Tools

Tools: Ultimate Guide: Introducing FOSRES: A Free and Open Source Security Research Project

2026-04-08 0 views admin
Tools: Ultimate Guide: Introducing FOSRES: A Free and Open Source Security Research Project

Free and Open Source Security Research (FOSRES)

Topics for FOSRES Challenges

Part 1: Authentication System

Compliance

How Authentication Will Work

Client-Side Hashing for Registration

Full Stack

Frontends Featured in the Exercises

Testing

See the Ongoing Claude Conversation Hi. I am Tanveer Salim. And usually I let Claude do the talking. For the first time I am actually writing this from scratch. I would like to introduce you to the FOSRES project. A project meant to train future Security Engineers in Web/Cloud/AI Security. In this project you will be challenged to audit and fix others' code for security bugs, deploy applications in secure cloud environments (here I use AWS only for now), and be asked to apply your skills with using AI to reduce project timelines (a necessary skill you need to build now). Just to let you know I have chosen Claude Code as my official AI agent. Other AI Agents I would recommend are Mistral (most privacy friendly although worse at software engineering than Claude), or GLM-5 (not privacy-friendly at all). Below I will explain the required tech skills you want to have: You want to be able to audit and fix code containing any of these vulnerabilities: Broken Authentication / Authorization Server Side Request Forgery IDOR (Insecure Direct Object Reference) Missing Rate Limiting Malicious File Uploads Security Misconfigurations (see Week 14 from 48-week Plan) API Key Management & Authentication Security Logging and Monitoring Failures The only real way to learn Cloud Security is to do it: hence why I am making this project. It is meant to teach you Cloud Security as much as it is meant to teach me. I will first work with Claude to generate the authentication system. It is my responsibility to audit it. I will be presenting the code as an audit challenge so you are more than welcome to audit it and report bugs if necessary. Find my email in my Dev.to profile to contact me if you find any. Below is a system diagram of the final version of the authentication system: I intend the web application to be GDPR compliant (Claude help me with meeting GDPR compliance with AWS). Authentication and Encryption inspired by Bitwarden Whitepaper's system diagram for user. The following is ASCII-based art: Key Derivation Function: Argon2ID Generated RSA Key Pair --> Replaced with: ML-KEM-1024-X25519 Hybrid for Public Key Encapsulation HKDF: HKDF-SHA-256 which offers 128 bits of quantum security Symmetric Key Algorithm: XChaCha20-Poly1305 Support for Cryptography: Manual support for the Hybrid Public Key Encryption will be done based on Request for Comments 9180. Python Libraries liboqs-python and cryptography will be used in the backend. Javascript libraries: All possible backend and frontend frameworks will be visitable, auditable, and therefore hackable by visitors. Distinct frontends: React (×3), Alpine.js, Next.js, Nuxt.js, Angular All AI agents must first generate a beta version of the full-stack page of code requested complete with a full test-case suite. The developer must then manually check if the test cases work as well as test with additionl test cases. As a Security Engineer one must check for security bug test cases--and the AI agent must include that in the test case suite where applicable. After the developer has tested through all test cases the developer is strongly encouraed to allow a second, independent AI agent to first verify all test cases as well as additional tests. The developer can then verify the test cases made by the second independent AI. Claude will be responsible for generating code and the first test case suite for each page of full-stack code made. Mistral will be the secondary testing agent. Mistral, unlike Claude, is capable of executing code in a sandbox so Mistral is valuable as a testing agent. Claude is frequently used by developers and Security Engineers for software engineering planning. I decided to publish the entire conversation I had with Claude to help me write this blog. This is actually the first time I wrote a blog post here from scratch but nonetheless since AI-assisted programming in Security is a very new field I am publishing my entire conversation to help others learn from my good and bad habits as I experiment with it: https://claude.ai/share/71a81505-a49f-4fee-b2cd-d3ff09009af9 Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to ? It will become hidden in your post, but will still be visible via the comment's permalink. as well , this person and/or

Code Block

Copy

a. Session Cookie Authentication + CSRF b. Password Authentication c. JWT Token Authentication CODE_BLOCK: a. Session Cookie Authentication + CSRF b. Password Authentication c. JWT Token Authentication CODE_BLOCK: ╔════════════════════════════════════════════════════════════════════════════════════════════════╗ ║ CLIENT ║ ║ ┌──────────────────────────────────┐ ║ ║ User Asymmetric Key ┌───▶│ ML-KEM-1024 + X25519 Key Pair │ ║ ║ │ │ ┌─────────────┬──────────────┐ │ ║ ║ ┌───────────────────────────┐ │ │ │ Private Key │ Public Key │ │ ║ ║ │ Argon2ID (KDF) │ │ │ └─────────────┴──────────────┘ │ ║ ║ │ Salt : email address │──────── Master Key┤ └──────────────────────────────────┘ ║ ║ │ Payload: master password │ │ ║ ║ └───────────────────────────┘ │ ┌──────────────────────────────────┐ ║ ║ └───▶│ HKDF-SHA-256 ──▶ Stretched │ ║ ║ │ Master Key │ ║ ║ └─────────────────┬────────────────┘ ║ ║ │ ║ ║ ┌───────────────────────────┐ ▼ ║ ║ │ Argon2ID (KDF) │◀── Master Key ┌───────────────────────────────────────┐ ║ ║ │ Payload: master key │ │ Generated Symmetric Key │ ║ ║ │ Salt : master password │ │ Encryption Key : 256 bits │ ║ ║ └─────────────┬─────────────┘ │ MAC Key : 256 bits │ ║ ║ │ └─────────────┬─────────────────────────┘ ║ ║ │ │ Symmetric Key ║ ║ ▼ │ ║ ║ ┌──────────────────────┐ ┌─────────────────────────┐ │ ┌────────────────────────┐ ║ ║ │ Master Password │ │ 192-bit Nonce (CSPRNG) │───────┼─▶│ XChaCha20-Poly1305 │ ║ ║ │ Hash (SHA-256) │ └─────────────────────────┘ │ │ Nonce : 192-bit │ ║ ║ └──────────────────────┘ ▲ │ │ Payload: sym key │ ║ ║ │ │ Nonce └─▶│ Key: stretched mkey │ ║ ║ │ CSPRNG┘ └──────────┬─────────────┘ ║ ║ │ │ ║ ║ │ ▼ ║ ║ │ ┌───────────────────────────────┐ ║ ║ │ │ Protected Symmetric Key │ ║ ║ │ └───────────────────────────────┘ ║ ╚════════════════╪════════════════════════════════════════════════════╪══════════════════════╝ │ 🔒 https:// │ ▼ ▼ ╔════════════════════════════════════════════════════════════════════════════════════════════════╗ ║ CLOUD ║ ║ ║ ║ KMS – Data Protection Key – XChaCha20-Poly1305 Encryption ║ ║ ┌────────────────────────────────┬───────────────────────────────────────┐ ║ ║ │ SHA-256(Master Password Hash) │ Protected Symmetric Key │ ║ ║ ├────────────────────────────────┴───────────────────────────────────────┤ ║ ║ │ Database with Transparent Data Encryption (TDE) │ ║ ║ ├────────────────────────────────┬───────────────────────────────────────┤ ║ ║ │ SHA-256(Master Password Hash) │ Protected Symmetric Key │ ║ ║ └────────────────────────────────┴───────────────────────────────────────┘ ║ ╚════════════════════════════════════════════════════════════════════════════════════════════════╝ CODE_BLOCK: ╔════════════════════════════════════════════════════════════════════════════════════════════════╗ ║ CLIENT ║ ║ ┌──────────────────────────────────┐ ║ ║ User Asymmetric Key ┌───▶│ ML-KEM-1024 + X25519 Key Pair │ ║ ║ │ │ ┌─────────────┬──────────────┐ │ ║ ║ ┌───────────────────────────┐ │ │ │ Private Key │ Public Key │ │ ║ ║ │ Argon2ID (KDF) │ │ │ └─────────────┴──────────────┘ │ ║ ║ │ Salt : email address │──────── Master Key┤ └──────────────────────────────────┘ ║ ║ │ Payload: master password │ │ ║ ║ └───────────────────────────┘ │ ┌──────────────────────────────────┐ ║ ║ └───▶│ HKDF-SHA-256 ──▶ Stretched │ ║ ║ │ Master Key │ ║ ║ └─────────────────┬────────────────┘ ║ ║ │ ║ ║ ┌───────────────────────────┐ ▼ ║ ║ │ Argon2ID (KDF) │◀── Master Key ┌───────────────────────────────────────┐ ║ ║ │ Payload: master key │ │ Generated Symmetric Key │ ║ ║ │ Salt : master password │ │ Encryption Key : 256 bits │ ║ ║ └─────────────┬─────────────┘ │ MAC Key : 256 bits │ ║ ║ │ └─────────────┬─────────────────────────┘ ║ ║ │ │ Symmetric Key ║ ║ ▼ │ ║ ║ ┌──────────────────────┐ ┌─────────────────────────┐ │ ┌────────────────────────┐ ║ ║ │ Master Password │ │ 192-bit Nonce (CSPRNG) │───────┼─▶│ XChaCha20-Poly1305 │ ║ ║ │ Hash (SHA-256) │ └─────────────────────────┘ │ │ Nonce : 192-bit │ ║ ║ └──────────────────────┘ ▲ │ │ Payload: sym key │ ║ ║ │ │ Nonce └─▶│ Key: stretched mkey │ ║ ║ │ CSPRNG┘ └──────────┬─────────────┘ ║ ║ │ │ ║ ║ │ ▼ ║ ║ │ ┌───────────────────────────────┐ ║ ║ │ │ Protected Symmetric Key │ ║ ║ │ └───────────────────────────────┘ ║ ╚════════════════╪════════════════════════════════════════════════════╪══════════════════════╝ │ 🔒 https:// │ ▼ ▼ ╔════════════════════════════════════════════════════════════════════════════════════════════════╗ ║ CLOUD ║ ║ ║ ║ KMS – Data Protection Key – XChaCha20-Poly1305 Encryption ║ ║ ┌────────────────────────────────┬───────────────────────────────────────┐ ║ ║ │ SHA-256(Master Password Hash) │ Protected Symmetric Key │ ║ ║ ├────────────────────────────────┴───────────────────────────────────────┤ ║ ║ │ Database with Transparent Data Encryption (TDE) │ ║ ║ ├────────────────────────────────┬───────────────────────────────────────┤ ║ ║ │ SHA-256(Master Password Hash) │ Protected Symmetric Key │ ║ ║ └────────────────────────────────┴───────────────────────────────────────┘ ║ ╚════════════════════════════════════════════════════════════════════════════════════════════════╝ CODE_BLOCK: ╔════════════════════════════════════════════════════════════════════════════════════════════════╗ ║ CLIENT ║ ║ ┌──────────────────────────────────┐ ║ ║ User Asymmetric Key ┌───▶│ ML-KEM-1024 + X25519 Key Pair │ ║ ║ │ │ ┌─────────────┬──────────────┐ │ ║ ║ ┌───────────────────────────┐ │ │ │ Private Key │ Public Key │ │ ║ ║ │ Argon2ID (KDF) │ │ │ └─────────────┴──────────────┘ │ ║ ║ │ Salt : email address │──────── Master Key┤ └──────────────────────────────────┘ ║ ║ │ Payload: master password │ │ ║ ║ └───────────────────────────┘ │ ┌──────────────────────────────────┐ ║ ║ └───▶│ HKDF-SHA-256 ──▶ Stretched │ ║ ║ │ Master Key │ ║ ║ └─────────────────┬────────────────┘ ║ ║ │ ║ ║ ┌───────────────────────────┐ ▼ ║ ║ │ Argon2ID (KDF) │◀── Master Key ┌───────────────────────────────────────┐ ║ ║ │ Payload: master key │ │ Generated Symmetric Key │ ║ ║ │ Salt : master password │ │ Encryption Key : 256 bits │ ║ ║ └─────────────┬─────────────┘ │ MAC Key : 256 bits │ ║ ║ │ └─────────────┬─────────────────────────┘ ║ ║ │ │ Symmetric Key ║ ║ ▼ │ ║ ║ ┌──────────────────────┐ ┌─────────────────────────┐ │ ┌────────────────────────┐ ║ ║ │ Master Password │ │ 192-bit Nonce (CSPRNG) │───────┼─▶│ XChaCha20-Poly1305 │ ║ ║ │ Hash (SHA-256) │ └─────────────────────────┘ │ │ Nonce : 192-bit │ ║ ║ └──────────────────────┘ ▲ │ │ Payload: sym key │ ║ ║ │ │ Nonce └─▶│ Key: stretched mkey │ ║ ║ │ CSPRNG┘ └──────────┬─────────────┘ ║ ║ │ │ ║ ║ │ ▼ ║ ║ │ ┌───────────────────────────────┐ ║ ║ │ │ Protected Symmetric Key │ ║ ║ │ └───────────────────────────────┘ ║ ╚════════════════╪════════════════════════════════════════════════════╪══════════════════════╝ │ 🔒 https:// │ ▼ ▼ ╔════════════════════════════════════════════════════════════════════════════════════════════════╗ ║ CLOUD ║ ║ ║ ║ KMS – Data Protection Key – XChaCha20-Poly1305 Encryption ║ ║ ┌────────────────────────────────┬───────────────────────────────────────┐ ║ ║ │ SHA-256(Master Password Hash) │ Protected Symmetric Key │ ║ ║ ├────────────────────────────────┴───────────────────────────────────────┤ ║ ║ │ Database with Transparent Data Encryption (TDE) │ ║ ║ ├────────────────────────────────┬───────────────────────────────────────┤ ║ ║ │ SHA-256(Master Password Hash) │ Protected Symmetric Key │ ║ ║ └────────────────────────────────┴───────────────────────────────────────┘ ║ ╚════════════════════════════════════════════════════════════════════════════════════════════════╝ - Broken Authentication / Authorization a. Session Cookie Authentication + CSRF b. Password Authentication c. JWT Token Authentication - Broken SQL Injection - Server Side Request Forgery - IDOR (Insecure Direct Object Reference) - Missing Rate Limiting - OS Path Traversal - OS Command Injection - Malicious File Uploads - Security Misconfigurations (see Week 14 from 48-week Plan) - API Key Management & Authentication - Security Logging and Monitoring Failures - XXE Entity Bugs

🏷️ Tags

toolsutilitiessecurity toolsultimateguideintroducingfosressourcesecurityresearch

More from Tools

Tools: Complete Guide to Fleet Management with Ansible — The AutoBot Approach

Tools: Complete Guide to Fleet Management with Ansible — The AutoBot Approach

2026-04-09 0
Tools: Complete Guide to Profiling Java apps: breaking things to prove it works

Tools: Complete Guide to Profiling Java apps: breaking things to prove it works

2026-04-09 0
Tools: Stop paying for early stage hosting: A guide to the 24GB free tier

Tools: Stop paying for early stage hosting: A guide to the 24GB free tier

2026-04-09 0
Tools: How to Block Internet Access for Any Linux App (While Keeping LAN) (2026)

Tools: How to Block Internet Access for Any Linux App (While Keeping LAN) (2026)

2026-04-09 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views