Google Summer of Code — Final Submission

Pradeep Jairamani
3 min read · Aug 14, 2018


For the past few months, I’ve been working with OWASP, one of my favorite open source organizations. I was selected for the Google Summer of Code program and also became a project collaborator for the same project. It has been an amazing experience and a wonderful time, as I’ve learnt a lot over the summer under the mentorship of Ali Razmjoo.

This post is about all the work and contributions I’ve made during this program. There have been a total of 25 PRs, around 127 commits, and 72,000+ additions. This summer has helped me to develop my skills, be more innovative, and think outside the box to solve various problems. The project is really interesting and has lots of new challenges.

About the project

The OWASP Nettacker project was created to automate information gathering and vulnerability scanning, and eventually to generate a report for networks covering services, bugs, vulnerabilities, misconfigurations, and other information.


My work was to add many new features, fix existing bugs, and enhance the overall performance of the project. I added features such as a CMS scanner, a Python-based service scanner, and honeypot detection tools. A detailed list of my work and contributions follows:

  1. Added an SSL protocol and cipher scanner for Python 2/3
  2. Added a Kippo honeypot detection tool
  3. Changed Nettacker’s update check to run daily instead of on every scan, by saving and fetching the previous check’s data from the database
  4. Added a header-based XSS injection payload
  5. Added service scanner signatures
  6. Added a UDP port scanner
  7. Implemented service scanning in the UDP port scanner
  8. Completed the CMS scanner (WordPress, Joomla, and Drupal modules added, including a content management system detection script, CMS version scan, CMS theme scan, username enumeration, WordPress XML-RPC brute force, and WordPress XML-RPC pingback vulnerability)
  9. Added the xdebug_vulnerability module and more service scanner signatures
  10. Continuous updating and testing of Python libraries (project dependencies)
  11. Added multiple new signatures, such as XMPP and POP3P
  12. Added a service scanner (signature-based service scanning for ports)
  13. Added service names in the port scan using the socket library
  14. Added a header-based blind SQL injection payload
  15. Added a password list generator
  16. Added a Sender Policy Framework record test module
  17. Added multiple HTTP vulnerability checks related to headers (X-Powered-By disclosure, Server version disclosure, Cross-Origin Resource Sharing, OPTIONS method enabled, Content Security Policy, X-Content-Type-Options header, X-XSS-Protection, clickjacking, Apache Struts arbitrary command execution CVE-2017-5638)
  18. PEP8 fixes for the entire project
  19. Language fix (naming conventions added to messages across the entire project instead of numbers)
  20. Added multiple FTP vulnerability checks (ProFTPd memory leak, ProFTPd integer overflow, ProFTPd restriction bypass, ProFTPd heap overflow, Bftpd double free, Bftpd memory leak, Bftpd_parsecmd_overflow, Bftpd remote DoS, ProFTPd_bypass_sqli_protection, ProFTPd_cpu_consumption, ProFTPd_directory_traversal, ProFTPd_exec_arbitary)
  21. Added multiple SSL vulnerability scanning modules (weak encryption algorithms, self-signed certificate, CCS injection, and expired SSL certificate)
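Items 5, 12 and 13 above describe signature-based service detection with a socket-library fallback for the port name. The following is an added example of that technique, written for this post and not taken from Nettacker’s own code: a small ordered signature table is matched against a banner, a version string is pulled out of the named capture group where the signature has one, and unmatched banners fall back to the IANA port name that the socket module reads from the system’s services database. The signature list, the service names, and the Kippo banner (its stock default version string) are my assumptions for illustration, and `grab_banner` is a hypothetical helper that is not exercised offline.

```python
"""Added example: signature-based service identification from a banner.
Not Nettacker project code; signatures below are illustrative assumptions."""
import re
import socket
from typing import Optional, Tuple

# (service name, banner regex). Order matters: specific signatures go
# before generic ones so a honeypot's fixed banner wins over plain "ssh".
SIGNATURES = [
    # Kippo's stock default SSH banner (assumed; real deployments may change it)
    ("kippo_honeypot", re.compile(rb"^SSH-2\.0-OpenSSH_5\.1p1 Debian-5\s*$")),
    ("ssh", re.compile(rb"^SSH-\d\.\d-(?P<version>\S+)")),
    ("ftp", re.compile(rb"^220[ -].*?(?P<version>(?:ProFTPD|vsFTPd|Pure-FTPd)\s*[\d.]*)", re.I)),
    ("smtp", re.compile(rb"^220[ -].*?(?P<version>E?SMTP[^\r\n]*)", re.I)),
    ("pop3", re.compile(rb"^\+OK(?P<version>[^\r\n]*)")),
    ("imap", re.compile(rb"^\* OK(?P<version>[^\r\n]*)")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("xmpp", re.compile(rb"<stream:stream\b")),
]


def identify_service(port: int, banner: bytes) -> Tuple[str, Optional[str]]:
    """Return (service, version) for a banner read from `port`.

    Signatures are tried in order; the first hit wins. If none match, the
    port number is mapped to a name via the socket library (/etc/services),
    and "unknown" is returned when even that lookup fails.
    """
    for name, pattern in SIGNATURES:
        match = pattern.search(banner)
        if match:
            raw_version = match.groupdict().get("version")
            version = raw_version.decode("latin-1").strip() if raw_version else ""
            return name, (version or None)
    try:
        return socket.getservbyport(port), None
    except OSError:
        return "unknown", None


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> bytes:
    """Hypothetical helper: connect, optionally send a probe, read up to 1 KiB.
    Network code; not run by the offline examples below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            return sock.recv(1024)
        except socket.timeout:
            return b""


# Constructed banners for an offline run (not captured from real hosts).
SAMPLE_BANNERS = {
    22: b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4\r\n",
    2222: b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n",
    21: b"220 ProFTPD 1.3.5 Server (Debian) [::ffff:10.0.0.5]\r\n",
    25: b"220 mail.example.test ESMTP Postfix\r\n",
    110: b"+OK Dovecot ready.\r\n",
    8080: b"HTTP/1.1 404 Not Found\r\n",
    60000: b"",
}

if __name__ == "__main__":
    for port, banner in SAMPLE_BANNERS.items():
        service, version = identify_service(port, banner)
        print(f"{port:>5}/tcp  {service:<15} {version or '-'}")
```

Putting the honeypot signature ahead of the generic SSH one is the point of ordering the table: a Kippo instance advertises a perfectly valid SSH banner, so a first-match table that listed "ssh" first would never reach the honeypot rule.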
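Item 17 above lists a set of header-based HTTP checks. Here is an added example of how such checks can be run over a single raw response, written for this post rather than taken from Nettacker: a minimal HTTP/1.x response parser feeds a check function that reports information disclosure (X-Powered-By, a versioned Server value), permissive CORS, an OPTIONS reply that advertises risky methods, and the missing browser-hardening headers (CSP, X-Content-Type-Options, framing protection, X-XSS-Protection). The two sample responses are constructed, the finding identifiers are my own naming, and the Struts check from that item is omitted because it needs a crafted request rather than a header inspection.

```python
"""Added example: header misconfiguration checks over a raw HTTP response.
Not Nettacker project code; finding names and sample responses are assumptions."""
import re
from typing import Dict, List, Tuple


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status_code, headers).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def check_headers(status: int, h: Dict[str, str]) -> List[str]:
    """Return finding identifiers for misconfigurations visible in one response."""
    findings: List[str] = []
    # Information disclosure
    if "x-powered-by" in h:
        findings.append("x_powered_by_disclosure")
    if re.search(r"/\d+(?:\.\d+)+", h.get("server", "")):  # e.g. "Apache/2.4.29"
        findings.append("server_version_disclosure")
    # CORS: a wildcard or "null" origin lets any site read the response
    if h.get("access-control-allow-origin", "") in ("*", "null"):
        findings.append("cors_permissive")
    # An OPTIONS reply with an Allow list: record it, then flag risky methods
    if status == 200 and "allow" in h:
        findings.append("options_method_enabled")
        methods = {m.strip().upper() for m in h["allow"].split(",")}
        if methods & {"PUT", "DELETE", "TRACE", "CONNECT"}:
            findings.append("dangerous_methods_allowed")
    # Browser hardening headers
    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("csp_missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x_content_type_options_missing")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("clickjacking")  # nothing stops framing by other origins
    if not h.get("x-xss-protection", "").startswith("1"):
        findings.append("x_xss_protection_missing")  # legacy header; CSP is the real control
    return findings


def scan_response(raw: bytes) -> List[str]:
    status, headers = parse_response(raw)
    return check_headers(status, headers)


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.10\r\n"
    b"Access-Control-Allow-Origin: *\r\n"
    b"Allow: GET, POST, PUT, DELETE, OPTIONS\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, scan_response(raw))
```

The clickjacking rule accepts either X-Frame-Options or a CSP frame-ancestors directive, because a site that sets only the latter is protected in every current browser and should not be reported; a scanner that checks X-Frame-Options alone produces a false positive there.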

Additionally, I conducted a webinar, Python for Cyber Security, with 70+ students, where I demonstrated OWASP Nettacker and its usage for information gathering and vulnerability assessment.

The rest of my work can be checked here:

Status of the project:

I have completed all the tasks assigned to me successfully.

I’d like to thank all my mentors and community members for the constant support and motivation. Special thanks to Ali Razmjoo for all the guidance and for motivating me. Without him, the project wouldn’t be this great.

It has been an awesome summer overall, full of learning and a great experience. I will continue to contribute to the project to make it better day by day. Open source is love ❤️ and I will keep contributing to make it even better.

At last, thanks to Google for organizing such an awesome program for students where we can easily develop our skills and learn from the best in the community.

Please provide your valuable feedback.
