Google Summer of Code Wrap up: OWASP

Friday, January 9, 2015

This week’s Google Summer of Code (GSoC) wrap up comes from Fabio Cerullo at The Open Web Application Security Project (OWASP), a charitable organization improving software security across the web.

At OWASP, we were thrilled to be part of GSoC for our third consecutive year. Our interaction with students and universities across the world has skyrocketed since we began participating in the program. In 2014, we received more than 90 proposals. We were able to accept 16 students who worked on a diverse range of application security projects. Below, we highlight a few of these.

SeraphimDroid: Before GSoC, SeraphimDroid was a research project aimed at educating end users about risks and threats coming from other Android applications, and we had not given much thought to its interface. Furquan Ahmed implemented a modern user interface which is nicely integrated with existing features. Also, Furquan proposed and implemented several new features like alarming, an application locker, and geo-fencing. His work is now part of the latest release.

OWTF: The OWASP OWTF (Offensive Web Testing Framework) project began by applying chess-playing techniques to penetration testing (“pentesting”). We hoped this would help address the problem of pentesters rarely having adequate time to test systems. Several GSoC students this summer wrote code for new features included in our 1.0 Lionheart release. Tao Sauvage implemented Automated Rankings, which helps users identify more serious vulnerabilities. Anirudh Anand developed a passive online scanner with flexible mapping and a templating engine. Deep Shah integrated OWTF with Mozilla Zest support and OWASP ZAP. Marios Kourtesis developed a Web Application Firewall (WAF) bypasser. Finally, Viyat Bhalodia improved the stateful browsing and session management of the tool.
There’s more information (including videos) about all the new features on the official release page.

Hackademics: The OWASP Hackademic Challenges project allows users to learn more about pentesting through simulated attacks in a safe and controllable environment. One of the students, Bhanudev Chaluvadi, wrote 20 new challenges covering a range of topics such as buffer overflows, injection attacks, regex bypasses, brute forcing, and some cryptography breaking. He also improved almost all the existing challenges. Another student, Paul Chaignon, wrote 17 new challenges covering the OWASP Top Ten vulnerabilities and created a score calculator. Last but not least, Subhayan RoyMoulick created 9 intermediate-level cryptography challenges which include common attacks on RSA implementation vulnerabilities, frequency analysis, man-in-the-middle, and one-time pad attacks. All the students actively participated in the community, proposing solutions to known problems or finding bugs we missed (and often fixing them).

CSRF Protector: This year, GSoC allowed OWASP to create a new project to address Cross-Site Request Forgery attacks: CSRF Protector. Minhaz A V proposed the project and implemented it as a PHP library and an Apache HTTPD module. CSRF Protector complements OWASP’s preexisting CSRFGuard for Java web applications and greatly expands the types of projects OWASP can help protect from CSRF vulnerabilities.

GSoC is a great program that benefits students, open source projects, and mentors. It also helps the industry by giving students the opportunity to work on real-world problems with highly experienced professionals. For many students, this will be the starting point for successful careers in the computer industry. I would like to invite all students interested in open source and application security to get involved with OWASP projects and subscribe to our OWASP GSOC mailing list.

By Fabio Cerullo, OWASP Organization Administrator