Security/Automation/Winter Of Security 2016

1,325 bytes added, 15:09, 18 May 2016
Project Ideas (non-definitive): Added ZAP suggestions
=== A Firefox addon for TLS observations ===
Proposed by: ulfr
 
Monitoring TLS certificates and ciphersuites requires deploying scanners in various locations. Would it be possible to write an addon that lets users subscribe to a scanning queue and participate in the scanning effort?
=== A web interface for Mozilla Investigator ===
Proposed by: ulfr
 
MIG is primarily a command line tool, but a web interface would be a nice addition for people who just want to visualize results. This project would require changes to MIG's backend API to handle multiple permission levels, as well as good JavaScript knowledge to write the frontend.
=== A CI platform for security testing ===
Proposed by: ulfr
 
Developers write their code in GitHub and use CI tools like CircleCI, Travis-CI or Taskcluster to run tests and tasks when code is submitted. The goal of this project is to write a webhook-driven CI tool that runs security tests on GitHub projects. Tests include dependency checking (nsp, pip list --outdated, ...), ZAP baseline scanning, git commit integrity, ...
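As an added illustration of the webhook-driven design (example code, not part of this proposal or any Mozilla tool), the receiver below verifies GitHub's X-Hub-Signature header over the raw body before trusting the event, then maps the pushed files to the checks listed above. The secret, the check names, the branch rule and the sample push payload are all assumptions made for the example.

```python
"""Added example: a minimal GitHub push-webhook receiver for a security CI tool.
Verifies the X-Hub-Signature header, then decides which checks to queue.
The secret, check names and sample payload below are hypothetical."""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical mapping: a touched dependency manifest selects the matching check.
MANIFEST_CHECKS = {
    "package.json": "nsp",               # Node dependency advisories
    "requirements.txt": "pip-outdated",  # pip list --outdated
}


def sign(secret: bytes, body: bytes, algo: str = "sha1") -> str:
    """Produce the header value GitHub sends: '<algo>=<hex HMAC of the raw body>'."""
    return algo + "=" + hmac.new(secret, body, getattr(hashlib, algo)).hexdigest()


def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Recompute the HMAC over the *raw* body and compare in constant time.
    GitHub's original scheme is sha1=...; sha256=... is accepted as well."""
    algo, sep, _received = (signature_header or "").partition("=")
    if not sep or algo not in ("sha1", "sha256"):
        return False
    expected = sign(secret, body, algo)
    # hmac.compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(expected.encode(), signature_header.encode())


def select_checks(payload: dict) -> list:
    """Decide which security checks to queue for one push event."""
    checks = ["git-commit-integrity"]  # always verify the pushed commits
    touched = set()
    for commit in payload.get("commits", []):
        touched.update(commit.get("added", []))
        touched.update(commit.get("modified", []))
    for path in sorted(touched):
        check = MANIFEST_CHECKS.get(path.rsplit("/", 1)[-1])
        if check and check not in checks:
            checks.append(check)
    default = payload.get("repository", {}).get("default_branch", "master")
    if payload.get("ref") == "refs/heads/" + default:
        checks.append("zap-baseline")  # only scan the default branch (assumption)
    return checks


def handle_push(secret: bytes, body: bytes, signature_header: str, event: str):
    """Return (HTTP status, checks to queue). The signature is checked before parsing."""
    if not verify_signature(secret, body, signature_header):
        return 401, []
    if event != "push":
        return 204, []
    return 202, select_checks(json.loads(body))


class WebhookHandler(BaseHTTPRequestHandler):
    secret = b"change-me"  # hypothetical; must equal the secret set on the GitHub webhook

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, checks = handle_push(
            self.secret, body,
            self.headers.get("X-Hub-Signature", ""),
            self.headers.get("X-GitHub-Event", ""))
        self.send_response(status)
        self.end_headers()
        if status == 202:
            # A real tool would hand `checks` to a worker queue here.
            self.wfile.write(json.dumps({"queued": checks}).encode())


# Constructed sample push event (the shape GitHub sends, trimmed to what we use).
SAMPLE_PAYLOAD = {
    "ref": "refs/heads/master",
    "repository": {"full_name": "example/app", "default_branch": "master"},
    "commits": [{"id": "0" * 40, "added": ["requirements.txt"],
                 "modified": ["src/app.py"], "removed": []}],
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()

if __name__ == "__main__":
    print(handle_push(b"change-me", SAMPLE_BODY, sign(b"change-me", SAMPLE_BODY), "push"))
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

The order matters: the HMAC is checked over the raw bytes before `json.loads` runs, so an unauthenticated sender never reaches the parser or the job queue, and a wrong secret yields 401 rather than a queued scan.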
 
=== ZAP: Field Enumeration ===
Proposed by: psiinon
 
This would allow a user to iterate through a set of (user-defined) characters in order to identify the ones that are filtered out and/or escaped.
The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.
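The loop such a feature runs, as an added example that is not ZAP code: each candidate character is wrapped in a canary, submitted in the chosen field with valid values for the other fields, and classified by comparing what comes back against the user's success condition. The target application here is a constructed stand-in, and the canary string, character set and status names are assumptions made for the example.

```python
"""Added example of the field-enumeration idea: submit a form once per candidate
character and classify what the application did with it. The target below is a
constructed stand-in, not ZAP code."""
import html
import re

MARKER = "zapfe"  # canary with no special characters, used to find the reflected value


def enumerate_characters(submit, field, base_form, charset, success):
    """submit(form) -> response text; success(response) -> bool (user-defined).
    Returns {char: status} with status in
    reflected | escaped | filtered | rejected | not reflected."""
    results = {}
    for ch in charset:
        form = dict(base_form)
        form[field] = MARKER + ch + MARKER
        response = submit(form)
        if not success(response):
            results[ch] = "rejected"        # failure condition: request refused
            continue
        m = re.search(re.escape(MARKER) + "(.*?)" + re.escape(MARKER), response, re.S)
        if m is None:
            results[ch] = "not reflected"   # accepted, but the value is not shown
        elif m.group(1) == ch:
            results[ch] = "reflected"       # came back untouched: worth fuzzing further
        elif m.group(1) == "":
            results[ch] = "filtered"        # silently stripped
        else:
            results[ch] = "escaped"         # transformed, e.g. < -> &lt;
    return results


def summarize(results):
    """Group characters by status, e.g. {'escaped': '"&\\'<>'}."""
    groups = {}
    for ch, status in results.items():
        groups.setdefault(status, []).append(ch)
    return {status: "".join(sorted(chars)) for status, chars in groups.items()}


# Constructed target: needs a valid email, rejects '%' in the comment,
# strips ';' and '\', and HTML-escapes everything else it echoes back.
def mock_target(form):
    if "@" not in form.get("email", ""):
        return "<h1>Error: invalid email</h1>"
    comment = form.get("comment", "")
    if "%" in comment:
        return "<h1>Error: invalid comment</h1>"
    cleaned = comment.replace(";", "").replace("\\", "")
    return "<h1>Thanks</h1><p>You said: " + html.escape(cleaned) + "</p>"


BASE_FORM = {"email": "test@example.com", "comment": ""}  # valid values for other fields
CHARSET = "<>&\"';\\%a1-"                                 # user-defined set to probe


def run_demo():
    results = enumerate_characters(mock_target, "comment", BASE_FORM, CHARSET,
                                   success=lambda r: "Thanks" in r)
    return summarize(results)


if __name__ == "__main__":
    for status, chars in run_demo().items():
        print(f"{status:14} {chars}")
```

The canary is what makes the classification possible: without it, a stripped character and a page that never echoes the field would look the same. Distinguishing "rejected" (the success condition failed) from "filtered" (accepted, then dropped) is also why the user has to configure both conditions.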
 
=== ZAP: Form Handling ===
Proposed by: psiinon
 
The ZAP traditional and Ajax spiders explore an application by putting basic default values in all forms. These are often not valid values, for example "ZAP" when an email address is required.
The enhancement would allow the user to define default values based on pattern matching against the field names and/or ids.
It would also be very useful if it could show the user all forms and their associated fields for an application, and then allow the user to update the default values.
 
=== ZAP: Automated authentication detection and configuration ===
Proposed by: psiinon
 
ZAP has extensive support for application authentication, but configuring it is a manual process that can be tricky to get right.
The enhancement would allow ZAP to detect as many forms of authentication as possible and automatically configure them using the existing ZAP functionality.
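One way both ZAP ideas above (form handling with pattern-based defaults, and automatic login-form detection) could be prototyped, as an added example that is not ZAP's own code: parse the forms on a page, pick defaults by matching field names and ids against a rule list, and when a form with a single password field is found, express it with the `loginUrl` / `loginRequestData` parameter names and `{%username%}` / `{%password%}` placeholders that ZAP's form-based authentication method uses. The sample HTML, the default rules, the detection heuristic and the base URL are all assumptions made for the example.

```python
"""Added example covering two ZAP ideas: list an application's forms and fill them
with pattern-based defaults, and detect a login form and express it in the shape
of ZAP's form-based authentication parameters. Illustrative code, not ZAP's own;
the HTML, rules and base URL are constructed."""
import re
import urllib.parse
from html.parser import HTMLParser


class FormCollector(HTMLParser):
    """Collect every <form> with its input/textarea/select fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            self._form["fields"].append({
                "name": a.get("name"), "id": a.get("id"),
                "type": (a.get("type") or "text").lower() if tag == "input" else tag,
                "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None  # fields after </form> belong to no form


def parse_forms(page_html):
    collector = FormCollector()
    collector.feed(page_html)
    return collector.forms


# Pattern -> default value, matched case-insensitively against name and id.
# Order matters: "login_password" must hit the password rule, not the login one.
DEFAULT_RULES = [
    (r"pass(word)?|pwd", "ZapPassw0rd!"),
    (r"e-?mail", "zap@example.com"),
    (r"phone|tel", "5555551234"),
    (r"zip|postal", "94041"),
    (r"user(name)?|login", "zapuser"),
]
FALLBACK = "ZAP"  # what the spiders use today
KEEP_AS_IS = ("hidden", "submit", "button", "checkbox", "radio")


def default_value(field):
    """Pick a plausible value; keep server-supplied ones (e.g. CSRF tokens)."""
    if field["type"] in KEEP_AS_IS:
        return field["value"]
    for pattern, value in DEFAULT_RULES:
        if any(field[k] and re.search(pattern, field[k], re.I) for k in ("name", "id")):
            return value
    return FALLBACK


def fill_form(form):
    """Return {name: value} for every named, non-button field."""
    return {f["name"]: default_value(f) for f in form["fields"]
            if f["name"] and f["type"] not in ("submit", "button")}


def detect_login_form(forms):
    """Heuristic (assumption): exactly one password field plus an identifier field."""
    for form in forms:
        passwords = [f for f in form["fields"] if f["type"] == "password"]
        idents = [f for f in form["fields"] if f["type"] in ("text", "email")]
        if len(passwords) == 1 and idents:
            return form, idents[0], passwords[0]
    return None


def zap_form_auth_config(base_url, form, user_field, password_field):
    """Parameter names and placeholders in the shape ZAP's form-based auth expects."""
    parts = []
    for f in form["fields"]:
        if not f["name"] or f["type"] in ("submit", "button"):
            continue
        if f is user_field:
            parts.append(f["name"] + "={%username%}")
        elif f is password_field:
            parts.append(f["name"] + "={%password%}")
        else:
            parts.append(f["name"] + "=" + urllib.parse.quote(default_value(f)))
    return {"loginUrl": urllib.parse.urljoin(base_url, form["action"]),
            "loginRequestData": "&".join(parts)}


# Constructed page with a login form and a contact form.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="t0k3n">
  <input type="text" name="username" id="login-user">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form action="/contact" method="post">
  <input type="text" name="full_name">
  <input type="email" name="contact_email">
  <input name="phone_number">
  <textarea name="message"></textarea>
</form>
"""
BASE_URL = "http://app.example.test/"  # hypothetical target


def demo_auth_config():
    found = detect_login_form(parse_forms(SAMPLE_HTML))
    return zap_form_auth_config(BASE_URL, *found) if found else None


if __name__ == "__main__":
    for form in parse_forms(SAMPLE_HTML):
        print(form["method"].upper(), form["action"], fill_form(form))
    print(demo_auth_config())
```

Listing `fill_form(form)` for every form is the "show the user all forms and their fields" view from the form-handling idea; the user then edits the rule list rather than each value. Hidden fields are deliberately carried through untouched so a CSRF token in the login form survives into the generated login request.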
=== New Idea Template ===