1

Preferred for "Medium" GSoC 2032 project Possible for "Large" GSoC 2023 project

CRS Transformations review

Summary

Systematic review of transformations, develop a guideline how to transform which parameters and in which order, implement the necessary changes

Description

This is one for the nerds, or for somebody who is not afraid to dig into the hairy details of language encodings and their implementation. The ModSecurity SecLang rule language that CRS uses comes with a few dozen of transformation that can help to simplify payloads that make it easier to detect attacks. Think of removing white space or perform base64 decoding. CRS uses this, but we have to admit in an not overly systematic way. So what we would need is somebody who looks at the various options, looks at frequent attacks and tells us which transformations / decodings should be used and in which situation, so we can follow this guideline in a systematic way.

Expected Outcomes
Skills required/preferred
Mentors

The CRS team will assign a mentor to contributors. In the meantime, the following two CRS project leaders will be your contacts:

Difficulty: Easy

CRS 💡 #2

Preferred for "Medium" GSoC 2023 project Possible for "Large" GSoC 2023 project

SecLanguage platforms performance analysis
Summary

Systematic performance analysis on various SecLanguage platforms: Costs of operators, transformations and variables (depending on size of payload / varname+value and number of variables)

Description

This is a research project aiming to do a written report about the performance of the essential part of the SecRule language on various implementations, namely ModSecurity 2, libModSecurity 3, Coraza. The ModSecurity Handbook does not really go into enough detail of the performance impact of those constructs that CRS uses as its work horses. So we kind of depend on a gut feeling and a proper base and guideline would be very beneficial.

Without exaggerating too much, you need to keep in mind that CRS is running on millions of servers, some of them with hundreds of millions of requests per day (or more). If you now imagine that we could save some CPU cycles when we optimize the rules, then there is a big, big potential to good. Also to the planet in resource consumption.

Expected Outcomes
Skills required/preferred
Mentors

The CRS team will assign a mentor to contributors. In the meantime, the following two CRS project leaders will be your contacts:

Difficulty: Hard

CRS 💡 #3

Preferred for "Medium" GSoC 2023 project Possible for "Large" GSoC 2023 project

WAF Performance Testing Framework

Summary

Create a performance testing framework i. e. something like regression tests but for performance, so we can see impact on performance of every pull request.

Description

A frequent problem when developing new rules is their performance impact. Experience shows you do not really know the performance of a rule until you have tried it out. If you want to test it against a variety of payloads it’s quite a lot of manual work and since we do not have a documented test procedure, it’s all a bit random.

So the idea is to design a facility (typically a docker container) that is being configured with a rule and then used to test this rule with a variety of payloads and returns a standard report about the performance of the rule. Bonus points if multiple engines are covered (ModSecurity 2, libModSecurity 3, Coraza, …)

Expected Outcomes
Skills required/preferred
Mentors

The CRS team will assign a mentor to contributors. In the meantime, the following two CRS project leaders will be your contacts:

Difficulty: Medium

CRS 💡 #4

Preferred for "Small" GSoC 2023 project Possible for "Medium" GSoC 2023 project

New plugin for <enter-your-cool-idea>
Summary

Write new plugins to prevent attacks.

Description

We have recently added plugin functionality to CRS. The Plugin Registry has a decent overview of existing plugins and this blog post does a good job describing a very cool plugin for inspiration.

Think about writing another cool plugin to complement the repository.

Expected Outcomes
Skills required/preferred
Mentors

The CRS team will assign a mentor to contributors. In the meantime, the following two CRS project leaders will be your contacts:

Difficulty: Easy

OWASP Nettacker

OWASP Nettacker is a Modular Automated Penetration Testing/ Information gathering Framework and Vulnerability Scanner fully written in Python. Nettacker can run a variety of scans discovering subdomains, open ports, services, vulnerabilities, misconfigurations, default credentials.

Difficulty: Medium Preferred for "Medium" GSoC 2032 project

Explanation of Ideas
Getting Started

Repositories:

Knowldege Requirements
Mentors