Google Summer of Code 2016


psiinon

Feb 2, 2016, 12:58:50 PM
to OWASP ZAP Developer Group
Both OWASP and Mozilla will be applying to take part in Google Summer of Code 2016.
If (and it's by no means certain) either organisation is accepted, what ZAP projects would you like to see take part?
We've had some really great functionality implemented by students in previous years, so I think this is another great opportunity.
Oh, and anyone interested in being a ZAP GSoC Mentor?

Cheers,

Simon

johanna curiel

Feb 8, 2016, 8:15:01 PM
to OWASP ZAP Developer Group
Hi Simon

Count on me as Mentor for ZAP ;-).

I think there are so many potential projects that we can take from last year's list.
Remember, Google wants at least 2 unique mentors per project.

Cheers

Johanna

kingthorin+owaspzap

Feb 8, 2016, 9:24:12 PM
to OWASP ZAP Developer Group
I'd be up for co-mentoring, I'm hesitant to fly solo on it but any advice or ideas I could share I'm happy to...esp w/ backup :)

I'm more familiar w/ the code base etc now...

Johanna Curiel

Feb 8, 2016, 10:26:47 PM
to OWASP ZAP Developer Group
Just to clarify, Google requires 2 unique mentors per Google project whether they fall under the same 'project'.
Let's say Kingthorin and I can be mentors of one specific ZAP project idea ==>
https://www.owasp.org/index.php/GSoC2015_Ideas#Advanced_Plug-able_Report_Module
Simon + John Doe of another, etc

You need to provide names of mentors in order to be eligible to participate

Cheers

Kevin W. Wall

Feb 9, 2016, 1:35:45 AM
to zaproxy...@googlegroups.com
Hi Simon,

If the right opportunity comes along, I'd be interested in co-mentoring students for ZAP, but it would have to be something that I think I could actually make a difference at. Honestly, I don't feel I know the ZAP code base nearly well enough to mentor a student from that perspective, but I could add specific subject matter expertise.

I have been mulling over an idea for a ZAP plug-in that would test for, find, and attempt to exploit padding oracle attacks in encrypted parameters, encrypted cookies, etc.

I have some ideas of how to approach this and would be willing to co-mentor on the crypto advisory side (e.g., act as a padding oracle SME), but I would need LOTS of help on the ZAP internals side.

I know of no other FOSS or commercially available DAST product that currently attempts padding oracle attacks, so it would be a feather in ZAP's cap if it would be the first to do so in the general sense. (Duong & Rizzo and a few others have done this for special cases, such as custom scenarios for ASP.NET & JSF, but not for any general case.)

Anyway, I'd like to discuss it with you at some point to see what you think. It might be too ambitious for a 3 month student project, but perhaps we could figure a way to allow intervention of human expertise (e.g., identify the parameters or cookies, etc.) to try to attack rather than attempting to figure that out automatically.

Anyhow, would like to discuss it with you and the ZAP community. If there is no interest, then maybe I'll see if I can come up with something interesting for students to do for ESAPI.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

johanna curiel curiel

Feb 9, 2016, 6:11:06 AM
to zaproxy...@googlegroups.com
Some Reading regarding what is expected from an ideal gsoc project

Keep in mind the goal is about mentoring students.

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

psiinon

Feb 9, 2016, 12:28:00 PM
to OWASP ZAP Developer Group
Thanks to everyone who's volunteered so far!
Please note that you don't have to be an expert on the ZAP code base - those of us who know it better can and will help with that.

Johanna - I'll definitely look at the option of ZAP applying on its own as well as or instead of with OWASP.

Kevin - have you looked at the Padding Oracle beta scan rule? PaddingOraclePlugin.java I didn't write it so have no idea if it's anything like your suggestion ;)

Thanks everyone!

Simon

Kevin W. Wall

Feb 9, 2016, 1:02:38 PM
to zaproxy...@googlegroups.com

Simon,

First, sorry for the top post, but only have my phone to reply on at the moment.

Okay. Well, this is something like what I was thinking of. To be honest, I wasn't even aware of this, so kudos there.

I did just now look through the code though. All this does is *spot* potential padding oracle vulnerabilities, not actually attempt to *exploit* them, which I was also thinking of. Exploiting them could lead to a whole lot of other interesting discoveries.  Still, it is a *very* good start.

This also only looks at encrypted parameters. I suggest extending to look for encrypted cookies as well. And maybe, XML or JSON used with AJAX & web services although that is much less common.

Lastly, the part about looking for an actual usable oracle (the check at line 210 & loop at line 233) is a bit naive and could be embellished a lot, especially to consider timing side-channel attacks.

But yeah, this is a great start and as such it does make it within the realm of possibility for GSoC I think.

-kevin
Sent from my Droid; please excuse typos.


psiinon

Feb 19, 2016, 7:30:05 AM
to OWASP ZAP Developer Group
I've added a set of ZAP projects directly to the OWASP wiki: https://www.owasp.org/index.php/GSOC2016_Ideas#OWASP_ZAP

Any feedback?

Cheers,

Simon

psiinon

Feb 19, 2016, 7:54:29 AM
to OWASP ZAP Developer Group

johanna curiel

Feb 19, 2016, 12:14:40 PM
to OWASP ZAP Developer Group
I would like to participate as mentor through Mozilla, if selected ;-). Feel free to place my name.
I like the project bug tracker support as I feel more familiar with the Add-on code.

Jay Gupta

Feb 27, 2016, 1:42:44 PM
to OWASP ZAP Developer Group

I want to participate as a student. I know C++, PHP and am learning Qt. Can I join?

johanna curiel curiel

Feb 27, 2016, 3:18:34 PM
to zaproxy...@googlegroups.com
Hi Jay,

How are your Java skills? Any experience programming with it?

cheers

Johanna

--
Johanna Curiel 
OWASP Volunteer

Jay Gupta

Feb 28, 2016, 1:29:25 AM
to zaproxy...@googlegroups.com
No sir, unfortunately I have no experience with Java. Is there anything that I can still do? If not, then sir, please refer me to a project/person where I can work.

Thank you so much.

P.S. I can learn Java but I suppose I won't be that good with it.


kingthorin+owaspzap

Feb 29, 2016, 11:16:04 AM
to OWASP ZAP Developer Group
Is there a GSoC site on which I'm supposed to apply as a mentor? Does it open up after the organizations are chosen?

I guess the organization list is announced at 7PM UTC today... https://developers.google.com/open-source/gsoc/timeline

Jay Gupta

Feb 29, 2016, 11:20:06 AM
to zaproxy...@googlegroups.com
Mentor applying time is over now, I guess, and no, the list is not announced yet. It's UTC time. Add or subtract the time from your UTC time. Like I have UTC +5:30.

On Mon, Feb 29, 2016 at 9:46 PM, kingthorin+owaspzap <kingt...@gmail.com> wrote:
Is there a GSoC site on which I'm supposed to apply as a mentor? Does it open up after the organizations are chosen?

I guess the organization list is announced at 7PM UTC today... https://developers.google.com/open-source/gsoc/timeline


kingthorin+owaspzap

Feb 29, 2016, 11:48:06 AM
to OWASP ZAP Developer Group
Sorry I should have been more clear. I know the deadline for mentoring organizations is over. However, in past years individual mentors have been a separate registration (which could also be over).

johanna curiel curiel

Feb 29, 2016, 12:31:25 PM
to zaproxy...@googlegroups.com
Indeed, today they will announce which organisations are accepted at 19:00 UTC, and after, mentors can submit their participation through the Google Melange for that specific organisation and project they wish to mentor.

On Mon, Feb 29, 2016 at 12:48 PM, kingthorin+owaspzap <kingt...@gmail.com> wrote:
Sorry I should have been more clear. I know the deadline for mentoring organizations is over. However, in past years individual mentors have been a separate registration (which could also be over).


kingthorin+owaspzap

Feb 29, 2016, 12:49:37 PM
to OWASP ZAP Developer Group
Ok, thanks, that's the info I was after :)

thc...@gmail.com

Feb 29, 2016, 2:17:24 PM
to zaproxy...@googlegroups.com
Hi.

It seems both organizations were accepted.

Mozilla:
https://summerofcode.withgoogle.com/organizations/5256839985889280/

OWASP Foundation:
https://summerofcode.withgoogle.com/organizations/6286870317105152/


Best regards.

On 02/02/16 17:58, psiinon wrote:
> Both OWASP and Mozilla will be applying to take part in Google Summer of
> Code 2016 <https://developers.google.com/open-source/gsoc/>.
> If (and it's by no means certain) either organisation is accepted, what
> ZAP projects would you like to see take part?
> We've had some really great functionality implemented by students in
> previous years, so I think this is another great opportunity.
> Oh, and anyone interested in being a ZAP GSoC Mentor?
>
> Cheers,
>
> Simon

johanna curiel curiel

Feb 29, 2016, 4:40:49 PM
to zaproxy...@googlegroups.com
Nice 

It will all depend now on:
How many students submit proposals
How many mentors are registered through Mozilla or OWASP
How many slots each organisation will receive

cheers

Johanna


Jay Gupta

Feb 29, 2016, 8:11:22 PM
to zaproxy...@googlegroups.com
Can anyone give me contact information of Hackademic challenge mentors? There are 2 mentors for the new CMS project, namely:

1. Konstantinos Papapanagiotou
2. Spyros Gasteratos


kingthorin+owaspzap

Feb 29, 2016, 8:24:34 PM
to OWASP ZAP Developer Group
Check the Hackademic project page; it has a mailing list as well as email addresses for the project leaders.