|Timestamp||What is the name of the Project?||What type of project would you like to create?||Which open source license will your project be using?||Project leader name||What is your email address?||What is your SourceForge ID (if you have one)?||What do you expect to be your project's tangible deliverable?||How would you describe your project in 250 characters?||What is the roadmap for your project?||Additional Comments||What is your OWASP Wiki ID (if you have one)?||Will you require a GitHub repository for your project?||If so, then what is your GitHub account name?||Project Details Page||Notes|
|10/12/2011 4:20:50||Top 10 Defenses||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License||Andrew van der Stock||firstname.lastname@example.org||ajv||Wiki + PDF||A Top 10-like document, phrased in a positive, testable manner that describes the Top 10 controls architects and developers should absolutely, 100% include in every project.||https://www.owasp.org/index.php/TODO:_Top_10_Defenses||See commentary in Leaders list as well as recommendation by Mark Curphey et al for a new project.||vanderaj||https://www.owasp.org/index.php/Projects/OWASP_Top_10_Defences/Roadmap||email@example.com||Completed|
|10/12/2011 13:31:48||ESSS||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License||Mike Boberski||firstname.lastname@example.org||A series of "standards" documents||While third-party penetration test reports might provide a clean bill of health, no vulnerabilities, this does little to satisfy concerns that enterprise software was designed and developed in a well-constructed manner. It's that part ESSS addresses.||ESSS#1: Mandatory Injection Protection - Draft Version 0.1|
ESSS#2: Comprehensive Secret Protection - Draft Version 0.1
ESSS#3: Transaction Protection - Draft Version 0.1
ESSS#4: Inherent Web Service Protection - Draft Version 0.1
ESSS#5: Non-Bypassable Access Control Protection - Under Construction
ESSS#6: PKI & WS-Security Protection - Under Construction
ESSS#7: PKI & SAML Protection - Under Construction
ESSS#8: Inherent Mobile Code Protection - Under Construction
|Project content is currently hosted at http://www.openesss.org; the new OWASP project page would include links to that site, similar to OpenSAMM. Please see openesss.org for current project||email@example.com||1. Project already underway. Waiting for GPC advice to see if we should create OWASP version of it. 2. Request withdrawn by submitter. (7 Aug 2012: Mike has gotten back to me. He has gone ahead and started this project without OWASP. He is not too keen on creating an OWASP version, but is willing to do it if others are interested. I have asked the board for their input. Waiting to hear back from them) (9 Aug 2012: Board got back to me with their input. I have contacted Mike to ask if he would be interested in labeling his project as an OWASP project so he can benefit from the brand and the community. I am waiting to hear back from him.) (10 Aug 2012: Mike has gotten back to me. He asked to have the project set up as an OWASP Project. The project set up is now complete.) (23 Aug 2012: Mike has decided to withdraw the project. He found the release review process too complicated/fussy)|
|10/13/2011 5:26:41||File Hash Repository||Tool Project||Apache 2.0 License||Lucas C. Ferreira||firstname.lastname@example.org||Executables: server and several clients. If possible a running instance of the server for clients to query.||The goal of this project is to build a repository of hashes of executable and source files. This repository can then be queried by clients to determine the status of files based on their hashes. Some statuses are GOOD, MALWARE, SOURCE CHECKED, etc. This repository can consolidate several available sources (NIST, MHR, VirusTotal, etc) and provide better query capabilities.||1. have a running version of the server able to answer queries via DNS|
2. transform proof-of-concept code into production-ready code
3. have the server query sources for unknown hashes
4. implement other query interfaces
5. incorporate new information sources
6. produce an upload interface
|Proof-of-concept code is available.||sapao||https://www.owasp.org/index.php/Projects/OWASP_File_Hash_Repository/Roadmap||https://www.owasp.org/index.php/Projects/OWASP_File_Hash_Repository||Project seems to already be set up. Contacted Lucas to make sure it has been and if he needs anything else. (Aug 7 2012: Lucas has contacted me to confirm his project has already been set up. This project set up is now complete.)|
|10/20/2011 4:40:59||WebGoat.NET||Tool Project||GNU GPL v3||Jerry Hoff||email@example.com||WebGoat.NET ASP.NET Web Application||WebGoat.NET is a purposefully broken ASP.NET web application. It contains many common vulnerabilities, and is intended for use in classroom environments.||WebGoat.NET currently has multiple modules that have been completed, and many that are not complete. I intend to elicit help from the OWASP community to continuously add to and improve WebGoat.NET, in addition to working on this as often as I can to build WebGoat.NET into an enterprise-level training tool.||Thank you!||Jerry Hoff||https://www.owasp.org/index.php/Projects/OWASP_WebGoat.NET/Roadmap||owasp-webgoat||https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project||Project seems to already be set up. Contacted Jerry to make sure it has been and if he needs anything else.|
|10/28/2011 16:17:30||AJAX Crawling Tool||Tool Project||GNU GPL v3||Skyler Onken||firstname.lastname@example.org||Runnable JAR||A tool which will automate the crawling of AJAX applications. It can be daisy-chained with other proxies (like ZAP or Burp) to allow the functionality of those tools to be used on aspects of a web app that traditional spidering tools will miss. Here is a demo of the tool so far: http://vimeo.com/31059474||Eventually this tool will have another optional component that will allow fuzzing of these requests from within the tool itself if desired. However, at this point the AJAX crawling functionality is the true value. The target would be to have an automated fuzzing tool that would crawl a target site (including SOAP and REST) and then fuzz those discovered requests. At the end, the tool's deliverables would be for QA/researchers to discover unprotected entry points and malformed input.||https://www.owasp.org/index.php/Projects/OWASP_AJAX_Crawling_Tool/Roadmap||https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool||Project seems to already be set up. Contacted Skyler to make sure it has been and if he needs anything else. Skyler got back to me. Set him up with an Email and mailing list. Set up complete.|
|11/8/2011 8:09:10||smart city administration||Tool Project||Apache 2.0 License||manish email@example.com||firstname.lastname@example.org||it will be clearly tangible||this project will provide the direct interface between the people and the administrator.||this project will provide the direct interface between the people and the email@example.com||I don't feel I have enough information. I have sent an e-mail to ask for more before I set this up. (7 Aug 2012: Have not heard back from Manish. I will leave this until the end of the week. If I have not heard back, then I will mark this project incomplete.) (10 Aug 2012: I have not heard from Manish regarding this application. This project is now an incomplete application)|
|11/8/2011 8:09:29||smart city administration||Tool Project||Apache 2.0 License||manish firstname.lastname@example.org||email@example.com||it will be clearly tangible||this project will provide the direct interface between the people and the administrator.||this project will provide the direct interface between the people and the firstname.lastname@example.org||Duplicate Application|
|11/11/2011 13:16:01||Java/J2EE Secure Development Curriculum||Documentation Project||Creative Commons Attribution-NoDerivs 3.0 Unported||Dr. A. L. Gottlieb||email@example.com||PDF document||The OWASP Java/J2EE software security curriculum is offered as prescriptive guidance for those wishing to educate themselves or others on how to secure Java/J2EE software development. Included are core education tracks based on job|
description and specialization tracks based on specific areas of software security.
Course descriptions are provided as a point of reference for those wishing to know what content OWASP recommends.
|Because so few developers secure their software development, this curriculum shows:|
1. The scope of software security is vast with respect to content throughout the SDLC
2. There are many appealing career paths within software security
3. What demonstrable skills need to be transferred to students
4. How to train an entire software development workforce to develop securely
5. What to do when a development shop must adopt secure software best practices
|Contacted Dr. Gottlieb and asked him if he has this project set up already. I want to make sure before I start the process. Set up is pending while we wait for his confirmation. (7 Aug 2012: Was contacted by Dr. Gottlieb. He asked for the project to be set up. I have set it up for him. This set up is now complete.)|
|12/19/2011 9:37:01||xsser||Tool Project||GNU GPL||firstname.lastname@example.org||https://xsser.sf.net||a Debian community package||Cross Site "Scripter" (XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.|
It contains several options to try to bypass certain filters, and various special techniques of code injection.
|XSSer is currently in version 1.6b (01/12/2011), called "Grey Swarm"|
The next step in the Roadmap is to stabilize the tool (bugfixing), to improve accuracy of the injections and to grow on the community.
Currently, XSSer supports WebSockets technology, which needs to be researched in order to connect all the tools in a single direction. The name of this feature is "swarm", and it needs to be tested as well as developed further.
It is also necessary to investigate new XSS vectors.
Also, to implement a messaging system and enhance the functionality of connection between XSSer participants.
Finally, it is necessary to give more visibility to the tool.
|The main objective is to provide a free software tool specialized in the exploitation of XSS attacks, the second most common vulnerability as ranked by OWASP.||Looks like a great project. Waiting for him to confirm his name as he left this field blank so I can't set up an e-mail for him. Project set up pending his reply. (7 Aug 2012: Have not had a reply from him. I will wait until the end of the week. If I hear no reply, I will mark this project incomplete.) ( 14 Aug 2012: He/she has not supplied me with his real name so I am marking this application as incomplete) (Aug 23 2012: Epsylon has come back to me with his real name. Fabio Cerullo and I had a meeting to discuss this project as Epsylon would like to donate his project to OWASP. I saw no issue with this as he was honest about his identity, as far as we could tell, and he only wanted to donate the project. I have set him up with all the necessary materials, and I have communicated the donation process to him. This project set up is now complete.)|
|12/20/2011 0:06:45||AW00t||Code Project||GNU GPL v2||Nitin Arya||email@example.com||Revealing the beauty of small code that changes a malicious file to a trusted one. Combining them will make a quick payload generator.||It's an implementation of binary stubs, from basic to polymorphic code, that will show how viruses and malicious files keep themselves undetected by antiviruses.|
The generated stubs can be appended to any program. A new approach to AV avoidance will also be shown, and special programs for hunting down the signatures, extracting them, and editing them for better use will be incorporated.
|This program will help in generating a better AV approach via understanding the basics of signature patterns and other latest techniques that fail at some point in detecting the malicious code.|
We can personally configure our AV for better protection after we go deep in this project.
|The AW00T will be provided both as command line and separate binaries for its implementation. It will enable us to have a deeper study of malicious code, and we will be testing all the AV vendors side by side.||Nitin Arya||This project is waiting confirmation that it has not been set up for him yet. (9 Aug 2012: He has responded to my message, but it was not clear as to whether he wanted this project set up or not. I have contacted him again for further confirmation) Nitin has gotten back to me and confirmed that he wants the project set up. This project set up is now complete.|
|1/2/2012 21:39:52||Passfault||Code Project||GNU LGPL v3||Cam Morris||firstname.lastname@example.org||3683875||JAR||Passfault evaluates password strength and enforces password policy. It identifies patterns in a password then enumerates how many passwords fit within the identified patterns. This approach is more accurate and more intuitive. It allows administrators to know and control password risk, instead of hoping that users will create strong passwords.||The core library is complete as well as a Java Applet and JSON Service. Remaining to do items follow:|
- Maven build. Currently the core library is ant. The applet is a NetBeans project and the JSON service is an eclipse project.
- Document each pattern finder on the OWASP wiki
- ESAPI Authenticator Decorator: Implement an ESAPI Authenticator that will enhance an existing authenticator with passfault implementing the "verifyPasswordStrength" method.
- JQuery Plugin: A JQuery plugin that will let a web site use either the passfault applet or a passfault JSON Service to analyze a password
- Configuration File: Current configuration of word lists and pattern finders is in code only.
|I was pursuing the possibility of selling this tool, but I decided I'd like it on OWASP. Passfault is currently published under AGPL, but if accepted by OWASP I think LGPL would be more appropriate. |
Here are some links that may be of interest:
Demo site: https://passfault.appspot.com
Below is a list of patents I applied for while researching this approach (Novell owns them and I ceased employment there in 2008). Passfault does not infringe on any of these patents but they should probably be listed up front. Passfault implements an alternative to the first patent. The rest of the patents could be implemented using passfault.
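The pattern-enumeration idea in the Passfault entry above, as an added illustration that is not Passfault's own code: a toy segmenter with three pattern finders (dictionary word, digit run, characters no finder can explain) multiplies the search space of each segment and contrasts the result with the 95^length figure that a length-only policy implicitly assumes. The word list, the assumed dictionary size of 100,000 entries and the greedy left-to-right segmentation are simplifications of my own; this does not reproduce Passfault's finders or how it chooses among overlapping patterns.

```python
import math
import re

# Constructed stand-in for a dictionary; a real pattern finder would load a
# large word list (assumption: DICT_SIZE is the number of entries it holds).
WORDS = {"password", "dragon", "summer", "owasp", "secret", "welcome"}
DICT_SIZE = 100_000
PRINTABLE = 95  # printable ASCII alphabet used for the "random" fallback


def find_patterns(pw):
    """Greedily segment pw from left to right into (name, text, space) tuples.

    space is how many candidates an attacker who knows the pattern structure
    has to try for that segment: the dictionary size for a word, 10**k for k
    digits, 95**k for k characters no finder could explain.
    """
    segs = []
    i = 0
    while i < len(pw):
        # Longest dictionary word starting at position i, case-insensitive.
        for j in range(len(pw), i, -1):
            if pw[i:j].lower() in WORDS:
                segs.append(["word", pw[i:j], DICT_SIZE])
                i = j
                break
        else:
            m = re.match(r"\d+", pw[i:])
            if m:
                digits = m.group(0)
                segs.append(["digits", digits, 10 ** len(digits)])
                i += len(digits)
            elif segs and segs[-1][0] == "random":
                # Extend the preceding unexplained run instead of starting another.
                segs[-1][1] += pw[i]
                segs[-1][2] *= PRINTABLE
                i += 1
            else:
                segs.append(["random", pw[i], PRINTABLE])
                i += 1
    return [tuple(s) for s in segs]


def pattern_space(pw):
    """Guesses needed by an attacker who enumerates the identified patterns."""
    return math.prod(space for _, _, space in find_patterns(pw))


def naive_space(pw):
    """Guesses needed by blind brute force over printable ASCII, which is
    what a length-and-character-class policy implicitly assumes."""
    return PRINTABLE ** len(pw)


def strength_bits(pw):
    """Pattern-aware strength in bits, to compare against a policy threshold."""
    return math.log2(pattern_space(pw))


if __name__ == "__main__":
    for pw in ("password123", "Dragon2012!", "xK9#q", "Summer2012welcome"):
        print(pw, find_patterns(pw), f"{strength_bits(pw):.1f} bits",
              f"vs naive {math.log2(naive_space(pw)):.1f} bits")
```

A policy built on `strength_bits` rejects "Summer2012welcome" (two dictionary words and a year, roughly 46 bits here) even though it is 17 characters long and mixes classes, which is the point the entry makes about controlling risk rather than trusting length rules.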
|2/8/2012 14:12:36||OctoMS||Code Project||Creative Commons Attribution ShareAlike 3.0 License||Valentino-Jivko Radosavlevici||email@example.com||A zip archive containing the PHP Framework||OctoMS is a free open-source PHP Framework designed on the MVC pattern that focuses on delivering useful debugging information and both offline & online documentation inside the application that is being developed through an intuitive AJAX interface.||OctoMS is an open-source project hosted on Google Projects: http://code.google.com/p/octoms/|
The main attribute of the framework is a "Wizard", an AJAX interface that replaces the page the developer is currently working on if:
1. The script encounters a handleable error
2. The script fails to catch an Exception
3. The developer writes help(); in the controller that serves the current page
4. The developer appends ?debug:firstname.lastname@example.org to the current page's URL
This wizard consists of 2 windows:
1. Search area
The developer can search for detailed usage information on any of the methods created in the application.
Example: searching for "view -core" will return the list of methods found in the view core library with the following information:
* List of parameters
* Return values
* Code examples
* How to deploy the "view" core library in the controller
This information is gathered by reading the application source-files and indexing the method comments.
The developer can also search for online help and use task management tools through the SSL-encrypted API provided by www.octoms.com. This section of the project is a Software as a Service (SaaS) and is available for an individual monthly fee.
2. Debugging area
In the event of an error the debugging area shows a new window detailing where the error occurred and a backtrace. Code previews from the files listed in the backtrace tree are also shown.
The developer can debug any web page of the application. The debugging information returned is:
* Routing directives
* Controller information
* List of loaded objects (libraries and models)
* List of available helper functions
* Memory and time consumption
* Headers list
* Output buffer
|2/9/2012 12:50:19||PHP Test||Code Project||Apache 2.0 License||Akhil V Lemail@example.com||sdsd||sds||sds||sdsd|
|2/27/2012 9:11:26||OWASP BSI IT-Grundschutz Baustein Webanwendungen Review||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License||Ralf Reinhardt||firstname.lastname@example.org||Technical review of the module web application ("Baustein Webanwendungen") of the IT-baseline protection catalog ("IT-Grundschutz Katalog") of the German Federal Office for Information Security ("BSI") from OWASP's point of view.|
|- Building a core review team|
- Review of the BSI documents
- Review of OWASP's review itself
- Releasing the results
|The German "Federal Office for Information Security" (BSI), which is comparable to departments focused on security in organizations like NIST or CCTA, offers the IT Baseline Protection ("IT-Grundschutz") for public usage, which is based on ISO/IEC 27001. The IT Baseline Protection includes a catalog of approx. 80 "Bausteine" (building blocks). Each block deals with one particular subject of IT security. They are usually written in German and later translated to English. Once finally released, they become the de facto standard for IT security and related certifications in Germany.|
In January 2012 the draft of the block "Webanwendungen" (web applications) was released with a request for comments. Since this is the core expertise of OWASP, we invited a delegate of the BSI to attend the last chapter meeting of the German Chapter, which took place in Frankfurt / Main on the 3rd of February. The meeting's outcome was the strong wish to perform a review of that very web application block as an OWASP project. This project will help to broadly expand the visibility of OWASP in the German IT security landscape.
Project links to external sites:
About "IT-Grundschutz Katalog":
BSI main documents (German language):
BSI "Entwurf Baustein Webanwendungen" (German language):
|Ralf Reinhardt||Project seems to already be set up. Contacted Ralf so he can confirm this to me, and asked if he needed further assistance from us. Waiting to hear back. (Sept 5 2012: I have gotten a response from Ralf. The project is currently completed and in the process of being reviewed by the BSI)|
|3/7/2012 23:45:45||wap2go||Tool Project||Creative Commons Attribution ShareAlike 3.0 License||email@example.com||http://jamal880.peperonity.com||community||welcome||none||none||Contacted Ibrahim to ask if he was still interested in pursuing this project.|
|3/9/2012 13:05:35||OWTF||Tool Project||BSD License||Abraham Aranguren||firstname.lastname@example.org||A downloadable tool (mostly python)||The Offensive (Web) Testing Framework is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient.|
|The roadmap is to improve security testing efficiency by gradually integrating the best tools, to unite them and make them work together with the security tester instead of having the security tester babysit them.|
OWTF also aims to be a repository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.
|3/20/2012 10:26:53||tsony||Code Project||GNU GPL email@example.com||huuthecusc||sa dfad||ad ad as||a dad||a dad||Huuthe|
|3/31/2012 11:06:41||test||Code Project||GNU GPL v2||test||test||test||test||test||test||test||test|
|4/5/2012 6:20:28||ddd||Code Project||GNU GPL firstname.lastname@example.org||skdslk||kdjfkdfk||dkfjkdfjk||kjkdj||jdkjd||kdsjkd.cklxklk|
|4/6/2012 10:29:24||ShoppingOnline||Code Project||GNU GPL v2||Quoc||email@example.com||I would like web security better||My project would like to build a website to support users buying items on the internet.||At first, I want to build a simple website. After that, I will try to improve the security of this website.||Contacted Quoc and asked him for more information on his project. I suspect he has trouble with English and that is why his submission is less robust.|
|4/17/2012 13:45:19||OWASP Java Uncertain Form Submit Prevention||Code Project||GNU GPL v3||Pravin Kaushik||firstname.lastname@example.org||JAR||Java Uncertain Form Submit Prevention will be useful for developing web applications that avoid duplicate and unauthorized posts.|
A token is already present in the servlet, but it has limitations,
such as not being able to handle multiple requests from a client.
|From Start |
Analysis - 10 days
Code Implementation - 15 days
Testing (Manual and Automation) - 10 days
Time to time enhancement (if required)
|4/27/2012 6:34:40||Sarvatra||Code Project||Apache 2.0 Licenseemail@example.com||jar||abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc||abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc|
|5/3/2012 7:59:18||ECUADOR||Code Project||GNU GPL v3||Diego Balseca||firstname.lastname@example.org||Participant IPCop||OWASP Community for Latin people (Ecuador)||- 2 month enrollment of participants|
- 6 month Ecuador OWASP Community
|5/11/2012 20:59:32||Odz MultiCMSScanner||Tool Project||GNU GPL v3||Mennouchi Islam Azeddine||email@example.com||miahack||multi-language (PHP, Python)||Odz MulticmsScanner is a vulns. scanner for Joomla, WP, Xoops, Nuke that can scan the whole server of any site with the previous scripts installed and then detect their vulns.||Our project starts with a PHP version, and then we will start working on a Python version and a GUI version in the future||Project Contributor: Khaled ===> firstname.lastname@example.org||Mennouchi Islam Azeddine||Project seems to be set up. Contacted Azeddine to make sure. Waiting for his reply. Fixed the structure of their wiki page. (9 Aug 2012: The project has already been set up. I have received confirmation from Azeddine Islam) This project set up is now confirmed.|
|5/19/2012 12:50:39||shopingcart||Code Project||BSD License||Manish||email@example.com||.net||.net project||.net project||Incomplete. Waiting for Manish to give me more information. I will wait five days until I mark this an incomplete Project. (10 Aug 2012: I have not received word from the project lead. This project is now marked as incomplete application.)|
|5/22/2012 15:03:49||Soka||Code Project||GNU GPL v2||Abefirstname.lastname@example.org||5214||yes||This description will be used to summarize your project on the OWASP Projects Portal. This description is meant to be a very quick overview (250 character limit) of your project that let's a consumer walk||The purpose of the roadmap is to help others understand what your vision for the project is and where the project is going. It gives the community a chance to understand the context and the goal of the||sss||5214|
|6/1/2012 3:49:27||Forensic Guide||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License||Carlos Solis Salazar||email@example.com||carlossolis||PDF document, Video||A massive document covering all aspects of forensic analysis of applications, which includes items such as how to conduct a forensic analysis and what an application should take into account at development time for the subsequent forensic analysis||Develop a document that specifies the aspects to consider in the forensic process, such as identification, preservation, analysis and presentation, which will go deeper into the tools and techniques to execute each of the stages.|
It will also cover all the considerations to make when developing an application in order to facilitate forensic analysis of applications.
It is estimated that the first version of the document is available in 6-8 months.
|Carlos Solís||Project seems to already be set up. I contacted Carlos to confirm this. Their wiki page was not set up the right way either, so I fixed it for them. Waiting to hear back from Carlos now. (Aug 14 2012: contacted him one last time for confirmation)|
|6/2/2012 9:03:59||Bellona||Tool Project||GNU GPL v3||R3boot3r@Xfirstname.lastname@example.org||Ddos pentest engine||idk|
|6/9/2012 2:05:05||PRACTICE||Tool Project||GNU GPL v3||HIemail@example.com||Hacking||It is going to be awesome||IDK|
|5/4/2012 15:42:05||global-virtual||Code Project||Creative Commons Attribution ShareAlike 3.0 Licensefirstname.lastname@example.org||loander||ddsfoi dofsij pasok ejw ijwo po||sdf k dsofk pok efjk oepkf we|
|6/21/2012 18:15:06||Xelenium||Tool Project||GNU GPL v3||Vasanthkumar Velayudham||email@example.com||http://sourceforge.net/projects/xeleniumsecurit/||Security Testing Tool||Hi,|
I propose the Xelenium project under OWASP initiative. Here the objective is to use the powerful features of open source functional test automation tool - Selenium in identifying the security threats. I would like to develop a flexible automated solution, which would identify various security threats present in the application.
|Please find below the current roadmap for Xelenium project:|
A Xelenium solution is available which can be used to identify reflected cross-site scripting threats. Please refer to the sourceforge link mentioned above.
Addressing the current limitations of Xelenium
- Support for textboxes present in multiple iframes of a window.
- Support for predefined values of the field.
Including the feature to identify DOM based XSS in web application.
Sep - Oct'12:
Including the feature to identify HTTP Splitting bugs in web application.
Nov - Dec'12:
Including the feature to identify SQL injection bugs in web application.
|I would request the coordinators to try the current Xelenium solution, which is available at the below mentioned link.|
I would be grateful if you provide me with your feedback, which would help me in enhancing this solution.
Thanks, looking forward for your support for my humble effort.
|(Aug 8 2012) I believe this project has already been set up. I emailed the project lead to confirm this. (Aug 15 2012: I have e-mailed the project lead again today. I have not had a reply at all. If I do not hear from him by the end of the week, I will mark his project active as this is the status it seems to be under)|
|6/23/2012 20:31:05||Intelligent Security||Code Project||GNU GPL v3||Arvind Iyer||firstname.lastname@example.org||A packaged VM||This project will create a code library that implements machine learning concepts for use in security applications/tools/modules. The project leader invites programmers, researchers and other subject-matter-experts to contribute to this effort. We will be joined by a shared belief that the future of application security is AI/machine learning.||I believe that the future of application security is in AI/machine learning. To make meaningful use of machine learning concepts in app security requires teamwork and collaboration between open source contributors (the drivers of innovation in software) and researchers. This project aims to facilitate that. A detailed roadmap will be posted over the next few weeks as the project gains traction.||(Aug 8 2012) I believe this project has already been set up. I emailed the project lead to confirm this. (Aug 15 2012: I have e-mailed the project lead again today. I have not had a reply at all. If I do not hear from him by the end of the week, I will mark his project active as this is the status it seems to be under)|
The repo contains several other libraries which are all free software but under a variety of licenses. See the readme file for an overview.
|email@example.com||www.owasp.org/index.php/owasp_1_Liner||(Aug 8 2012) I believe this project has already been set up. I emailed the project lead to confirm this. Have updated the project wiki page to reflect standard project wiki page set up. (9 August 2012: John has confirmed the project set up.) Set up Completed|
|6/25/2012 16:30:12||proyecto||Code Project||Apache 2.0 License||proyecto||raulito_mat_hotmail.com||Aso||Aso||localhost/proyecto/proyecto|
|6/27/2012 13:54:16||Path Traverser||Tool Project||Attribution-NonCommercial-NoDerivs 3.0 Unported (CC BY-NC-ND 3.0)||Tal Melamed||firstname.lastname@example.org||executable||Path Traverser is a tool for security testing of web applications.|
It simulates a real Path Traversal attack, only with actual existing files.
It operates as a middleman between the web application and its host server, which gives the ability to test the actual files found on the host server against the application, according to their relevant path.
After you have provided the relevant details, Path Traverser will connect (FTP) to your host server in order to pull out the list of files.
Then, it manipulates the list taken from the file system so it will fit the web application by changing their paths.
If your application can be found at http://mysrvr:777/home and the application files are located in the file system under myapps/demoapp/client/version/lastversion/, then requests for files under /myapps/demoapp/client/version/1.1/ will be created as http://mysrvr:777/home/../1.1/ and requests for files under /myapps/differentapp/files/ will be created as http://mysrvr:777/home/../../../../differentapp/files/, etc.
After that, the Path Traverser will start sending these requests one by one and log the results by the HTTP Response code selected.
A configuration for excluding/including specific file types is available.
|alpha: (Win 32/64) - released|
beta: (Win 32/64, MacOS) - Aug 31
*minor bug fixes, *MacOS compatibility
GA: (Win 32/64, MacOS, Linux) - Dec 31
*optimization, *Linux compatibility, *minor bug fixes
|alpha version is available for free @ http://appsec.it/pt|
There are still undiscovered bugs which cause it to crash.
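The request construction in the Path Traverser entry above, as an added Python example that is not the tool's own code: it turns a file listing into `..`-style requests relative to the directory the application serves, exactly as the entry's two URL examples describe, then runs them against a simulated static-file handler in a vulnerable and a hardened configuration and reports which traversal URLs came back 200. `BASE_URL` and `DOCROOT` are the values from the entry; the file listing (standing in for what the tool pulls over FTP), the `serve` handler and its hardening rule are assumptions made for illustration.

```python
import posixpath

# Constructed file listing standing in for what the tool pulls from the host
# over FTP (assumption); paths are relative to the FTP login directory.
FILES = [
    "myapps/demoapp/client/version/lastversion/index.html",
    "myapps/demoapp/client/version/1.1/index.html",
    "myapps/demoapp/client/version/1.1/notes.txt",
    "myapps/differentapp/files/config.xml",
]
BASE_URL = "http://mysrvr:777/home"                     # from the entry
DOCROOT = "myapps/demoapp/client/version/lastversion"   # directory BASE_URL serves


def traversal_path(docroot, filepath):
    """Relative path from the served directory to filepath, climbing out with
    '..', e.g. '../1.1/index.html' or '../../../../differentapp/files/config.xml'."""
    return posixpath.relpath(filepath, docroot)


def build_requests(base_url, docroot, files, include_ext=None, exclude_ext=None):
    """Return [(url, relative_path)] for every file that passes the extension
    include/exclude filters the entry mentions."""
    out = []
    for f in files:
        ext = posixpath.splitext(f)[1].lstrip(".").lower()
        if include_ext is not None and ext not in include_ext:
            continue
        if exclude_ext is not None and ext in exclude_ext:
            continue
        rel = traversal_path(docroot, f)
        out.append((base_url.rstrip("/") + "/" + rel, rel))
    return out


def serve(rel, docroot, files, harden):
    """Simulated static-file handler standing in for the real target (assumption).

    Vulnerable mode resolves the path literally, so '..' walks out of docroot.
    Hardened mode normalises first and refuses anything outside docroot (403).
    """
    target = posixpath.normpath(posixpath.join(docroot, rel))
    inside = target == docroot or target.startswith(docroot + "/")
    if harden and not inside:
        return 403
    return 200 if target in files else 404


def run(base_url, docroot, files, harden, **filters):
    """Send every generated request to the simulated server and record the
    status per URL, the way the tool logs real responses by HTTP status code."""
    return {url: serve(rel, docroot, files, harden)
            for url, rel in build_requests(base_url, docroot, files, **filters)}


def escaped(results):
    """URLs that contain '..' and still returned 200: the server handed out a
    file from outside the directory it is meant to expose."""
    return sorted(u for u, code in results.items() if "/../" in u and code == 200)


if __name__ == "__main__":
    for harden in (False, True):
        label = "hardened" if harden else "vulnerable"
        print(label, escaped(run(BASE_URL, DOCROOT, FILES, harden)))
```

When this is done against a live server rather than the simulated handler, the HTTP client must send the dot segments as generated: a client that normalises `..` before sending would collapse `/home/../1.1/` to `/1.1/` and test nothing. A 200 on a `..` URL is only meaningful together with the body, since some applications answer every path with the same page.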
|7/1/2012 7:11:21||watiqay||Tool Project||GNU GPL v2||Carlos Ganoza Plasencia||email@example.com||source code||Prevents layer 7 attacks on the various websites where the client service is running; it will have the capacity to restore the vulnerable websites and will have a continuous, personalized warning system.||Base structure (70%)|
Basic documentation (10%)
GUI integration (50%)
Monitor function with crontab (100%)
alert system (90%)
change detection (100%)
django support (0%)
Stage two (additional features)
Blocking IP's (0%)
Remote restore (0%)
Site Blocked (0%)
John Vargas Pérez (OWASP Perú Chapter Leader, Security Consultant at Open-Sec): technical advice
Nicolás Valcárcel (Ubuntu Perú Member): Python module
David Salcedo (web developer at SirDev): GUI design
|Carlos Ganoza Plasencia||Completed|
|7/2/2012 22:46:28||OWASP Mantra OS||Tool Project||Creative Commons Attribution ShareAlike 3.0 License||Gregory Disney||firstname.lastname@example.org||BackSploit||ISO for USB & ARM||Chromium OS is a safe, fast and secure sand-boxed OS. This makes it ideal to continue on the OWASP Mantra security toolkit project by completing it as an operating system.||Roadmap:|
1. Get UI and tools working on Chromium OS
2. Brand Chromium OS as OWASP Mantra OS
3. Add additional tools such as CISCO toolkit and others used by testers.
4. Add Backtrack toolkit to Mantra OS
Goal to have project in beta by August
A. Possibly have a marketable tool built on the raspberry pi to help further the OWASP project
|Gregory Disney||Does not have a contact e-mail. I took a shot and sent out an e-mail to a Gmail account using his name. I'll see if this works. He has e-mailed me back and confirmed his application. This project set up is now complete. (8 Aug 2012)|
|7/24/2012 11:47:02||Mark Denihan||Tool Project||GNU GPL v3||Mark Denihan||email@example.com||markdenihan||A security awareness web application including a portable cross platform compatible server package||Security Shepherd is a security awareness in depth project, designed with the aim of fostering security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills.||The current objectives of the Security Shepherd project are:|
To create more levels to provide a wider coverage of vulnerabilities
Extend admin UI configuration options
Create a cloud like synchronizing mechanism to enable automatic updating.
Create a framework for creating levels so that users with no programming experience can contribute.
|This Project was used for the CTF at the OWASP Google Hackathon in July|
Security Shepherd is made up of two parts:
A secure dashboard application that serves up the levels for the user and an exposed server that hosts the sub applications with vulnerabilities. The vulnerabilities are real and are hardened or disarmed so that they cannot be used to compromise or destroy the application server or its environment.
|7/24/2012 18:56:41||Xenotix XSS Tester||Tool Project||Creative Commons Attribution ShareAlike 3.0 License||Ajin Abraham||firstname.lastname@example.org||Downloadable tool||Xenotix XSS Tester is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. This tool can inject code into a webpage which is vulnerable to XSS. It is basically a payload list based XSS Scanner. It provides a penetration tester the ability to test all the possible XSS payloads available in the payload list against a web application with ease.||Version 1|
• Built in XSS Payloads
• XSS Key logger
• XSS Executable Drive-by downloader
• Automatic XSS Testing
• XSS Encoder
|Completed (10 Aug 2012: Project Lead removed application)|
|7/25/2012 23:12:58||study loak moscow||Code Project||GNU GPL v3||SLMToolsemail@example.com||for testing only||For testing||for testing!|
|7/29/2012 20:08:58||pol||Code Project||GNU GPL v2||geno||plamour010101||bb||b||b||b|
|8/1/2012 19:43:38||Xenotix XSS Exploit Framework||Tool Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Ajin Abraham||firstname.lastname@example.org||A downloadable executable binary||Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. This tool can inject code into a webpage which is vulnerable to XSS. It is basically a payload list based XSS Scanner. It provides a penetration tester the ability to test all the possible XSS payloads available in the payload list against a web application with ease. The tool supports both manual mode and automated time sharing based test modes. It includes an XSS encoder, a victim side keystroke logger, and an Executable Drive-by downloader.||current features|
Built in XSS Payloads
XSS Key logger
XSS Executable Drive-by downloader
Automatic XSS Testing
To be implemented in future
support for Gecko and WebKit rendering engines
XSS Proxy to tunnel victim-server communication
|https://www.owasp.org/index.php/Xenotix_XSS_Exploit_Framework||This project might be a duplicate of one I already set up but I am not certain. I have e-mailed the project leader to make sure. I am waiting to hear back from him. (9 Aug 2012) (10 Aug 2012: Project leader has gotten back to me. He says that the original project application is incorrect and that this is the right one. I have deleted the first application/project pages and I have updated his information with this project. The project set up is now complete.)|
|8/3/2012 14:51:56||hutrap||Code Project||Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)||email@example.com||test||test||test|
|8/6/2012 16:59:56||set||Documentation Project||Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)||firstname.lastname@example.org||test||test||test|
|8/21/2012 9:24:31||Tmt||Code Project||Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)||email@example.com||downloaded||academic management program||confirm security level|
|8/21/2012 21:12:53||Onyx||Code Project||GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)||Abhishek Yadav||firstname.lastname@example.org||An ASP.NET secure application infrastructure.||Our team envisions designing and developing a Secure and Optimized web application framework that could be implemented in any production grade web application built on ASP.NET framework.|
The practices adopted would be implemented on an in-house application to benchmark and leverage performance and security of the application.
|22/8/2012 : Finalizing Project Synopsis.|
23/8/2012 : Communicating Design & Development Objectives.
24/8/2012 : Commencement of development of primary deliverables.
24/9/2012 : Submission of primary deliverables.
|(Aug 28 2012: This project set up is now complete.)|
|8/28/2012 17:25:32||OWASP Crossword of the Month||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Reef D'Souza||email@example.com||PDF, Flash file hosted online||We at MyAppSecurity plan on releasing fun application security related quizzes and crosswords which would help educate application developers and security professionals alike in a fun way. |
I believe that this project will reach out to a bigger audience if it involved the OWASP community. I would like to lead an OWASP Crossword of the Month project which can be promoted via the OWASP Newsletter and other outlets.
|Releasing a crossword once a month on secure development, application security, top breaches etc. which will help educate builders, breakers and defenders on application security in a fun interactive way. |
Currently there is one such crossword hosted by MyAppSecurity which I have developed and I look forward to collaborating with the OWASP community on building more.
|(Sept 5 2012: This project set up is now complete.)|
|8/31/2012 5:27:44||unxzoo||Tool Project||firstname.lastname@example.org||The knowledge gained by understanding OWASP functionality||In the first instance, I need to know what the OWASP Project is for this; the download is for this purpose.||The next step in the test will probably be to contribute to the OWASP project.||(Sept 5 2012: I have contacted him regarding his application. He seems to only want information on OWASP and did not know who to ask) (We have responded to his query. This project is now closed)|
|9/10/2012 15:03:30||TestingTheWeb||Code Project||GNU LGPL v3 License (similar to GPL but modified for use with libraries that may be called by other proprietary programs)||TestingTheWeb||email@example.com||security test||Trying to check security||Trying to check security||(Sept 20, 2012: I have asked Alexandra to provide more information on her project as she provided no roadmap and a very small description)|
|9/25/2012 6:58:10||jj||Tool Project||firstname.lastname@example.org||no||very good||I don't know||haha||(Oct 04, 2012: Not a real application)|
|10/31/2012 23:15:01||Periodic Table of Vulnerabilities||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||James Landisemail@example.com||There are many anthologies of vulnerabilities and weaknesses (including CWE-25, TCv2, and OWASP top 10), but there is no attempt to classify these issues based on how they should best be solved. In the past, we have tried to teach developers how to avoid introducing these problems, but it appears via the lesson of Buffer Overflow that the only way we'll ever eliminate them is to make it impossible for developers to write vulnerable code at all. The periodic table classifies issues based on the most scalable solution, whether that be in frameworks, perimeter technologies, custom code, or fixing the browsers and standards responsible.||There is really only one clear milestone, which is to ensure that the community agrees about how each vulnerability is most efficiently solved. The Periodic Table captures that agreement in an easily referenceable form. Ideally, the document will influence the direction of many other OWASP projects. For example, the Top 10 Defenses project might eventually choose to focus only on the issues that will require developer attention, or there may be different Top 10s for WAF vendors, framework developers, and browser vendors. A new project, similar to WAFEC, could also be started based on the Table which measures how well frameworks are actually meeting the requirements to address certain vulnerabilities. But once there is agreement, the Table will remain generally static, while accommodating new vulnerability research or lessons learned from trying to apply the table to real world situations.||just requested "James Landis"||Project Successfully Set up. November 09, 2012|
|11/2/2012 8:13:26||PSAI||Tool Project||no license||S||firstname.lastname@example.org||web security test||web security test||web security test||(Nov 02, 2012: Not a real application)|
|11/6/2012 20:19:35||Application Security Awareness Top 10 E-Learning Project||Documentation Project||AppSec Labs license||Erez Metula||Erez@appsec-labs.com||downloaded and online view||The Application Security E-Learning project has set itself the goal of delivering intuitive, concise and precise content in the fundamentals of application secure coding.|
Main target audience: programmers who wish to learn/review application security fundamentals.
|raise programmer awareness by delivering quality content open to all||They did not pick an open source license so I asked them to choose one as I cannot set up a project that has not chosen a license. They chose: GNU Lesser General Public License. They want to make sure that no-one edits their work. Anyone can use it, but no one should edit their platform. I suggested they use another license as GNU might not cover this, and I let them know that we would not be able to police their work in this way. They would have to manage/communicate their desires to the community. Project Successfully Set up. November 15, 2012|
|11/8/2012 19:56:20||JSON Sanitizer||Code Library Project||Mike Samuel||email@example.com||A JAR library||As described at http://code.google.com/p/json-sanitizer/|
Given JSON-like content, converts it to valid JSON.
This can be attached at either end of a data-pipeline to help satisfy Postel's principle:
be conservative in what you do, be liberal in what you accept from others
Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use.
Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML.
|The project has been implemented and is usable in its current form. I expect to respond to feature requests on an interrupt basis. Over the next year, I hope to identify 2 or more co-maintainers for the project and bring them up to speed at which point the project should be self-sustaining in my absence.||Mike_Samuel||Project Successfully Set up. November 14, 2012|
|11/20/2012 13:14:54||WASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC)||Documentation Project||Creative Commons Attribution License 2.5||Ofer Shezaf||firstname.lastname@example.org||A document in several formats including PDF and HTML versions||WAFEC provides interested parties, including users, vendors and 3rd party evaluators, with a tool to define, learn about and evaluate the suitability of different WAFs for their needs.||This is an established and highly used project which issued its first release in 2006. We are currently working on version 2, and still have not set a delivery date.||This entry is intended to make WAFEC a joint WASC/OWASP project as discussed previously. Please do not prepend OWASP to the name. I already put the name as "WASC/OWASP...." to reflect our understanding.|
More information on the project can be found here: http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria
|Oshezaf||(Having trouble setting up the mailing list. Have to ask IT for help. Nov 22 2012) (Project Successfully set up. November 26, 2012)|
|11/25/2012 23:31:01||SamuraiWTF||Tool Project||GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)||Kevin Johnson and Justin Searle||email@example.com||m33as||Live Linux DVD for Web Pentesting||The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications.||We've been a project since July 2008 and have had around 12 releases. We try to release every 3-4 months. Our current stable branch is 2.x. You can download the latest release at http://www.samurai-wtf.org .||meeas||(Having trouble setting up the mailing list. Have to ask IT for help. I am in the process of getting a new admin password. Dec 04 2012) (Project Successfully set up. Dec 04, 2012)|
|11/27/2012 18:22:53||DTV||Tool Project||Prasanna||firstname.lastname@example.org||web application||web application||web application|
|12/1/2012 22:55:33||Security Research and Development Framework||Code Library Project||GNU GPL v2||Amr Thabet||email@example.com||source code, executable dll, PDF documentation for it||This is a free open source Development Framework created to support writing security tools and malware analysis tools, and to convert security research and ideas from the theoretical approach to the practical implementation.|
This development framework was created mainly to support the malware field, to create malware analysis tools and anti-virus tools easily without reinventing the wheel, and to inspire innovative minds to write their research in this field and implement it using SRDF.
In the last several years, the malware black market has grown widely. Statistics show that the number of new viruses has increased from 300,000 viruses to millions and millions nowadays.
The complexity of malware attacks has also increased from small amateur viruses to stuxnet, duqu and flame.
The malware field is searching for new technologies and research, searching for a united community that can withstand these attacks. And that’s why SRDF
The SRDF is not and will not be developed by one person or a team. It will be developed by a big community that tries to share their knowledge and tools inside this Framework.
SRDF is still not finished … and it will not be finished, as it’s a community-based framework developed by the contributors. We have just begun the idea.
The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.
Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.
In User-Mode part, SRDF gives you many helpful tools … and they are:
• Assembler and Disassembler
• x86 Emulator
• PE Analyzer
• Process Analyzer (Loaded DLLs, Memory Maps … etc)
• MD5, SSDeep and Wildlist Scanner (YARA)
• API Hooker and Process Injection
• Backend Database, XML Serializer
• And many more
In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features:
• Object-oriented and easy to use development framework
• Easy IRP dispatching mechanism
• SSDT Hooker
• Layered Devices Filtering
• TDI Firewall
• File and Registry Manager
• Kernel Mode easy to use internet sockets
• Filesystem Filter
The Kernel-Mode part is still in progress and many features will be added in the near future.
Do you benefit from this framework and want to give something back?
Do you want to add something to your CV?
Do you want to meet smart developers and join a big community?
Do you want to learn new things?
Here is the place … join the development community, meet new smart people and have fun.
To do list:
Here is what we wish to finish in the next 12 months ... the 6-month plan is still not finished (it will be cut from the 12-month plan).
a. XRAY Tool
b. Heuristics Analysis
c. Behavior-based Detection Tools.
d. More File Formats (PDF, apk, …)
e. OpenSBI and other Virus Classification File Formats
f. Sandboxing Mechanism.
i. Using API/ SSDT Hooking
ii. Emulation Based on Pokas Emulator.
g. Update System with Flexible Mechanism
2. Malware Analysis:
a. SSDT Hooking for (Processes, Files, Registry and Sockets System Calls)
b. API Hooking (for the same as above)
c. Improvement in Pokas Emulator, Assembler and Disassembler
d. Packet Capturing Tool and Emulated IRC and HTTP Connection (Server emulate the replies to the malware and log the data)
e. Recursive Disassembler
f. More APIs Emulation in Pokas x86 Emulator
g. Support more Instructions (All FPU instructions, All general purpose instructions and support mmx and 3dnow)
h. Support idb (IDA Pro Database) to read it and use its analysis
I’m aiming to create a database for all static unpacking codes for the mostly common unpackers and I hope it could be updated by the community
a. Integration into IDA Pro Plugin Interface … and in (Debugger Menu)
b. OllyDbg Plugin Interface
c. Ollyscript Executer on cDebugger
d. Metasploit Integration (in Meterpreter Post Exploitation)
e. Python, Ruby, Delphi Header files and cTypes for SRDF.dll
a. Support NDIS, kernel sockets and more new libraries
b. Process Analyzer in Kernel-Mode
c. Packet Capturing Library
d. More Debugging and Bug fixing
a. We need to build website.
b. We need activities for learning.
c. We need more documentation and tutorials
d. We need more helpful tools and applications based on SRDF
|The source code and the documentation are at: http://code.google.com/p/srdf||Project Successfully Set up. December 10, 2012|
|12/3/2012 15:23:05||OWASP Press||Documentation Project||CC-BY-SA||dennis||firstname.lastname@example.org||Creation of the OWASP Press publication system||The OWASP press is a pattern for massive community collaboration on OWASP documentation projects with just-in-time publication.||The project is largely a publication framework and methodology at this juncture. In the future, I should like to have all OWASP documentation projects successfully open to massive community participation, authoring and just-in-time publication.||User:Dennis_Groves||Project Successfully Set up. December 10, 2012|
|12/11/2012 7:11:54||Merlin||Code Library Project||email@example.com||n/a||n/a||n/a|
|12/12/2012 13:03:10||CISO Survey||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Tobias Gondrom||firstname.lastname@example.org||NA||The CISO Report||CISO Survey and later the CISO Report on Application and Information Security trends. |
Also providing input and data for the CISO guide.
|Dec 2012: Send out Survey|
Feb-15, 2013: Close Survey
Mar 2013: analyze data and write report
Apr 2013: finalize CISO report
|tgondrom||Project Successfully Set up. December 19, 2012|
|12/13/2012 21:35:56||Application Security Guide For CISOs||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Marco Morana||Marco.email@example.com||Yes, the deliverable will be a guide on wiki as well as PDF||The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business cases for investing in application security following with the awareness of threats targeting applications, the identification of the economical impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks, the adoption of secure software development processes and maturity models and we conclude this journey with the selection of metrics for reporting and managing application security risk. More info about this project can be found in the introductory page of the guide https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs||This project initiated as unofficial project in 2011. In Q4 2012 the project has been rebooted as it was selected among the project reboot in 2012 https://www.owasp.org/index.php/Projects_Reboot_2012|
As of 12/12/2012 the roadmap for completing this project is the following:
1) beta status, that is all chapters of the guide completed by end of Q4 2012
2) revision to include feedback from CISO's survey by the end of Q2 2013
3) final revision to reach release ready status in Q3 2013
|This project is developed in parallel with the CISO 2013 survey https://www.owasp.org/index.php/Industry:GIC_CISO_Survey_2013||Marco-cincy||Project Successfully Set up. December 19, 2012|
|12/14/2012 6:15:45||Medical warehouse||Documentation Project||Dhanashri Joshi||firstname.lastname@example.org||Publicity of the project||A warehouse is a commercial building for storage of goods. Warehouses are used by manufacturers, importers, exporters, wholesalers, transport businesses, customs, etc. They are usually large plain buildings in industrial areas of cities and towns and villages. They usually have loading docks to load and unload goods from trucks. Sometimes warehouses are designed for the loading and unloading of goods directly from railways, airports, or seaports.||Planning|
Research And Analysis
|This is not a real application. December 19, 2012|
|12/17/2012 23:00:41||O-Saft||Tool Project||GPL v2||Achim||email@example.com||.tar .tgz .zip||This tool lists information about a remote target's SSL certificate and tests the remote target's SSL connection according to a given list of ciphers and various SSL configurations.|
----- Not part of the brief description, but to get the idea:
The tool currently combines the functionality of some existing tools (sslscan, ssltest.pl, sslaudit.pl, sslyze, ...). It's prepared to make more intensive tests; that's where I expect help from the community.
|* review the code (technically, note that it is a testing and not a security tool)|
* add proper metric for risks rating
* add missing functionality
* encourage other admins and developers to fix their SSL issues ;-)
|I'd like to omit the OWASP in the project name for the following reason:|
I was trying over a period of time to find a proper name for the tool. As we all know, the name should best match the tool's purpose and most people like sexy
Having this in mind, my first approach was: OWASP yeast - yet another ssl tool - but I discarded it 'cause yeast may have cultural impacts and the acronym sounds a bit negative (yet another ...).
Finally I found: O-Saft - OWASP SSL audit for testers
Auditing is what the tool does, and it will be used by pen-testers.
O-Saft is the common German term for orange juice. It has (hopefully) no cultural impact (like yeast, or alcoholic drinks;-) and already contains OWASP.
So please omit the OWASP prefix to avoid tautology ;-)
I'm used to OWASP's project pages and will update the project template myself, adding proper information about downloads, docs, descriptions, roadmap, etc., etc. ...
|firstname.lastname@example.org||Project Successfully Set up. December 27, 2012|
|12/21/2012 10:55:15||demo||Code Library Project||abhishek email@example.com||a PDF document, an executable binary, a printable worksheet, a DLL or JAR library, a packaged VM, an ISO file, etc.||This description will be used to summarize your project on the OWASP Projects Portal. This description is meant to be a very quick overview (250 character limit) of your project that let's a consumer walk away with a "sense" of your project. Short concise descriptions are easily processed and skimmed by OWASP consumers and help generate genuine interest in a project. A more thorough explanation of your project can be provided in the Additional Comments field below.||The purpose of the roadmap is to help others understand what your vision for the project is and where the project is going. It gives the community a chance to understand the context and the goal of the project. Additionally, if a project becomes inactive or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership. Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Therefore, the GPC encourages projects to take the project roadmap seriously. Some details that leaders may consider placing in the roadmap include envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc.|
|1/3/2013 13:27:04||Crowdtesting||Tool Project||GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces)||Thomas Kalamarisfirstname.lastname@example.org||A list of participants for project allocation||The project will try to promote the idea of crowd-testing combined with crowd-sourcing capabilities. We suggest the creation of a dynamic team of security testers specialized in application security testing that can test online web applications upon request. The web applications will be defined as projects and the team of testers will start the security testing. The team will use the tools that have been developed by the OWASP community but using custom-made tools is highly encouraged. As a result the consumer will have either a proof of concept that his application complies with the OWASP principles of secure coding or a list of potential threats due to discovered security flaws. Currently the application owners have access to this kind of security services via companies like Passbrains, utest etc.||The milestones of the project could be as follows:|
1. Deliverable definition by the end of February
2. First deliverable for test by the end of June
3. Project demonstration by the end of September 2013
4. Project end at the end of 2013.
|Project Successfully Set up. January 11, 2013|
|1/9/2013 13:17:35||OWASP Security Tools||Code Library Project||Aleks||email@example.com||OWASP Security Tools||OWASP Security Tools||OWASP Security Tools|
|1/15/2013 20:34:09||Embedded Application Security||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Aaron Weaverfirstname.lastname@example.org||Top 10 List of Embedded Risks||Each year more consumer devices are wifi capable with many devices containing an embedded web server. The Internet of "Things" will push the number of internet capable devices into the billions. Research has shown most devices have little to none in the way of secure programming. |
There are many challenges in the embedded field including limited memory, a small stack and the challenge of pushing firmware updates.
The goal of this project is to identify the risks in embedded hardware applications, create a list of best practices and draw on the resources OWASP already has and bring that to the embedded world.
|1. Reach out to embedded developers and build a community to start talking about security challenges in embedded development.|
2. Create a list of the top risks in embedded hardware. (Similar to the mobile risks lists.)
3. Create cheat sheets or best practice guides.
4. Guide for testing embedded applications.
|aaron.weaver2||Project Successfully Set up. January 26, 2013|
|1/17/2013 16:22:37||OpenStack Security Project||Tool Project||Matt Tesauro||email@example.com||mtesauro||Testing methods and tools for assessing OpenStack source and installations||The OWASP OpenStack Security Project is an effort to provide security testing techniques and tools to assess the security of the OpenStack code base. Generally speaking, the OpenStack community is primarily developers of OpenStack and companies which are implementing all or parts of OpenStack. This project provides a bridge between the OpenStack community and the OWASP community of security professionals. The project leader is also a member of OpenStack and is a member of the OpenStack Security Group. OpenStack has the desire to be the Linux of Cloud infrastructure and OWASP can be the community that ensures the security of that Cloud||* Gather interested community members|
* Determine best approach to testing OpenStack
* Determine best environment to test OpenStack
* Develop tools/techniques to test OpenStack and document them
* Start testing and reporting any issues to OpenStack
|This is a multifaceted project - I expect it's a combination of documentation, tools, possibly security libraries for OpenStack testing as it's a completely green field. There are very few or no community members in OpenStack that have a security background and it occurs to me that joining OWASP & OpenStack is a no brainer.|
Feel free to ping me if you have questions.
|mtesauro||Project Successfully Set up. January 24, 2013|
|1/23/2013 6:48:29||Leave Manager||Tool Project||firstname.lastname@example.org||web application||This application helps employees of an organisation to apply for future leaves.|
Admin can add or delete accounts using the application.
Super user can allow or disallow requested leaves.
|milestones: developing demo UI layout, developing database schema, implementing project, testing|
duration : 6 months
|Project Successfully Set up. February 05, 2013|
|1/24/2013 19:11:41||Desktop Goat and OWASP Top 5||Tool Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||DigitalBodyGuard||email@example.com||Mantra OS||OWASP Top 5 Desktop and Desktop Goat||OWASP Top 5: Desktop Vulnerabilities; a list of the top 5 vulnerabilities that are faced by desktop applications. |
Desktop Goat; a vulnerable desktop application to demonstrate vulnerabilities for a learning environment.
|1. A synchronized development of the OWASP Top 5 list and Desktop Goat.|
2. Create a bi-annual life cycle of version control.
3. Use OWASP leaders and OWASP community to perpetuate goals.
4. Used both for education and training to further propagate OWASP and OWASP projects. Develop training materials to associate the OWASP Top 5 with Desktop Goat.
5. Create a product that is marketable to enterprise security and security enthusiasts.
6. Presenting at conferences and release to the community.
|The SourceForge ID is just for filing, there will be different ones for the project.|
This will have a heavy focus towards .NET, but will not be limited to .NET.
|Mantra OS||Project Successfully Set up. February 05, 2013|
|1/27/2013 16:38:46||Bricks||Tool Project||Abhi M Balakrishnan||firstname.lastname@example.org||abhi1299||PHP webpages||Bricks, a deliberately vulnerable web application built on PHP & MySQL, focuses on variations of commonly seen application security vulnerabilities & exploits, which can be exploited using tools (Mantra & ZAP). The mission is to 'break the bricks'.||1. Demonstrate maximum variations of most common vulnerabilities|
2. Help people to learn the need of secure codding practices and SSDLC
3. Attract people to design more bricks
4. Become a test bed for analyzing the performance of web application security scanners.
5. Help people learn the manual method of testing the applications
6. Demonstrate the possibilities of various security tools and techniques
7. Become a platform to teach web application security in a class room/lab environment.
|Bricks will have CTF-like levels (but not enforced) and each level adds complexity by applying new filter mechanisms. The mission is to break each brick.||Abhi_M_Balakrishnan||Project Successfully Set up. February 05, 2013|
|2/7/2013 5:23:09||MyTest||Code Library Project||Danish||email@example.com||DLL||This is my first test owasp project.||This is my first test owasp project.|
|2/12/2013 21:14:53||DependencyCheck||Tool Project||Jeremy Long||firstname.lastname@example.org||JAR file, Maven Plugin, etc.||DependencyCheck is a utility that attempts to detect publicly disclosed|
vulnerabilities contained within a Java project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
|Improve identification of Common Platform Enumeration (CPE) entries to JAR files. The creation of additional Analyzers to scan .NET DLLs and possibly Ruby gemspec files.|
Create a Maven 3 reporting plugin and a Jenkins CI plugin.
|The application is currently out on GitHub: https://github.com/jeremylong/DependencyCheck|
I'd like to move this to an OWASP project to 1) increase awareness of the tool and 2) hopefully find others to contribute new analyzers to the project.
|jeremy.long||Project Successfully Set up. February 27, 2013|
|2/21/2013 15:35:58||SCADA Security Project||Documentation Project||Andrey Komarov||email@example.com||PDF, tar.gz, rar||The primary aim of the OWASP SCADA Security project is to gather information about different ICS/SCADA security threats related to WEB-applications and their environments, starting from the reconnaissance (“footprinting”) stage to vulnerabilities exploitation.|
- to make ICS/SCADA developers aware of security vulnerabilities by providing information about WEB-application vulnerabilities found in software and firmware of famous vendors;
- to create and publish freeware and open-source tools for ICS/SCADA security assessment written in scripting languages.
03.2013 – to create a “SCADA footprinting” cheat sheet;
05.2013 – to create an “RTU & ICS telemetry devices footprinting” cheat sheet;
07.2013 – to create an open-source footprinting library or tool;
09.2013 – to create a prototype of an IDS/IPS system for WEB-application threats related to ICS/SCADA, to formalize attack patterns;
10.2013 – to create a library of an IDS/IPS or honeypot system for WEB-environments acting as a honeypot on standard WEB-servers for malicious activity detection and prevention;
12.2013 – to create a Hardening Guide for the most popular WEB-application front-ends and server-side applications written in scripting languages used in ICS/SCADA of famous technological vendors;
01.2014 – to create a cyber intelligence module for ICS/SCADA/RTU WEB-applications detection, to improve the “SCADA footprinting” and “RTU & ICS telemetry devices footprinting” cheat sheets.
|12837||Project Successfully Set up. March 01, 2013|
|2/23/2013 17:51:08||PHPRBAC||Code Library Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Abbas Naderi||firstname.lastname@example.org||abiusx||A PHP library||check phprbac.net||check phprbac.net||Abbas Naderi||Not a complete application. (March 01, 2013), Abbas has given me the information I need to proceed with his application. Project Successfully Set up. March 06, 2013.|
|2/25/2013 11:36:28||Cornucopia||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Colin Watson||email@example.com||Tomorrow||Cornucopia is a card game used to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories. An edition for ecommerce websites exists and alternative versions are planned.||1. Issue v1.0 (ASAP because the document is referenced by the PCI SSC)|
2. Create a document with numbering for SCP
3. Create framework-specific card deck guidance
4. Apply for design/printing support
5. Create non e-commerce versions (e.g. mobile, SCADA)
|The current version of the ecommerce website edition is a file here:|
This is just one flavour of Cornucopia - there will be others.
|clerkendweller||Project Successfully Set up. March 05, 2013|
|2/26/2013 14:37:48||Development of security framework based on Owasp Esapi for JSF2.0||Code Library Project||Rakeshkumar||firstname.lastname@example.org||email@example.com||.jar file||Modern web application frameworks have made it easy to develop high quality web applications, but developing a secure application still requires programmers to possess a deep understanding of security vulnerabilities and attacks. Sometimes it is difficult for an experienced developer to find and eliminate all the vulnerabilities. This demo represents the JSF-ESAPI framework based on JSF2.0 and OWASP ESAPI. It helps developers write a secure and lower-risk JSF-based web application with minimal configuration and without extensive prior knowledge|
of web security. The figure below shows a complete integration of the JSF-ESAPI framework with JSF2.0 and ESAPI. It works as a middleware and consists of four important modules. ESAPI Validation is the first module, which verifies the user input as given in the XSS prevention cheat sheet provided by OWASP. It consists of many user-defined validator tags and generates appropriate error messages if the user input is not valid. In this way it performs a strong validation.
There are also some tags available in the correspondence validators in ESAPI, and they also filter the XSS relevant code from the input. The file-based authorization module simplifies the user’s role, such as admin, user, etc. and gives the permission to visualize certain components at the
presentation layer based on assigned roles. ESAPI Filtering layer compares the valid form token with tokens stored in the session for that user. If the token is mitigated or changed by man in the middle during the process of a request-response exchange, it will give the appropriate exception.
The last module is a render module, which renders the output after filtering the XSS content and encodes the vulnerable characters such as <,>,”,’ etc. as given in the XSS prevention cheat sheet provided by OWASP.
[JSF-ESAPI Complete Architecture]
This framework will help developers to prevent a myriad of security problems including cross-site scripting, cross-site request forgery, automatic input validation, and automatic output
validation with escaped “true” or without this parameter, and authorization. All the features are included in one framework.
(1) It requires minimal configuration to use the framework.
(2) It ensures retrofit security in the existing application.
(3) It provides the same performance as JSF framework.
(4) Automatic filtering of the XSS vulnerable code from output takes place when escape equals “true” or “false”.
(5) The input validation is easy and no additional coding is required.
(6) It has a layered architecture. It uses what you need and leaves what you don’t need at the moment.
(7) One framework includes the most secure features.
I have already presented this work at OWASP AppSec 2012 in Athens, Greece. I would like to continue work in this area. Actually, this topic has really inspired many security experts.
Thank you so much and looking forward to getting a response.
|firstname.lastname@example.org||Need more information. Waiting on Rakesh to reply (March 7, 2013), Successfully set up (March 11, 2013)|
|2/28/2013 17:53:51||Secure Application Design||Documentation Project||Ashish Rao||email@example.com||Presentations, Videos, Checklist and Insecure Demo Application||Design level flaws are lesser known concepts but their presence is a very big risk to the applications. Such flaws are hard to find in static or dynamic application scans and instead require deep understanding of application architecture and layout to uncover them manually.|
Design level security is crucial and must be adopted at an early stage of application development to build a robust system. Thus the aim of this project is to impart secure design guidelines to application developers. The project will highlight vulnerable areas in application designs through real world examples and scenarios and touch up on different aspects of design level security. The focus will also be to explain measures to be taken to prevent such flaws while designing applications.
The guidelines will cover core design concepts which are applicable to any application independent of the platform.
Most of the design flaws will be discussed using sample code incorporated in an insecure design application. The project will also focus on releasing a secure design checklist for reviewing application designs or threat modelling them.
|1. To discuss and uncover different aspects of design level security and release a comprehensive guide on secure design (independent of the platform)|
2. Incorporate all the flaws in the existing insecure design application
3. Gradually discover and build secure design guidelines for different known design frameworks like Spring etc.
4. Build a secure design guideline for different types of applications like thick clients, mobile applications.
|This project will release a sample web application code along with the documents. So it is a mix of documentation and code library project. |
We can also look at releasing the Insecure design application as a model to learn secure design concepts.
|Project Successfully Set up. March 07, 2013|
|3/1/2013 17:24:13||Owasp Hive||Tool Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Jason Johnson||firstname.lastname@example.org||cptplastic||2mo||OWASP HIVE|
We have a hive network that hosts a dashboard with the attitude of the hive and the Internet by using data mined from Twitter and others. Maybe we can incorporate tools like ZAP or any of the others into this. The thing is we sell this not to make money but to establish a statistics- and data-rich network. The fact that it costs $35, with a case that has a WASP on it maybe a bit more. With the push of global security of our assets there is not a better time. I would not ask any other group but OWASP; this foundation is the smarts of the net. We can make something that is both supportive of our cause and a huge data-rich Internet HIVE that, if it's kicked, we know why.
|Test PI with different config (auto)|
Test Twitter API
Test other applications
|Jason Johnson||Project Successfully Set up. March 07, 2013|
|3/2/2013 11:02:42||Barbarus||Code Library Project||Nebrass Lamouchi||email@example.com||An Enterprise Java Application (EAR)||My project offers a new mechanism of authentication in web applications. This mechanism will be very easy and comfortable to use for the application's users and it will be very easy to integrate for the application developers.||Phase 1: Modelling and specification - 2 Weeks|
Phase 2: Java Implementation : JPA/EJB/REST/JSF - 1 Month
Phase 3: RealWorld Test - 1 Week
Phase 4: Validation - 1 Week
|Project Successfully Set up. March 12, 2013|
|3/5/2013 16:23:59||Droid fusion||Tool Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Nikhalesh Singh||firstname.lastname@example.org||nikhaleshsingh||ISO||droidfusion is a platform for Android mobile or any other mobile for doing malware analysis, development, application pentesting and forensics; you can use it in any mobile security research. If you have droidfusion you don't need to worry about finding tools; there are more than 60 tools and scripts and it's free.||My plan for this project is to make a forum for supporting users and also provide documents and screencast videos so they learn more and more, so even a noob can do mobile security research. Many more plans will enhance it.||Project Successfully Set up. March 19, 2013|
|3/8/2013 21:46:11||iSABEL Proxy Server||Tool Project||Eurojee Jarina||email@example.com||executable JAR file||Recent research taken from leading network security solution providers shows that traditional firewalls focus their security mainly around the ports and protocols, which is the packet headers and not the actual data content known as the packet payload. Packet headers only contain basic information like source and destination address, which is very unreliable when it comes to identifying potential threats, attacks, and malicious activity.|
The idea of the project is to gain a deeper knowledge about securing web applications from different threats and attacks coming from external sources; this can be achieved by developing intermediary software that runs between the client and the server. This intermediary software will be based on a proxy server that will be implemented on layer 7 (Application) of the OSI model (Open Systems Interconnection), and its function is to accept network traffic from different clients trying to access resources from the web server; once the client has successfully established a connection, the proxy will inspect all incoming network packets coming from the clients for malicious parameters and files such as viruses, worms, and trojans.
> The proposed project should be able to work under the seventh layer of the OSI model (Open Systems Interconnection).
> The proposed project should be able to function with application protocols such as HTTP, SMTP and SOCKS.
> The proposed project should be able to establish a secure connection between the client and the server.
> The proposed project should be able to analyse inbound and outbound traffic once successfully connected.
> The proposed project should be able to allow and block requests sent to the web application, which involves thorough HTTP request inspection.
> The proposed project should be able to filter URLs, such as the parameters, detecting any malicious parameters that a user entered; for instance, a cross-site scripting (XSS) attack is implemented by changing parameters in the URL.
> The proposed project should have the ability to log, monitor and report suspicious and malicious requests.
> The proposed project should be able to integrate Deep Packet Inspection (DPI) for a deeper inspection of the packet payload.
> The proposed project should be easy to use and user friendly, in which it will include a robust and stable on-box visualization.
|Eurojee Jarina||Project Successfully Set up. March 19, 2013|
|3/15/2013 16:57:19||Top 10 fuer Entwickler||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Torsten Gigler||firstname.lastname@example.org||Wiki|| ==Top 10 fuer Entwickler (Top 10 Developer Edition in German)==|
The objective of the '''project''' is to add ''' ''Good Practices'' (like the Cheat Sheets)''' to the '''OWASP Top 10'''. Its aim is to bridge the gap from awareness and theoretical knowledge to effective know-how to build good programs. It is written in German to make it easier for German developers to use it. We will take care to make a migration to other languages easy.
|In process: Start with the wiki on base of OWASP Top 10 - 2010 and existing Cheat Sheets.|
2013-Aug-20: To have at least a beta version ready.
When there is a German translation of the OWASP Top 10 - 2013, it will be integrated.
|We already started the Wiki.|
- You find the Project Details here (most of it in German language):
- The Wiki starts here:
|T.Gigler||Project Successfully Set up. March 25, 2013|
|3/26/2013 12:12:58||RailsGoat||Tool Project||Ken Johnson||email@example.com||Don't use SourceForge. GitHub is: cktricky||GitHub Repo - Master Branch||This is a Rails application which is vulnerable to the OWASP Top 10. It is intended to show how each of these categories of vulnerabilities can manifest themselves in a Rails-specific way as well as provide the subsequent mitigations for each.||Initial Release - April 8th|
Documentation - April 8th
Call for review - April 9th
Open to improvements from that point forward
|None||Project Successfully Set up. April 01, 2013|
|4/3/2013 0:55:32||Projeto Emerson||Code Library Project||Emerson Shigueo Sugimoto||firstname.lastname@example.org||surfx||surfx||surfx surfx surfx||surfx surfx surfx surfx||surfx surfx surfx||surfx||(April 05, 2012: Not a real application)|
|4/4/2013 22:23:31||Good Component Practices||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Mark Miller||email@example.com||Documentation for a series of best practices when creating and using open source components||Good Component Practice is one of the most overlooked silver bullets in the Open Source arsenal. Because of business pressure, we have found that companies are willing to risk using unverified open source components, trading off security for enhanced speed in development.|
This project will use community input to document an industry acceptable process for the creation, maintenance and use of open source components.
|I am still working on the roadmap, but will include it as part of the documentation.||Project Successfully Set up. April 17, 2013|
|4/10/2013 17:26:41||Bywaf||Tool Project||Rafael Gil Larios||email@example.com||https://sourceforge.net/p/bywaf||executable binary||Develop an application that speeds up an auditor's work when doing a PenTest; its main function is to "detect, evade and give a result (vulnerability)" using known code injection methods and others developed by the members over the course of their professional careers.||Beta version October 2013||Project Successfully Set up. April 17, 2013|
|4/11/2013 13:42:29||=S.T.I.N.G= Project||Tool Project||MIT License||Lutz Wischmann||firstname.lastname@example.org||lwischmann||WAR (Web Application Archive)||The OWASP =S.T.I.N.G= is a tool used for creating project specific security/privacy requirement catalogues by selecting from a huge set of potential requirements, policies or best practices. It acts as a kind of questionnaire and will generate a list of requirements and/or policies which are relevant for the project's context.|
Security Requirements Management Questionnaire Repository
Filter Set & Rules for Policies, Standards, Guidelines, Procedures
Context : Tool within an Information Security Policy Framework
M1 : Light-weight web application for creation, managing and filtering within a security requirement database. Includes Questionnaire and Rule-Engine.
M2 : Import/Export modules for standard or commonly used security requirement catalogues as PCI/DSS, NIST, BSI Grundschutz, BDSG etc.
V1 : Central repository of security requirements managed by an open source community.
|Each (web-)application operates within its specific security context. Normally, there are dozens or hundreds of potential requirements, policies, guidelines or best practices available - e.g. classified within a policy framework. As the number of potential requirements grows, it will be a complex task for a specific project to identify only the relevant requirements.|
=S.T.I.N.G.= acts upon a configurable policy and requirement database of all potential requirements. It allows the configuration of questionnaires or templates and uses a rule engine to identify only the relevant requirements to generate a project specific checklist.
|Lutz Wischmann||Project Successfully Set up. April 17, 2013|
|4/15/2013 20:15:51||Web Application Security Quick Reference Guide||Documentation Project||GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces)||Marek Zmysłowski||email@example.com||This will be a simple checklist for web applications. The unique feature of this project is that all checks will be simple and can be checked by a particular test case. It is simple, but from my experience can be very informative and useful for testers and coders.||Provide the first version of the checklist ASAP. I already have a draft version. Then it will be modified by users (I hope).||Project Successfully Set up. April 22, 2013|
|4/15/2013 20:35:40||Application Fuzzing Framework||Tool Project||Marek Zmysłowski||firstname.lastname@example.org||Python Scripts||The framework will be used to fuzz applications in the Windows environment. It will have a couple of modules. Two main modules will be for file fuzzing and DLL fuzzing. Very wide configuration to allow lots of fuzzing possibilities.||First release will be the DLL fuzzing module.|
Another module will be the file module that will run simple tests.
Another release will be with a more advanced file module.
|There is no good, free fuzzing framework for DLL files.|
The fuzzing frameworks for files don't have appropriate options to suit all needs.
|Project Successfully Set up. April 22, 2013|
|4/16/2013 16:10:36||Security JDIs||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||Edwin Aldridge||email@example.com||Worksheets||A project to build a library of concise, actionable, technology specific instructions detailing good practice on avoiding or closing specific vulnerabilities.|
Security HOWTOs for people who may not have time to study a problem in depth but need to secure their application.
|Setup (April 2013)|
Establish a wiki (April 2013)
Define a format for JDIs
Define editorial and review process
Start a technology and vulnerability tags list
Draft JDIs in three or more fields and solicit review
Feedback pages for requests, comments
OWASP engagement (May 2013 onwards)
Outreach to other OWASP projects, especially AntiSamy, ESAPI, CSRFGuard, HOWTOs
solicit collaboration: contributions and review
External engagement (May 2013 onwards)
Outreach to industry contacts for requests and feedback
solicit requests and collaboration/feedback in testing
Stock Take Review (August 2013)
Assess take up - way forwards
|Experience shows that, although there is much, high quality advice available on the subject of secure development, development teams often need much more specific help, partly because of time and resource pressure, and partly because security is an area characterised by pitfalls for the unwary where hasty fixes can be ill advised.|
Producing standardised, actionable and testable documentation would provide 'customer focus' for Defender projects and help their promulgation.
|Edwin Aldridge||Project Successfully Set up. April 22, 2013|
|4/16/2013 16:40:34||Scytale||Tool Project||Modified BSD, 3-clause License (we recommend you consider Apache 2.0 instead of this license. It is more up-to-date and provides a little more protection from software patent lawsuits)||Maxime Labelle||firstname.lastname@example.org||it is already released||NoSQL crypto proxy for modern DBMS and web applications.|
Supports multi-recipient and group encryption. Loaded
with a strong RSA/AES cryptosystem.
Scytale sits between your web application and your
favorite DBMS and performs encryption and decryption
of your web application data. Scytale stores the
encrypted data inside your preferred DBMS for storage.
Its design is secure, well planned and made to provide
developers with a solid method for integrating strong
cryptography inside web applications using NoSQL-like
|Roadmap includes; new DBMS support, performance, fine tuning||It tackles real-world encryption and web application|
security problems such as :
1) Admin accounts that need to have access to another
encrypted user's data without both users knowing
each other's passwords (multi-recipient encryption)
2) Changing a user's password without having to
re-encrypt all the data.
3) Not using a global key that could be compromised
4) No need to store any passwords or any encryption
key that could compromise the encrypted data in
plain-text inside the web application's code or
anywhere in the database, not even hashes.
5) Provide a method to reset a user's private
key password without having to re-encrypt or lose
the data, in case of a lost password, and without
keeping any copy of that user's password anywhere inside
6) Provide a secure database even if the DBMS login
is compromised (i.e. PHP script client password). If
the database connection password, which is in the web
application source code, is compromised, it does not
compromise the encrypted data because that password
is not used for data encryption.
7) Provide a method to safely authenticate web
application users without having to store the
user password or password hash in a cookie and
still be able to maintain an authenticated session.
8) Provide built-in easy PKI management for your
|Project Successfully Set up. April 30, 2013|
|4/19/2013 15:43:15||iMAS - iOS Mobile Application Security||Code Library Project||Gregg Ganley||email@example.com||downloadable security controls from Github||iMAS – iOS secure application framework to reduce iOS application vulnerabilities and information loss|
iMAS and its first open source static security controls for download and use in iOS applications. Visit and browse our project to find out more; download and give it a try. Once you do, tell us what you think or better yet, get involved and participate!
iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the System Passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques.
|We plan to continue researching iOS application level security controls until a considerable amount of the OWASP mobile top 10, OWASP top 10 criteria/risks along with other known iOS application vulnerabilities are mitigated.||Project Successfully Set up. April 30, 2013|
|4/25/2013 10:23:10||Testdemo||Tool Project||Neha||firstname.lastname@example.org||it's a web site that I am testing for my learning||learning||Neha Gupta||(April 30, 2012: Not a real application)|
|4/30/2013 20:24:02||WS-Amplification DoS||Tool Project||Thomas Vissers||email@example.com||thomfish||Executable binary; PDF document||The project aims to explore the threat of an Amplification DoS attack that utilises webservices.|
Currently, DNS servers are widely misused to amplify DoS traffic. This is called a DNS Amplification or Reflective attack. Read more about it in this article: http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack.
It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse. (http://www.fim.uni-passau.de/fileadmin/files/lehrstuhl/meer/publications/pdf/Jensen2009a.pdf)
The aim of the project is to develop tools to test this vulnerability and determine the threat magnitude on a global scale.
If necessary, a publication involving awareness and countermeasures will follow.
A - Setting up a tool that can detect this vulnerability
- Finding a way to crawl the net looking for open webservices and test them with the above tool
B - Looking into the different WS implementations and finding out their default WS-Addressing behaviour
* .NET, Axis, Axis2, CXF,...
A - Analyse the results and determine the global threat magnitude
* Average amplification factor, number of vulnerable open webservices,...
B - Determine what adjustments and countermeasures must be taken in order to mitigate the threat
* In the frameworks, external tool?,...
- Bundle all the results and possible countermeasures into a document/article to create awareness
|Thomas Vissers||Project Successfully Set up. May 21, 2013|
|5/1/2013 18:01:36||Mutillidae 2 (Codename: NOWASP)||Tool Project||Jeremy Druin||firstname.lastname@example.org||jdruin||PHP web application||NOWASP (Mutillidae) is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts. NOWASP (Mutillidae) can be installed on Linux and Windows using LAMP, WAMP, and XAMPP for users who do not want to administrate a webserver. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on pre-installed platforms. With dozens of vulns and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.||Mutillidae 2 is currently having enhanced, dynamic user hint systems installed and upgraded. The vision for the hint system is to automatically provide hints on each page based on the vulnerabilities in the page. As browser support for HTML 5 and other features increases, new vulnerabilities will be added.||The current version of Mutillidae, code named "NOWASP Mutillidae 2.x", was developed by Jeremy Druin aka webpwnized. Mutillidae 2.x is based on Adrian "Irongeek" Crenshaw's Mutillidae project which is now referred to as Mutillidae 1.x or Mutillidae classic. Mutillidae 1.x is still available on Sourceforge alongside the current project. Thanks to Adrian for introducing the original Mutillidae.||Project Successfully Set up. May 21, 2013|