Free and Open Source Security Research (FOSRES)
Hi. I am Tanveer Salim. And usually I let Claude do the talking.
For the first time I am actually writing this from scratch.
I would like to introduce you to the FOSRES project, a project meant to train future Security Engineers in Web/Cloud/AI Security. In this project you will be challenged to audit and fix others' code for security bugs, deploy applications in secure cloud environments (I use only AWS for now), and apply your AI skills to reduce project timelines (a necessary skill you need to build now). Just to let you know, I have chosen Claude Code as my official AI agent. Other AI agents I would recommend are Mistral (the most privacy-friendly, although worse at software engineering than Claude) or GLM-5 (not privacy-friendly at all).
Below I will explain the required tech skills you want to have:
Topics for FOSRES Challenges
A. Web Security
You want to be able to audit and fix code containing any of these vulnerabilities:
- Broken Authentication / Authorization
  a. Session Cookie Authentication + CSRF
  b. Password Authentication
  c. JWT Token Authentication
- Broken SQL Injection
- Broken XSS
- Server Side Request Forgery
- IDOR (Insecure Direct Object Reference)
- Missing Rate Limiting
- OS Path Traversal
- OS Command Injection
- Malicious File Uploads
- Security Misconfigurations (see Week 14 from 48-week Plan)
- API Key Management & Authentication
- Security Logging and Monitoring Failures
- XXE Entity Bugs
B. Cloud Security
The only real way to learn Cloud Security is to do it: hence why I am making this project. It is meant to teach you Cloud Security as much as it is meant to teach me.
(To Be Determined)
C. AI Security
(To Be Determined)
Part 1: Authentication System
I will first work with Claude to generate the authentication system. It is my responsibility to audit it. I will be presenting the code as an audit challenge so you are more than welcome to audit it and report bugs if necessary. Find my email in my Dev.to profile to contact me if you find any.
Below is a system diagram of the final version of the authentication system:
Compliance
I intend the web application to be GDPR compliant (Claude help me with meeting GDPR compliance with AWS).
How Authentication Will Work
Client-Side Hashing for Registration
Authentication and encryption are inspired by the user system diagram in the Bitwarden whitepaper.
The following is ASCII-based art:
```
┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│                                           CLIENT                                            │
│                                                     ┌──────────────────────────────────┐    │
│                            User Asymmetric Key ┌───▶│  ML-KEM-1024 + X25519 Key Pair   │    │
│                                                │    │  ┌─────────────┬──────────────┐  │    │
│ ┌───────────────────────────┐                  │    │  │ Private Key │ Public Key   │  │    │
│ │ Argon2ID (KDF)            │                  │    │  └─────────────┴──────────────┘  │    │
│ │ Salt   : email address    ├─────── Master Key┤    └──────────────────────────────────┘    │
│ │ Payload: master password  │                  │                                            │
│ └───────────────────────────┘                  │    ┌──────────────────────────────────┐    │
│                                                └───▶│  HKDF-SHA-256  ──▶  Stretched    │    │
│                                                     │                     Master Key   │    │
│                                                     └─────────────────┬────────────────┘    │
│                                                                       │                     │
│ ┌───────────────────────────┐                                         ▼                     │
│ │ Argon2ID (KDF)            │◀── Master Key     ┌───────────────────────────────────────┐   │
│ │ Payload: master key       │                   │  Generated Symmetric Key              │   │
│ │ Salt   : master password  │                   │  Encryption Key : 256 bits            │   │
│ └─────────────┬─────────────┘                   │  MAC Key        : 256 bits            │   │
│               │                                 └─────────────┬─────────────────────────┘   │
│               │                                               │ Symmetric Key               │
│               ▼                                               │                             │
│ ┌──────────────────────┐   ┌─────────────────────────┐        │  ┌────────────────────────┐ │
│ │ Master Password      │   │ 192-bit Nonce (CSPRNG)  ├────────┼─▶│ XChaCha20-Poly1305     │ │
│ │ Hash (SHA-256)       │   └─────────────────────────┘        │  │ Nonce  : 192-bit       │ │
│ └──────────────────────┘                ▲                     │  │ Payload: sym key       │ │
│               │                         │ Nonce               └─▶│ Key: stretched mkey    │ │
│               │                   CSPRNG┘                        └──────────┬─────────────┘ │
│               │                                                             │               │
│               │                                                             ▼               │
│               │                                           ┌───────────────────────────────┐ │
│               │                                           │    Protected Symmetric Key    │ │
│               │                                           └───────────────────────────────┘ │
╘═══════════════╪═════════════════════════════════════════════════════════════╪═══════════════╛
                │                         🔒 https://                         │
                ▼                                                             ▼
┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│                                            CLOUD                                            │
│                                                                                             │
│   KMS → Data Protection Key → XChaCha20-Poly1305 Encryption                                 │
│         ┌────────────────────────────────┬───────────────────────────────────────┐          │
│         │ SHA-256(Master Password Hash)  │ Protected Symmetric Key               │          │
│         ├────────────────────────────────┴───────────────────────────────────────┤          │
│         │ Database with Transparent Data Encryption (TDE)                        │          │
│         ├────────────────────────────────┬───────────────────────────────────────┤          │
│         │ SHA-256(Master Password Hash)  │ Protected Symmetric Key               │          │
│         └────────────────────────────────┴───────────────────────────────────────┘          │
└─────────────────────────────────────────────────────────────────────────────────────────────┘
```
- Key Derivation Function: Argon2ID
- Generated RSA Key Pair --> Replaced with: ML-KEM-1024-X25519 Hybrid for Public Key Encapsulation
- HKDF: HKDF-SHA-256, which offers 128 bits of quantum security
- Symmetric Key Algorithm: XChaCha20-Poly1305
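
The derivation chain from the diagram, from master password to the value the server stores, as an added example (not code from the FOSRES project). Python's standard library has no Argon2id or XChaCha20-Poly1305, so `hashlib.scrypt` stands in for both Argon2ID boxes and the wrap step itself is left out. The scrypt parameters, the HKDF `info` label, the email normalisation and all function names are assumptions.

```python
import hashlib
import hmac
import secrets


def kdf(payload: bytes, salt: bytes) -> bytes:
    # Stand-in for the diagram's Argon2ID boxes: hashlib has no Argon2id, so
    # scrypt (also memory-hard) is swapped in. Parameters are assumptions.
    return hashlib.scrypt(payload, salt=salt, n=2**14, r=8, p=1, dklen=32)


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    # HKDF-Expand (RFC 5869) with HMAC-SHA-256.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_client_keys(email: str, master_password: str) -> dict:
    pw = master_password.encode()
    # The salt must be byte-identical at every login, so the email is
    # normalised first (assumption: trim + lowercase).
    master_key = kdf(pw, salt=email.strip().lower().encode())
    return {
        # Stays on the client; this key wraps the generated symmetric key.
        "stretched_master_key": hkdf_expand(master_key, b"stretched-master-key"),
        # The only password-derived value that is sent to the server.
        "master_password_hash": kdf(master_key, salt=pw),
    }


def new_wrap_inputs() -> dict:
    # CSPRNG material for the XChaCha20-Poly1305 wrap step in the diagram.
    return {"enc_key": secrets.token_bytes(32),  # 256-bit encryption key
            "mac_key": secrets.token_bytes(32),  # 256-bit MAC key
            "nonce": secrets.token_bytes(24)}    # 192-bit nonce


def server_record(master_password_hash: bytes) -> bytes:
    # Cloud side stores SHA-256(master password hash), never the hash itself.
    return hashlib.sha256(master_password_hash).digest()


def server_verify(stored: bytes, presented_hash: bytes) -> bool:
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(stored, hashlib.sha256(presented_hash).digest())
```

Because the email address is the salt, any difference in how it is normalised between registration and login yields a different master key and a failed login.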
Support for Cryptography:
| Need | Python | JavaScript |
|---|---|---|
| ML-KEM-1024 + X25519 (your design) | Manual combiner: liboqs-python + cryptography + HKDF | Manual combiner: mlkem + Web Crypto + @hpke/core |
Manual support for the Hybrid Public Key Encryption will be done based on Request for Comments 9180.
Python Libraries liboqs-python and cryptography will be used in the backend.
Javascript libraries:
Full Stack
All possible backend and frontend frameworks will be visitable, auditable, and therefore hackable by visitors.
Backends:
- Flask
- Django
- FastAPI
Frontends Featured in the Exercises
| Exercise | Backend | Frontend |
|---|---|---|
| 1 | FastAPI | React |
| 2 | Flask | React |
| 3 | FastAPI | React |
| 4 | Django | Alpine.js |
| 5 | Django | Next.js (TypeScript) |
| 6 | FastAPI | Nuxt.js (Vue) |
| 7 | Django | Angular |
Distinct frontends: React (×3), Alpine.js, Next.js, Nuxt.js, Angular
Testing
All AI agents must first generate a beta version of the requested full-stack page of code, complete with a full test-case suite. The developer must then manually check whether the test cases work and test with additional test cases. As a Security Engineer one must check for security bug test cases, and the AI agent must include those in the test-case suite where applicable. After working through all the test cases, the developer is strongly encouraged to have a second, independent AI agent verify all test cases and add further tests. The developer can then verify the test cases made by the second, independent AI.
Claude will be responsible for generating code and the first test case suite for each page of full-stack code made. Mistral will be the secondary testing agent. Mistral, unlike Claude, is capable of executing code in a sandbox so Mistral is valuable as a testing agent. Claude is frequently used by developers and Security Engineers for software engineering planning.
See the Ongoing Claude Conversation
I decided to publish the entire conversation I had with Claude to help me write this blog. This is actually the first time I wrote a blog post here from scratch but nonetheless since AI-assisted programming in Security is a very new field I am publishing my entire conversation to help others learn from my good and bad habits as I experiment with it: https://claude.ai/share/71a81505-a49f-4fee-b2cd-d3ff09009af9
