GSoC 2014 - The end

Published on Monday, 18 August 2014 in Gsoc 2014, Python; tagged with gsoc, 2014, project, owasp, owtf, security, pentest, python

Every story has an end. The GSoC 2014 is now over, I sent my final report a couple of hours ago and now I wait for their verdict.

If you haven't read my previous posts about GSoC, I spent the last couple of months working for OWASP on their OWTF project. It aims to provide an efficient approach that combines the power of automation with the out-of-the-box thinking that only a human being can provide.

My job? Implement an automated ranking system that will help the user to focus her/his attention on the most likely weak areas of a web application or network first.

I said that every story has an end but this one hasn't reached it yet! Though the GSoC has come to its end, I am staying around for a while and that is for sure.

I realize that a long post is too often boring. I even find it difficult to read some of my previous posts about the development of my project. Therefore I will try to keep this one short and concise.

What a trip

First of all, I want to say that the past week was crazy! I have spent too many hours cleaning my code, writing the documentation and finding a nice way to glue it to OWTF. But I feel lucky to have been able to detach my project into its own repository and develop it as a standalone library (that I baptized ptp due to a lack of imagination).

This GSoC was my first and it was awesome!

I worked with great people and I am looking forward to continuing to work with them. I had never put so much heart into a project and I am glad that it happened with this one! Sure, ptp is still at an early development stage and doesn't do much, but it is my baby; give him some time to grow older :)

Finally, that was the first time I felt like I was doing something useful. Yes, I worked on other projects before, some given by my school, some from my friends' school, some personal and some with the HackGyver hackerspace. But OWTF is used in the real world, by real users! Not just me or a few academic teachers, and that is a disturbing truth for me!

The project

So what has happened over the last month and a half? Quite a lot in fact, but I will focus on the most important parts.

Get rid of useless code

When writing the user documentation, I realized how cumbersome and useless the Report layer between the PTP public API and the Parsers was. In the early development stage, I thought it was needed and really useful, but I have to say that right now I can't remember why.

So I spent a couple of hours removing this unneeded layer. I ended up with code about 600 lines lighter (247 additions and 869 deletions, to be precise) without breaking a thing! I think these stats illustrate how badly this factorization was needed. Otherwise, how could it still be working?

Online user documentation

Also, I wrote the user documentation using Sphinx. I now realize that Markdown vs. reST is no contest (spoiler alert: reST wins), but let's keep that debate for another time.

Sphinx is really neat and generates nice, readable static HTML pages. Although writing user documentation is really painful, I finally managed to produce something that does the job.

Then I wanted to share it online, you know, to have something to show to my mentors. I knew about but I had never used it until now. It is amazing how easy it has been made for people like you and me to upload such things online.

See for yourself:

PyPI is handy

Finally, I wanted to have something as simple as possible to integrate ptp in OWTF.

Until a couple of days ago, I would have run a really ugly homemade Python script that copied ptp's .py files into the owtf/framework/lib directory and also rewrote the imports on the fly (e.g. from libptp import parser would become from framework.lib.libptp import parser).

The first step was to write a nice and clean setup script. I learned more about setuptools and how to use it. I then learned how easy it was to get my tiny library uploaded to PyPI (and that was quite a shock). How awesome is that? I went from a homemade script that copied ptp's files into OWTF in a stupid way to simply adding one extra dependency to the owtf.pip dependencies file!

Right now, I really feel that I have done my best to deliver the cleanest GSoC project I was capable of (unlike some others, but let's stay professional), but I have to wait for the verdict.

What's next?

Now it might seem like the story has ended. Well, no, because I want to do so much more, both for OWTF, my lover, and ptp, my baby.

For the next week I will not work on ptp. I want to take a couple of days away from it and recover some out-of-the-box thinking. Of course, if a bug is reported or found I will fix it, but right now I want to work on something else: maybe focus more on OWTF's code base, or improve my C skills by contributing to radare2 (if I can, but I definitely want to).

Also I have a lot of ideas for ptp, so many things I want to improve, change, add, etc.!

Some links

That is long enough; I can already feel you are bored. Just a couple of links I want to share:

Also, for fun: License WTFPL2