Google Summer of Code 2013


psiinon

Feb 14, 2013, 4:32:02 AM
to zaproxy...@googlegroups.com
GSoC 2012 was a great success for ZAP - old Spider completely replaced, new Ajax Spider, Web Sockets, HTTP session support.
And just as importantly 3 new members of the core ZAP team who are all still contributing :D

So we'll definitely be applying for GSoC 2013!
The question is ... what projects should we put forward?
Please reply with your suggestions, justifications etc etc.

They can already be on the projects list: http://code.google.com/p/zaproxy/wiki/Projects
and/or have issues raised: http://code.google.com/p/zaproxy/issues/list?can=2&q=type=Enhancement
There are a few issues tagged as GSoC=Candidate from last year: http://code.google.com/p/zaproxy/issues/list?cursor=zaproxy%3A271&q=GSoC%3DCandidate

And if you feel up to mentoring a candidate then let me know - based on my experiences so far it doesn't take as much time as you might think and it's very rewarding.

Cheers,

Simon

psiinon

Feb 14, 2013, 4:33:31 AM
to zaproxy...@googlegroups.com
Typical - just hit Post and remembered what else I was going to add...

Which is that if you are a student and would like to work on ZAP as part of GSoC 2013 then please also get in touch!

psiinon

Feb 14, 2013, 8:35:57 AM
to zaproxy...@googlegroups.com
I think that GSoC projects can be a great way to play around with some more imaginative ideas.

To get you thinking I've just added one for an add-on generating add-on :D

Guifre Ruiz Utges

Feb 14, 2013, 3:02:06 PM
to zaproxy...@googlegroups.com
Hello,

I had a bit of a discussion with Simon about the possibility of adding a new project to the GSOC proposals about improving the session handling mechanism in zap. This could help a lot to detect session management issues, authorisation issues such as A3 and A8 in the OWASP top 10 among others.

I think Cosmin is doing some work in this field, any thoughts? I added it to the project wiki page.

Best Regards,
Guifré. 

Prasad Shenoy

Feb 14, 2013, 3:06:39 PM
to zaproxy...@googlegroups.com
Might not be directly related to this discussion but I am finding it increasingly difficult to get ZAP set up in an operational environment with NTLM/Negotiate authentication. It simply does not work. I know Simon had acknowledged this and it probably is a carry-over from Paros days but are there any plans to give this issue the attention it deserves? This will largely facilitate adoption in Enterprise/Intranet pen testing environment.

Prasad
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Amr Thabet

Feb 14, 2013, 3:55:41 PM
to zaproxy...@googlegroups.com
A question:

I have a project in OWASP Projects ... can I put it as a project in gsoc? Or only for updating Owasp main project?

That's the link:
https://www.owasp.org/index.php/OWASP_Security_Research_and_Development_Framework

Thanks,


thc202

Feb 14, 2013, 10:04:08 PM
to zaproxy...@googlegroups.com
Hi.

Consider creating an issue and providing details about the problem.
Issue 275 [1] might be related, but there's not much evidence of what could be.

[1] https://code.google.com/p/zaproxy/issues/detail?id=275

Thanks.
Best regards.

psiinon

Feb 15, 2013, 5:23:52 AM
to zaproxy...@googlegroups.com
Hi Prasad,

It would be great for us to get NTLM working properly in ZAP.
Unfortunately (well, this is a matter of perspective;) I don't have access to any systems that use NTLM, so I wouldn't be able to either work on it or realistically mentor anyone who worked on it.
But if anyone wants to look at this... :)

Cheers,

Simon



psiinon

Feb 15, 2013, 5:26:05 AM
to zaproxy...@googlegroups.com
Hi Amr,

This group is just for discussing ZAP development.
But any OWASP project can take part in GSoC - Fabio is probably the best person to talk to.

Cheers,

Simon

Prasad Shenoy

Feb 15, 2013, 7:13:58 AM
to zaproxy...@googlegroups.com, zaproxy...@googlegroups.com
I will create a new issue for this. The issue below deals with upstream proxy for ZAP not for the browser. My issue with NTLM-type authentication is that ZAP would/could not properly respond to 401 or 200 responses with WWW-Authenticate headers where types are NTLM and/or Negotiate.

I will chalk in more details in the issue itself. 

Thank you,
Prasad N. Shenoy

Bhargava Shastry

Feb 17, 2013, 3:17:24 PM
to zaproxy...@googlegroups.com
Hello,

I am new to the ZAP project in particular and OWASP in general. I saw a list of open issues on the project page and would like to start small by contributing towards issue 383 (Show HTTPS info for a site). I did have a look at a comment under the issue about borrowing available code and extending it. Do you have anyone already assigned to do this?

--
Bhargava

psiinon

Feb 19, 2013, 9:02:30 AM
to zaproxy...@googlegroups.com
Hi Bhargava,

I'm not aware of anyone working on this, so I'd be delighted for you to have a look at it :)

Let us know if you have any questions about any aspect of this enhancement or working on ZAP in general.

Many thanks,

Simon

Popovciuc Pavel

Feb 25, 2013, 8:36:51 AM
to zaproxy...@googlegroups.com
Hi psiinon,
I am interested in the ZAP Proxy - Dynamically configurable actions project :)
How does it rank on the stack of priorities for you? Anyone picked it yet?

With respect,
Pavel

psiinon

Feb 26, 2013, 5:12:17 AM
to zaproxy...@googlegroups.com
Hi Pavel,

That's a project I'd really like to work on myself :D
But I know there's no way it will come high enough up the list of things I really need to do, which is why I've put it down as a GSoC project.
I think it has great potential, so I'd love someone to work on it :)

The way it works is that we will submit a set of OWASP project proposals to Google.
That one will definitely be on the list of ZAP ones ;)
Google then decides which organisations get approved - hopefully that will include OWASP!
If we are accepted then students will be able to apply to work on the projects.
I'd expect more students to apply than we can accept, so our decisions will be based on the quality of the proposals from the students and the interactions we've had with them.

So right now all of the projects are up for grabs, and we can't say for certain that we will actually get accepted.
However I'm very hopeful as last year was so successful.

Please feel free to ask any questions you have :)

Many thanks,

Simon

Popovciuc Pavel

Feb 26, 2013, 7:46:24 AM
to zaproxy...@googlegroups.com
Hi Simon,
This sounds great - thanks!

I know the organizations have not yet been approved, however I want to start working on requirements analysis & technical design for the project - if you don't mind.

Best regards,
Pavel

psiinon

Feb 26, 2013, 8:44:40 AM
to zaproxy...@googlegroups.com
Hi Pavel,

I'd be delighted for you to start looking at it :)

Happy to discuss it on this group, via emails etc or video if you like.

Cheers,

Simon

Popovciuc Pavel

Mar 4, 2013, 8:39:41 AM
to zaproxy...@googlegroups.com
Simon,
I've taken a good look through the sources and the application itself and have a few questions.
What would be the best way to contact you?

With respect,
Pavel

psiinon

Mar 5, 2013, 2:09:17 PM
to zaproxy...@googlegroups.com
Hi Pavel,

If you've got a set of questions for me then you can put them in an email (psiinon-at-gmail-dot-com).
Or you can contact me via Gtalk - that's sometimes easier for follow up questions :)
And we can always have a chat via Skype or similar if that would help.

Cheers,

Simon

johanna...@owasp.org

Mar 11, 2013, 6:38:00 AM
to zaproxy...@googlegroups.com

Hi Simon

I'm interested in working on issue 117.

Right now I'm busy gathering students from the University however this is still in process.

I'm also open to mentor candidates :).
Is anyone working on this issue?

Also I would like to know where I can get the latest source code of the project,
and which is the recommended development environment you are using for ZAP.

regards

Johanna

Guifre

Mar 11, 2013, 6:42:56 AM
to zaproxy...@googlegroups.com
Hello Johanna,

The source code is available in our codebase
http://zaproxy.googlecode.com/svn/trunk/

The development environment needed is documented here
http://www.taddong.com/docs/Building_ZAP_with_Eclipse_v3.0.pdf

I think Cosmin might have done some work regarding this.

Best Regards,
Guifre.

psiinon

Mar 11, 2013, 4:55:05 PM
to zaproxy...@googlegroups.com
Hi Johanna,

As Guifre has said, there has been some work done towards this, but I think there's still plenty of things to do :)
As of 2.0.0 ZAP can recognise and manage different sessions.
However I'd like to see it also understand different users and roles.
Once ZAP can do that there are a whole range of features we can build on top of it, starting with the session comparison covered in issue 117.
I think this has great potential and I'd really like to see this as one of the GSoC projects.

Cheers,

Simon

psiinon

Mar 13, 2013, 10:44:33 AM
to zaproxy...@googlegroups.com
Note that submissions for GSoC 2013 open on March 18th, so we need to finalise which projects will be submitting asap.
I've made a start on http://code.google.com/p/zaproxy/wiki/GSoC2013

Please post to this discussion if you would like to suggest (or even mentor:) any other projects that you think should be included.

Cheers,

Simon

I've put a couple of projects on



Björn Kimminich

Mar 14, 2013, 6:33:53 PM
to zaproxy...@googlegroups.com
From a quality perspective and in order to finally ramp up ZAP's code coverage >1% ^_^ it'd be awesome to have a "No contributions without unit tests!" and a "Clean code only!" quality rule in place. It might reduce the amount of features coming out of GSoC but would greatly improve overall code quality and maintainability of the whole project.

If that would be of help I'd offer to give a lecture in both Testing (TDD, Behavior Driven Testing, Mocking, Matchers, ...) and Clean Code (Naming, Functions, Comments, Formatting, ...) via Skype for all GSoC participants. (Of course I'd do the same for the ZAP core team if you'd like me to... ^_^)

Just my 2ct... Cheers, Björn

Prasad Shenoy

Mar 14, 2013, 7:04:35 PM
to zaproxy...@googlegroups.com, zaproxy...@googlegroups.com
I sign up! Count me in and thank you in advance for a great offer :)


Thank you,
Prasad N. Shenoy

johanna curiel curiel

Mar 14, 2013, 8:39:23 PM
to zaproxy...@googlegroups.com
Hi Simon
I'm going to familiarize myself with the actual session handling of ZAP, but I need more details on what you would like to get done.

How can we create better requirements for the functionalities regarding this part? How can we approach this efficiently?

psiinon

Mar 15, 2013, 3:59:31 AM
to zaproxy...@googlegroups.com
Great suggestions, and we should definitely add them to all project requirements - we want quality not quantity!

And a lecture on testing and clean code would be awesome :D
Would you be ok to record it so we can put it on youtube as one of the ZAP tutorials?

Many thanks

Guifre

Mar 15, 2013, 4:02:29 AM
to zaproxy...@googlegroups.com
Great idea. I look forward to watching it.

Best Regards,
Guifre.

bjoern.k...@gmx.de

Mar 15, 2013, 5:43:12 AM
to zaproxy...@googlegroups.com
Good idea. I could do an introduction to unit testing and show where to put them in zaproxy-test. Essentially a video version of what's on the Wiki page but with examples. What program do you use for recording? I've got FRAPS installed but didn't try it for recording yet.

I'll try to come up with a proposal for the tutorial content in the next week or so, ok?

Regards, Björn


----- Original Message -----
From: psiinon
To: zaproxy...@googlegroups.com
Subject: [zaproxy-develop] Re: Google Summer of Code 2013

Many thanks


johanna curiel curiel

Mar 17, 2013, 2:37:02 PM
to zaproxy...@googlegroups.com

Hi Simon

This sounds awesome.
I have connected with 4 students of the University of the Netherlands Antilles (all are from Aruba actually, studying in Curacao) and right now they will be developing the proposal under my supervision; however I have mentioned that I just act as a connector/support mentor but with your main guidance and support as project leader of ZAP.

I would like to clarify the following. This is the plan for this week so we can submit a proposal.

- Each one must select a specific subject, functionality to fix/develop. Most of them prefer to work on fixing bugs than working on new enhancements and functionalities.
- Based on the actual bug list, each student will choose a set of bugs to work on.
- The proposal would contain a specific plan/approach methodology on how they will be working and what would be fixed during the period. This is where I would guide them.

Once we have the proposals, must these be reviewed by you before submission?

How can we make sure that the amount of work is in balance with their expertise and level of programming?
All students belong to the second/third semester in Information technology (1) and Electrical engineering (3) programs.
1 student has experience with Java, the others with C programming, all at a junior level.
Let me know the best approach on this.



johanna curiel curiel

Mar 17, 2013, 10:52:46 PM
to zaproxy...@googlegroups.com
Hi Guifre

I'm having issues running ZAP

I get the following :
Warning: failed to load language files from D:\workspace-eclipse\zaproxy\lang
log4j:WARN No appenders could be found for logger (org.zaproxy.zap.utils.ClassLoaderUtil).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Unable to initialize home directory! xml\log4j.properties (The system cannot find the path specified)
java.io.FileNotFoundException: xml\log4j.properties (The system cannot find the path specified)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(Unknown Source)
    at org.parosproxy.paros.model.FileCopier.copyLegacy(FileCopier.java:50)
    at org.parosproxy.paros.model.FileCopier.copy(FileCopier.java:44)
    at org.parosproxy.paros.Constant.initializeFilesAndDirectories(Constant.java:277)
    at org.parosproxy.paros.Constant.<init>(Constant.java:211)
    at org.parosproxy.paros.Constant.createInstance(Constant.java:636)
    at org.parosproxy.paros.Constant.getInstance(Constant.java:628)
    at org.zaproxy.zap.ZAP.main(ZAP.java:94)

Also the head version I'm seeing is 2975... is that the last one? (from your link it appears to be 2977 but I'm getting 2975 as the last)

regards

Johanna

Prasad Shenoy

Mar 17, 2013, 11:42:02 PM
to zaproxy...@googlegroups.com, zaproxy...@googlegroups.com
Make sure you update the code base to the latest version. Can you check into the Eclipse config to see if you have added log4j jar to the library? If not, include the jar into the library so the compiler can see it...

Hope this helps! 


Thank you,
Prasad N. Shenoy

Guifre

Mar 18, 2013, 6:54:06 AM
to zaproxy...@googlegroups.com
Hello Johanna,


The current last revision is r2982 as shown at
https://code.google.com/p/zaproxy/source/list Although, it might not
be when reading this.

As Prasad pointed out, did you properly add the lib/*jar in the
classpath? Did you follow all the steps explained at
http://www.taddong.com/docs/Building_ZAP_with_Eclipse_v3.0.pdf ?

Best Regards,
Guifre.

psiinon

Mar 18, 2013, 7:37:49 AM
to zaproxy...@googlegroups.com
That looks like you haven't set the working directory :)
By default it gets set to the base directory of your project, but you need to set it to point to the "src" directory, eg using ${workspace_loc:zaproxy/src} in the run configurations.

Cheers,

Simon

psiinon

Mar 18, 2013, 10:44:52 AM
to zaproxy...@googlegroups.com
Hi Johanna,

Just to confirm, is this as part of the Google Summer of Code?
If it is then we'll have to wait until OWASP is (hopefully) accepted as a GSoC mentoring organization before you can actually submit any proposals. However there's no problem working on the proposals and discussing them before this happens.
If it's not then we can be much less formal :)

The GSoC project submissions are made directly to Google, but I'm very happy to give feedback to proposals before (and even after) they are made.
And I'm also very happy to discuss proposals with students (and yourself) so that we can make sure that the projects match the students' expertise.
It's in everyone's interest for proposals to be realistic and well matched to the students' skills and knowledge.

As ZAP is written in Java some Java experience is desirable. Knowledge of a similar language (like C#) would be a reasonable alternative, but no knowledge of an object orientated language might be tricky.
A student with no experience with ZAP, no knowledge of an OO language and no security knowledge could well struggle.

Note that that's with regards to GSoC - Google need to be able to see that a student is making good progress and giving 'value for money'.
There's a lower bar for anyone working on ZAP outside of GSoC as they will be volunteering their time :)

Cheers,

Simon

johanna curiel curiel

Mar 18, 2013, 2:42:54 PM
to zaproxy...@googlegroups.com
Hi Guifre

Yes I did. I followed the instructions very carefully and for sure added the jars.

I'll revise the settings and run configurations once more. But I for sure went over these steps many times.

Again what I found strange was that the head revision in the trunk version is on 2975 and it seems a higher revision is being used.



Best regards

Johanna

johanna curiel curiel

Mar 18, 2013, 2:45:58 PM
to zaproxy...@googlegroups.com
Hi Simon

Sure, however me working on ZAP, it's just me ;-) , I want to work as a volunteer.

Indeed today Google will let us know which organizations are participating.

Students have some level of experience with OO but again at a junior level.

We need to evaluate what is realistic in this scenario, otherwise we need to see which projects can we submit based on their level

best regards

Johanna

johanna curiel curiel

Mar 18, 2013, 4:33:50 PM
to zaproxy...@googlegroups.com
Yes indeed, I forgot the workspace_loc:zaproxy/bin, now it works ;-)

johanna curiel curiel

Mar 18, 2013, 5:24:05 PM
to zaproxy...@googlegroups.com
Must say forgot the "/bin" after not the entire setup :)

Guifre

Mar 19, 2013, 11:48:54 AM
to zaproxy...@googlegroups.com
FYI, OWASP is accepting project proposals for gsoc13 at
https://www.owasp.org/index.php/GSoC2013_Ideas

How should we proceed?

Best Regards,
Guifre.

Prasad Shenoy

Mar 19, 2013, 11:53:00 AM
to zaproxy...@googlegroups.com
Simon had sent out a different link the other day. As per the instructions, I had submitted a proposal for SAML 2.0 support as a candidate. Does this mean we got to resubmit our proposals?

PS

psiinon

Mar 19, 2013, 11:58:16 AM
to zaproxy...@googlegroups.com
The page on the ZAP wiki was for our own benefit - to submit projects via OWASP we need to follow the instructions that Fabio posted to owasp...@googlegroups.com (which you should also join if you'd like to be a mentor):
hi there,

To all those mentors who are planning to participate in GSOC this year, please submit your ideas here:


Thanks

You can just copy and paste your text from the ZAP wiki - that's what I'm going to do ;)
You can easily get an OWASP wiki account if you haven't already got one, or just ping me and I can update that page for you.

Cheers,

Simon

Prasad Shenoy

Mar 19, 2013, 12:01:33 PM
to zaproxy...@googlegroups.com
Got it! I will do the same…

PS

psiinon

Mar 19, 2013, 12:03:06 PM
to zaproxy...@googlegroups.com
I'm editing that page now, so I'll copy all of the ZAP projects across from our wiki.

Cheers,

Simon

Guifre

Mar 19, 2013, 12:04:46 PM
to zaproxy...@googlegroups.com
Sounds good, thanks!
Guifre.

Prasad Shenoy

Mar 19, 2013, 12:08:37 PM
to zaproxy...@googlegroups.com
+1

psiinon

Mar 19, 2013, 12:22:15 PM
to zaproxy...@googlegroups.com
OK done.
I've included some generic text about code quality, unit tests and documentation in all of our proposals based on Bjoern's suggestions.

Feel free to tweak them now if there are any changes you'd like to make.

Simon

psiinon

Apr 9, 2013, 6:01:47 AM
to zaproxy...@googlegroups.com
I'm delighted to say that both OWASP and Mozilla have been accepted as GSoC 2013 Mentoring organisations :D
For those who don't know, last year both OWASP and Mozilla mentored ZAP projects.

For information about the timeline please see: http://www.google-melange.com/gsoc/events/google/gsoc2013

Mentors can register right now, so if you'd like to mentor a ZAP project please register via http://www.google-melange.com/gsoc/homepage/google/gsoc2013

If you're a student and interested in working on ZAP for GSoC then now is the time to make yourself known on this group and to start a dialog with potential mentors :)

Cheers,

Simon





Prasad Shenoy

Apr 9, 2013, 11:36:39 AM
to zaproxy...@googlegroups.com
Great news!! Very excited for 2013 projects and I see we got a great list of entries :)

Cheers
Prasad

psiinon

Apr 10, 2013, 6:50:09 AM
to zaproxy...@googlegroups.com
And I'm also delighted to announce we have another ZAP Mentor: Johanna Curiel
She will be mentoring the Advanced reporting project: https://www.owasp.org/index.php/GSoC2013_Ideas#OWASP_ZAP:_Exploring_Advanced_reporting_using_BIRT

I have also added a new project for which I'm the mentor - SOCKS support: https://www.owasp.org/index.php/GSoC2013_Ideas#OWASP_ZAP:_SOCKS_support

And I'd like to give a quick explanation of how this will all work:

* We (the ZAP GSoC mentors) encourage all students to get in touch with us, either directly or via this dev group
* We will answer any questions and give as much help and guidance as possible - and anyone else is also very welcome to help too ;)
* We will review proposals as they are submitted to Melange and provide any feedback that we think could help improve them
* Once we find out how many slots are available we will jointly review all of the proposals and select the ones we think are most suitable

Note that this review is not just restricted to ZAP mentors - if anyone else who contributes to ZAP would like to help with reviewing the proposals then please let me know.

Cheers,

Simon

Vishesh Singhal

Apr 15, 2013, 5:00:54 PM
to zaproxy...@googlegroups.com
Hi, I am a final year student from Bits-Pilani, India and I want to work on a zap project in GSoC 2013. I have already checked out the zap code, but to start with I would like to fix the issue #119 - adding a todo list to zap. For this I would be making an extension that will add a todo tab, where tasks from owasp testing guide will be shown by default. Users can then add their own tasks and delete any task. The automatically generated tasks can later be linked with zap tests, so that their status is updated automatically.

Please tell me if I can work on this and also please help me with getting started on developing extensions. In the sample extensions all I see are java class files (from example templates), but how do I pack them in .zap packages?

Regards,
VIshesh

psiinon

Apr 16, 2013, 4:52:57 AM
to zaproxy...@googlegroups.com
Hi VIshesh,

Sorry for the 2 emails - it looks like I clicked the wrong button and replied to you directly rather than posting to the whole group (which is what I meant to do).

That's great - I'll assign this task to you.

I must admit that I usually start new add-ons in the zaproxy project locally, and then move them to zap-extensions when they are working ok (and before committing them).
That means you don't have to worry about building and deploying them.
However generating .zap files is pretty easy as long as the add-ons are self contained - the 'build-addon' task in build.xml does most of the work.

As per my other email, have a look at https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet as it links to an XML definition of the testing guide tasks which will save you having to come up with a new format.

Let us know if you need any more advice & guidance, and also how you get on.
I think this will be a really useful add-on that many people will use.

Cheers,

Simon

psiinon

Apr 23, 2013, 11:30:03 AM
to zaproxy...@googlegroups.com
In case you weren't aware - students can now submit proposals for GSoC!

So if you'd like to get paid to work on ZAP then please start submitting your proposals via http://www.google-melange.com/

We (the ZAP mentors) will be happy to give you feedback prior to the application deadline, so the sooner you get your proposals in the better :)

Cheers,

Simon

Ryan Tan

Apr 24, 2013, 6:48:37 AM
to zaproxy...@googlegroups.com
Hi,

I am Lan Guan (but you can call me Ryan [= ), currently a Year 3 student
pursuing a Bachelor in Computing (Information Systems) at National University of Singapore.

I have just submitted a proposal to OWASP through the GSoC page, hope to get your comments soon!
Btw, a part of your application template told me to report success of cloning the current state of the project.
I have used subClipse to do an SVN copy on my machine (see attached screenshot).

Cheers,
Ryan Tan.

psiinon

Apr 24, 2013, 12:20:20 PM
to zaproxy...@googlegroups.com
Hi Ryan,

Many thanks - I'll have a look at it and give you some feedback soon.

Simon

Mahmoud Nawar

Apr 28, 2013, 7:28:56 AM
to zaproxy...@googlegroups.com
Hello, I'm a last year computer engineering student.
I hope to work for the OWASP ZAP project in GSoC 2013 on the idea of adding support for SOCKS.
Unfortunately I didn't write the proposal yet.
Any help with an example of a proposal?

psiinon

Apr 28, 2013, 9:05:46 AM
to zaproxy...@googlegroups.com
Hi Mahmoud,

You still have time to submit a proposal :)
It would be worth having a look at Guifre's successful proposal from last year: http://www.google-melange.com/gsoc/proposal/review/google/gsoc2012/guifre/3006
Let me know if you have any questions about the SOCKS project.

Cheers,

Simon

Mahmoud Nawar

May 2, 2013, 3:43:35 AM
to zaproxy...@googlegroups.com
Hi Simon,
I know it's too late but I need more clarification about ZAP SOCKS as I haven't used SOCKS before.
Is the requirement to forward the incoming requests to ZAP to a SOCKS proxy server like what Burp does?
That means ZAP must be capable of creating SOCKS requests and receiving responses from the server,
which means it will act as a wrapper.
 
Cheers,


psiinon

May 2, 2013, 4:15:10 AM
to zaproxy...@googlegroups.com
Hi Mahmoud,

As I understand it, Burp just supports upstream SOCKS proxies.
So it can forward any traffic it understands to a SOCKS proxy, but does not accept SOCKS connections.
If anyone else knows different then please say!

This development should allow ZAP to use upstream SOCKS connections, but also accept SOCKS connections in addition to HTTP(S) connections.

Does that help?

Cheers,

Simon

Mahmoud Nawar

May 2, 2013, 4:42:04 AM
to zaproxy...@googlegroups.com
Hi Simon,
Thanks for your help.
It's clear now that ZAP would be able to intercept SOCKS connections, not only forward connections using SOCKS.
Cheers,


Mahmoud Nawar

May 2, 2013, 9:24:47 AM
to zaproxy...@googlegroups.com
Hi Simon 

I submitted the proposal, could you review it for me?

cheers

mahmoud 

psiinon

May 2, 2013, 10:29:16 AM
to zaproxy...@googlegroups.com
Hi Mahmoud,

I've given some feedback on Melange - let me know if you have problems seeing it.

Cheers,

Simon

Mahmoud Nawar

May 2, 2013, 4:11:00 PM
to zaproxy...@googlegroups.com
Hi Simon 

Thanks for the review and I'm sorry for the inconvenience.

I made a small update, could you give it a look?