-
Notifications
You must be signed in to change notification settings - Fork 2
GSoC2014
This page is for ZAP related Google Summer of Code Project proposals.
Feel free to add new proposals at the end (based on the template in comments) or post them to this thread on the ZAP Dev Group.
Access control testing is typically difficult for security tools to automate. However previous Google Summer of Code projects have added session, authentication, user and role handling to ZAP, which provide an ideal basis for advanced access control testing. This development would allow (semi) automated access control testing by:
- Maintaining and displaying different site trees (application maps) for different users/roles
- Providing tools which access all of the content accessible via one user/role which should not be accessible via another user/role
- Ideally allow resources to be tied to users/roles to allow enable horizontal privilege testing
ZAP supports all JSR 223 scripting languages, but only for a limited number of purposes. This development would allow 'full' add-ons to be written in any JSR 223 language. Such add-on should be able to do anything that java add-ons can do, including adding new tabs and other graphical components. Example add-ons demonstrating as much functionality as possible should be developed in at least Java Script, Jython and Jruby.
- De-serialise and display AMF messages in ZAP graphically (based on existing POC code)
- Expose the AMF data as parameters so that ZAP can scan them
- Add new AMF specific scan rules as required
- Implement in a way that makes it easier for ZAP to support other technologies (such as Java applets, Silverlight)
The development will allow ZAP to parse WSDL and populate the Sites tree with all of the end points defined. It should also enhance the ZAP scanning capabilities to specifically attack the end points for as wide a range of vulnerabilities. Test cases should be written in wavsep format and contributed back to that project.
For previous proposals see: