OWASP Projects Dashboard
Active Projects

st [1] | Builder, Breaker, Defender | OWASP SAMM | Proposed Project Status | Project Name | Project Type | Project License | OWASP Mailman Mailing List | Project Wiki Page | Project Leader(s) (if exists) | Project Leader Email(s) (if exists) | Project Description (if available) | Contains Quotes | Notes | Project Short Name | Project Short Name Length | Summary
<p style='height:16px;'>.</td> | 1 | D | OWASP Excess XSS Project | Tool | Creative Commons Attribution ShareAlike 3.0 License | None Created | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Excess_XSS_Project&sa=D&usg=ALhdy29dIO51b-fNAPNsIpQhLeqM74w0dQ">https://www.owasp.org/index.php/OWASP_Excess_XSS_Project</a> | Donator: Jakob Kallin | [email protected] | A comprehensive tutorial on cross-site scripting. Propagating practices in XSS prevention that OWASP wants to promote, such as terminology, libraries, and best practices. Its goal is to serve as a comprehensive introduction for developers unfamiliar with XSS, rather than as reference material like the current cheat sheets. | Project Donation: Endowments | <a target="_blank" href="https://www.google.com/url?q=http://excess-xss.com/&sa=D&usg=ALhdy29etxMnFLxgB8QBsr142E12Vs5KNA">http://excess-xss.com/</a> | </tr> | ||||
<p style='height:16px;'>.</td> | 2 | Builder | Construction | F | OWASP AntiSamy Project | Code | BSD License | owasp-antisamy | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project&sa=D&usg=ALhdy2_89Y42FUzxo-3aHqW64kz2grwV1w">https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project</a> | Arshan Dabirsiaghi | [email protected] | This is an API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks | antisamy | 8 | An API for validating rich HTML/CSS to prevent XSS/phishing attacks</tr> | ||
<p style='height:16px;'>.</td> | 3 | Breaker | Verification | F | OWASP Application Security Verification Standard Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-application-security-verification-standard | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project&sa=D&usg=ALhdy2-mMyIqRvcniA3Y00cH95rfZI9OzA">https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project</a> | Sahba Kazerooni, Daniel Cuthbert | [email protected], [email protected] | The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigour available in the market when it comes to performing Web application security verification using a commercially-workable open standard. | asvs | 4 | A standard for conducting application security assessments</tr> | ||
<p style='height:16px;'>.</td> | 4 | Breaker | Verification | F | OWASP Code Review Guide Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-codereview | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project&sa=D&usg=ALhdy29pWwWy_smKOdbWiQBpwz-7-92XXA">https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project</a> | Eoin Keary | [email protected] | The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. | codereview | 10 | A project to capture best practices for reviewing code</tr> | ||
<p style='height:16px;'>.</td> | 5 | Other | Governance | F | OWASP Codes of Conduct | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-codes-of-conduct | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Codes_of_Conduct&sa=D&usg=ALhdy2_PbSepEQZ-hb1xTgY2wPjNCl2S2A">https://www.owasp.org/index.php/OWASP_Codes_of_Conduct</a> | Colin Watson | [email protected] | This project envisages to create and maintain OWASP Codes of Conduct. In order to achieve our mission, OWASP needs to take advantage of every opportunity to affect software development everywhere. At the OWASP Summit 2011 in Portugal, the idea was created to try to influence educational institutions, government bodies, standards groups, and trade organizations. We set out to define a set of minimal requirements for these organizations specifying what we believe to be the most effective ways to support our mission. We call these requirements a "code of conduct" to imply that these are normative standards, they represent a minimum baseline, and that they are not difficult to achieve | codesofconduct | 14 | A set of guidelines for organizations to support the OWASP mission.</tr> | ||
<p style='height:16px;'>.</td> | 6 | Builder | Construction | F | OWASP CSRFGuard Project | Code | BSD License | owasp-csrfguard | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project&sa=D&usg=ALhdy28uLIDuPrKGni1HXm3ymmrUrZJlRw">https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project</a> | Eric Sheridan | [email protected] | Cross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFGuard Project attempts to address this issue through the use of unique request tokens. | csrfguard | 9 | A Java filter to add unique request tokens to mitigate CSRF attacks</tr> | ||
<p style='height:16px;'>.</td> | 7 | Builder | Construction | F | OWASP Development Guide Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-guide | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Guide_Project&sa=D&usg=ALhdy2_iNWx-CSPBNIImkQkB9B931twlIQ">https://www.owasp.org/index.php/Category:OWASP_Guide_Project</a> | Vishal Garg | [email protected] | The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues. | dev-guide | 9 | A developer's guide covering web application and web service security</tr> | ||
<p style='height:16px;'>.</td> | 8 | Builder | Construction | F | OWASP Enterprise Security API | Code | BSD License | esapi-users | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API&sa=D&usg=ALhdy2-JfNIS1l5pTonj7vo_rtHLob9bWg">https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API</a> | Jeff Williams | [email protected] | ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. | esapi | 5 | A collection of security methods needed to build secure applications.</tr> | ||
<p style='height:16px;'>.</td> | 9 | Builder | Construction | F | OWASP ModSecurity Core Rule Set Project | Code | Apache License V2.0 | owasp-modsecurity-core-rule-set | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Projects/OWASP_ModSecurity_Core_Rule_Set_Project&sa=D&usg=ALhdy28mrPlus6-LjVng2kAUrpGHv29LjA">https://www.owasp.org/index.php/Projects/OWASP_ModSecurity_Core_Rule_Set_Project</a> | Ryan Barnett | [email protected] | ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extrememly flexible and robust and has been referred to as the "Swiss Army Knife of web application firewalls." While this is certainly true, it doesn't do much implicitly on its own and requires rules to tell it what to do. In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS) which provides critical protections against attacks across most every web architecture. | modsec-crs | 10 | A project to document and develop the ModSecurity Core Rule Set</tr> | ||
<p style='height:16px;'>.</td> | 10 | Builder | Construction | F | OWASP Secure Coding Practices - Quick Reference Guide | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-secure-coding-practices | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide&sa=D&usg=ALhdy2-b2edJNxaq_4PdXkqqjY_MteAx9g">https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide</a> | Keith Turpin | [email protected] | The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 17 pages long, it is easy to read and digest. | secure-coding | 13 | High level, technology agnostic reference for secure coding practices</tr> | ||
<p style='height:16px;'>.</td> | 11 | Other | Governance | F | OWASP Software Assurance Maturity Model (SAMM) | Documentation | Creative Commons Attribution ShareAlike License V3.0 | samm | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model&sa=D&usg=ALhdy284sOhf3p0jJzvUgvb0ooRqwRpY7A">https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model</a> | Seba, Kuai Hinojosa | [email protected]; [email protected] | This project is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. | opensamm | 8 | An open framework to help create a strategy for software security</tr> | ||
<p style='height:16px;'>.</td> | 12 | Breaker | Verification | F | OWASP Testing Guide Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-testing | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Testing_Project&sa=D&usg=ALhdy2-06cIlIQvnH6L1yHid4CGEZVLDxA">https://www.owasp.org/index.php/OWASP_Testing_Project</a> | Matteo Meucci | [email protected] | The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. | testing-guide | 13 | A collection of application security testing procedures and checklists</tr> | ||
<p style='height:16px;'>.</td> | 13 | Breaker | Verification | F | OWASP Top Ten Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-topten | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project&sa=D&usg=ALhdy2_3YH__nxU3n-xMuz5bDe9B-q4B2A">https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project</a> | Dave Wichers | [email protected] | The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. | top10 | 5 | Explanation of the top ten web application security vulnerabilities </tr> | ||
<p style='height:16px;'>.</td> | 14 | Breaker | Verification | F | OWASP Web Testing Environment Project | Tool | GNU General Public License version 3.0 (GPLv3) | web-testing-environment | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php?title%3DOWASP_Web_Testing_Environment_Project&sa=D&usg=ALhdy28VN44UQw1TNi6JiuMRCHOiLw4PTA">https://www.owasp.org/index.php?title=OWASP_Web_Testing_Environment_Project</a> | Matt Tesauro | [email protected] | This CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite | Verify wiki page forwards correctly | wte | 3 | A collection of open source security projects in one environment</tr> | |
<p style='height:16px;'>.</td> | 15 | Breaker | Verification | F | OWASP WebGoat Project | Tool | GNU General Public License version 2.0 (GPLv2) | owasp-webgoat | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Webgoat&sa=D&usg=ALhdy2-qHMm4UtvXB3Icf_3-43AJ0A4_ww">https://www.owasp.org/index.php/Webgoat</a> | Bruce Mayhew | [email protected] | The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot. | webgoat | 7 | A Java training environment for learning about application security</tr> | ||
<p style='height:16px;'>.</td> | 16 | Breaker | Verification | F | OWASP Zed Attack Proxy | Tool | Apache License V2.0 | NONE [2] | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project&sa=D&usg=ALhdy2-Qvz7qMYwBQxJz50O4lte044gVlw">https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project</a> | Psiinon | [email protected] | This project provides an easy to use integrated penetration testing tool for testing web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing. | zap | 3 | An easy to use integrated proxy tool for testing web applications</tr> | ||
<p style='height:16px;'>.</td> | 17 | Builder | Construction | I | OWASP Application Security Requirements Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-appsec-requirements | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project&sa=D&usg=ALhdy28JFz7a3gk6k59GWKgXFZdoBeBE2w">https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project</a> | Luis Martinez Bacha | [email protected] | The intent of this project is to assemble a useful base of generic/common web application security requirements that could be used in most projects. | appsec-reqs | 11 | A set of generic web application security requirements</tr> | ||
<p style='height:16px;'>.</td> | 18 | Other | I | OWASP Common Numbering Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-common-numbering | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Common_Numbering_Project&sa=D&usg=ALhdy2-GKyd93uop2S6SLvb5gfGIFRdlJQ">https://www.owasp.org/index.php/OWASP_Common_Numbering_Project</a> | Dave Wichers | [email protected] | An exciting development, a new numbering scheme that will be common across OWASP Guides and References is being developed. The numbering is loosely based on the OWASP ASVS section and detailed requirement numbering. OWASP ASVS, Guide, and Reference project leads and contributors as well as the OWASP leadership plan to work together to develop numbering that would allow for easy mapping between OWASP Guides and References, and that would allow for a period of transition as Guides and References are updated to reflect the new numbering. This project will provide a centralized clearinghouse for mapping information. | commonnumbering | 15 | A common number scheme to refer to application security topics</tr> | |||
<p style='height:16px;'>.</td> | 19 | Builder | Construction | I | OPA | Code | Affero GNU Public License | owasp-opa-project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Opa&sa=D&usg=ALhdy29munzjJQwcYten2y844_95e4u9ZA">https://www.owasp.org/index.php/Opa</a> | Henri Binsztok, Adam Koprowski | [email protected], [email protected] | Usher in a new generation of web development tools and methodologies. | opa | 3 | A language for writing distributed web applications</tr> | ||
<p style='height:16px;'>.</td> | 20 | Breaker | Verification | I | OWASP Academy Portal Project | Tool | Unknown | NONE | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Academy_Portal_Project&sa=D&usg=ALhdy2-ImhLqJER7kKIpxSWdS1rGrGjbKQ">https://www.owasp.org/index.php/OWASP_Academy_Portal_Project</a> | Danny Harris, Filipe Lacerda | - Danny ([email protected]) - Felipe ([email protected]) | Creation of a Portal to offer academic material in usable blocks, lab's, video's and forum. | academy-portal | 14 | A portal to offer academic material in usable blocks</tr> | ||
<p style='height:16px;'>.</td> | 21 | Other | Governance | I | OWASP Application Security Assessment Standards Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-appsec-standards | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Application_Security_Assessment_Standards_Project&sa=D&usg=ALhdy2_z4nbymphGWmVj8Aqu-vZUrXfxVQ">https://www.owasp.org/index.php/Category:OWASP_Application_Security_Assessment_Standards_Project</a> | Matteo Michelini | [email protected] | The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. | appsec-stds | 11 | A process for consistent methods for application security assessments</tr> | ||
<p style='height:16px;'>.</td> | 22 | Builder | I | OWASP Application Security Skills Assessment | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-assa | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Application_Security_Skills_Assessment&sa=D&usg=ALhdy2_IW_S7AlrVsQtNAOO1lh4qBbGieg">https://www.owasp.org/index.php/OWASP_Application_Security_Skills_Assessment</a> | Neil Smithline | [email protected] | The OWASP Application Security Skills Assessment (OWASP ASSA) is an online multiple-choice quiz built to help individuals understand their strengths and weaknesses in specific application security skills with the aim of enabling them to focus their training in the most efficient and appropriate manner. | assa | 4 | A quiz to help develop application security skills</tr> | |||
<p style='height:16px;'>.</td> | 23 | Breaker | Verification | I | OWASP ASIDE Project | Tool | Unknown | owasp-aside-project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_ASIDE_Project&sa=D&usg=ALhdy28adbKyDL4UyYt9jV67EjoARzf2sg">https://www.owasp.org/index.php/OWASP_ASIDE_Project</a> | Jing Xie, Bill Chu, John Melton | [email protected], [email protected], [email protected] | Assured Software Integrated Development Environment (ASIDE) is an Eclipse Plugin which is a software tool primarily designed to help students write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs. ASIDE may be useful by professional developers as well. | aside | 5 | An Eclipse plugin designed to help students write more secure code</tr> | ||
<p style='height:16px;'>.</td> | 24 | Other | I | OWASP Computer Based Training Project (OWASP CBT Project) | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-cbt | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_CBT_Project&sa=D&usg=ALhdy2_wL3LcrKyTBNxZsYc8KVQqrcGPYA">https://www.owasp.org/index.php/Category:OWASP_CBT_Project</a> | Nishi Kumar | [email protected] | The goal of this project is to provide computer based training on OWASP security related initiatives. This project is intended to provide increased access of security training material, convenience and flexibility to learners. It will be self-paced and the learning sessions will be available 24x7. Learners will not be bound to a specific day/time to physically attend classes. They can also pause learning sessions at their convenience. | cbt | 3 | Computer-based training modules about OWASP and application security</tr> | |||
<p style='height:16px;'>.</td> | 25 | Builder | Construction | I | OWASP Enterprise Application Security Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-eas | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Enterprise_Application_Security_Project&sa=D&usg=ALhdy2-0KL1Hc2POjxyfC0ItNRrUwsi2mA">https://www.owasp.org/index.php/OWASP_Enterprise_Application_Security_Project</a> | Alexander Polyakov | [email protected] | Enterprise applications security is one of the major topics in overall security area because those applications controls money and resources and every security violation can result a significant money loss. Purpose of this project is to aware people about enterprise application security problems and create a guideline for EA security assessment. | eas | 3 | Guidance about procurement and design of enterprise applications</tr> | ||
<p style='height:16px;'>.</td> | 26 | Other | I | OWASP Exams Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-exams | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Exams_Project&sa=D&usg=ALhdy29FJB-GBGHuvmClc-LNZr4rjffonQ">https://www.owasp.org/index.php/OWASP_Exams_Project</a> | Jason Taylor | [email protected] | The OWASP Exams project will establish the model by which the OWASP community can create and distribute CC-licensed exams for use by educators. The purpose of the exams is to improve the effectiveness of OWASP training through the use of exams as a means of measurement and student progress tracking. The project will include creation of a set of CC-licensed exams, a model for exam usage, and a roadmap for future exam creation | exams | 5 | A set of exams and study aids about application security</tr> | |||
| 27 | Breaker | Verification | I | OWASP GoatDroid Project | Documentation | owasp-mobile-security-project | https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project | Jack Mannino | [email protected] | The OWASP GoatDroid Project is the Android equivalent to the iGoat Project. Inspired by WebGoat, this project will help educate Android developers on security issues they’ll encounter when writing applications. | goat-droid | 10 | An Android security training environment for developer education |
| 28 | Breaker | Verification | I | OWASP iGoat Project | Tool | GNU General Public License version 3.0 (GPLv3) | owasp-igoat-project | https://www.owasp.org/index.php/OWASP_iGoat_Project | Kenneth R. van Wyk | [email protected] | iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson. | igoat-project | 13 | An iOS security training environment for developer education |
| 29 | Builder | Construction | I | OWASP Java Encoder Project | Code | BSD License | owasp-java-encoder-project | https://www.owasp.org/index.php/OWASP_Java_Encoder_Project | Jeff Ichnowski | [email protected] | This project is a simple-to-use drop-in encoder class with little baggage. | java-encoder | 12 | A drop-in high performance encoding library for Java |
| 30 | Breaker | Verification | I | OWASP Proxy Project | Tool | Creative Commons Attribution ShareAlike License V3.0 | owasp-proxy-project | https://www.owasp.org/index.php/Category:OWASP_Proxy | Rogan Dawes | [email protected] | The OWASP Proxy aims to provide a high quality intercepting proxy library which can be used by developers who require this functionality in their own programs, rather than having to develop it all from scratch. | proxy | 5 | A library providing intercepting proxy functionality |
| 31 | Other | I | OWASP Request For Proposal | Documentation | Unknown | owasp-rfp-criteria | https://www.owasp.org/index.php/OWASP_RFP-Criteria | Tom Brennan | [email protected] | The purpose of this project is simply to provide an objective list and an aggregate set of questions from companies to utilize when they issue RFPs for web application security. | rfp-criteria | 12 | A guide for RFPs for security verification services |
| 32 | Other | Governance | I | OWASP Security Baseline Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-security-baseline-project | https://www.owasp.org/index.php/OWASP_Security_Baseline_Project | Marian Ventuneac | [email protected] | This project aims to benchmark the security of various enterprise security products/services against the OWASP Top 10 risks. By comprehensively assessing the security of enterprise products/services, the OWASP Security Baseline initiative will (eventually) lead to vendor-independent, security-certified solutions. | sec-baseline | 12 | A benchmark security analysis of enterprise products and services |
| 33 | Builder | I | OWASP Software Security Assurance Process | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-software-security-assurance-process | https://www.owasp.org/index.php/OWASP_Software_Security_Assurance_Process | Mateo Martinez | [email protected] | To outline mandatory and recommended processes and practices to manage risks associated with applications. Software security is equally dependent on people, processes and technology. The effectiveness of the OWASP Software Security Process is continuously measured and improved through feedback, threat landscape changes, and the availability of new concepts and tools. It should be the framework to map requirements, development and testing guidelines, for example. | soft-sec | 8 | A set of recommended processes and practices for software security |
| 34 | Breaker | Verification | I | OWASP WhatTheFuzz Project | Tool | BSD License | /owasp-whatthefuzz-project | https://www.owasp.org/index.php/OWASP_WhatTheFuzz_Project#tab=Project_About | Joe Basirico | [email protected] | An easy-to-use, easy-to-get-started fuzzer for websites. | whatthefuzz | 11 | A fuzzer for websites |
| 35 | Other | I | OWASP Web Application Security Accessibility Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-accessibility-project | https://www.owasp.org/index.php/OWASP_Web_Application_Security_Accessibility_Project#tab=Project_About | Petr Závodský | [email protected] | Practice points to the fact that a seemingly secure web application does, in reality, protect the interests of only a specific group of users. The interests of a great number of users are protected only partially or not at all. This project will focus extensively on the issue of web application security accessibility. | accessiblity | 12 | Guidelines to increase the accessibility of web application security |
| 36 | Other | I | OWASP Java Project | java-project | https://www.owasp.org/index.php/Category:OWASP_Java_Project | Matthias Rohr | [email protected] | The OWASP Java Project's goal is to enable Java and J2EE developers to build secure applications efficiently. | This is an ecosystem/community | 0 |
| 37 | Other | I | OWASP Data Exchange Format Project | Document | Apache License V2.0 | owasp-data-exchange-format | https://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project | Psiinon, Dinis Cruz | [email protected], [email protected] | To define an open format for exchanging data between pentest tools. | data-exchange | 13 | An open format for exchanging data between pentest tools |
| 38 | Builder | Construction | I | OWASP Cheat Sheets Project | Document | Creative Commons Attribution ShareAlike License V3.0 | owasp-cheat-sheets | https://www.owasp.org/index.php/Cheat_Sheets | Sherif Koussa, Jim Manico | [email protected], [email protected] | This project was created to provide a concise collection of high value information on specific security topics. | cheat-sheets | 12 | A collection of cheat sheets about web application security topics |
| 39 | Breaker | Verification | I | OWASP Security Tools for Developers Project | Tool | Unknown | owasp-std | https://www.owasp.org/index.php/OWASP_Security_Tools_for_Developers_Project | Mark Curphey | [email protected] | Develop a reference implementation of open source tools integrated into an end-to-end development process. This will likely include a reference architecture, guidance and a reference implementation using open source tools. | sec-dev-tools | 13 | A platform to integrate security tools into the development process |
| 40 | Breaker | Verification | I | OWASP OVAL Content Project | Tool | Creative Commons Attribution ShareAlike License V3.0 | owasp-oval-content | https://www.owasp.org/index.php/OWASP_OVAL_Content_Project | Gaurav Kumar | [email protected] | The purpose of this project is to create OVAL content to enable any OVAL-compatible tool to find security issues which can be represented in a standard format. | oval-content | 12 | A set of standardized assessment documents in OVAL XML format |
| 41 | Breaker | Verification | I | OWASP NAXSI Project | Tool | GNU General Public License version 2.0 (GPLv2) | owasp-naxsi-project | https://www.owasp.org/index.php/OWASP_NAXSI_Project | Thibault "bui" Koechlin | [email protected] | This is an open source, high performance, low rules maintenance Web Application Firewall module for Nginx, the infamous web server and reverse proxy. | naxsi | 5 | A web application firewall module for Nginx |
| 42 | Breaker | Verification | I | OWASP Passw3rd Project | Tool | MIT License | owasp-passw3rd-project | https://www.owasp.org/index.php/OWASP_Passw3rd_Project | Neil Matatall | [email protected] | Store passwords in encrypted files with an easy-to-use command line interface, and utilities to use the passwords in code. In its simplest form, the keys are generated per environment with OS access controls, while the password files are stored in SCM. | passw3rd | 8 | A tool to store encrypted passwords for programmatic use in code |
| 44 | Breaker | Verification | I | OWASP WebGoat.NET | Tool | GNU General Public License version 3.0 (GPLv3) | https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET | Jerry Hoff | [email protected] | WebGoat.NET is a purposefully broken ASP.NET web application. It contains many common vulnerabilities, and is intended for use in classroom environments. | webgoat-dotnet | 14 | An ASP.NET training environment for learning application security |
| 45 | Builder | Construction | I | OWASP Proactive Controls | Document | Creative Commons Attribution ShareAlike 3.0 License | [email protected] | https://www.owasp.org/index.php/OWASP_Proactive_Controls | Andrew van der Stock | [email protected] | A Top 10-like document, phrased in a positive, testable manner, that describes the Top 10 controls architects and developers should absolutely, 100% include in every project. | Formerly known as OWASP Top 10 Defenses |
| 46 | Builder | Construction | I | OWASP Passfault | Code Project | GNU LGPL v3 | owasp_passfault | https://www.owasp.org/index.php/OWASP_Passfault | Cam Morris | [email protected] | Passfault evaluates password strength and enforces password policy. It identifies patterns in a password, then enumerates how many passwords fit within the identified patterns. This approach is more accurate and more intuitive. It allows administrators to know and control password risk, instead of hoping that users will create strong passwords. |
| 47 | Builder | Construction | I | OWASP OctoMS | Code Project | Creative Commons Attribution ShareAlike 3.0 License | owasp_octoms | https://www.owasp.org/index.php/OWASP_OctoMS | Valentino Radosavlevici | [email protected] | OctoMS is a free open-source PHP framework designed on the MVC pattern that focuses on delivering useful debugging information and both offline and online documentation inside the application being developed, through an intuitive AJAX interface. |
| 48 | Breaker | Verification | I | OWASP OWTF | Tool | BSD License | owasp_owtf | https://www.owasp.org/index.php/OWASP_OWTF | Abraham Aranguren | [email protected] | The Offensive (Web) Testing Framework is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient. Please see: http://owtf.org, http://blog.7-a.org/search/label/OWTF%20Talks and http://www.slideshare.net/abrahamaranguren |
| 49 | Other | I | OWASP Java/J2EE Secure Development Curriculum | Document Project | CC-BY 3.0 | OWASP_Java_J2EE_Secure_Development_Curriculum | https://www.owasp.org/index.php/OWASP_Java_J2EE_Secure_Development_Curriculum | Dr. A. L. Gottlieb | [email protected] | The OWASP Java/J2EE software security curriculum is offered as prescriptive guidance for those wishing to educate themselves or others on how to secure Java/J2EE software development. Included are core education tracks based on job description and specialization tracks based on specific areas of software security. Course descriptions are provided as a point of reference for those wishing to know what content OWASP recommends. |
| 50 | Breaker | Verification | I | OWASP Path Traverser | Tool | Attribution-NonCommercial-NoDerivs 3.0 Unported (CC BY-NC-ND 3.0) | OWASP_Path_Traverser | https://www.owasp.org/index.php/OWASP_Path_Traverser | Tal Melamed | [email protected] | Path Traverser is a tool for security testing of web applications. It simulates a real Path Traversal attack, but only with actual existing files. It operates as a middleman between the web application and its host server, which gives the ability to test the actual files as found on the host server against the application, according to their relevant path. After you have provided the relevant details, Path Traverser will connect (FTP) to your host server in order to pull the list of files. Then it manipulates the list taken from the file system so that it fits the web application by changing their paths. If your application can be found at http://mysrvr:777/home and the application files can be found in the file system under myapps/demoapp/client/version/lastversion/, requests for files under /myapps/demoapp/client/version/1.1/ will be created as http://mysrvr:777/home/../1.1/ and requests for files under /myapp/differentapp/files/ will be created as http://mysrvr:777/home/../../../../differentapp/files/, etc. After that, Path Traverser will start sending these requests one by one and log the results by the selected HTTP response code. A configuration for excluding/including specific file types is available. |
| 51 | Breaker | Verification | I | OWASP Watiqay | Tool | GNU GPL v2 | OWASP_Watiqay | https://www.owasp.org/index.php/OWASP_OWASP_Watiqay | Carlos Ganoza Plasencia | [email protected] | Prevents layer 7 attacks against the various websites where the client service is running; it will have the capacity to restore the vulnerable websites and will have a continuous, personalised warning system. |
| 52 | Breaker | Verification | I | OWASP Security Shepherd | Tool | GNU GPL v3 | OWASP_Security_Shepherd | https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap | Mark Denihan | [email protected] | Security Shepherd is an in-depth security awareness project, designed with the aim of fostering security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. |
| 53 | Breaker | Verification | I | OWASP Xenotix XSS Exploit Framework | Tool | Creative Commons Attribution ShareAlike 3.0 License | OWASP_Xenotix_XSS_Exploit_Framework | https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework | Ajin Abraham | [email protected] | Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. This tool can inject code into webpages which are vulnerable to XSS. It is basically a payload-list-based XSS scanner. It provides a penetration tester the ability to test all the possible XSS payloads available in the payload list against a web application with ease. The tool supports both manual mode and automated time-sharing-based test modes. It includes an XSS encoder, a victim-side keystroke logger, and an executable drive-by downloader. |
| 54 | Breaker | Verification | I | OWASP Mantra OS | Tool | Creative Commons Attribution ShareAlike 3.0 License | OWASP_Mantra_OS | https://www.owasp.org/index.php/OWASP_Mantra_OS | Gregory Disney | [email protected] | Chromium OS is a safe, fast and secure sandboxed OS. This makes it ideal to continue the OWASP Mantra security toolkit project by completing it as an operating system. |
| 55 | Builder | Construction | I | OWASP AW00t | Code Project | GNU GPL v2 | OWASP_AW00t | https://www.owasp.org/index.php/OWASP_AW00T | Nitin Arya | [email protected] | It is an implementation of binary stubs, from basic to polymorphic code, that will show how viruses and malicious files remain undetected by antivirus products. The generated stubs can be appended to any program. A new approach to AV avoidance will also be shown, and special programs for hunting down signatures, extracting them and editing them for better use will be incorporated. |
| 56 | Breaker | Verification | I | OWASP XSSER | Tool | GNU GPL v3 | OWASP_XSSER | https://www.owasp.org/index.php/OWASP_XSSER | Roberto Mérida | [email protected] | Cross Site "Scripter" (XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection. |
| 57 | Breaker | Verification | I | OWASP University Challenge | Documentation | Creative Commons Attribution ShareAlike 3.0 License | OWASP_University_Challenge | https://www.owasp.org/index.php/OWASP_University_Challenge | Ivan Buetler, Mateo Martinez | Ivan ([email protected]), Mateo ([email protected]) | As first organized at OWASP AppSec-US 2011 in Minneapolis, this project is to enable "attack & defend" challenges: first at OWASP AppSec conferences, and later also outside AppSec conferences. |
| 58 | Breaker | Verification | I | OWASP Hacking-Lab | Documentation | Creative Commons Attribution ShareAlike 3.0 License | OWASP_Hacking_Lab | https://www.owasp.org/index.php/OWASP_Hacking_Lab | Ivan Buetler, Mateo Martinez | Ivan ([email protected]), Mateo ([email protected]) | The current OWASP Hacking-Lab challenge (https://www.hacking-lab.com/Remote_Sec_Lab/free-owasp-top10-lab.html) is a great success! Currently there is one challenge, the OWASP Top Ten, with 1164 registered users and 500+ solutions sent in and verified by the OWASP teachers! The goal is to provide an open and transparent process about the challenges and the teachers, and to continuously work on extending the available challenges. |
| 59 | Builder | Construction | I | OWASP JSON Sanitizer | Code Library Project | Apache 2.0 License | OWASP_JSON_Sanitizer | https://www.owasp.org/index.php/OWASP_JSON_Sanitizer | Mike Samuel | [email protected] | "As described at http://code.google.com/p/json-sanitizer/: Given JSON-like content, converts it to valid JSON. This can be attached at either end of a data pipeline to help satisfy Postel's principle: be conservative in what you do, be liberal in what you accept from others. Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use. Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML." |
| 60 | Builder | Construction | I | OWASP PHPRBAC Project | Code Library Project | Creative Commons Attribution ShareAlike 3.0 License | OWASP_PHPRBAC | https://www.owasp.org/index.php/OWASP_PHPRBAC_Project | Abbas Naderi | [email protected] | PHPRBAC is a standard NIST Level 2 Hierarchical Role Based Access Control library implemented for PHP. It allows perfectly maintainable function-level access control for enterprise and small applications, or even frameworks, alike. Since implementation of NIST Level 2 Hierarchical RBAC is quite complicated, there are very few similar libraries and most of them do not adhere to standards. PHP RBAC is one of the fastest implementations (relying on a SQLite or MySQL backend) and has been tested in industry for more than three years. |
| 61 | Builder | Construction | I | OWASP EJSF Project | Code Library Project | GNU GPL v3 License | OWASP_EJSF_Project | https://www.owasp.org/index.php/OWASP_EJSF_Project | Prof. Dr. Benoist | [email protected] | Modern web application frameworks have made it easy to develop high quality web applications, but developing a secure application still requires programmers to possess a deep understanding of security vulnerabilities and attacks. Sometimes it is difficult even for an experienced developer to find and eliminate all the vulnerabilities. This demo represents the JSF-ESAPI framework, based on JSF 2.0 and OWASP ESAPI. It helps developers write a secure, lower-risk JSF-based web application with minimal configuration and without extensive prior knowledge of web security. The figure below shows a complete integration of the JSF-ESAPI framework with JSF 2.0 and ESAPI. It works as a middleware and consists of four important modules. ESAPI Validation is the first module; it verifies the user input as given in the XSS prevention cheat sheet provided by OWASP. It consists of many user-defined validator tags and generates appropriate error messages if the user input is not valid; in this way it performs strong validation. There are also some tags available in the corresponding validators in ESAPI, and they also filter the XSS-relevant code from the input. The file-based authorization module simplifies the user’s role, such as admin, user, etc., and gives permission to visualize certain components at the presentation layer based on assigned roles. The ESAPI Filtering layer compares the valid form token with the tokens stored in the session for that user. If the token is modified or changed by a man in the middle during the request-response exchange, it will raise the appropriate exception. The last module is the render module, which renders the output after filtering the XSS content and encodes vulnerable characters such as <, >, ", ' etc. as given in the XSS prevention cheat sheet provided by OWASP. [JSF-ESAPI Complete Architecture] This framework will help developers prevent a myriad of security problems, including cross-site scripting and cross-site request forgery, and provides automatic input validation, automatic output validation (with escape="true" or without this parameter) and authorization. All the features are included in one framework. Advantages: (1) It requires minimal configuration to use the framework. (2) It retrofits security into an existing application. (3) It provides the same performance as the JSF framework. (4) Automatic filtering of XSS-vulnerable code from output takes place whether escape equals "true" or "false". (5) Input validation is easy and no additional coding is required. (6) It has a layered architecture: use what you need and leave what you don’t need at the moment. (7) One framework includes the most secure features. |
| 62 | Builder | Construction | I | OWASP Barbarus | Code Library Project | GNU GPL v3 License | OWASP_Barbarus | https://www.owasp.org/index.php/OWASP_Barbarus | Nebrass Lamouchi | [email protected] | My project offers a new mechanism of authentication in web applications. This mechanism will be very easy and comfortable for the application's users to use, and very easy for application developers to integrate. |
| 63 | Builder | Construction | I | OWASP Security Research and Development Framework | Code Project | GNU GPL v2 | OWASP_Security_Research_and_Development_Framework | https://www.owasp.org/index.php/OWASP_Security_Research_and_Development_Framework | Amr Thabet | [email protected] | This is a free open source development framework created to support writing security tools and malware analysis tools, and to convert security research and ideas from the theoretical approach to practical implementation. This development framework was created mainly to support the malware field, to create malware analysis tools and anti-virus tools easily without reinventing the wheel, and to inspire innovative minds to write their research in this field and implement it using SRDF. |
| 64 | Builder | Construction | I | OWASP Focus | Code Project | GNU GPL v3 License | OWASP_Focus | https://www.owasp.org/index.php/OWASP_Focus | Jim Callson | [email protected] | Create a new intermediate language based off Swing and .NET but written in JavaScript utilizing the DOM and JSON, allowing Java and .NET programmers to use their current programming methodologies via JavaScript .js files. |
<p style='height:16px;'>.</td> | 65 | Builder | Construction | I | OWASP 1-Liner | Code Project | Creative Commons Attribution ShareAlike 3.0 License | owasp_1_liner | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_1-Liner&sa=D&usg=ALhdy28U12j_lc9o1qRLttcgNu8AH9-euA">https://www.owasp.org/index.php/OWASP_1-Liner</a> | John Wilander | [email protected] | OWASP 1-Liner is a deliberately vulnerable Java- and JavaScript-based chat application intended for demos (talks, tutorials, proof-of-concepts) and possibly training in application security. The application has two parts – local.1-liner.org/vulnerable and local.1-liner.org/securish – to allow for demos of both attacks and countermeasures. | </tr> | ||||
<p style='height:16px;'>.</td> | 66 | I | OWASP Secure Application Design Project | Document Project | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_Secure_Application_Design | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Secure_Application_Design_Project&sa=D&usg=ALhdy2_mWsMfdWh8VxRILmMn52kgO4TL6Q">https://www.owasp.org/index.php/OWASP_Secure_Application_Design_Project</a> | Ashish Rao | [email protected] | Design level flaws are a lesser known concept, but their presence is a very big risk to applications. Such flaws are hard to find in static or dynamic application scans and instead require a deep understanding of application architecture and layout to uncover them manually. Design level security is crucial and must be adopted at an early stage of application development to build a robust system. Thus the aim of this project is to impart secure design guidelines to application developers. The project will highlight vulnerable areas in application designs through real world examples and scenarios and touch upon different aspects of design level security. The focus will also be to explain measures to be taken to prevent such flaws while designing applications. The guidelines will cover core design concepts which are applicable to any application, independent of the platform. Most of the design flaws will be discussed using sample code incorporated in an insecure design application. The project will also focus on releasing a secure design checklist for reviewing application designs or threat modelling them. | </tr> | ||||||
<p style='height:16px;'>.</td> | 67 | Other | Governance | I | OWASP Periodic Table of Vulnerabilities | Documentation | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Periodic_Table_of_Vulnerabilities | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities&sa=D&usg=ALhdy28NDJGM5lNYIysUjXvYVAa1lSyI4w">https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities</a> | James Landis | [email protected] | There are many anthologies of vulnerabilities and weaknesses (including CWE-25, TCv2, and OWASP top 10), but there is no attempt to classify these issues based on how they should best be solved. In the past, we have tried to teach developers how to avoid introducing these problems, but it appears via the lesson of Buffer Overflow that the only way we'll ever eliminate them is to make it impossible for developers to write vulnerable code at all. The periodic table classifies issues based on the most scalable solution, whether that be in frameworks, perimeter technologies, custom code, or fixing the browsers and standards responsible. | </tr> | ||||
<p style='height:16px;'>.</td> | 68 | Other | I | OWASP Application Security Awareness Top 10 E-learning Project | Documentation Project | AGPL 3.0 (prevents GPL's SaaS loophole) | OWASP_Application_Security_Awareness_Top_10_E-learning_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Application_Security_Awareness_Top_10_E-learning_Project&sa=D&usg=ALhdy28DnDkpVul7SzYo2nh1rSw0gofpog">https://www.owasp.org/index.php/OWASP_Application_Security_Awareness_Top_10_E-learning_Project</a> | Erez Metula | [email protected] | The Application Security E-Learning project has set itself the goal of delivering intuitive, concise and precise content on the fundamentals of secure application coding. Main target audience: programmers who wish to learn or review application security fundamentals. | </tr> | |||||
<p style='height:16px;'>.</td> | 69 | Defender | Verification | I | WASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC) | Documentation Project | Creative Commons Attribution License 2.5 | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project&sa=D&usg=ALhdy29x2qKuNCkBP8E36P-QNJNhoHpqmA">https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project</a> | Ofer Shezaf | [email protected] | WAFEC provides interested parties, including users, vendors and third-party evaluators, with a tool to define, learn about and evaluate the suitability of different WAFs for their needs. | </tr> | |||||
<p style='height:16px;'>.</td> | 70 | Construction | I | OWASP ESAPI Swingset Project | Documentation Project | BSD license | owasp-esapi-swingset | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/ESAPI_Swingset&sa=D&usg=ALhdy29WLFf_teq4vTGym6aAfc2adqQ1vg">https://www.owasp.org/index.php/ESAPI_Swingset</a> | Fabio Cerullo | [email protected] | This is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library. The application is intended for Java developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities. | </tr> | |||||
<p style='height:16px;'>.</td> | 71 | Other | Construction | I | OWASP Press | Documentation Project | CC-BY-SA | owasp_press | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Press&sa=D&usg=ALhdy2-0xdc41x5VKeJRKa8rlEKadCkVlA">https://www.owasp.org/index.php/OWASP_Press</a> | dennis groves | [email protected] | The OWASP press is a pattern for massive community collaboration on OWASP documentation projects with just-in-time publication. | </tr> | ||||
<p style='height:16px;'>.</td> | 72 | Other | Governance | I | OWASP CISO Survey | Documentation Project | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_CISO_Survey | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_CISO_Survey&sa=D&usg=ALhdy2_5RBOvrReClM5m1XW9olkZKuZPEg">https://www.owasp.org/index.php/OWASP_CISO_Survey</a> | Tobias Gondrom | [email protected] | CISO Survey and later the CISO Report on Application and Information Security trends. Also providing input and data for the CISO guide. | </tr> | ||||
<p style='height:16px;'>.</td> | 73 | Defender | Governance | I | OWASP Application Security Guide For CISOs | Documentation Project | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Application_Security_Guide_For_CISOs | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Application_Security_Guide_For_CISOs_Project&sa=D&usg=ALhdy2_6omi0MPosf6BXs4jlhePKCunuBg">https://www.owasp.org/index.php/OWASP_Application_Security_Guide_For_CISOs_Project</a> | Marco Morana | [email protected] | The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business case for investing in application security, followed by awareness of threats targeting applications, the identification of the economic impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks, and the adoption of secure software development processes and maturity models; we conclude this journey with the selection of metrics for reporting and managing application security risk. More info about this project can be found in the introductory page of the guide https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs | </tr> | ||||
<p style='height:16px;'>.</td> | 74 | Other | I | OWASP Scada Security Project | Documentation Project | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_Scada_Security_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Scada_Security_Project&sa=D&usg=ALhdy2_9QwrzfIWH7sg6ZWozyzN7Jdizkw">https://www.owasp.org/index.php/OWASP_Scada_Security_Project</a> | Andrey Komarov | [email protected] | The primary aim of the OWASP SCADA Security project is to gather information about different ICS/SCADA security threats related to web applications and their environments, from the reconnaissance ("footprinting") stage to vulnerability exploitation. Primary goals: - to make ICS/SCADA developers aware of security vulnerabilities by providing information about web application vulnerabilities found in the software and firmware of well-known vendors; - to create and publish freeware and open-source tools for ICS/SCADA security assessment written in scripting languages. | </tr> | |||||
<p style='height:16px;'>.</td> | 75 | Builder | Construction | I | OWASP Cornucopia | Documentation Project | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Cornucopia | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Cornucopia&sa=D&usg=ALhdy29SgZoPShaoarQrSG44zEwk5EXhCg">https://www.owasp.org/index.php/OWASP_Cornucopia</a> | Colin Watson | [email protected] | Cornucopia is a card game used to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories. An edition for ecommerce websites exists and alternative versions are planned. | </tr> | ||||
<p style='height:16px;'>.</td> | 76 | Breaker | Verification | I | OWASP SamuraiWTF | Tool | GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) | OWASP_SamuraiWTF_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_SamuraiWTF_Project&sa=D&usg=ALhdy29Bc2etoEaIMi_4t69tb1PDG4gWwg">https://www.owasp.org/index.php/OWASP_SamuraiWTF_Project</a> | Kevin Johnson and Justin Searle | [email protected], [email protected] | The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications. | </tr> | ||||
<p style='height:16px;'>.</td> | 77 | Other | Verification | I | O-Saft | Tool | GNU GPL v2 | O-Saft | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/O-Saft&sa=D&usg=ALhdy2_a12C5dyQVDzBvuxx_bYROvRo0aw">https://www.owasp.org/index.php/O-Saft</a> | Achim Hoffmann | [email protected] | This tool lists information about a remote target's SSL certificate and tests the remote target's SSL connection according to a given list of ciphers and various SSL configurations. ----- Not part of the brief description, but to get the idea: the tool currently combines the functionality of some existing tools (sslscan, ssltest.pl, sslaudit.pl, sslyze, ...). It is prepared to make more intensive tests; that's where I expect help from the community. | Builder, Defender</tr> | ||||
<p style='height:16px;'>.</td> | 78 | Breaker | Verification | I | OWASP Crowdtesting | Tool | GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces) | OWASP_Crowdtesting | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Crowdtesting&sa=D&usg=ALhdy2-00YC-OIi764XYOQ3COQZJwMyf6g">https://www.owasp.org/index.php/OWASP_Crowdtesting</a> | Thomas Kalamaris | [email protected] | The project will try to promote the idea of crowd-testing combined with crowd-sourcing capabilities. We suggest the creation of a dynamic team of security testers specialized in application security testing that can test online web applications upon request. The web applications will be defined as projects and the team of testers will start the security testing. The team will use the tools that have been developed by the OWASP community but using custom-made tools is highly encouraged. As a result the consumer will have either a proof of concept that his application complies with the OWASP principles of secure coding or a list of potential threats due to discovered security flaws. Currently the application owners have access to this kind of security services via companies like Passbrains, utest etc. | </tr> | ||||
<p style='height:16px;'>.</td> | 79 | Breaker | Verification | I | OWASP OpenStack Security Project | Tool | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_OpenStack_Security_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project&sa=D&usg=ALhdy28X-dn_QeLs-efnTu3ZmHezz0KuXg">https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project</a> | Matt Tesauro | [email protected] | The OWASP OpenStack Security Project is an effort to provide security testing techniques and tools to assess the security of the OpenStack code base. Generally speaking, the OpenStack community is primarily developers of OpenStack and companies which are implementing all or parts of OpenStack. This project provides a bridge between the OpenStack community and the OWASP community of security professionals. The project leader is also a member of OpenStack and is a member of the OpenStack Security Group. OpenStack has the desire to be the Linux of Cloud infrastructure and OWASP can be the community that ensures the security of that Cloud. | </tr> | ||||
<p style='height:16px;'>.</td> | 80 | Breaker | Verification | I | OWASP Desktop Goat and Top 5 Project | Tool | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Desktop_Goat_and_Top_5_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Desktop_Goat_and_Top_5_Project&sa=D&usg=ALhdy29tGjy0sw914s6Dxj2fHpODd8Klug">https://www.owasp.org/index.php/OWASP_Desktop_Goat_and_Top_5_Project</a> | Gregory Disney | [email protected] | OWASP Top 5: Desktop Vulnerabilities; a list of the top 5 vulnerabilities that are faced by desktop applications. Desktop Goat; a vulnerable desktop application to demonstrate vulnerabilities for a learning environment. | </tr> | ||||
<p style='height:16px;'>.</td> | 81 | Breaker | Verification | I | OWASP Bricks | Tool | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_Bricks | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Bricks&sa=D&usg=ALhdy2-re-25BCJyrA0XLaT1rU2vyrd_yw">https://www.owasp.org/index.php/OWASP_Bricks</a> | Abhi M Balakrishnan | [email protected] | Bricks, a deliberately vulnerable web application built on PHP & MySQL, focuses on variations of commonly seen application security vulnerabilities & exploits, which can be exploited using tools (Mantra & ZAP). The mission is to 'break the bricks'. | </tr> | ||||
<p style='height:16px;'>.</td> | 82 | Builder/Defender | Verification | I | OWASP Dependency Check | Tool | APL 2.0 | OWASP_Dependency_Check | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Dependency_Check&sa=D&usg=ALhdy288hzweiPi2O253pS0kdwv7r3b-Ww">https://www.owasp.org/index.php/OWASP_Dependency_Check</a> | Jeremy Long | [email protected] | DependencyCheck is a utility that attempts to detect publicly disclosed vulnerabilities contained within a Java project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If one is found, it will generate a report linking to the associated CVE entries. | </tr> | ||||
<p style='height:16px;'>.</td> | 83 | Breaker | Verification | I | OWASP Hive Project | Tool | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Hive_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Hive_Project&sa=D&usg=ALhdy2__jyrPY65jpi2ZspLnjTGSp_iB4A">https://www.owasp.org/index.php/OWASP_Hive_Project</a> | Jason Johnson | [email protected] | We have a hive network that hosts a dashboard with the attitude of the hive and the Internet by using data mined from Twitter and others. Maybe we can incorporate tools like ZAP or any of the others into this. The thing is we sell this not to make money but to establish a statistics and data rich network. The fact that it costs $35 with a case that has a WASP on it may be a bit more. With the push of global security of our assets there is not a better time. I would not ask any other group but OWASP; this foundation is the smarts of the net. We can make something that is both supportive of our cause and a huge data rich Internet HIVE that, if it's kicked, we know why. | </tr> | ||||
<p style='height:16px;'>.</td> | 84 | Breaker | Verification | I | OWASP Droid Fusion | Tool | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Droid_Fusion | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Droid_Fusion&sa=D&usg=ALhdy293-hLTY3bpKJal9QsKfOjDtH47Hw">https://www.owasp.org/index.php/OWASP_Droid_Fusion</a> | Nikhalesh Singh Bhadoria | [email protected] | Droid Fusion is a platform for Android or any other mobile platform for doing malware analysis, development, application pentesting and forensics. You can use it in any mobile security research, and if you have Droid Fusion, you don't need to worry about finding tools. There are more than 60 tools and scripts and it is free. | </tr> | ||||
<p style='height:16px;'>.</td> | 85 | Breaker | Verification | I | OWASP iSABEL Proxy Server | Tool | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_iSABEL_Proxy_Server | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_iSABEL_Proxy_Server&sa=D&usg=ALhdy2_1rKeaMmCLbJ8gtU5ZzxdCbvu46g">https://www.owasp.org/index.php/OWASP_iSABEL_Proxy_Server</a> | Eurojee Jarina | [email protected] | Recent research from leading network security solution providers shows that traditional firewalls focus their security mainly on ports and protocols, which is the packet header, and not on the actual data content, known as the packet payload. Packet headers only contain basic information like source and destination address, which is very unreliable when it comes to identifying potential threats, attacks and malicious content. The idea of the project is to gain a deeper knowledge about securing web applications from different threats and attacks coming from external sources; this can be achieved by developing intermediary software that runs between the client and the server. This intermediary software will be based on a proxy server implemented at layer 7 (Application) of the OSI model (Open Systems Interconnection). Its function is to accept network traffic from different clients trying to access resources on the web server; once a client has successfully established a connection, the proxy will inspect all incoming network packets from that client for malicious parameters and files such as viruses, worms and trojans. | </tr> | ||||
<p style='height:16px;'>.</td> | 86 | Builder | I | OWASP Top 10 Fuer Entwickler | Documentation Project | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Top_10_Fuer_Entwickler | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project&sa=D&usg=ALhdy2_1YrjmsD-gfxTI-RUeFAGZreSmDg">https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project</a> | Torsten Gigler | [email protected] | Top 10 fuer Entwickler (Top 10 Developer Edition in German). The objective of the project is to add Good Practices (like the Cheat Sheets) to the OWASP Top 10. Its aim is to bridge the gap between awareness and theoretical knowledge on one side and the effective know-how to build good programs on the other. It is written in German to make it easier for German developers to use it. We will take care to make a migration to other languages easy. | </tr> | |||||
<p style='height:16px;'>.</td> | 87 | I | OWASP Rails Goat Project | Tool | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_Rails_Goat | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Rails_Goat_Project&sa=D&usg=ALhdy2_2K88uFHtDMkPolPbA5eUmI7CSJA">https://www.owasp.org/index.php/OWASP_Rails_Goat_Project</a> | Ken Johnson | [email protected] | This is a Rails application which is vulnerable to the OWASP Top 10. It is intended to show how each of these categories of vulnerabilities can manifest themselves in a Rails-specific way as well as provide the subsequent mitigations for each. | </tr> | ||||||
<p style='height:16px;'>.</td> | 88 | I | OWASP Good Component Practices Project | Documentation Project | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Good_Component_Practices_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Good_Component_Practices_Project&sa=D&usg=ALhdy2-kNq7FvSrOilS8vslXtvw7mz6b7A">https://www.owasp.org/index.php/OWASP_Good_Component_Practices_Project</a> | Mark Miller | [email protected]; [email protected] | Good Component Practice is one of the most overlooked silver bullets in the open source arsenal. Because of business pressure, we have found that companies are willing to risk using unverified open source components, trading off security for enhanced speed in development. This project will use community input to document an industry acceptable process for the creation, maintenance and use of open source components. | </tr> | ||||||
<p style='height:16px;'>.</td> | 89 | I | OWASP Bywaf Project | Tool | GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) | OWASP_Bywaf_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Bywaf_Project&sa=D&usg=ALhdy29DxmdOrfAqoq0h4AQZZA5jDCmLuA">https://www.owasp.org/index.php/OWASP_Bywaf_Project</a> | Rafael Gil Larios | [email protected] | Develop an application that speeds up an auditor's work when performing a PenTest; its main function is to "detect, evade and return a result (vulnerability)" using known code injection methods and others developed by the team members over the course of their professional careers. | </tr> | ||||||
<p style='height:16px;'>.</td> | 90 | I | OWASP S.T.I.N.G Project | Tool | MIT License | OWASP_S.T.I.N.G_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_S.T.I.N.G_Project&sa=D&usg=ALhdy28L4Nw6JzRsbmba21u128izlNxU4g">https://www.owasp.org/index.php/OWASP_S.T.I.N.G_Project</a> | Lutz Wischmann | [email protected]; [email protected] | OWASP S.T.I.N.G is a tool used for creating project specific security/privacy requirement catalogues by selecting from a large set of potential requirements, policies or best practices. It acts as a kind of questionnaire and will generate a list of requirements and/or policies which are relevant for the project's context. Keywords: Security Requirements Management; Questionnaire; Repository; Filter Set & Rules for Policies, Standards, Guidelines, Procedures. Context: tool within an Information Security Policy Framework. | </tr> | ||||||
<p style='height:16px;'>.</td> | 91 | I | OWASP Web Application Security Quick Reference Guide Project | Documentation | GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces) | OWASP_Web_Application_Security_Quick_Reference_Guide_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Web_Application_Security_Quick_Reference_Guide_Project&sa=D&usg=ALhdy2_BXtJaicNztsRbfI3oK2d9Wk0iZQ">https://www.owasp.org/index.php/OWASP_Web_Application_Security_Quick_Reference_Guide_Project</a> | Marek Zmyslowski | [email protected] | This will be a simple checklist for web applications. The unique feature of this project is that every check will be simple and can be verified by a particular test case. It is simple, but from my experience it can be very informative and useful for testers and coders. | </tr> | ||||||
<p style='height:16px;'>.</td> | 92 | I | OWASP Application Fuzzing Framework Project | Tool | GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) | OWASP_Application_Fuzzing_Framework_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Application_Fuzzing_Framework_Project&sa=D&usg=ALhdy2_OvM0yJmUlgjlCqrlNL00xIzkf2Q">https://www.owasp.org/index.php/OWASP_Application_Fuzzing_Framework_Project</a> | Marek Zmyslowski | [email protected] | The framework will be used to fuzz applications in the Windows environment. It will have a couple of modules; the two main modules will be for file fuzzing and DLL fuzzing. A very wide configuration will allow many fuzzing possibilities. | </tr> | ||||||
<p style='height:16px;'>.</td> | 93 | I | OWASP iMAS - iOS Mobile Application Security Project | Code | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_iMAS_iOS_Mobile_Application_Security_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project&sa=D&usg=ALhdy2-PfVZDhQfEoh_kguBW_noe9xmmnQ">https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project</a> | Gregg Ganley | [email protected], [email protected] | iMAS is an iOS secure application framework to reduce iOS application vulnerabilities and information loss. iMAS and its first open source static security controls are available for download and use in iOS applications. Visit and browse our project to find out more; download it and give it a try. Once you do, tell us what you think or, better yet, get involved and participate! https://github.com/project-imas/about Details: iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers; however, many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary's ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the system passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques. | </tr> | ||||||
<p style='height:16px;'>.</td> | 94 | I | OWASP VaultDB Project | Tool | Modified BSD, 3-clause License (we recommend you consider Apache 2.0 instead of this license. It is more up-to-date and provides a little more protection from software patent lawsuits) | OWASP_VaultDB_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_VaultDB_Project&sa=D&usg=ALhdy2-hYWA0Qen6uLyhCClLpOGNCPQH6A">https://www.owasp.org/index.php/OWASP_VaultDB_Project</a> | Maxime Labelle | [email protected], [email protected] | NoSQL crypto proxy for modern DBMS and web applications. Supports multi-recipient and group encryption. Loaded with a strong RSA/AES cryptosystem. Scytale sits between your web application and your favorite DBMS and performs encryption and decryption of your web application data. Scytale stores the encrypted data inside your preferred DBMS for storage. Its design is secure, well planned and made to provide developers with a solid method for integrating strong cryptography inside web applications using NoSQL-like transactions. | </tr> | ||||||
<p style='height:16px;'>.</td> | 95 | I | OWASP WS-Amplification DoS Project | Tool | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_WS_Amplification_DoS_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_WS_Amplification_DoS_Project&sa=D&usg=ALhdy2-cp2otBOOT3EWeK3T2jol51Iy8ww">https://www.owasp.org/index.php/OWASP_WS_Amplification_DoS_Project</a> | Thomas Vissers | [email protected] | The project aims to explore the threat of an Amplification DoS attack that utilises webservices. Currently, DNS servers are widely misused to amplify DoS traffic. This is called a DNS Amplification or Reflective attack. Read more about it in this article: http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack. It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse. (http://www.fim.uni-passau.de/fileadmin/files/lehrstuhl/meer/publications/pdf/Jensen2009a.pdf) The aim of the project is to develop tools to test this vulnerability and determine the threat magnitude on a global scale. If necessary, a publication involving awareness and countermeasures will follow. | </tr> | ||||||
<p style='height:16px;'>.</td> | 96 | I | OWASP Mutillidae 2 Project | Tool | GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) | OWASP_Mutillidae_2_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project&sa=D&usg=ALhdy2-luqCGE5tecDITdxyfbnbnwRhuOA">https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project</a> | Jeremy Druin | [email protected] | NOWASP (Mutillidae) is a free, open source, deliberately vulnerable web application providing a target for web security enthusiasts. NOWASP (Mutillidae) can be installed on Linux and Windows using LAMP, WAMP, and XAMPP for users who do not want to administer a web server. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on pre-installed platforms. With dozens of vulns and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an "assess the assessor" target for vulnerability assessment software. | </tr> | ||||||
<p style='height:16px;'>.</td> | 97 | I | OWASP Skanda - SSRF Exploitation Framework | Tool | GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) | OWASP_Skanda_SSRF_Exploitation_Framework | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Skanda_SSRF_Exploitation_Framework&sa=D&usg=ALhdy29EUbcNi0KGroptu3MH1pHyhjJRTQ">https://www.owasp.org/index.php/OWASP_Skanda_SSRF_Exploitation_Framework</a> | Jayesh Singh Chauhan | [email protected] | Skanda is an SSRF vulnerability exploitation framework. The current version performs a Cross Site Port Attack on a vulnerable application and discovers open ports. Future versions will perform advanced attacks like network host discovery, service discovery and service level vulnerability detection and exploitation through SSRF. | </tr> | ||||||
<p style='height:16px;'>.</td> | 98 | I | OWASP RBAC Project | Code | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_RBAC_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_RBAC_Project&sa=D&usg=ALhdy2-2IAwxFpeRtTijtqrgdtjL5_uHqQ">https://www.owasp.org/index.php/OWASP_RBAC_Project</a> | Abbas Naderi | [email protected] | The RBAC project aims to port and promote standard NIST Level 2 RBAC implementations; currently the PHP version is available as a separate project. | </tr> | ||||||
<p style='height:16px;'>.</td> | 99 | I | OWASP PHP Security Project | Code | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_PHP_Security_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_PHP_Security_Project&sa=D&usg=ALhdy2_tMORjNFSVd-V_8yAHpE5h5AyOSQ">https://www.owasp.org/index.php/OWASP_PHP_Security_Project</a> | Abbas Naderi | [email protected] | The OWASP PHP Security project plans to gather secure PHP libraries and provide a full-featured framework of libraries for secure web applications in PHP, both as separate, de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled and are being added to OWASP. | </tr> | ||||||
<p style='height:16px;'>.</td> | 100 | I | OWASP Windows Binary Executable Files Security Checks Project | Documentation | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | Windows_Binary_Executable_Files_Security_Checks | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project&sa=D&usg=ALhdy2_RKxX89udlsEKSGeg65wkl4cRatA">https://www.owasp.org/index.php/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project</a> | Dan Vasile | [email protected] | The "Windows Binary Executable Files Security Checks" documentation project aims to provide a security check-list and tools necessary to assess the security of Windows executable files. | </tr> | ||||||
<p style='height:16px;'>.</td> | 101 | I | OWASP Wordpress Security Checklist Project | Documentation | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Wordpress_Security_Checklist_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project&sa=D&usg=ALhdy2_YkH0kIi-2o73W2UqtLYnlfYyRmA">https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project</a> | Dan Vasile | [email protected] | While there are several good articles on how to secure a Wordpress installation, there is no project on this topic on which people can discuss and contribute to a definitive and homogeneous checklist. | </tr> | ||||||
<p style='height:16px;'>.</td> | 102 | I | OWASP Simple Host Base Incidence Detection System Project | Code | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_Simple_Host_Base_Incidence_Detection_System_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Simple_Host_Base_Incidence_Detection_System_Project&sa=D&usg=ALhdy2-DF4Xfk41uIgrvdeNN8nK0dcy8nA">https://www.owasp.org/index.php/OWASP_Simple_Host_Base_Incidence_Detection_System_Project</a> | Ruwan Pradeep Geeganage | [email protected] | Simple Host Incidence Detection System. This only runs on Windows. Currently tested on Windows XP with SP2. | </tr> | ||||||
<p style='height:16px;'>.</td> | 103 | I | OWASP Supporting Legacy Web Applications in the Current Environment Project | Document | CC-BY 3.0 | OWASP_Supporting_Legacy_Web_Applications_in_the_Current_Environment_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Supporting_Legacy_Web_Applications_in_the_Current_Environment_Project&sa=D&usg=ALhdy28jbRC5XTKBNLTaaeahUnuRxpCf9A">https://www.owasp.org/index.php/OWASP_Supporting_Legacy_Web_Applications_in_the_Current_Environment_Project</a> | Shruti Kulkarni | [email protected] | Supporting Legacy Web Applications in the current environment. Legacy web applications are a reality in life. Even now, there are several out there, some of them supporting sensitive business areas like banking, insurance, marketing and idea generation. As these applications get outsourced for maintenance, security becomes a crucial aspect, both from the perspective of outsourcing and of the inherent vulnerabilities of the web app. Added to this is the people aspect: a lack of knowledge of security. Typically there is a gap between the developers maintaining the application and the security personnel who help the developers make the app more secure. I would like to highlight these challenges and bring forth the critical security points in legacy web apps. | </tr> | ||||||
<p style='height:16px;'>.</td> | 104 | I | OWASP SeraphimDroid Project | Tool | GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) | OWASP_SeraphimDroid_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project&sa=D&usg=ALhdy2_Y4XUYbvm-YmB_ZEvDF8IklTkT_A">https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project</a> | Nikola Milošević | [email protected] | SeraphimDroid is an educational application for Android devices that helps users learn about risks and threats coming from other Android applications. SeraphimDroid scans your device and teaches you about risks and threats coming from application permissions. This project will also deliver a paper on Android permissions, their regular use, risks and malicious use. In its second version SeraphimDroid will evolve into an application firewall for Android devices, not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be made without the user's permission and knowledge. | </tr> | ||||||
<p style='height:16px;'>.</td> | 105 | I | OWASP Unmaskme Project | Tool | GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces) | OWASP_Unmaskme_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Unmaskme_Project&sa=D&usg=ALhdy293suD3YjO7ryTfAYc8DFmk3DeEmA">https://www.owasp.org/index.php/OWASP_Unmaskme_Project</a> | Emilio Casbas | [email protected] | The goal of this tool is to raise security awareness among web owners in order to help decrease the constant rise of compromised websites. It is a public resource which will extract metadata from any website (either a domain name or an IP address, no resource) and explain it in a brief summary. The extraction is totally passive, just like browsing the website; otherwise the tool couldn't be online for public use. It is based mainly on HTTP headers and metadata. Some features of the tool are: easy to use, only enter a website address to see what's behind the scenes; brief summary about the website configuration; different report colours to highlight web security awareness; detection of CMSs and versions (whatweb core); warnings about old software being exploited in the wild like joomla-1.5, RoR CVE-2013-0156...; detection of hardening signs such as WAF, CDN, reverse proxy...; detection of blacklisted websites by Google Safe Browsing; detection of suspicious iframes or hidden spam; detection of defacements, directory listings, private IP addresses in comments...; stats about general web security awareness and some details of compromised websites. PoC (Spanish): http://desenmascara.me | </tr> | ||||||
<p style='height:16px;'>.</td> | 106 | I | OWASP File Format Validation Project | Code Library Project | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_File_Format_Validation_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_File_Format_Validation_Project&sa=D&usg=ALhdy2-7Itsc5KUMwUVUl6wsAoQKr40ChA">https://www.owasp.org/index.php/OWASP_File_Format_Validation_Project</a> | Georges-B Michel | [email protected] | This project provides developers with a library to help them validate file formats properly. Validation is based on the official specifications (ISO, RFC, UIT-T, ...) of the tested formats and not only on signatures. | </tr> | ||||||
<p style='height:16px;'>.</td> | 107 | I | OWASP Androïck Project | Tool Project | GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) | OWASP_Androick_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Androick_Project&sa=D&usg=ALhdy2-Ryn5bz4z3t07Ia1kYkMWDa-KjjA">https://www.owasp.org/index.php/OWASP_Androick_Project</a> | Florian Pradines | [email protected] | Androïck is a tool that allows any user to analyze an application. It can get the apk file, all the data and the databases in sqlite3 and csv format. | </tr> | ||||||
<p style='height:16px;'>.</td> | 108 | I | OWASP SafeNuGet Project | Tool Project | GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) | OWASP_SafeNuGet_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_SafeNuGet_Project&sa=D&usg=ALhdy28zfJ1Ulp4D7KzYC-jHyGV80b29-g">https://www.owasp.org/index.php/OWASP_SafeNuGet_Project</a> | Erlend Oftedal | [email protected] | SafeNuGet is an MSBuild plugin that will break the build if the .NET project is using libraries with known vulnerabilities. The goal is thus to reduce exposure to OWASP Top 10 2013 A9. | </tr> | ||||||
<p style='height:16px;'>.</td> | 109 | I | OWASP WebSandBox Project | Tool Project | GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces) | OWASP_Web_Sand_Box_project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_WebSandBox_Project&sa=D&usg=ALhdy2__Zi1JX-vo4x7pSBGWhOnue0pk-w">https://www.owasp.org/index.php/OWASP_WebSandBox_Project</a> | Gregory Disney | [email protected] | A web sandbox written purely in Perl, similar to Fogger. Web SandBox is an application to sandbox web applications using JavaScript V8 by , sandboxing ALLOWALL.undef & document.location in V8, so the browser can't leave the sandboxed site. It also uses WebKit to act as the browser. The tool is also useful for web testing with Pharos proxy or ZAP, for getting results only for the sandboxed site. | </tr> | ||||||
<p style='height:16px;'>.</td> | 110 | I | OWASP HA Vulnerability Scanner Project | Tool Project | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_HA_Vulnerability_Scanner_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_HA_Vulnerability_Scanner_Project&sa=D&usg=ALhdy2-sk6BYgSZSiKq2wX5m0DLbBcAP2A">https://www.owasp.org/index.php/OWASP_HA_Vulnerability_Scanner_Project</a> | Dhruv Jain | [email protected] | It is a vulnerability scanner written in PHP. It is able to scan requested URLs and run a variety of tests to find security flaws. | </tr> | ||||||
<p style='height:16px;'>.</td> | 111 | I | OWASP Security Principles Project | Documentation Project | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Security_Principles_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Security_Principles_Project&sa=D&usg=ALhdy28_1yS_712dmzBwG_Gv5CSZyDiz8w">https://www.owasp.org/index.php/OWASP_Security_Principles_Project</a> | Dennis Groves | [email protected] | The idea is to distill the fundamentals of security into a set of concise principles that must be present in any system throughout the requirements, architecture, development, testing and implementation of a system. | </tr> | ||||||
<p style='height:16px;'>.</td> | 112 | I | OWASP Dependency Track Project | Tool Project | GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) | OWASP_Dependency_Track_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Dependency_Track_Project&sa=D&usg=ALhdy2_avftpayFsPeSwzfcCc5ge-1GxYA">https://www.owasp.org/index.php/OWASP_Dependency_Track_Project</a> | Steve Springett | [email protected] | Dependency-Track is a Java web application that allows organizations to document the use of third-party components across multiple applications and versions. | </tr> | ||||||
<p style='height:16px;'>.</td> | 113 | I | OWASP SecLists Project | Code Library Project | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_SecLists_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_SecLists_Project&sa=D&usg=ALhdy29WUN70OUF5WOsPdExLKPnphes6ZA">https://www.owasp.org/index.php/OWASP_SecLists_Project</a> | Daniel Miessler | [email protected] | SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more. The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed. | </tr> | ||||||
<p style='height:16px;'>.</td> | 114 | Other | L | OWASP AppSec Tutorial Series | Documentation | Creative Commons Attribution NonCommercial License V2.0 | NONE | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series&sa=D&usg=ALhdy29uzvw31YMdHDFV-WedYwKJ77X5Bw">https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series</a> | Jerry Hoff | [email protected] | The OWASP Appsec Tutorial Series breaks down security concepts in an easily accessible, friendly way. Each video is 5-10 minutes long and highlights a different security concept, tool or methodology. | Media | appsec-tutorial | 15 | A series to break down security concepts in easy to understand videos</tr> | ||
<p style='height:16px;'>.</td> | 115 | Defender | Construction | L | OWASP AppSensor Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-appsensor-project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_AppSensor_Project&sa=D&usg=ALhdy2-bw5BGi9Otd4wv0REEayheCYBeFQ">https://www.owasp.org/index.php/OWASP_AppSensor_Project</a> | Michael Coates | [email protected], [email protected], [email protected] | The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities. | Need to push to mainstream | appsensor | 9 | A framework to detect and respond to attacks from within applications</tr> | |
<p style='height:16px;'>.</td> | 116 | Breaker | Verification | L | OWASP Broken Web Applications Project | Tool | GNU General Public License version 2.0 (GPLv2) | NONE [3] | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project&sa=D&usg=ALhdy29Thj18sOxh7gUikpulMx1NejAF1A">https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project</a> | Chuck Willis | [email protected] | A collection of vulnerable web applications that is distributed on a Virtual Machine. | bwa | 3 | A collection of vulnerable web applications distributed on a VM</tr> | ||
<p style='height:16px;'>.</td> | 117 | Breaker | Verification | L | OWASP CSRFTester Project | Tool | GNU Library or Lesser General Public License (LGPL) | owasp-csrftester | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project&sa=D&usg=ALhdy2-iUY7sKq-JRBNtwX5O92LRAl2DEA">https://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project</a> | Eric Sheridan | [email protected] | The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws. | csrftester | 10 | A tool to test applications for CSRF flaws</tr> | ||
<p style='height:16px;'>.</td> | 118 | Breaker | Verification | L | OWASP CTF Project | Documentation | Unknown | owasp-ctf | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_CTF_Project&sa=D&usg=ALhdy29nJiGE5dDwnelPGtxLz1hjvH0n-A">https://www.owasp.org/index.php/Category:OWASP_CTF_Project</a> | Steven van der Baan | [email protected] | Need to follow up | ctf | 3 | A web-based hacking challenge application for capture the flag events</tr> | ||
<p style='height:16px;'>.</td> | 119 | Other | Verification | L | OWASP EnDe Project | Tool | GNU General Public License version 2.0 (GPLv2) | owasp-ende-project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_EnDe&sa=D&usg=ALhdy2-2Y_WNDggACjISjxC9hASMyFOA6A">https://www.owasp.org/index.php/Category:OWASP_EnDe</a> | Achim Hoffmann | [email protected] | Encoder, Decoder, Converter, Transformer, Calculator, for various codings used in the wild wide web. Collection of functions (herein called actions) for various codings, encodings, decodings and conversions. The aim is/was mainly driven by the requirements for HTTP/HTML-based functionality. | ende-project | 12 | An encoder, decoder, converter, transformer, calculator. Builder, Breaker, and Defender.</tr> | ||
<p style='height:16px;'>.</td> | 120 | Breaker | Verification | L | OWASP Hackademic Challenges Project | Tool | Apache License V2.0 | owasp-hackademic-challenges | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project&sa=D&usg=ALhdy2903Y6MiA22V2TaxJhDCIaUk5qycA">https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project</a> | Anastasios Stasinopoulos, Konstantinos Papapanagiotou | [email protected], [email protected] | The Hackademic Challenges is an open source project that can be used to test and improve one's knowledge of web application security. | hackademic | 10 | A learning tool to exploit vulnerabilities in a realistic application</tr> | ||
<p style='height:16px;'>.</td> | 121 | Breaker | Verification | L | OWASP HTTP POST Tool | Tool | GNU General Public License version 3.0 (GPLv3) | owasp-http-post-tool | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool&sa=D&usg=ALhdy2-isHi8OJqIbKBX5Al1ZistOb0X6g">https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool</a> | Tom Brenann | [email protected] | This QA tool was created to allow you to test your web applications for availability concerns from HTTP GET and HTTP POST denial-of-service attacks. | http-post-tool | 14 | A denial-of-service testing tool using HTTP requests</tr> | ||
<p style='height:16px;'>.</td> | 122 | Breaker | Verification | I | OWASP Java XML Templates Project | Tool | BSD License | owasp-java-xml-templates | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Java_XML_Templates_Project&sa=D&usg=ALhdy2_UG3bNRTfgfJVhjej5tZUcD0e4KQ">https://www.owasp.org/index.php/OWASP_Java_XML_Templates_Project</a> | Jeff Ichnowski | [email protected] | A fast and secure XHTML-compliant template language that runs on a model similar to JSP. | java-xml-tmpl | 13 | A fast and secure XHTML-compliant template language similar to JSP</tr> | ||
<p style='height:16px;'>.</td> | 123 | Builder | Governance | L | OWASP Legal Project | Documentation | Unknown | owasp-legal | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Legal_Project&sa=D&usg=ALhdy29OlwnS1vEeJdlZJATjujsBWttqtQ">https://www.owasp.org/index.php/Category:OWASP_Legal_Project</a> | Jeff Williams | [email protected] | The cornerstone of the Legal Project is its Secure Software Development Contract Annex. | legal | 5 | Guide to writing contract language for acquiring secure software</tr> | ||
<p style='height:16px;'>.</td> | 124 | Breaker | Verification | L | OWASP Mantra Security Framework | Tool | GNU General Public License version 3.0 (GPLv3) | owasp-mantra | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework&sa=D&usg=ALhdy28K455zcaL1vGdrActVH-p-bCW-0Q">https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework</a> | Abhi M BalaKrishnan | [email protected] | Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers, security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software. | Release: Mantra Security Toolkit - 0.52, December 5, 2010 | mantra | 6 | A collection of free and open source tools integrated into a browser</tr> | |
<p style='height:16px;'>.</td> | 125 | Breaker | Verification | L | OWASP Mutillidae Project | Tool | Creative Commons Attribution ShareAlike License V3.0 | owasp-mutillidae | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Mutillidae&sa=D&usg=ALhdy2_RR3Nqn6_3KLhuTroaHqsywEku9w">https://www.owasp.org/index.php/Category:OWASP_Mutillidae</a> | Adrian Crenshaw | [email protected] | A deliberately vulnerable set of PHP scripts that implement the OWASP Top 10. | mutillidae | 10 | A deliberately vulnerable set of PHP scripts</tr> | ||
<p style='height:16px;'>.</td> | 126 | Breaker | Verification | L | OWASP O2 Platform | Tool | Apache License V2.0 | owasp-o2-platform | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_O2_Platform&sa=D&usg=ALhdy2-JI5hrsxTibUbeg9G0z_m5SEjCbg">https://www.owasp.org/index.php/OWASP_O2_Platform</a> | Dinis Cruz | [email protected] | Collection of Open Source modules that help Web Application Security Professionals to maximize their efforts and quickly obtain high visibility into an application's security profile. | o2-platform | 11 | A framework to automate testing through creation of scripted workflows</tr> | ||
<p style='height:16px;'>.</td> | 127 | Other | Governance | L | OWASP Podcast Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-podcast | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Podcast&sa=D&usg=ALhdy28spxZcVSZRBPdVnVqsViKxRT4vaw">https://www.owasp.org/index.php/OWASP_Podcast</a> | Jim Manico | [email protected] | Listen as Jim interviews OWASP volunteers, industry experts and leaders within the field of web application security. | Media | podcast | 7 | A podcast interview series about OWASP and application security</tr> | |
<p style='height:16px;'>.</td> | 128 | Breaker | Verification | L | OWASP Vicnum Project | Tool | Creative Commons Attribution ShareAlike License V3.0 | owasp-vicnum-project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Project_Information:template_Vicnum_Project&sa=D&usg=ALhdy286d5vhBTlTrzzZwTxuvbNlPIqAyw">https://www.owasp.org/index.php/Project_Information:template_Vicnum_Project</a> | Mordecai Kraushar; Nicole Becher | [email protected]; [email protected] | A lightweight vulnerable web application based on a game played to kill time. It demonstrates common web application vulnerabilities such as cross-site scripting. Vicnum is especially helpful to IT auditors who need to hone web security skills. | vicnum | 6 | A vulnerable web application created as a capture-the-flag style game</tr> | ||
<p style='height:16px;'>.</td> | 129 | Breaker | Verification | L | OWASP Wapiti Project | Tool | GNU Library or Lesser General Public License (LGPL) | owasp-wapiti | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project&sa=D&usg=ALhdy28C6ze_Ei_Ql8PJxybaN5mnMwK52g">https://www.owasp.org/index.php/Category:OWASP_Wapiti_Project</a> | Nicolas Surribas | [email protected] | This project aims to audit the security of web applications in an easy way. It performs "black-box" scans, acting like a fuzzer and injecting payloads to see if an application is vulnerable. | wapiti | 6 | A web application scanner that explores and fuzzes target sites</tr> | ||
<p style='height:16px;'>.</td> | 130 | Breaker | Verification | L | OWASP Yasca Project | Tool | BSD/GPL | owasp-yasca-project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Project_Information:template_Yasca_Project&sa=D&usg=ALhdy2-tdc8wUggRbYMQUuHtos8UYOgTyw">https://www.owasp.org/index.php/Project_Information:template_Yasca_Project</a> | Michael Scovetta | [email protected] | Yasca is an open source program which looks for security vulnerabilities, code quality, performance, and conformance to best practices in program source code. | yasca-project | 13 | A code scanning tool that combines tools such as FindBugs, PMD, Lint, etc.</tr> | ||
<p style='height:16px;'>.</td> | 131 | Builder | Governance | L | Virtual Patching Best Practices | Documentation | Creative Commons Attribution ShareAlike License V3.0 | NONE | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Virtual_Patching_Best_Practices&sa=D&usg=ALhdy2_3ZoRPka_SVx8NUfuiIaz1GFiLYQ">https://www.owasp.org/index.php/Virtual_Patching_Best_Practices</a> | Dan Cornell, Achim Hoffmann, Martin Knobloch | [email protected], [email protected], [email protected] | The goal of this paper is to present a virtual patching framework that organizations can follow to maximize the timely implementation of virtual patches, as well as to demonstrate how the ModSecurity web application firewall can be used to remediate a sampling of vulnerabilities in the OWASP WebGoat application. | virt-patch | 10 | A process to implement timely virtual patches for applications</tr> | ||
<p style='height:16px;'>.</td> | 132 | I | OWASP PHP Portscanner Project | Tool | GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces) | <a target="_blank" href="https://www.google.com/url?q=https://lists.owasp.org/mailman/listinfo/owasp_php_portscanner_project&sa=D&usg=ALhdy28SETP8_zyiJAnHP78LVW0NdaLX3g">https://lists.owasp.org/mailman/listinfo/owasp_php_portscanner_project</a> | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_PHP_Portscanner_Project&sa=D&usg=ALhdy29jR9iRP9PIeuopkf9ieEvynH4VoA">https://www.owasp.org/index.php/OWASP_PHP_Portscanner_Project</a> | Bhavesh Naik | [email protected]; [email protected] | The project is a simple PoC on how PHP sockets can be used as a security tool to perform port scanning. The PHP port scanner runs in a web browser (it is not limited to the browser, but can run in the CLI with a few tweaks). No deep knowledge of PHP is required to construct this scanner; the basics will do just fine! | </tr> | ||||||
<p style='height:16px;'>.</td> | 133 | I | OWASP Ruby on Rails Security Guide Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | OWASP_Ruby_on_Rails_and_friends_Security_Guide | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Ruby_on_Rails_and_friends_Security_Guide&sa=D&usg=ALhdy2_cJUwa77J864YfoSpTd7DyYPmzGQ">https://www.owasp.org/index.php/OWASP_Ruby_on_Rails_and_friends_Security_Guide</a> | Paolo Perego | [email protected] | The Ruby on Rails Security Project is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project have been mentioned in several Rails books and websites. | No activity since 2009; Paolo has adopted this project (Aug 30th 2013). Former mailing list: owasp-ruby-on-rails-v2. Former wiki site: https://www.owasp.org/index.php/Category:OWASP_Ruby_on_Rails_Security_Guide_V2 | ruby-guide | 10 | A guide to Ruby on Rails security topics</tr> | |||
<p style='height:16px;'>.</td> | 134 | I | OWASP Framework Security Project | Documentation | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_Framework_Security_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Framework_Security_Project&sa=D&usg=ALhdy2-mbJJVjTaqL1k8fXWqI8w8bmqgug">https://www.owasp.org/index.php/OWASP_Framework_Security_Project</a> | Michael Coates | [email protected] | The OWASP Framework Security Project focuses on understanding missing security controls within popular frameworks and coordinating with developers and the framework leaders to effectively integrate the missing security controls. This project requires collaboration between security experts, security-minded developers and framework developers and leaders. | The primary deliverable of this project is source code that is accepted into frameworks. The OWASP Framework Security Project will maintain documentation to indicate which security controls have been accepted and links to code and documentation at each framework.</tr> | ||||||
<p style='height:16px;'>.</td> | 135 | Breaker | Verification | I | OWASP Java HTML Sanitizer Project | Tool | BSD License | owasp-java-html-sanitizer | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer&sa=D&usg=ALhdy2-W_j1jMgUK9xAvuchzAbZ2RCkhXQ">https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer</a> | Mike Samuel, Jim Manico | [email protected], [email protected] | This is a fast Java-based HTML Sanitizer which provides XSS protection. | java-html-sanit | 15 | A fast Java-based HTML Sanitizer which provides XSS protection</tr> | ||
<p style='height:16px;'>.</td> | 136 | I | OWASP JAWS Project | Code Library | GNU LGPL v3 License (similar to GPL but modified for use with libraries that may be called by other proprietary programs) | OWASP_JAWS_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_JAWS_Project&sa=D&usg=ALhdy2--Qyrc4eNDWgCOwvmoMa5OqVsd-Q">https://www.owasp.org/index.php/OWASP_JAWS_Project</a> | Maarten Mestdagh | [email protected] | The purpose of the project is to have a workset with runnable Java code that shows secure coding practices in a working way. Too many times developers end up at some developer forum where someone asks a question and the solutions (that may be working, but not necessarily in a secure way) are copied and end up in production code. The project will demonstrate how to implement existing solutions, leveraging existing material from the OWASP community. The code in the project will have the necessary code coverage and matching unit tests to help the developer understand the correct way to implement the code into their own projects. Next to this, all code will be deployable and as such runnable in a provided server so developers may play with the code and get a better understanding of the solution. The provided pages in the application will provide both a protected as well as an unprotected part so the developers can get a better understanding of how the solution mitigates some of the dangers. | * Next month I was thinking about getting the skeleton ready. This means the accounts/credentials (wiki, ...) followed by the 'official' request to create the project. Once this is done, I would like to make sure the homepage is set up properly, the repository (Git probably) is set up, we have a system for continuous build/integration, have the account for i18n, IDE, ... * From October on I would like to focus on the real development and adding of content. * By the end of this year I would like to have 10 working protection samples in the application, fully testable, unit tested and code covered. * As soon as the content is 'in the team's opinion' ready to be challenged I would like to go 'live' :-) The idea is to have a project that runs with as little configuration, set-up or rights needed on the system as possible. I want the developers to be able to run it and play with it as fast as possible. As sometimes the systems (within a corporate environment) are locked down, I also don't want them to install anything (or as little as possible). The application would contain a good (protected) page and a bad (broken) page for each of the solutions. The page would contain a very high-level summary about what it is about, why it is important and links to other OWASP projects if applicable (thinking of the Java project, ASVS, CSRFGuard, Code Snippets, ...) for more info and further reading. At a later stage, I would like to introduce for each of the given solutions an architectural background so a developer could challenge whether the solution is the right fit for his/her problem and make a well-considered choice from the solutions. Some security problems may require a slightly different approach based on the architecture of the application or any restrictions from a corporate/project point of view (e.g. a team may decide not to use any beta solutions or solutions that conflict with other in-place frameworks, ...). These are my ideas at the moment, but of course based on the input from contributors and feedback from the community, some stuff may change.</tr> | ||||||
I | OWASP Media Project | Documentation | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Media_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Media_Project&sa=D&usg=ALhdy2_-aY-rB38c6YAoQjjT--rJS3P0cA">https://www.owasp.org/index.php/OWASP_Media_Project</a> | Jonathan Marcil | [email protected] | The OWASP Media Project is an infrastructure project that gathers, consolidates and promotes OWASP content in video format on a central, appealing hub. The first and main instance of the project will be a YouTube channel.
I | OWASP Global Chapter Meetings Project | Documentation | Apache 2.0 | OWASP_Global_Chapter_Meetings_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Global_Chapter_Meetings_Project&sa=D&usg=ALhdy2_1YRjBqyuz1ElbSx9JC4L2ak-CJg">https://www.owasp.org/index.php/OWASP_Global_Chapter_Meetings_Project</a> | Yvan Boily | [email protected] | The Global Chapter Meetups project seeks to connect participants globally by placing a spotlight on local chapters once a month. Opening the gates for participation will foster communication between chapters and strengthen the community.
I | OWASP Node.js Goat Project | Code | Apache 2.0 | OWASP_Node_js_Goat_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project&sa=D&usg=ALhdy28rFbHBCdj1fZcIIb3oJs95ImMTqQ">https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project</a> | Chetan Karande | [email protected] | Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
I | OWASP Pygoat Project | Tool | GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces) | OWASP_Pygoat_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Pygoat_Project&sa=D&usg=ALhdy2-T7TL-97cNOvEFk2hq9-N3qx9htA">https://www.owasp.org/index.php/OWASP_Pygoat_Project</a> | Kyle Rippee | [email protected] | Pygoat is similar to WebGoat or railsgoat in that it is an application specifically designed to be insecure in the hope of teaching others about code flaws in web applications. In this specific context it will focus mainly on Python and Django code libraries.
I | OWASP Python Security Project | Tool | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_Python_Security_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Python_Security_Project&sa=D&usg=ALhdy2-gjRN7cQyYza-oSJSPHs8tOVn3Lw">https://www.owasp.org/index.php/OWASP_Python_Security_Project</a> | Enrico Branca | [email protected] | Python Security is a free, open source project that aims at creating a hardened version of Python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations. The project is designed to explore how web applications can be developed in Python by approaching the problem from three different angles: - Security in Python: white-box analysis, structural and functional analysis - Security of Python: black-box analysis, identify and address security-related issues - Security with Python: develop security-hardened Python suitable for high-risk and high-security environments
I | OWASP Vulnerable Web Applications Directory Project | Documentation | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_Vulnerable_Web_Applications_Directory_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project&sa=D&usg=ALhdy2-2pef3QSjb04zZDNczbkQsL4mEvQ">https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project</a> | Raul Siles | [email protected] | The OWASP Vulnerable Web Applications Directory is a comprehensive and well maintained registry of all known vulnerable web applications currently available. | "Co-leader - Simon Bennetts / [email protected] wiki account: psiinon"
I | OWASP GameSec Framework Project | Documentation | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_GameSec_Framework | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_GameSec_Framework_Project&sa=D&usg=ALhdy28aDUU2xREJzq6Pv98Cvx-OKaDMig">https://www.owasp.org/index.php/OWASP_GameSec_Framework_Project</a> | Jason Haddix | [email protected] | Some of the most prolific apps these days are video games. They are sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, monetary transfers, social interactions, etc., with every bit the need for security that most internet-hosted apps have (if not more in some cases). This NEW OWASP project will help classify the diverse types of game hacks that exist for some of the world's biggest games. We'll use history as an example, and break down the flaws as much as possible, creating a do-not-do list of flaws new game companies can reference when creating new games.
I | OWASP SWAAT Project | Tool | Unknown | NONE | <a target="_blank" href="https://www.google.com/url?q=https://owasp.org/index.php/Category:OWASP_SWAAT_Project&sa=D&usg=ALhdy2_daVV_S42nDuxvEAaMnk99lr1Kcg">https://owasp.org/index.php/Category:OWASP_SWAAT_Project</a> | Adam Caudill | [email protected] | SWAAT is an open source web application source code analysis tool. SWAAT searches through source code and analyzes against the database of potentially dangerous strings given in the .xml files. | Needs project information | swaat | 5 | A source code analysis tool for JSP, ASP, .NET and PHP web pages
I | OWASP WebSpa Project | Tool | GNU GPL_v3 | OWASP_WebSpa_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_WebSpa_Project&sa=D&usg=ALhdy2-06dmpPl9S2T0mKe9Jgo2qrWcu8w">https://www.owasp.org/index.php/OWASP_WebSpa_Project</a> | Oliver Merki | [email protected]; [email protected] | This project implements the concept of web spa, by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.
I | OWASP Financial Information Exchange Security Project | Tool | Apache 2.0 | OWASP_Financial_Information_Exchange_Security_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Financial_Information_Exchange_Security_Project&sa=D&usg=ALhdy2_VxYZw3RY6nHrHLwDBsNNJP5fc9w">https://www.owasp.org/index.php/OWASP_Financial_Information_Exchange_Security_Project</a> | Myles Hosford | [email protected] | The project focuses on the FIX protocol with the aim of developing a Java client to be used during security assessments of custom FIX implementations. The project will also produce best practice guidance for FIX protocol security.
I | OWASP Security Labeling System Project | Documentation | Creative Commons Attribution Share Alike 3.0 | OWASP_Security_Labeling_System_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project&sa=D&usg=ALhdy2-5cpO-anP_p7DojMTVxL61v5xQ4w">https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project</a> | Luis Enriquez | [email protected] | Creating a security labeling system for software and web applications. This labeling system would be based on different criteria. It concerns technical and legal security. The original idea was proposed by Jeff Williams years ago.
I | OWASP Securing Internet of Things (IoTs) | Documentation | Creative Commons Attribution ShareAlike 3.0 License | OWASP_IoTs_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_IoTs_Project&sa=D&usg=ALhdy28lozG5p2p9TYXVlD--hdtA4QhKnQ">https://www.owasp.org/index.php/OWASP_IoTs_Project</a> | Vinayk Bansal | [email protected] | Advances in technology have led to the creation of intelligent and connected devices -- the Internet of Things (IoTs) -- that can sense and act upon the environment. In the not-so-distant future, IoTs will be pervasive in all aspects of human life such as home, education, healthcare, and commerce. Since IoTs will access and act upon the physical and digital reality surrounding humans, their security and privacy is of prime importance. A lack of appropriate security in IoTs can lead to grave outcomes including physical harm to humans. It is crucial that we study IoT architectures and technologies to uncover the security flaws, and guide developers on how to securely develop IoTs. The goal of the project is to extensively research the various architectural models (peer-to-peer and client-server models) used by IoTs such as connected home devices (smart TVs, gaming consoles, toys) and sensor devices (monitoring cameras, motion detectors), and to identify the flaws in design, implementation and communication models. One goal of this project is to publish these security flaws and associated risks. The second goal of the project is to provide secure architectural patterns for IoTs to guide secure design and development.
I | OWASP STeBB Project | Tool | Apache 2.0 | OWASP_STeBB_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_STeBB_Project&sa=D&usg=ALhdy2_ek63rX3ReIIj_CJujL3RJ3aVVew">https://www.owasp.org/index.php/OWASP_STeBB_Project</a> | Sreenath Sasikumar, Rejah Rehim | [email protected], [email protected] | The project is a tool which would be delivered as an executable (e.g. http://sourceforge.net/projects/stebb/ ). It is not documentation. It would be a software tool which can be downloaded/installed and used to security test web applications.
I | OWASP Insecure Web Components Project | Documentation | Creative Commons Attribution ShareAlike 3.0 License | OWASP_Insecure_Web_Components_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Insecure_Web_Components_Project&sa=D&usg=ALhdy2_MMZWFXbk36ZUYi1v5U4LKv54thQ">https://www.owasp.org/index.php/OWASP_Insecure_Web_Components_Project</a> | Tony Uv | [email protected] | The project will focus on identifying the top default insecurities that affect enterprise web software and frameworks, including, but not limited to, the following: - Java - .NET - PHP - Ruby on Rails - Django
I | OWASP Reverse Engineering and Code Modification Prevention Project | Documentation | Apache 2.0 | OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project&sa=D&usg=ALhdy2-5MjzzJMf9TIm5ywQAvbhxWBn0cg">https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project</a> | Jonathan Carter | [email protected] | The purpose of the project is to educate application security experts about the risks and appropriate mitigation techniques that organizations should implement to prevent an adversary from reverse engineering or modifying the developer's code within untrustworthy environments. The primary audiences for this project include: security analysts, security architects, security designers, security champions within the software engineering communities, and security auditors. In each of these roles, this project will educate them about the relevant risks and how to combat those risks as it relates to their particular role.
I | OWASP System Vulnerable Code Project | Code | GNU LGPL v3 License | OWASP_System_Vulnerable_Code_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_Project&sa=D&usg=ALhdy2-Hsv9cYjTRl_bkrkIJ3tBl3GC_JA">https://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_Project</a> | Shezan Dhaka | [email protected] | This project aims to develop a security application for checking the security stress and finding out the vulnerabilities of the system. This tool can also find out application vulnerabilities. I want to make an advanced security tool with exploits and payloads. It will help us to find the vulnerabilities of both web applications and desktop applications. I will include here more than 1000 exploits, 500 payloads, 30 encoders and some scripts to check the security stress of encrypted data.
I | OWASP ISO IEC 27034 Application Security Controls Project | Code | GNU LGPL v3 License | OWASP_ISO_IEC_27034_Application_Security_Controls_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project&sa=D&usg=ALhdy2-imodlNrjVN8jeMNrQi6f4RjVhbA">https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project</a> | Jonathan Marcil | [email protected] | Conversion of OWASP-related documentation and best practices, such as the OWASP Top 10, into Application Security Controls (ASCs) as defined in ISO/IEC 27034. This will enable 27034 stakeholders to use the formal structure of OWASP content.
I | OWASP NINJA PingU Project | Tool | GNU LGPL v3 License | OWASP_NINJA_PingU_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_NINJA_PingU_Project&sa=D&usg=ALhdy280tufoYwJzWEU8UzhCVM4x3Zfeyw">https://www.owasp.org/index.php/OWASP_NINJA_PingU_Project</a> | Guifre Ruiz | [email protected] | NINJA PingU will be a high-performance host enumerator tool for scanning purposes. It will allow users to enumerate services in networks very quickly.
I | OWASP Student Chapters Project | Operational | Creative Commons Attribution Share Alike 3.0 | Owasp-student-chapters-program | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Student_Chapters_Program&sa=D&usg=ALhdy29N6u3ptlIvS8AcnnfXY4L8uGIqww">https://www.owasp.org/index.php/OWASP_Student_Chapters_Program</a> | Mateo Martinez | [email protected] | The Open Web Application Security Project (OWASP) has local chapters around the world that help teach, learn, and inspire application security. Our College Chapters program helps to extend application security into colleges and universities worldwide. If your school has a computer science or management information systems degree, we want to start a College Chapter there.
I | OWASP Mobile Security Project - Mobile Threat Model | Documentation | owasp-mobile-security-project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Mobile_Security_Project&sa=D&usg=ALhdy2-7M0T49E2A39jQszgJmRMYPscKJA">https://www.owasp.org/index.php/OWASP_Mobile_Security_Project</a> | Daniel Miessler | [email protected] | Our primary focus is at the application layer. While we take into consideration the underlying mobile platform and carrier inherent risks when threat modeling and building controls, we are targeting the areas where the average developer can make a difference. Additionally, we focus not only on the mobile applications deployed to end user devices, but also on the broader server-side infrastructure with which the mobile apps communicate. We focus heavily on the integration between the mobile application, remote authentication services, and cloud platform-specific features.
I | OWASP Speakers Project | Documentation | Creative Commons Attribution Share Alike 3.0 | owasp_speakers_project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Speakers_Project&sa=D&usg=ALhdy28aAmMYISDR0usmvZwEqwP5HYVUyw">https://www.owasp.org/index.php/Category:OWASP_Speakers_Project</a> | Mateo Martinez | [email protected] | This program allows two parties to find each other: local chapters or application security events that want to attract an OWASP speaker, and OWASP speakers who want to give OWASP presentations and see the world.
I | OWASP Education Project | Documentation | Creative Commons Attribution Share Alike 3.0 | owasp-education | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Education_Project&sa=D&usg=ALhdy28f_8zjkidsNQgflDJCD4beGRoWOg">https://www.owasp.org/index.php/Category:OWASP_Education_Project</a> | Kostantinos P. (Kostas); Vasileios | - Kostas ([email protected]) - Vasileios ([email protected]) | The project will continuously deliver education material about OWASP tooling and documentation. This aims to create an easy entrance towards understanding application security and usage of the OWASP tooling. By creating education documentation papers, screen-capture video courses and setting up an OWASP Boot camp, a controlled education process of a standardized quality can be created continuously. With the setup of an OWASP Boot camp, the OWASP word can be spread in a controlled manner and high-quality training delivered, both inside and outside of the OWASP community. The OWASP Education Project will set up and standardize OWASP training manuals and materials to ensure a certain level of quality of the trainings. Trainings about the OWASP tooling and projects will have to be reviewed by the projects.
I | OWASP Internet of Things Top 10 Project | Documentation | Creative Commons Attribution Share Alike 3.0 | OWASP_Internet_of_Things_Top_Ten_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project&sa=D&usg=ALhdy2_9L5CVUlPvySHMnlLqfhdPB0He7A">https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project</a> | Daniel Miessler | [email protected] | Oxford defines the Internet of Things as “a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” The OWASP Internet of Things (IoT) Top 10 is a project designed to help vendors who are interested in making common appliances and gadgets network/Internet accessible. The project walks through the top ten security problems that are seen with IoT devices, and how to prevent them. Examples of IoT devices: cars, lighting systems, refrigerators, telephones, SCADA systems, traffic control systems, home security systems, TVs, DVRs, etc. Internet of Things Top 10 (tentative): 1. Administrative Interface with Weak/Default Credentials; 2. Buffer Overflow of Available Network Service; 3. Lack of Network Encryption; 4. Insecure Software Update System; 5. Denial of Service; 6. Information Disclosure Through Network Services; 7. Insecure Web Interface; 8. Network Attack Magnification; 9. Trivial Physical Security Bypass; 10. Poor Security Management Capabilities
I | OWASP Encoder Comparison Reference Project | Tool Project | Apache 2.0 License | OWASP_Encoder_Comparison_Reference_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project&sa=D&usg=ALhdy28bHkuaG8NRaRTi7Cq0viVUwKTUaQ">https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project</a> | Stephanie Tan | [email protected] | Quick reference for how ESAPI and other framework and native language encoding methods work against ASCII characters. [UPDATE: Added link to working demo] A Web 2.0 web application that allows users to choose which encoder libraries to compare. It should compare ESAPI as well as others. Deliverables include the source code to the web application and a hosted version so that folks can access this tool without needing to download, install, configure, etc.
I | OWASP Ultimatum Project | Code Library Project | GNU GPL v3 License | OWASP_Ultimatum_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Ultimatum_Project&sa=D&usg=ALhdy2_tvIG3ChUpTkuuwOb9TyNBqta64w">https://www.owasp.org/index.php/OWASP_Ultimatum_Project</a> | Robin Nayak | [email protected] | The OWASP Ultimatum Project will be an all-in-one vulnerability testing tool. It will automatically keep updating so that it has the latest vulnerability information to work on. It can also be used to pentest different web server applications.
I | OWASP .NET Project | Documentation Project | Creative Commons Attribution ShareAlike License V3.0 | owasp-dotnet | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_.NET_Project&sa=D&usg=ALhdy2_Bd3J9BbgEjLGMTyYpeLuXHb1KCw">https://www.owasp.org/index.php/Category:OWASP_.NET_Project</a> | Bill Sempf | [email protected] | The project will contain information, materials and software that are relevant to building secure .NET web applications and services. The goal of the project is to provide deep content for all roles related to .NET web applications and services including: architectural guidance, developer tools, information and checklists, IT professional content (for those that deploy and maintain .NET websites), penetration testing resources, and incident response resources. The OWASP .NET Project Leader will actively recruit .NET contributors, including personnel from Microsoft, but also others throughout the .NET ecosystem. Including experts from communities from large companies to ISVs, from enterprise architects to ALT.NET developers, will be important for the overall reach of the OWASP .NET project. Other communities to consider include developers who use Mono (.NET for Linux), including Moonlight (Silverlight for Linux). The OWASP .NET Project Leader will actively contribute to the OWASP projects that require .NET resources, by recruiting resources or contributing to the project. | Merge into ESAPI | 0
I | OWASP Research Book Project | Documentation Project | Creative Commons Attribution ShareAlike License V3.0 | OWASP_Research_Book_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Research_Book_Project&sa=D&usg=ALhdy28ymopxdNhV2SjMpQ1xjsL8vfAA5w">https://www.owasp.org/index.php/OWASP_Research_Book_Project</a> | Ahmed Neil | [email protected] | OWASP Research Book is a consolidated publication with a collection of research papers that have been donated to OWASP. I have been investigating web application penetration testing books, and all the top ones I found included little, if any, information about OWASP or any of our projects. Whilst all penetration testing events list at least one or two of our projects (such as Top Ten, ZAP, etc.). That made me think: why not make an initiative where we assemble all the knowledge regarding web application penetration testing / remedy in one book, and the OWASP experts pour their knowledge and experience into this book.
I | OWASP Open Cyber Security Framework Project | Documentation Project | Creative Commons Attribution ShareAlike License V3.0 | OWASP_Open_Cyber_Security_Framework_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Open_Cyber_Security_Framework_Project&sa=D&usg=ALhdy29oaWvpSn_3kOHU3CMzFV8_X1I2Xg">https://www.owasp.org/index.php/OWASP_Open_Cyber_Security_Framework_Project</a> | Mateo Martinez | [email protected] | The project intent is to create a practical framework for cybersecurity. Currently there are some frameworks from NIST or from ISACA and other paid or local frameworks, but there is no open framework that governments or organizations are able to adopt.
I | OWASP ISO Project | Documentation | Creative Commons Attribution ShareAlike 3.0 License | OWASP_ISO_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_ISO_Project&sa=D&usg=ALhdy2-0u9Uj5AN7DLvWd_lLc6UvIr1kZA">https://www.owasp.org/index.php/OWASP_ISO_Project</a> | Sebastien Gioria | [email protected] | 1/ Setting up an OWASP ISO Project. 2/ Having a small group of what we call OWASP ISO Liaisons. In the OWASP terminology it's an OWASP Project leader(s). 3/ Setting some contributors to the OWASP Project. Role of the OWASP ISO Liaison: This is mostly a "project manager". They need to find good contributors in the OWASP projects/community to review and/or contribute to the ISO guidances. An OWASP ISO Liaison must attend and participate in the ISO Working Group physically and in ISO ad-hoc meetings remotely or physically (depending on the meeting site). Role of the OWASP Contributors: This is mostly an expert on the subject. They contribute by reviewing/commenting and/or contributing to the ISO guidances. => Best-effort role. An OWASP Contributor can be a chapter leader, to facilitate for the country language/facilities/..., or a project leader, or even just a member, as long as the OWASP ISO Liaison trusts them. An OWASP Contributor can also decide to join in and help the OWASP ISO Liaison online as well. An OWASP ISO Liaison can also be an OWASP Contributor at the same time if the opportunity is there. Costs/Charges: - There are 2 meetings per working group at ISO per year. It seems OWASP could be in 2 groups. So there will be 4 meetings/year for the OWASP ISO Liaison. - I think an OWASP ISO Liaison agent will have a charge of 1 or 2 days per month to compile and exchange with the contributors/ISO. I recommend having 3 or 4 OWASP ISO Liaisons all over the world (EU, US, Asia, ...) to optimize flight costs and time zones for attending the meetings.
37 | I | OWASP SQLIX Project | Tool | Creative Commons Attribution ShareAlike 3.0 License | owasp-sqlix | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_SQLiX_Project&sa=D&usg=ALhdy29w99F17gZ2QnZnizbUnT93_E5lDw">https://www.owasp.org/index.php/Category:OWASP_SQLiX_Project</a> | Adopted by Anirudh Anand | [email protected] | SQLiX, coded in Perl, is a SQL Injection scanner, able to crawl, detect SQL injection vectors, identify the back-end database and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different from the ones used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn't need to reverse engineer the original SQL request (using only function calls). | Project was adopted in February 2014 | sqlix | 5 | A full Perl-based SQL scanner
I | OWASP Top 10 Privacy Risks Project | Documentation | GNU GPL v3 License | OWASP_Top_10_Privacy_Risks_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project&sa=D&usg=ALhdy2-SnWFU3OFk1x36gWTTsb10jU6ASg">https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project</a> | Florian Stahl | [email protected] | The deliverable of the project will be a PDF document or web site with a list of the top 10 privacy risks in web applications and possible countermeasures. The goal is to develop a top 10 list for privacy risks in web applications because currently there is no such catalog available. The list will cover technological and organizational aspects like missing data encryption or the lack of transparency.
Breaker | Verification | I | OWASP LAPSE Project | Tool | GNU General Public License version 3.0 (GPLv3) | owasp-lapse | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_LAPSE_Project&sa=D&usg=ALhdy2_HjAAi9al20wHtlF9BpHJ-vP51Ig">https://www.owasp.org/index.php/OWASP_LAPSE_Project</a> | Gregory Disney | [email protected] | A tool for detecting vulnerabilities in Java EE Applications. LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java EE Applications for common types of security vulnerabilities found in Web Applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project. The project's second push is being led by Pablo Martín Pérez, Evalues Lab ICT Security Researcher, developing LAPSE+, an enhanced version of LAPSE. | lapse | 5 | An Eclipse-based source-code static analysis tool for Java
I | OWASP WASC Web Hacking Incidents Database Project | Documentation | Creative Commons Attribution ShareAlike 3.0 License | OWASP_WASC_Web_Hacking_Incidents_Database_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_WASC_Web_Hacking_Incidents_Database_Project&sa=D&usg=ALhdy2-1ppghfUiCIoh8sGMMoBBROj4UQA">https://www.owasp.org/index.php/OWASP_WASC_Web_Hacking_Incidents_Database_Project</a> | Ryan Barnett | [email protected] | The web hacking incident database (WHID) is a project dedicated to maintaining a list of web application-related security incidents. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents. The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. This data is in contrast to many public statistics reports on vulnerability prevalence in that it shows what types of vulnerabilities attackers are actively exploiting.
<p style='height:16px;'>.</td> | Breaker | Verification | I | OWASP Orizon Project | Tool | GNU General Public License version 3.0 (GPLv3) | owasp-orizon | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/Category:OWASP_Orizon_Project&sa=D&usg=ALhdy2-zTrt9NKcvC1djaBZu2AotWhyv6A">https://www.owasp.org/index.php/Category:OWASP_Orizon_Project</a> | Gregory Disney | [email protected] | Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS is based on generic rules which focus on attack payload identification in order to provide protection from zero day and unknown vulnerabilities often found in web applications, which are in most cases custom coded. | Adopted on February 19th 2014 | orizon | 6 | An extensible code review engine to be used for source code assessment</tr> | ||
<p style='height:16px;'>.</td> | I | OWASP Security Frameworks Project | Documentation | Creative Commons Attribution ShareAlike 3.0 License | OWASP_Security_Frameworks_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Security_Frameworks_Project&sa=D&usg=ALhdy297qlFosHjAgaJeZ5-v8iibeTUeyA">https://www.owasp.org/index.php/OWASP_Security_Frameworks_Project</a> | Ari Elias-Bachrach | [email protected] | This project is a series of design patterns that can be used by language designers and architects to create secure frameworks for developers, thereby relieving developers of the work of implementing security themselves. | </tr> | |||||||
<p style='height:16px;'>.</td> | I | OWASP WASC Distributed Web Honeypots Project | Tool | Apache 2.0 License | OWASP_WASC_Distributed_Web_Honeypots_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_WASC_Distributed_Web_Honeypots_Project&sa=D&usg=ALhdy28VzVw7p2QHAXDNWIlDcsLk7CXrwQ">https://www.owasp.org/index.php/OWASP_WASC_Distributed_Web_Honeypots_Project</a> | Ryan Barnett | [email protected] | The goal of the Distributed Web Honeypot (DWH) Project is to identify emerging attacks against web applications and report them to the community including automated scanning activity, probes, as well as, targeted attacks against specific web apps. | </tr> | |||||||
<p style='height:16px;'>.</td> | I | OWASP Click Me Project | Tool | Apache 2.0 License | OWASP_Click_Me_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Click_Me_Project&sa=D&usg=ALhdy28eJaEwgZK8EYvYBofAmd-B59MRuA">https://www.owasp.org/index.php/OWASP_Click_Me_Project</a> | Arun Kumar | [email protected] | Clickjacker will check if the target web page url (involving sensitive data) is vulnerable to Clickjacking by creating a html,ie.whether it can be loaded from a frame.If your site is vulnerable to Clickjacking then page will get loaded in a frame. | </tr> | |||||||
<p style='height:16px;'>.</td> | I | OWASP Secure TDD Project | Tool | Apache 2.0 License | OWASP_Secure_TDD_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Secure_TDD_Project&sa=D&usg=ALhdy2_HdYtZ0jE7NJQyh-pUZ_Z5nQP-hQ">https://www.owasp.org/index.php/OWASP_Secure_TDD_Project</a> | Nir Valtman | [email protected] | This project should contain a tool that allows creating security unit tests as part of Test Driven Development (TDD) process. The output of this page is documentation about the process and open source Visual Studio add-on. Today in the agile development world, many streams based on Test Driven Development (TDD). This project presents the approach to reuse this concept in context of security. | </tr> | |||||||
<p style='height:16px;'>.</td> | I | OWASP XSecurity Project | Tool | GNU General Public License version 3.0 (GPLv3) | OWASP_XSecurity_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_XSecurity_Project&sa=D&usg=ALhdy2_vK_HzlScIB_JEFc-9ncPvWtsdeQ">https://www.owasp.org/index.php/OWASP_XSecurity_Project</a> | Tokuji Akamine | [email protected] | XSecurity is a security plugin in Xcode plus clang static analyzer checkers for iOS application development. This plugin aims to reduce the vulnerability made during development by detecting the vulnerability as it is being created. | </tr> | |||||||
<p style='height:16px;'>.</td> | I | OWASP Incident Response Project | Documentation | Creative Commons Attribution ShareAlike 3.0 License | OWASP_Incident_Response_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Incident_Response_Project&sa=D&usg=ALhdy28otySkFtqpUOe045VxyYh-zkGUqA">https://www.owasp.org/index.php/OWASP_Incident_Response_Project</a> | Tom Brenann | [email protected] | OWASP Incident Response Project will provide users with a current set of tools and best practices for dealing with a hacked web application. | </tr> | |||||||
<p style='height:16px;'>.</td> | I | OWASP Pyttacker Project | Tool | GNU General Public License version 3.0 (GPLv3) | OWASP_Pyttacker_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Pyttacker_Project&sa=D&usg=ALhdy2-lSloEF6CfHTDnJJ08NIcm46O1RQ">https://www.owasp.org/index.php/OWASP_Pyttacker_Project</a> | Mario Robles | [email protected] | Pyttacker is a portable Web Server that include the features needed for every Pentester when creating reports, helping to create PoCs that show a more descriptive way to create awareness to the businesses by demonstrating realistic but inoffensive "attacks" included as part of the tool. | </tr> | |||||||
<p style='height:16px;'>.</td> | D | OWASP JOTP Project | Tool | TBD | OWASP_JOTP_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_JOTP_Project&sa=D&usg=ALhdy281-3qTPg7mnmOtWjeS3ZF2-YcqVQ">https://www.owasp.org/index.php/OWASP_JOTP_Project</a> | Rob Upcraft | [email protected] | jOTP is a lightweight web application, implemented in Java as a small set of RESTful services, that can be used to generate, validate, and automatically expire one-time use password tokens. This tool could be useful in scenarios that require multifactor authentication, but do not allow for more expensive / complex solutions that require physical tokens (magnetic id cards, RSA hard tokens, etc). Tokens generated may be sent either via email or SMS text message to end users. A common use case for jOTP is as follows: 1. Client web application displays login page to user. 2. User enters username, password, and cell phone number. 3. Client application makes a call to jOTP, which subsequently generates a token and sends it to the user's cell phone. 4. The user receives the token, and enters it on the login page. 5. The client application contacts jOTP to validate the token. If the token was valid, along with the username/password (validated separately), the user is logged in. | </tr> | |||||||
<p style='height:16px;'>.</td> | I | OWASP Java File I/O Security Project | Code Library | Apache 2.0 License | OWASP_Java_File_I_O_Security_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Java_File_I_O_Security_Project&sa=D&usg=ALhdy29b8k4eRHRRGwnmu-vK1YnDM4SNDw">https://www.owasp.org/index.php/OWASP_Java_File_I_O_Security_Project</a> | August Detlefsen | [email protected] | The goal of this project is to extract the file handling portions out of the ESAPI validators and make them available in an easy to use library that has no dependencies. | </tr> | |||||||
<p style='height:16px;'>.</td> | I | OWASP Code Pulse Project | Tool | Apache 2.0 License | OWASP_Code_Pulse_Project | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Code_Pulse_Project&sa=D&usg=ALhdy2-XW-Fh3FrmdU0ASLtZZIjIbE-OeA">https://www.owasp.org/index.php/OWASP_Code_Pulse_Project</a> | Hassan Radwan | [email protected] | Code Pulse is a tool that provides insight into the real-time code coverage of black box testing activities. Code Pulse is a software tool, and as such will be delivered as downloadable software that users can run on their systems. Our intent is to be a cross-platform application that runs on Windows, OS X, and Linux. | </tr> | |||||||
<p style='height:16px;'>.</td> | Other | I | OWASP Embedded Application Security | Documentation Project | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Embedded_Application_Security | <a target="_blank" href="https://www.google.com/url?q=https://www.owasp.org/index.php/OWASP_Embedded_Application_Security&sa=D&usg=ALhdy2-Lf28RQCuf0qN2HGJP1aRc31f1KA">https://www.owasp.org/index.php/OWASP_Embedded_Application_Security</a> | Aaron Weaver | [email protected] | Each year more consumer devices are wifi capable with many devices containing an embedded web server. The Internet of "Things" will push the number of internet capable devices into the billions. Research has shown most devices have little to none in the way of secure programming. There are many challenges in the embedded field including limited memory, a small stack and the challenge of pushing firmware updates. The goal of this project is to identify the risks in embedded hardware applications, create a list of best practices and draw on the resources OWASP already has and bring that to the embedded world. | </tr> | ||||||
<p style='height:16px;'>.</td> | </tr></table> [1] Not for modification - used to generate export </body></html>
[2] http://groups.google.com/group/zaproxy-develop [3] [email protected] --jason.li Mon Jun 06 2011 17:18:58 GMT+0100 (GMT Daylight Time) |