OWASP - User contributions [en]

OWASP Insecure Web Components Project

2014-09-12T18:00:17Z

Benjamin Watson:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Insecure Web Components Project==

Helping to build and secure better web applications through the identification of insecure web components.

==Introduction==

The OWASP Insecure Web Components Project is a repository of identified vulnerable components in popular web application frameworks and languages. The goal is to give developers and security professionals alike a centralized location where they can identify these vulnerable components when building and securing web applications.

==Description==

The focus of this project are the insecure components that make up popular web applications, and frameworks. These can be everything from Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive list that can be used to help uncover issues in current implementations of web applications and aid in the secure architecture of them as well.

==Component Categories==

[https://www.owasp.org/index.php/OWASP_Insecure_Web_Components_Project/Struts2 Struts2]

==Licensing==
OWASP Insecure Web Components Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Leader ==

Benjamin Watson

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; Q1
: A1

; Q2
: A2

= Acknowledgements =
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

* xxx
* xxx

==Others==
* xxx
* xxx

= Road Map and Getting Involved =

As of 2014 our current priorities are identifying insecure components in J2EE applications and Java Web Application Frameworks. This includes Struts, Spring, Wicket, Grails, and so forth. We are looking at everything from API related components to configuration and environment.

Involvement in the development and promotion of the OWASP Insecure Web Components Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:

* Contact Tony UV
* Contact Benjamin Watson

=Project About=
{{:Projects/OWASP_Insecure_Web_Components_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Insecure Web Components Project/Struts2

2014-09-09T19:24:09Z

Benjamin Watson: /* CookieInterceptor (S2-022) */

== CookieInterceptor (S2-022) ==

=== Overview ===

The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() did not cover other cases, allowing the state manipulation of session, request, when " * " is used to configure cookiesName param.

The CookieInterceptor is used to set values in the OGNL stack and action based on the cookie name and value. If an asterisk is present in cookiesName parameter, it will be assumed that all cookie name are to be injected into the OGNL stack and corresponding action. This applies to 'cookiesValue' as well.

Example:

<nowiki>

<action>
<interceptor-ref name="cookie">
<param name="cookiesName">cookie1, cookie2</param>
<param name="cookiesValue">*</param>
<interceptor-ref>
</action>
</nowiki>

=== Tampering with Struts2 Session Data ===

This was reported here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057 - and has been fixed since Struts 2.3.4. Yet conceptually this plays into understanding
the full issue at hand.

If an action implements the interfaces Action or SessionAware it allows the auto-binding of data to the current session or request using the common implementation:

Based on this post: http://codesecure.blogspot.ca/2011/12/struts-2-session-tampering-via.html - This allows manipulation such as: ?session.key=value. If an object has a setValue(String) method and is stored within the session using the key "data"; if one passed the following query string parameter "?session.data.value=authorized"; this would lead to the setting of that value.

=== CVE-2014-0116 ===

What was done to fix CVE-2014-0094 was not fully implemented for values such as session or request. Please reference: http://securityintelligence.com/struts-vulnerabilities-analysis-parameters-cookie-interceptors-impact-exploitation/ - for the original analysis.

With building an example vulnerable application, it is possible to modify session values in the same way above, i.e. "session.user.role=admin", which when implementing SessionAware, sets the new value on the OGNL stack, and in the action.

=== Remediation ===

In Struts 2.3.16.3 the same exclude patterns were used in CookieInterceptor which are available in ParametersInterceptor. If you don't use CookieInterceptor you are safe. (S2-022)

References:

* http://struts.apache.org/release/2.3.x/docs/s2-022.html
* http://securityintelligence.com/struts-vulnerabilities-analysis-parameters-cookie-interceptors-impact-exploitation/
* http://codesecure.blogspot.ca/2011/12/struts-2-session-tampering-via.html

OWASP Insecure Web Components Project/Struts2

2014-09-09T19:22:26Z

Benjamin Watson: /* CookieInterceptor (S2-022) */

== CookieInterceptor (S2-022) ==

=== Overview ===

The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() did not cover other cases, allowing the state manipulation of session, request, when " * " is used to configure cookiesName param.

The CookieInterceptor is used to set values in the OGNL stack and action based on the cookie name and value. If an asterisk is present in cookiesName parameter, it will be assumed that all cookie name are to be injected into the OGNL stack and corresponding action. This applies to 'cookiesValue' as well.

Example:

<nowiki>

<action>
<interceptor-ref name="cookie">
<param name="cookiesName">cookie1, cookie2</param>
<param name="cookiesValue">*</param>
<interceptor-ref>
</action>
</nowiki>

=== Tampering with Struts2 Session Data ===

This was reported here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057 - and has been fixed since Struts 2.3.4. Yet conceptually this plays into understanding
the full issue at hand.

If an action implements the interfaces Action or SessionAware it allows the auto-binding of data to the current session or request using the common implementation:

Based on this post: http://codesecure.blogspot.ca/2011/12/struts-2-session-tampering-via.html - This allows manipulation such as: ?session.key=value. If an object has a setValue(String) method and is stored within the session using the key "data"; if one passed the following query string parameter "?session.data.value=authorized"; this would lead to the setting of that value.

=== CVE-2014-0116 ===

What was done to fix CVE02014-0094 was not fully implemented for values such as session or request. Please reference: http://securityintelligence.com/struts-vulnerabilities-analysis-parameters-cookie-interceptors-impact-exploitation/ - for the original analysis.

With building an example vulnerable application, it is possible to modify session values in the same way above, i.e. "session.user.role=admin", which when implementing SessionAware, sets the new value on the OGNL stack, and in the action.

=== Remediation ===

In Struts 2.3.16.3 the same exclude patterns were used in CookieInterceptor which are available in ParametersInterceptor. If you don't use CookieInterceptor you are safe. (S2-022)

References:

* http://struts.apache.org/release/2.3.x/docs/s2-022.html
* http://securityintelligence.com/struts-vulnerabilities-analysis-parameters-cookie-interceptors-impact-exploitation/
* http://codesecure.blogspot.ca/2011/12/struts-2-session-tampering-via.html

OWASP Insecure Web Components Project/Struts2

2014-09-09T19:06:19Z

Benjamin Watson: Created page with "== CookieInterceptor (S2-022) == === Overview === The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() did not cover other cases, allo..."

OWASP Insecure Web Components Project

2014-01-06T16:09:48Z

Benjamin Watson:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Insecure Web Components Project==

Helping to build and secure better web applications through the identification of insecure web components.

==Introduction==

The OWASP Insecure Web Components Project is a repository of identified vulnerable components in popular web application frameworks and languages. The goal is to give developers and security professionals alike a centralized location where they can identify these vulnerable components when building and securing web applications.

==Description==

The focus of this project are the insecure components that make up popular web applications, and frameworks. These can be everything from Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive list that can be used to help uncover issues in current implementations of web applications and aid in the secure architecture of them as well.

==Licensing==
OWASP Insecure Web Components Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Leader ==

Benjamin Watson

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; Q1
: A1

; Q2
: A2

= Acknowledgements =
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

* xxx
* xxx

==Others==
* xxx
* xxx

= Road Map and Getting Involved =

As of 2014 our current priorities are identifying insecure components in J2EE applications and Java Web Application Frameworks. This includes Struts, Spring, Wicket, Grails, and so forth. We are looking at everything from API related components to configuration and environment.

Involvement in the development and promotion of the OWASP Insecure Web Components Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:

* Contact Tony UV
* Contact Benjamin Watson

=Project About=
{{:Projects/OWASP_Insecure_Web_Components_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Insecure Web Components Project

2014-01-03T17:02:55Z

Benjamin Watson:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Insecure Web Components Project==

Helping to build and secure better web applications through the identification of insecure web components.

==Introduction==

The OWASP Insecure Web Components Project is a repository of identified vulnerable components in popular web application frameworks and languages. The goal is to give developers and security professionals alike a centralized location where they can identify these vulnerable components when building and securing web applications.

==Description==

The focus of this project are the insecure components that make up popular web applications, and frameworks. These can be everything from Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive list that can be used to help uncover issues in current implementations of web applications and aid in the secure architecture of them as well.

==Licensing==
OWASP Insecure Web Components Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Leader ==

Tony UV

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; Q1
: A1

; Q2
: A2

= Acknowledgements =
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

* xxx
* xxx

==Others==
* xxx
* xxx

= Road Map and Getting Involved =

As of 2014 our current priorities are identifying insecure components in J2EE applications and Java Web Application Frameworks. This includes Struts, Spring, Wicket, Grails, and so forth. We are looking at everything from API related components to configuration and environment.

Involvement in the development and promotion of the OWASP Insecure Web Components Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:

* Contact Tony UV
* Contact Benjamin Watson

=Project About=
{{:Projects/OWASP_Insecure_Web_Components_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Insecure Web Components Project

2014-01-03T17:02:04Z

Benjamin Watson:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Insecure Web Components Project==

Helping to build and secure better web applications through the identification of insecure web components.

==Introduction==

The OWASP Insecure Web Components Project is a repository of identified vulnerable components in popular web application frameworks and languages. The goal is to give developers and security professionals alike a centralized location where they can identify these vulnerable components when building and securing web applications.

==Description==

The focus of this project are the insecure components that make up popular web applications, and frameworks. These can be everything from Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive list that can be used to help uncover issues in current implementations of web applications and aid in the secure architecture of them as well.

==Licensing==
OWASP Insecure Web Components Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Leader ==

Tony UV

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; Q1
: A1

; Q2
: A2

= Acknowledgements =
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

* xxx
* xxx

==Others==
* xxx
* xxx

= Road Map and Getting Involved =

As of 2014 our current priorities are identifying insecure components in J2EE applications and Java Web Application Frameworks. This includes Struts, Spring, Wicket, Grails, and so forth. We are looking at everything from API related components to configuration and environment.

Involvement in the development and promotion of the OWASP Insecure Web Components Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
Contact Tony UV
Contact Benjamin Watson

=Project About=
{{:Projects/OWASP_Insecure_Web_Components_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Insecure Web Components Project

2014-01-03T17:00:45Z

Benjamin Watson:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Insecure Web Components Project==

Helping to build and secure better web applications through the identification of insecure web components.

==Introduction==

The OWASP Insecure Web Components Project is a repository of identified vulnerable components in popular web application frameworks and languages. The goal is to give developers and security professionals alike a centralized location where they can identify these vulnerable components when building and securing web applications.

==Description==

The focus of this project are the insecure components that make up popular web applications, and frameworks. These can be everything from Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive list that can be used to help uncover issues in current implementations of web applications and aid in the secure architecture of them as well.

==Licensing==
OWASP Insecure Web Components Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Leader ==

Tony UV

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; Q1
: A1

; Q2
: A2

= Acknowledgements =
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

* xxx
* xxx

==Others==
* xxx
* xxx

= Road Map and Getting Involved =

As of 2014 our current priorities are identifying insecure components in J2EE applications and Java Web Application Frameworks. This includes Struts, Spring, Wicket, Grails, and so forth. We are looking at everything from API related components to configuration and environment.

Involvement in the development and promotion of XXX is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* xxx
* xxx

=Project About=
{{:Projects/OWASP_Insecure_Web_Components_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Insecure Web Components Project

2014-01-03T16:56:31Z

Benjamin Watson:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Insecure Web Components Project==

The OWASP Insecure Web Components Project

==Introduction==

The OWASP Insecure Web Components Project is a repository of identified vulnerable components in popular web application frameworks and languages. The goal is to give developers and security professionals alike a centralized location where they can identify these vulnerable components when building and securing web applications.

==Description==

The focus of this project are the insecure components that make up popular web applications, and frameworks. These can be everything from Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive list that can be used to help uncover issues in current implementations of web applications and aid in the secure architecture of them as well.

==Licensing==
OWASP Insecure Web Components Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Leader ==

Project leader's name

== Related Projects ==

* [[OWASP_CISO_Survey]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* Link to page/download

== News and Events ==
* [20 Nov 2013] News 2
* [30 Sep 2013] News 1

== In Print ==
This project can be purchased as a print on demand book from Lulu.com

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; Q1
: A1

; Q2
: A2

= Acknowledgements =
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

* xxx
* xxx

==Others==
* xxx
* xxx

= Road Map and Getting Involved =

As of 2014 our current priorities are identifying insecure components in J2EE applications and Java Web Application Frameworks. This includes Struts, Spring, Wicket, Grails, and so forth. We are looking at everything from API related components to configuration and environment.

Involvement in the development and promotion of XXX is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* xxx
* xxx

=Project About=
{{:Projects/OWASP_Insecure_Web_Components_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Insecure Web Components Project

2014-01-03T16:55:27Z

Benjamin Watson:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Insecure Web Components Project==

The OWASP Insecure Web Components Project

==Introduction==

The OWASP Insecure Web Components Project is a repository of identified vulnerable components in popular web application frameworks and languages. The goal is to give developers and security professionals alike a centralized location where they can identify these vulnerable components when building and securing web applications.

==Description==

The focus of this project are the insecure components that make up popular web applications, and frameworks. These can be everything from Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive list that can be used to help uncover issues in current implementations of web applications and aid in the secure architecture of them as well.

==Licensing==
OWASP XXX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is XXX? ==

OWASP XXX provides:

* xxx
* xxx

== Presentation ==

Link to presentation

== Project Leader ==

Project leader's name

== Related Projects ==

* [[OWASP_CISO_Survey]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* Link to page/download

== News and Events ==
* [20 Nov 2013] News 2
* [30 Sep 2013] News 1

== In Print ==
This project can be purchased as a print on demand book from Lulu.com

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; Q1
: A1

; Q2
: A2

= Acknowledgements =
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

* xxx
* xxx

==Others==
* xxx
* xxx

= Road Map and Getting Involved =

As of 2014 our current priorities are identifying insecure components in J2EE applications and Java Web Application Frameworks. This includes Struts, Spring, Wicket, Grails, and so forth. We are looking at everything from API related components to configuration and environment.

Involvement in the development and promotion of XXX is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* xxx
* xxx

=Project About=
{{:Projects/OWASP_Insecure_Web_Components_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP Insecure Web Components Project

2014-01-03T16:48:33Z

Benjamin Watson:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Insecure Web Components Project==

The OWASP Insecure Web Components Project

==Introduction==

The OWASP Insecure Web Components Project is a repository of identified vulnerable components in popular web application frameworks and languages. The goal is to give developers and security professionals alike a centralized location where they can identify these vulnerable components when building and securing web applications.

==Description==

The focus of this project are the insecure components that make up popular web applications, and frameworks. These can be everything from Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive list that can be used to help uncover issues in current implementations of web applications and aid in the secure architecture of them as well.

==Licensing==
OWASP XXX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is XXX? ==

OWASP XXX provides:

* xxx
* xxx

== Presentation ==

Link to presentation

== Project Leader ==

Project leader's name

== Related Projects ==

* [[OWASP_CISO_Survey]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* Link to page/download

== News and Events ==
* [20 Nov 2013] News 2
* [30 Sep 2013] News 1

== In Print ==
This project can be purchased as a print on demand book from Lulu.com

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

=FAQs=

; Q1
: A1

; Q2
: A2

= Acknowledgements =
==Volunteers==
XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

* xxx
* xxx

==Others==
* xxx
* xxx

= Road Map and Getting Involved =
As of XXX, the priorities are:
* xxx
* xxx
* xxx

Involvement in the development and promotion of XXX is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* xxx
* xxx

=Project About=
{{:Projects/OWASP_Insecure_Web_Components_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

Projects/OWASP Insecure Web Components Project

2014-01-03T16:40:24Z

Benjamin Watson:

{{Template:Project About
| project_name =OWASP Insecure Web Components Project
| project_description =The focus of this project are the insecure components that make up popular web applications, and frameworks. These can be everything from Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive list that can be used to help uncover issues in current implementations of web applications and aid in the secure architecture of them as well.
| project_license =Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)
| leader_name1 =Tony UV
| leader_email1 =tonyuv@owasp.org
| leader_name2 =Benjamin Watson
| leader_email2 =rotlogix@gmail.com
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_insecure_web_components_project
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Insecure_Web_Components_Project/Roadmap
}}

Projects/OWASP Insecure Web Components Project

2014-01-03T16:39:24Z

Benjamin Watson:

{{Template:Project About
| project_name =OWASP Insecure Web Components Project
| project_description =The focus of this project are the insecure components that make up popular web applications, and frameworks. These can be everything from Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive list that can be used to help uncover issues in current implementations of web applications and aid in the secure architecture of them as well.
| project_license =Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)
| leader_name1 =Tony UV
| leader_email1 =tonyuv@owasp.org
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_insecure_web_components_project
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Insecure_Web_Components_Project/Roadmap
}}

Projects/OWASP Insecure Web Components Project

2014-01-03T16:37:34Z

Benjamin Watson:

{{Template:Project About
| project_name =OWASP Insecure Web Components Project
| project_description =The focus of this project are the insecure components that make up
popular web applications, and frameworks. These can be everything from
Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive
list that can be used to help uncover issues in current implementations
of web applications and aid in the secure architecture of them as well.
| project_license =Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)
| leader_name1 =Tony UV
| leader_email1 =tonyuv@owasp.org
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_insecure_web_components_project
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Insecure_Web_Components_Project/Roadmap
}}

Projects/OWASP Insecure Web Components Project

2014-01-03T16:36:22Z

Benjamin Watson:

{{Template:Project About
| project_name =OWASP Insecure Web Components Project
| project_description =The focus of this project are the insecure components that make up
popular web applications, and frameworks. These can be everything from
Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive
list that can be used to help uncover issues in current implementations
of web applications and aid in the secure architecture of them as well.
| project_license =Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)
| leader_name1 =Tony UV
| leader_email1 =tonyuv@owasp.org
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_insecure_web_components_project
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Insecure_Web_Components_Project/Roadmap
}}

Projects/OWASP Insecure Web Components Project

2014-01-03T16:35:57Z

Benjamin Watson:

{{Template:Project About
| project_name =OWASP Insecure Web Components Project
| project_description ="The focus of this project are the insecure components that make up
popular web applications, and frameworks. These can be everything from
Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive
list that can be used to help uncover issues in current implementations
of web applications and aid in the secure architecture of them as well.
| project_license =Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)
| leader_name1 =Tony UV
| leader_email1 =tonyuv@owasp.org
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_insecure_web_components_project
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Insecure_Web_Components_Project/Roadmap
}}

Projects/OWASP Insecure Web Components Project

2014-01-03T16:35:20Z

Benjamin Watson:

{{Template:Project About
| project_name =OWASP Insecure Web Components Project
| project_description =The focus of this project are the insecure components that make up
popular web applications, and frameworks. These can be everything from
Struts 2 tags, to ASP.NET MVC Models. We want to build a comprehensive
list that can be used to help uncover issues in current implementations
of web applications and aid in the secure architecture of them as well.
| project_license =Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)
| leader_name1 =Tony UV
| leader_email1 =tonyuv@owasp.org
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_insecure_web_components_project
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Insecure_Web_Components_Project/Roadmap
}}