OWASP Project Dashboard 2014
Builder, Breaker, DefenderOWASP SAMMProposed Project StatusProject NameProject TypeProject LicenseOWASP Mailman Mailing ListProject Wiki PageProject Leader(s) (if exists)Project Leader Email(s) (if exists)Project Description (if available)Project ContributorsProject FounderLast evaluation dateEvaluation LinkRelease status and/or dateRelease LinkNext evaluation dateComments
BuilderConstructionLOWASP Enterprise Security APICodeBSD Licenseesapi-usershttps://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_APIChris Schdmit, Kevin WallChris Schmidt, Kevin WallESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.NAJeff Williams7/1/20149/1/2013https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=DownloadsJanuary, 2015
BuilderConstructionFOWASP ModSecurity Core Rule Set ProjectCodeApache License V2.0owasp-modsecurity-core-rule-sethttps://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_ProjectRyan BarnettRyan.Barnett@owasp.orgModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extrememly flexible and robust and has been referred to as the "Swiss Army Knife of web application firewalls." While this is certainly true, it doesn't do much implicitly on its own and requires rules to tell it what to do. In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS) which provides critical protections against attacks across most every web architecture.Breno SilvaRyan BarnettJuly, 20143/1/2014http://sourceforge.net/projects/mod-security/October, 2014Wiki
BuilderConstructionLOWASP CSRFGuard ProjectCodeBSD Licenseowasp-csrfguardhttps://www.owasp.org/index.php/Category:OWASP_CSRFGuard_ProjectEric Sheridaneric.sheridan@owasp.orgCross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFGuard Project attempts to address this issue through the use of unique request tokens.NAEric SheridanJuly, 2014https://www.owasp.org/images/4/46/Project_Status_Report-CRSFGuard-2.pdfFebraury, 2014https://github.com/aramrami/OWASP-CSRFGuardOctober, 2014Project must update key info on wiki to become candidate flagship.
OtherLOWASP AppSec Tutorial SeriesDocumentationCreative Commons Attribution NonCommercial License V2.0NONEhttps://www.owasp.org/index.php/OWASP_Appsec_Tutorial_SeriesJerry Hoffjerry@owasp.orgThe OWASP Appsec Tutorial Series breaks down security concepts in a easily accessible, friendly way. Each video is 5-10 minutes long and highlights a different security concept, tool or methodology.NAJerry HoffN/A9/1/2012https://www.youtube.com/user/AppsecTutorialSeries
DefenderConstructionLOWASP AppSensor ProjectDocumentationCreative Commons Attribution ShareAlike License V3.0owasp-appsensor-projecthttps://www.owasp.org/index.php/OWASP_AppSensor_ProjectMichael CoatesMichael.Coates@owasp.org, jtmelton@gmail.com, colin.watson@owasp.orgThe AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.Dennis Groves, Colin Watson, John MeltonJeff Williams, Michael CoatesN/AMay, 2014https://github.com/jtmelton/appsensor
BreakerVerificationLOWASP CTF ProjectDocumentationUnknownowasp-ctfhttps://www.owasp.org/index.php/Category:OWASP_CTF_ProjectSteven van der Baansteven.van.der.baan@owasp.orgThe OWASP CTF project is a web base hacking challenge application with challenges categorized in web, network and ‘others’. You require creativity, resourcefulness and networking skills to solve the various challenges. (a copy of the Live CD can help as well)N/AJanuary, 2012https://code.google.com/p/owaspctf/downloads/list
BuilderGovernanceLOWASP Legal ProjectDocumentationUnknownowasp-legalhttps://www.owasp.org/index.php/Category:OWASP_Legal_ProjectJeff Williamsjeff.williams@owasp.orgThe cornerstone of the Legal Project is its Secure Software Development Contract Annex.NAJeff Williams5/4/2009March, 2009https://www.owasp.org/index.php/Category:OWASP_Legal_Project#tab=Downloads
OtherGovernanceLOWASP Podcast ProjectDocumentationCreative Commons Attribution ShareAlike License V3.0owasp-podcasthttps://www.owasp.org/index.php/OWASP_PodcastMark MillerMark.Miller@owasp.orgListen as Mark interviews OWASP volunteers, industry experts and leaders within the field of web application security.NAJim ManicoN/AMarch, 2014https://soundcloud.com/owasp-podcast
BuilderGovernanceLVirtual Patching Best PracticesDocumentationCreative Commons Attribution ShareAlike License V3.0NONEhttps://www.owasp.org/index.php/Virtual_Patching_Best_PracticesRyan Barnettdan.cornell@owasp.org, achim@owasp.org, martin.knobloch@owasp.orgThe goal with this paper is to present a virtual patching framework that organizations can follow to maximize the timely implementation of virtual patches, as well as, to demonstrate how the ModSecurity web application firewall can be used to remediate a sampling of vulnerabilities in the OWASP WebGoat application.Dan Cornell
Achim Hoffmann
Martin Knobloch
Ryan BarnettN/AFebruary, 2011https://www.owasp.org/index.php/Summit_2011
BreakerVerificationLOWASP Application Security Verification Standard ProjectDocumentationCreative Commons Attribution ShareAlike License V3.0owasp-application-security-verification-standardhttps://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_ProjectSahba Kazerooni, Daniel Cuthbertsahba@securitycompass.com, daniel.cuthbert@owasp.orgtopn tThe primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigour available in the market when it comes to performing Web application security verification using a commercially-workable open standard.Abbas Naderi, Jim Manico, Andrew van der Stock, Regio N HartonoMike Boberski, Dave WichersN/AAugust, 2013http://sourceforge.net/projects/owasp/files/ASVS/OWASP%20ASVS%202013%20Beta%20_v1.0.pdf/download
BreakerVerificationLOWASP Code Review Guide ProjectDocumentationCreative Commons Attribution ShareAlike License V3.0owasp-codereviewhttps://www.owasp.org/index.php/Category:OWASP_Code_Review_ProjectLarry Conklin, Gary RobinsonLarry.Conklin@owasp.org, gaz_robinson@yahoo.co.ukThe code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity.Eoin Keary, Johanna Curiel, Abbas Naderi, Jane O'Connor, Hugo CostaJeff WilliamsN/AFebraury, 2009http://www.lulu.com/shop/owasp-foundation/owasp-code-review/paperback/product-4458615.htmlV. 2 is currently undergoing reviews. The next release will be out later this year.
OtherGovernanceLOWASP Codes of ConductDocumentationCreative Commons Attribution ShareAlike License V3.0owasp-codes-of-conducthttps://www.owasp.org/index.php/OWASP_Codes_of_ConductColin Watsoncolin.watson@owasp.orgThis project envisages to create and maintain OWASP Codes of Conduct. In order to achieve our mission, OWASP needs to take advantage of every opportunity to affect software development everywhere. At the OWASP Summit 2011 in Portugal, the idea was created to try to influence educational institutions, government bodies, standards groups, and trade organizations. We set out to define a set of minimal requirements for these organizations specifying what we believe to be the most effective ways to support our mission. We call these requirements a "code of conduct" to imply that these are normative standards, they represent a minimum baseline, and that they are not difficult to achieveNAColin Watson, Jason Li, Paulo CoimbraN/AOctober, 2013http://www.lulu.com/shop/owasp-foundation/owasp-codes-of-conduct/paperback/product-21247130.html
BuilderConstructionLOWASP Development Guide ProjectDocumentationCreative Commons Attribution ShareAlike License V3.0owasp-guidehttps://www.owasp.org/index.php/Category:OWASP_Guide_ProjectAndrew van der Stockvanderaj@owasp.orgThe Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.Andrew van der Stock, Dennis GrovesAndrew van der Stock, Dennis GrovesN/AJanuary, 2014https://github.com/OWASP/DevGuide/tree/master/DevGuide2.1.1
BuilderConstructionLOWASP Secure Coding Practices - Quick Reference GuideDocumentationCreative Commons Attribution ShareAlike License V3.0owasp-secure-coding-practiceshttps://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_GuideKeith Turpinkeith.turpin@owasp.orgThe Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 17 pages long, it is easy to read and digest.NAKeith Turpin9/8/2010October, 2012http://sourceforge.net/projects/mod-security/
OtherGovernanceLOWASP Software Assurance Maturity Model (SAMM)DocumentationCreative Commons Attribution ShareAlike License V3.0sammhttps://www.owasp.org/index.php/Category:Software_Assurance_Maturity_ModelSeba, Kuai HinojosaSeba@owasp.org; kuai.hinojosa@owasp.orgThis project is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.Pravir Chandra
Kuai Hinojosa
Bart De Win, Seba
Pravir ChandraN/AMarch, 2009http://www.opensamm.org/download/
BreakerVerificationLOWASP Testing Guide ProjectDocumentationCreative Commons Attribution ShareAlike License V3.0owasp-testinghttps://www.owasp.org/index.php/OWASP_Testing_ProjectMatteo Meucci, Andrew Mullermatteo.meucci@owasp.org; Andrew MullerThe OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.Jeff WilliamsDecember, 2008December, 2008https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdfV.4 table of contents finished. A majority of the sections have been written.
BreakerVerificationFOWASP Top Ten ProjectDocumentationCreative Commons Attribution ShareAlike License V3.0owasp-toptenhttps://www.owasp.org/index.php/Category:OWASP_Top_Ten_ProjectDave Wichersdave.wichers@owasp.orgThe OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.Dave Wichers, Jeff WIlliamsJanuary, 2015June, 2013https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_20132/1/2015
BreakerVerificationLOWASP Broken Web Applications ProjectToolGNU General Public License version 2.0 (GPLv2)NONEhttps://www.owasp.org/index.php/OWASP_Broken_Web_Applications_ProjectChuck Willischuck@securityfoundry.comA collection of vulnerable web applications that is distributed on a Virtual Machine.Doug WilsonChuck WillisJuly, 2014https://www.owasp.org/images/1/1f/Project_Status_Report_-_Broken_Web_Applications_Project.pdf9/27/2013http://sourceforge.net/projects/owaspbwa/files/October, 2014Project must update key info on wiki to become candidate flagship.
OtherVerificationLOWASP EnDe ProjectToolGNU General Public License version 2.0 (GPLv2)owasp-ende-projecthttps://www.owasp.org/index.php/Category:OWASP_EnDeAchim Hoffmannachim@owasp.orgEncoder, Decoder, Converter, Transformer, Calculator, for various codings used in the wild wide web. Collection of functions (herein called actions) for various codings, encodings, decodings and convertions. The aim is/was mainly driven by the requirements for HTTP/HTML-based functionality.NAAchim HoffmannJuly, 2014https://www.owasp.org/images/7/76/Project_Status_Report-EnDe.pdfJune, 2012http://ende.my-stp.net/EnDe-1.0rc12.tgzJanuary, 2015Project will keep LAB status.
BreakerVerificationLOWASP Hackademic Challenges ProjectToolApache License V2.0owasp-hackademic-challengeshttps://www.owasp.org/index.php/OWASP_Hackademic_Challenges_ProjectKonstantinos Papapanagiotou
Spyros Gasteratos
Andreas Venieris
anast@owasp.gr, konstantinos@owasp.orgThe Hackademic Challenges is an open source project that can be used to test and improve one's knowledge of web application security.Alex Papanikolaou
Vasileios Vlachos
Anastasios Stasinopoulos
Anastasios Stasinopoulos, Andreas Venieris (Core Developer)July, 2014https://www.owasp.org/images/8/84/Project_Status_Report-Hackademics.pdfFebruary, 2011https://code.google.com/p/owasp-hackademic-challenges/downloads/listOctober, 2014Project must update key info on wiki to become candidate flagship.
BreakerVerificationLOWASP Mantra Security FrameworkToolGNU General Public License version 3.0 (GPLv3)owasp-mantrahttps://www.owasp.org/index.php/OWASP_Mantra_-_Security_FrameworkAbhi M BalaKrishnanabhi@getmantra.comMantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers,security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.Yashartha ChaturvediAbhi M BalaKrishnanJuly, 2014https://www.owasp.org/images/a/ab/Project_Status_Report-MantraFramework.pdfJanuary, 2013http://sourceforge.net/projects/getmantra/October, 2014This project will keep it's LAB status for now.
BreakerVerificationLOWASP O2 PlatformToolApache License V2.0owasp-o2-platformhttps://www.owasp.org/index.php/OWASP_O2_PlatformDinis Cruzdinis.cruz@owasp.orgCollection of Open Source modules that help Web Application Security Professionals to maximize their efforts and quickly obtain high visibility into an application's security profile.NADinis CruzJuly, 2014https://www.owasp.org/images/4/4c/Project_Status_Report_-OWASP_O2.pdfApril, 2013https://o2platform.googlecode.com/files/O2%20Platform%20-%20Main%20O2%20Gui%20v5.3.exeJanuary, 2014
BreakerVerificationLOWASP Vicnum ProjectToolCreative Commons Attribution ShareAlike License V3.0owasp-vicnum-projecthttps://www.owasp.org/index.php/Project_Information:template_Vicnum_ProjectMordecai Kraushar; Nicole BecherMordecai.Kraushar@owasp.org; Nicole.Becher@owasp.orgA lightweight vulnerable web application based on a game played to kill time. It demonstrates common web application vulnerabilities such as cross site scripting . Vicnum is especially helpful to IT auditors who need to hone web security skills.Nicole BecherMordecai KrausharJuly, 20147/16/2012http://sourceforge.net/projects/vicnum/files/October, 2014Project must update key info on wiki to become candidate flagship.
BreakerVerificationFOWASP OWTFToolBSD Licenseowasp_owtfhttps://www.owasp.org/index.php/OWASP_OWTFAbraham ArangurenAbraham.Aranguren@owasp.orgThe Offensive (Web) Testing Framework is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient.
Please see:
Adi Mutu
Alessandro Fanio Gonzalez
Anant Shrivastava
Andrés Riancho
Ankush Jindal
Assem Chelli
Bharadwaj Machiraju
Chema Alonso
Chris John Riley
Christian Mehlmauer
Deep Shah
José Carlos Luna
Krzysztof Kotowicz
Marc Wickenden
Mario Heiderich
Marios Kourtesis
Michael Kohl
Nicolas Gégoire
Robert Hansen
Sandro Gauci
Xavier Mertens
Abraham ArangurenJuly, 2014https://www.owasp.org/images/8/8e/Project_Status_Report-OWTF.pdfJanuary, 2014https://github.com/owtf/owtfOctober, 2014Most info has being update.Project ha sbeing set to Flagship status
BreakerVerificationLOWASP Web Testing Environment ProjectToolGNU General Public License version 3.0 (GPLv3)web-testing-environmenthttps://www.owasp.org/index.php?title=OWASP_Web_Testing_Environment_ProjectMatt Tesauromatt.tesauro@owasp.orgThis CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suiteBrad Causey
Nishi Kumar
Drew Beebe
Matt TesauroJuly, 2014https://www.owasp.org/images/4/45/Project_Status_Report-WebTestingFramework.pdfOctober, 2012http://appseclive.org/downloads/September, 2014Project to be considered a candidate flagship project.
BreakerVerificationLOWASP WebGoat ProjectToolGNU General Public License version 2.0 (GPLv2)owasp-webgoathttps://www.owasp.org/index.php/WebgoatBruce Mayhewwebgoat@owasp.orgThe primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.Abbas NaderiBruce MayhewJuly, 2014https://www.owasp.org/images/2/28/Project_Status_Report-WebGoat-2.pdf10/1/2013https://github.com/mayhew64/webgoatJanuary, 2014
BreakerVerificationLOWASP Zed Attack ProxyToolApache License V2.0NONEhttps://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_ProjectPsiinonpsiinon@gmail.comThis project provides an easy to use integrated penetration testing tool for testing web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.Simon BennettsJuly, 20145/21/2014https://code.google.com/p/zaproxy/wiki/Downloads?tm=2September, 2014Project to be considered a candidate flagship project.
OtherVerificationLO-SaftToolGNU GPL v2O-Safthttps://www.owasp.org/index.php/O-SaftAchim Hoffmannachim@owasp.orgThis tools lists information about remote target's SSL certificate and tests the remote target's SSL connection according given list of ciphers and various SSL configurations.

----- Not part of the brief description, but to get the idea:
The tool currently combines the functionality of some existing tools (sslscan, ssltest.pl sslaudit.pl, ssllyze, ...). It's prepared to make more intensive tests, that's where I expect
help from the community.
NAAchim HoffmannN/AJanuary, 2014https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz
Builder/DefenderVerificationLOWASP Dependency CheckToolAPL 2.0OWASP_Dependency_Checkhttps://www.owasp.org/index.php/OWASP_Dependency_CheckJeremy Longjeremy.long@owasp.orgDependencyCheck is a utility that attempts to detect publicly disclosed
vulnerabilities contained within a Java projects dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
Steve Springett
Will Stranathan
Jeremy LongN/ASeptember, 2014https://github.com/jeremylong/DependencyCheckGraduated to LAB status September, 2014.
BuilderConstructionIOWASP Java Encoder ProjectCodeBSD Licenseowasp-java-encoder-projecthttps://www.owasp.org/index.php/OWASP_Java_Encoder_ProjectJeff Ichnowskijeff.ichnowski@gmail.comThis project is a simple-to-use drop-in encoder class with little baggage.Jeremy LongJeff IchnowskiN/AFebruary, 2014https://code.google.com/p/owasp-java-encoder/
BuilderConstructionIOWASP JSON SanitizerCodeApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_JSON_Sanitizerhttps://www.owasp.org/index.php/OWASP_JSON_SanitizerMike Samuelmikesamuel@gmail.com"As described at http://code.google.com/p/json-sanitizer/

Given JSON-like content, converts it to valid JSON.

This can be attached at either end of a data-pipeline to help satisfy Postel's principle:

be conservative in what you do, be liberal in what you accept from others
Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use.

Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML."
Jim ManicoMike SamuelN/A7/5/2014https://code.google.com/p/json-sanitizer/downloads/detail?name=json-sanitizer-2012-10-17.jar&can=2&q=
BuilderConstructionIOWASP PassfaultCodeGNU LGPL v3owasp_passfaulthttps://www.owasp.org/index.php/OWASP_PassfaultCam Morriscam.morris@owasp.orgPassfault evaluates password strength and enforces password policy. It identifies patterns in a password then enumerates how many passwords fit within the identified patterns. This approach is more accurate and more intuitive. It allows administrators to know and control password risk, instead of hoping that users will create strong passwords.Neeti Pathak
Carlos Vasquez
Chelsea Metcalf
Yang Ou
Cam MorrisN/AMarch, 2014https://github.com/c-a-m/passfault/releases
IOWASP Java File I/O Security ProjectCodeApache 2.0 LicenseOWASP_Java_File_I_O_Security_Projecthttps://www.owasp.org/index.php/OWASP_Java_File_I_O_Security_ProjectAugust DetlefsenAugust.Detlefsen@owasp.orgThe goal of this project is to extract the file handling portions out of the ESAPI validators and make them available in an easy to use library that has no dependencies.NAAugust DetlefsenNAProject is still new, with no release yet.
BuilderConstructionIOWASP Security Research and Development FrameworkCodeGNU GPL v2OWASP_Security_Research_and_Development_Frameworkhttps://www.owasp.org/index.php/OWASP_Security_Research_and_Development_FrameworkAmr ThabetAmr.Thabet@owasp.orgThis is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.
NAAmr ThabetN/ANovember, 2012https://github.com/AmrThabet/winSRDFWas inactivated due to lack of activity, but was reactivated at the project leaders request. Keep an eye on this project to make sure they are producing updates.
BuilderConstructionIOWASP PHPRBAC ProjectCodeCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_PHPRBAChttps://www.owasp.org/index.php/OWASP_PHPRBAC_ProjectAbbas Naderiabbas.naderi@owasp.orgPHPRBAC is a standard NIST Level 2 Hierarchical Role Based Access Control library implemented as a library for PHP. It allows perfectly maintainable function-level access control for enterprise and small applications or even frameworks alike.
Since implementation of NIST Level 2 Hierarchical RBAC is quite complicated, there are very few similar libraries and most of them do not adhere to standards. PHP RBAC is one of the fastest implementations (relying on a SQLite or MySQL backend) and has been tested in industry for more than three years.
A team of volunteer Etebaran Informatics developers
Jesse Burns
Jeffrey N. Carre
Abbas NaderiN/AMarch, 2014http://sourceforge.net/projects/phprbac/
BuilderConstructionIOWASP EJSF ProjectCodeGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_EJSF_Projecthttps://www.owasp.org/index.php/OWASP_EJSF_ProjectProf.Dr.Benoistemmanuel.benoist@bfh.chModern web application frameworks have made it easy to develop high quality web applications, but developing a secure application still requires programmers to possess a deep understanding of security vulnerabilities and attacks. Sometimes it is difficult for an experienced developer to find and eliminate all the vulnerabilities. This demo represents the JSF-ESAPI framework based on JSF2.0 and OWASP ESAPI. It helps developers write a secure and lower-risk JSF based on a web application with minimal configuration and without extensive prior knowledge of the web security. The figure below shows a complete integration of the JSF-ESAPI framework with JSF2.0 and ESAPI. It works as a middleware and consists of four important modules. ESAPI Validation is the first module which verifies the user input as given in the XSS prevention cheat sheet provided by OWASP. It consists of many user-defined validator tags and generates appropriate error messages if the user input is not valid. In this way it performs a strong validation.
There are also some tags available in the correspondence validators in ESAPI, and they also filter the XSS relevant code from the input. The file-based authorization module simplifies the user’s role, such as admin, user, etc. and gives the permission to visualize certain components at the
presentation layer based on assigned roles. ESAPI Filtering layer compares the valid form token with tokens stored in the session for that user. If the token is mitigated or changed by man in the middle during the process of a request-response exchange, it will give the appropriate exception.
The last module is a render module, which renders the output after filtering the XSS content and encodes the vulnerable characters such as <,>,”,’ etc. as given in the XSS prevention cheat sheet provided by OWASP.
[JSF-ESAPI Complete Architecture]This framework will help developers to prevent a myriad of security problems including cross-site scripting, cross-site request forgery, automatic input validation, and automatic output
validation with escaped “true” or without this parameter, authorization. All the features are included in one framework.
(1) It requires minimal configuration to use the framework.
(2) It ensures retrofit security in the existing application.
(3) It provides the same performance as JSF framework.
(4) Automatic filtering of the XSS vulnerable code from output takes place when escape equals true” or “false”.
(5) The input validation is easy and no additional coding is required.
(6) It has a layered architecture. It uses what you need and leaves what you don’t need at the moment.
(7) One framework includes the most secure features.
Rakeshkumar Kachhadiya
Matthey Samuel
Prof.Dr. Emmanual BenoistN/A10/1/2013http://security4web.ch/OWASP/esapi_final.jar
IOWASP iMAS - iOS Mobile Application Security ProjectCodeApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_iMAS_iOS_Mobile_Application_Security_Projecthttps://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_ProjectGregg Ganleygganley@mitre.org, Gregg.Ganley@owasp.orgiMAS – iOS secure application framework to reduce iOS application vulnerabilities and information loss

iMAS and its first open source static security controls for download and use in iOS applications. Visit and browse our project to find out more; download and give it a try. Once you do, tell us what you think or better yet, get involved and participate!


iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the System Passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques.
NAGregg GanleyN/ADecember, 2013http://project-imas.github.ioThis project is active, but there have been no updates or releases on the wiki page. It looks like the project still loosely affiliates with OWASP, and the project is active at AppSec events, but I'm not sure it can really be considered an OWASP project anymore.
IOWASP RBAC ProjectCodeApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_RBAC_Projecthttps://www.owasp.org/index.php/OWASP_RBAC_ProjectAbbas Naderiabiusx@owasp.orgThe RBAC project aims to port and promote standard NIST Level 2 RBAC implementations, currently the PHP version is available as a separate project.NAAbbas NaderiN/AThere have been no updates to the wiki page, though this is an active project.
IOWASP PHP Security ProjectCodeCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_PHP_Security_Projecthttps://www.owasp.org/index.php/OWASP_PHP_Security_ProjectAbbas NaderiAbbas.Naderi@owasp.orgOWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.Rahul Chaudhary
Abhishek Das
Shivam Dixit
Zaki Akhmad
Paulo Guerreiro
Abbas NaderiN/AJune, 2014http://github.com/OWASP/phpsec/archive/master.zip
IOWASP Node.js Goat ProjectCodeApache 2.0OWASP_Node_js_Goat_Projecthttps://www.owasp.org/index.php/OWASP_Node_js_Goat_ProjectChetan KarandeChetan.Karande@owasp.orgNode.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.Chetan Karande
Karl Düüna
Andri Möll
Jaap Karan Singh
Michael Ficarra
Thomas Blaesing
Chetan KarandeN/AMay, 2014https://github.com/OWASP/NodeGoat
IOWASP System Vulnerable Code ProjectCodeGNU LGPL v3 LicenseOWASP_System_Vulnerable_Code_Projecthttps://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_ProjectShezan DhakaShezan@owasp.orgThis project aims to develop a security application for checking the security stress and find out the vulnerabilities of the system. This tool also can find out the application vulnerability. I want to make a advanced security tools with exploits and payloads. It will help us to find the vulnerabilities of web application and desktop application both. I will include here more than 1000 exploits and 500 payloads and 30 encoder and some scripts to check the security stress of encrypted data.Ajin
Mehedi Hasan Shuvo
Shezan DhakaN/Ahttp://lappyframework.blogspot.comThis project has been set up to create another tool entirely. There has only been one update on the project and that was in December. The update was a set up of a blogspot stating the intention of creating the tool. I don't think this project has much of a goal in being an OWASP project. I have emailed the project leader asking for clarification.
IOWASP ISO IEC 27034 Application Security Controls ProjectCodeGNU LGPL v3 LicenseOWASP_ISO_IEC_27034_Application_Security_Controls_Projecthttps://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_ProjectJonathan MarcilJonathan.Marcil@owasp.orgConversion of OWASP related documentation and best practices, such as the OWASP Top 10, into Application Security Controls (ASCs) as defined in ISO/IEC 27034. This will enable 27034 stakeholders to use the formal structure of OWASP content.Bruno Guay
Daniel Sinnig
Luc Poulin
Jonathan MarcilN/ANo release yet.
IOWASP Secure Headers ProjectCodeApache 2.0 LicenseOWASP_Secure_Headers_Projecthttps://www.owasp.org/index.php/OWASP_Secure_Headers_ProjectJosh MatzJosh.Matz@owasp.orgSetting headers from the server is easy and often doesn't require any code changes. Once set, they can restrict modern browsers from running into easily preventable vulnerabilities. Secure Headers intends to raise awareness and use of these headers.Jim ManicoJosh MatzNANo release yet.
IOWASP Hardened Phalcon ProjectCodeMIT LicenseOWASP_Hardened_Phalconhttps://www.owasp.org/index.php/OWASP_Hardened_Phalcon_ProjectRhodry KorbRhodry.Korb@owasp.orgThe Phalcon Framework is the world's fastest PHP Framework, however like most frameworks it is not 'hardened' by default. OWASP Hardened Phalcon aims to help developers harden their Phalcon applications in-line with the published OWASP guidelines.NARhodry KorbNANo release or updates. Project leader has been contacted for updates. Will inactivate if no updates are made or if project leader doesn't respond.
IOWASP Faux Bank ProjectCodeApache 2.0 Licenseowasp_faux_bankhttps://www.owasp.org/index.php/OWASP_Faux_Bank_ProjectDavie Elliottdavie.elliott@owasp.orgFaux bank has all 10 of the top vulnerabilities implemented, as well as fixes for these vulnerabilities. The idea is that developers can see a real-world system with vulnerabilities, so that they can see what to look for and how to write secure codeNADavie ElliottNAJuly, 2014
BreakerVerificationIOWASP Java HTML Sanitizer ProjectToolBSD Licenseowasp-java-html-sanitizerhttps://www.owasp.org/index.php/OWASP_Java_HTML_SanitizerMike Samuel, Jim Manicomikesamuel@gmail.com, jim@owasp.orgThis is a fast Java-based HTML Sanitizer which provides XSS protection.NAMike SamuelN/A7/2/2014https://code.google.com/p/owasp-java-html-sanitizer/downloads/detail?name=owasp-java-html-sanitizer-r226.zip&can=2&q=
BreakerVerificationIOWASP Java XML Templates ProjectToolBSD Licenseowasp-java-xml-templateshttps://www.owasp.org/index.php/OWASP_Java_XML_Templates_ProjectJeff Ichnowskijeff.ichnowski@gmail.comA fast and secure XHTML-compliant template language that runs on a model similar to JSP.NAN/A2/1/2011https://code.google.com/p/owasp-jxt/downloads/detail?name=jxt-1.0-RC1.zip&can=2&q=Project hasn't had activity on the wiki page or in the code page, but an Openhub account has been created.
BreakerVerificationIOWASP NAXSI ProjectToolGNU General Public License version 2.0 (GPLv2)owasp-naxsi-projecthttps://www.owasp.org/index.php/OWASP_NAXSI_ProjectThibault "bui" Koechlinbui@nbs-system.comThis is an open source, high performance, low rules maintenance, Web Application Firewall module for Nginx, the infamous web server and reverse-proxy.Sebastien Blot
Antonin Le Faucheux
Didier Conchaudron
Sofian Brabez
Thibault "bui" KoechlinN/AJune, 2014https://github.com/nbs-system/naxsiProject is putting out releases and updates regularly, but has not updated the project wiki page in some time.
BreakerVerificationIOWASP WebGoat.NETToolGNU General Public License version 3.0 (GPLv3)https://www.owasp.org/index.php/Category:OWASP_WebGoat.NETJerry Hoffjerry.hoff@owasp.orgWebGoat.NET is a purposefully broken ASP.NET web application. It contains many common vulnerabilities, and is intended for use in classroom environments.N/A.Jerry HoffN/A5/1/2013https://github.com/OWASP/WebGoat.NET/tree/VS_2010
BreakerVerificationIOWASP Path TraverserToolAttribution-NonCommercial-NoDerivs 3.0 Unported (CC BY-NC-ND 3.0)OWASP_Path_Traverserhttps://www.owasp.org/index.php/OWASP_Path_TraverserTal MelamedTal.Melamed@owasp.orgPath Traverser is a tool for security testing of web applications.
It simulates a real Path Traversal attack, only with actual existing files.

It operates as a middleman between the web application and its host server, which gives the ability to test the actual files as found on the host server against the application, according to their relevant path.

After you have provided the relevant details, Path Traverser will connect (FTP) to your host server in order to pull out the list of files.
Then, it manipulates the list taken from the file system so it will fit the web application by changing their paths.

If your application can be found at: http://mysrvr:777/home
and the application files can be found in the file system under: myapps/demoapp/client/version/lastversion/, requests for files under: /myapps/demoapp/client/version/1.1/ will be created as: http://mysrvr:777/home/../1.1/ and requests for files under /myapp/differentapp/files/ will be created as: http://mysrvr:777/home/../../../../differentapp/files/, etc...

After that, Path Traverser will start sending these requests one by one and log the results by the HTTP response code selected.

A configuration for excluding/including specific file types is available.
N/ATal MelamedN/A4/1/2013https://github.com/nu11p0inter/PathTraverserNo project release for over a year, and no updates to the project wiki page. However, the project has an Openhub account.
BreakerVerificationIOWASP WatiqayToolGNU GPL v2OWASP_Watiqayhttps://www.owasp.org/index.php/OWASP_WatiqayCarlos Ganoza PlasenciaCarlos.Ganoza@owasp.orgPrevents layer 7 attacks on various websites where the client service is running, will have the capacity to restore the vulnerable websites and will have a continuous warning system in a personalized way.N/ACarlos Ganoza PlasenciaN/A4/1/2014Project was released at LATAM 2014, but there is no link on the wiki and no updates on the wiki page for over a year. The project also has an Openhub account.
BreakerVerificationIOWASP Security ShepherdToolGNU GPL v3OWASP_Security_Shepherdhttps://www.owasp.org/index.php/OWASP_Security_ShepherdMark DenihanMark.Denihan@owasp.orgSecurity Shepherd is a security aware in depth project. Designed with the aim of fostering security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills.N/AMark DenihanN/A7/18/2014http://sourceforge.net/projects/owaspshepherd/files/
BreakerVerificationIOWASP Xenotix XSS Exploit FrameworkToolCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_Xenotix_XSS_Exploit_Frameworkhttps://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_FrameworkAjin AbrahamAjin.Abraham@owasp.orgXenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. This tool can inject code into webpages which are vulnerable to XSS. It is basically a payload list based XSS Scanner. It provides a penetration tester the ability to test all the possible XSS payloads available in the payload list against a web application with ease. The tool supports both manual mode and automated time sharing based test modes. It includes an XSS encoder, a victim side keystroke logger, and an Executable Drive-by downloader.N/AAjin AbrahamN/A2/1/2014http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar
BreakerVerificationIOWASP Mantra OSToolCreative Commons Attribution ShareAlike 3.0 LicenseOWASP_Mantra_OShttps://www.owasp.org/index.php/OWASP_Mantra_OSGregory Disney-LeugersGregory.Disney@owasp.orgChromium OS is a safe, fast and secure sand-boxed OS. This makes it ideal to continue on the OWASP Mantra security toolkit project by completing it as an operating system.Matt Tesauro
Abhi BalaKrishnan
Kait Disney-Leugers
Gregory Disney-LeugersN/A10/1/2013http://sourceforge.net/projects/mantraos/New release for this project will be out this fall.
BreakerVerificationIOWASP iGoat ProjectToolGNU General Public License version 3.0 (GPLv3)owasp-igoat-projecthttps://www.owasp.org/index.php/OWASP_iGoat_ProjectKenneth R. van Wykken@krvw.comiGoat is a learning tool for iOS developers (iPhone, iPad, etc.). As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.Jonathan CarterKenneth R. van WykN/A4/9/2014https://drive.google.com/folderview?id=0B4JD0hBwn1-uZmJXU0pfdEUtdlE&usp=sharing
BreakerVerificationIOWASP BricksToolApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_Brickshttps://www.owasp.org/index.php/OWASP_BricksAbhi M Balakrishnanabhi.balakrishnan@owasp.orgBricks, a deliberately vulnerable web application built on PHP & MySQL focuses on variations of commonly seen application security vulnerabilities & exploits, which can be exploited using tools (Mantra & ZAP). The mission is to 'break the bricks'.NAAbhi M BalakrishnanN/ANovember, 2013http://sechow.com/bricks/download.html
BreakerVerificationIOWASP Hive ProjectToolCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_Hive_Projecthttps://www.owasp.org/index.php/OWASP_Hive_ProjectJason JohnsonJason.Johnson@owasp.orgWe have a hive network that hosts a dashboard with the attitude of the hive and the Internet by using data mined from Twitter and others. Maybe we can incorporate tools like ZAP or any of the others into this. The thing is we sell this not to make money but to establish a statistics and data rich network. The fact that it costs $35 with a case that has a WASP on it, maybe a bit more. With the push of global security of our assets there is not a better time. I would not ask any other group but OWASP; this foundation is the smarts of the net. We can make something that is both supportive of our cause and a huge data rich Internet HIVE that if it's kicked we know why.OSU
Oklahoma City (The 404)
Jason JohnsonN/AReached out to project leader for project status. There is no release link or recent updates.
IOWASP Rails Goat ProjectToolApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_Rails_Goathttps://www.owasp.org/index.php/OWASP_Rails_Goat_ProjectKen JohnsonKen.Johnson@owasp.orgThis is a Rails application which is vulnerable to the OWASP Top 10. It is intended to show how each of these categories of vulnerabilities can manifest themselves in a Rails-specific way as well as provide the subsequent mitigations for each.NAKen JohnsonN/A4/1/2014https://github.com/OWASP/railsgoat
IOWASP Bywaf ProjectToolGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_Bywaf_Projecthttps://www.owasp.org/index.php/OWASP_Bywaf_ProjectRafael Gil Lariosrafael.gillarios@owasp.orgDevelop an application that speeds up an auditor's work when performing a PenTest; its main function is to "detect, evade and return a result (vulnerability)" using known code injection methods and others developed by the team members over the course of their professional careers.Adar Grof
Chris Luciano
Luis Brauer
Adan Bazan
Rafael Gil LariosN/A4/29/2014https://github.com/depasonico/bywaf-owasp
IOWASP Mutillidae 2 ProjectToolGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_Mutillidae_2_Projecthttps://www.owasp.org/index.php/OWASP_Mutillidae_2_ProjectJeremy DruinJeremy.Druin@owasp.orgNOWASP (Mutillidae) is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts. NOWASP (Mutillidae) can be installed on Linux and Windows using LAMP, WAMP, and XAMPP for users who do not want to administrate a webserver. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on pre-installed platforms. With dozens of vulns and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.NAJeremy DruinN/AMarch, 2014http://sourceforge.net/projects/mutillidae/files/
IOWASP SeraphimDroid ProjectToolGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_SeraphimDroid_Projecthttps://www.owasp.org/index.php/OWASP_SeraphimDroid_ProjectNikola Miloševićnikola.milosevic@owasp.orgSeraphimDroid is an educational application for Android devices that helps users learn about risks and threats coming from other Android applications. SeraphimDroid scans your devices and teaches you about risks and threats coming from application permissions. This project will also deliver a paper on Android permissions, their regular use, risks and malicious use. In the second version SeraphimDroid will evolve into an application firewall for Android devices, not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be made without user permission and knowledge.Aleksandar Abu Samra
Chetan Karande
Ali Tekeoglu
Furquan Ahmed
Nikola MiloševićN/AJuly, 2014https://github.com/nikolamilosevic86/owasp-seraphimdroid
IOWASP Androïck ProjectToolGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_Androick_Projecthttps://www.owasp.org/index.php/OWASP_Androick_ProjectFlorian PradinesFlorian.Pradines@owasp.orgAndroïck is a tool that allows any user to analyze an application. It can get the apk file, all the data and the databases in sqlite3 and csv format.Ely de TraviesoFlorian PradinesN/AMay, 2014http://sourceforge.net/projects/androick/files/Release-2.0/No updates to the wiki page in over a year, but the download link does go to the latest release.
IOWASP Dependency Track ProjectToolGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_Dependency_Track_Projecthttps://www.owasp.org/index.php/OWASP_Dependency_Track_ProjectSteve SpringettSteve.Springett@owasp.orgDependency-Track is a Java web application that allows organizations to document the use of third-party components across multiple applications and versions.Nikhil Chitlur NavakiranSteve SpringettN/AMay, 2014https://github.com/stevespringett/dependency-track
IOWASP PHP Portscanner ProjectToolGNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces)https://lists.owasp.org/mailman/listinfo/owasp_php_portscanner_projecthttps://www.owasp.org/index.php/OWASP_PHP_Portscanner_ProjectBhavesh NaikBhavesh.Naik@owasp.org; bhavesh_shouts@yahoo.comThe project is a simple PoC on how PHP sockets can be used as a security tool to perform port scanning.

The PHP port scanner runs in a web browser (not limited to the browser, but can run in the CLI with a few tweaks).

No hardcore knowledge of PHP is required to construct this scanner, only the basics will do just fine!
Saurabh Chandrakant NemadeBhavesh NaikN/AJanuary, 2014https://www.owasp.org/images/1/11/O3P_v2.zip
IOWASP Python Security ProjectToolApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_Python_Security_Projecthttps://www.owasp.org/index.php/OWASP_Python_Security_ProjectEnrico BrancaEnrico.Branca@owasp.orgPython Security is a free, open source project that aims at creating a hardened version of Python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.
The project is designed to explore how web applications can be developed in Python by approaching the problem from three different angles:
- Security in Python: white-box analysis, structural and functional analysis
- Security of Python: black-box analysis, identify and address security-related issues
- Security with Python: develop security hardened Python suitable for high-risk and high-security environments
NAEnrico BrancaN/AJune, 2014https://github.com/ebranca/owasp-pysec
IOWASP WebSpa ProjectToolGNU GPL_v3OWASP_WebSpa_Projecthttps://www.owasp.org/index.php/OWASP_WebSpa_ProjectOliver Merki
oliver.merki@ubs.com; Oliver.Merki@owasp.org
This project implements the concept of web spa, by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.
Yiannis Pavlosoglou
Patryk Arciszewski
Paweł Goleń
Joël Rouiller
Oliver MerkiN/A4/27/2014http://sourceforge.net/projects/webspa/
IOWASP NINJA PingU ProjectToolGNU LGPL v3 LicenseOWASP_NINJA_PingU_Projecthttps://www.owasp.org/index.php/OWASP_NINJA_PingU_ProjectGuifre RuizGuifre.Ruiz@owasp.orgNINJA Pingu will be a high performance host enumerator tool for scanning purposes. It will allow users to enumerate services in networks very fast.NAGuifre RuizN/AJanuary, 2014https://github.com/OWASP/NINJA-PingU/archive/v1.0.1.tar.gz
IOWASP Encoder Comparison Reference ProjectToolApache 2.0 LicenseOWASP_Encoder_Comparison_Reference_Projecthttps://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_ProjectStephanie TanStephanie.Tan@owasp.orgQuick reference for how ESAPI and other framework and native language encoding methods work against ASCII characters. [UPDATE: Added link to working demo]

Web 2.0 web application that allows users to choose which encoder libraries to compare. It should compare ESAPI as well as other

Deliverable includes the source code to the web application
Hosted version so that folks can access this tool without needing to download, install, configure, etc.
NAStephanie TanN/A2/11/2014https://github.com/boldersecurity/encoder-comparison-reference
IOWASP SQLIX ProjectToolCreative Commons Attribution ShareAlike 3.0 Licenseowasp-sqlixhttps://www.owasp.org/index.php/Category:OWASP_SQLiX_ProjectAdopted by Anirudh AnandAnirudh.Anand@owasp.orgSQLiX, coded in Perl, is a SQL Injection scanner, able to crawl, detect SQL injection vectors, identify the back-end database and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different from the ones used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn't need to reverse engineer the original SQL request (using only function calls).NACedric Cochin, Eric SheridanN/A2008http://cedri.cc/tools/SQLiX_v1.0.tar.gz
Recently adopted. The last release was from 2008.
BreakerVerificationIOWASP Orizon ProjectToolGNU General Public License version 3.0 (GPLv3)owasp-orizonhttps://www.owasp.org/index.php/Category:OWASP_Orizon_ProjectGregory Disney-LeugersGregory.Disney@owasp.orgUnlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS is based on generic rules which focus on attack payload identification in order to provide protection from zero day and unknown vulnerabilities often found in web applications, which are in most cases custom coded.NAPaolo PeregoN/ASeptember, 2008Recently adopted. The last release was from September, 2008.
IOWASP WASC Distributed Web Honeypots ProjectToolApache 2.0 LicenseOWASP_WASC_Distributed_Web_Honeypots_Projecthttps://www.owasp.org/index.php/OWASP_WASC_Distributed_Web_Honeypots_ProjectRyan BarnettRyan.Barnett@owasp.orgThe goal of the Distributed Web Honeypot (DWH) Project is to identify emerging attacks against web applications and report them to the community including automated scanning activity, probes, as well as, targeted attacks against specific web apps.NARyan BarnettN/A
IOWASP Click Me ProjectToolApache 2.0 LicenseOWASP_Click_Me_Projecthttps://www.owasp.org/index.php/OWASP_Click_Me_ProjectArun KumarArun.Kumar@owasp.orgClickjacker will check if the target web page URL (involving sensitive data) is vulnerable to Clickjacking by creating an HTML page, i.e. whether it can be loaded from a frame. If your site is vulnerable to Clickjacking then the page will get loaded in a frame.Samantha GrovesArun KumarN/AMarch, 2014https://github.com/beingArunkumar/OWASP-ClickMe/releases/download/v1.0/OWASPClickMe.zip
IOWASP Secure TDD ProjectToolApache 2.0 LicenseOWASP_Secure_TDD_Projecthttps://www.owasp.org/index.php/OWASP_Secure_TDD_ProjectNir Valtmannir.valtman@owasp.orgThis project should contain a tool that allows creating security unit tests as part of the Test Driven Development (TDD) process. The output of this page is documentation about the process and an open source Visual Studio add-on. Today in the agile development world, many streams are based on Test Driven Development (TDD). This project presents an approach to reuse this concept in the context of security.Lauren Tabak
Niran Yadai
Tal Darsan
Ofir Melinger
Kobi Barzilay
Nir ValtmanN/AJune, 2014https://github.com/SecureTDD/VisualStudio
IOWASP XSecurity ProjectToolGNU General Public License version 3.0 (GPLv3)OWASP_XSecurity_Projecthttps://www.owasp.org/index.php/OWASP_XSecurity_ProjectTokuji AkamineTokuji.Akamine@owasp.orgXSecurity is a security plugin in Xcode plus clang static analyzer checkers for iOS application development. This plugin aims to reduce the vulnerability made during development by detecting the vulnerability as it is being created.Raymund PedraitaTokuji AkamineN/AApril, 2014https://github.com/XSecurity
IOWASP Pyttacker ProjectToolGNU General Public License version 3.0 (GPLv3)OWASP_Pyttacker_Projecthttps://www.owasp.org/index.php/OWASP_Pyttacker_ProjectMario Roblesmario.robles@owasp.orgPyttacker is a portable Web Server that includes the features needed by every Pentester when creating reports, helping to create PoCs that show a more descriptive way to create awareness in businesses by demonstrating realistic but inoffensive "attacks" included as part of the tool.NAMario RoblesN/A4/26/2014https://github.com/RoblesT/pyttacker/archive/master.zip
IOWASP Code Pulse ProjectToolApache 2.0 LicenseOWASP_Code_Pulse_Projecthttps://www.owasp.org/index.php/OWASP_Code_Pulse_ProjectHassan RadwanHassan.Radwan@owasp.orgCode Pulse is a tool that provides insight into the real-time code coverage of black box testing activities. Code Pulse is a software tool, and as such will be delivered as downloadable software that users can run on their systems. Our intent is to be a cross-platform application that runs on Windows, OS X, and Linux.NAHassan RadwanN/A5/28/2014https://github.com/secdec/codepulse/releases
BreakerVerificationIOWASP HTTP POST ToolToolGNU General Public License version 3.0 (GPLv3)owasp-http-post-toolhttps://www.owasp.org/index.php/OWASP_HTTP_Post_ToolTom Brennantomb@owasp.orgThis QA tool was created to allow you to test your web applications for availability concerns from HTTP GET and HTTP POST denial of service attacks.NATom BrennanN/A12/1/2010https://github.com/proactiveRISK/ddos-toolboxVersion 4.0 currently in the works.
IOWASP PHP Security Training ProjectToolGNU GPL v3 Licenseowasp_php_security_training_project@lists.owasp.orghttps://www.owasp.org/index.php/OWASP_PHP_Security_Training_ProjectTimo Pageltimo.pagel@owasp.orgThe goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part.NATimo PagelN/AMay, 2014https://bitbucket.org/tpagel/php-security-training-system
IOWASP iOSForensicToolGNU GPL v3owasp_ios_forensic_projecthttps://www.owasp.org/index.php/Projects/OWASP_iOSForensicFlorian Pradines, Ely de TraviesoFlorian.Pradines@owasp.org, e.detravieso@phonesec.comOWASP iOSForensic is a python tool to help in forensics analysis on iOS.
It gets files and logs, extracts sqlite3 databases and uncompresses .plist files to XML.
NAFlorian PradinesN/A6/9/2014https://github.com/Flo354/iOSForensic/releases/tag/1.0
IOWASP Project MetricsToolGNU GPL v3https://www.owasp.org/index.php/OWASP_Project_MetricsFederico Figusfigus.federico@gmail.comThe goal of this project is to create an automated tool able to connect to the majority of distributed version control systems (DVCS) and generate data to measure project activity and quality using metrics and standard practices.NAFederico FigusN/AN/AProject was created in June. No release yet.
IOWASP Store Sheep ProjectToolGNU GPL v3owasp_store_sheep@lists.owasp.orghttps://www.owasp.org/index.php/OWASP_Store_Sheep_ProjectMarion McCunemarion.mccune@owasp.orgStore Sheep is a training app for Developers wishing to learn to securely code a Windows Store ('Metro Style') App, and Testers wanting to learn to test one. It contains a number of security vulnerabilities with explanations and fixes for them.NAMarion McCuneN/AN/AProject was created in June, but there have been no updates since then. Status update has been requested from project leader.
IOWASP SonarQube ProjectToolApache 2.0 Licenseowasp_sonarqube@lists.owasp.orghttps://www.owasp.org/index.php/OWASP_SonarQube_ProjectSebastien Gioria; Freddy Malletsebastien.gioria@owasp.orgSonarQube is an open platform to manage code quality. The project consists of delivering a set of "standard" profiles for security, such as an OWASP Top 10 profile, ASVS profiles, a PCI-DSS profile, etc., which can be used by teams with the support of OWASP.NASebastien GioriaN/AN/AProject was created in June, but there have been no updates since then. Status update has been requested from project leader.
IOWASP URL CheckerToolGNU GPL v3 licenseowasp_url_checkerhttps://www.owasp.org/index.php/OWASP_URL_CheckerCraig Foxcraig.fox@owasp.orgAn open source scriptable tool to scan websites for URLs which may lead to information divulging, exploits and common attack patterns.NACraig FoxN/AApril, 2014http://www.dreamwalker-software.com/uploads/2/5/3/9/25390328/url_checker_v3_pentest_edition.zip
IOWASP Rainbow Maker ProjectToolGNU GPL v2owasp_rainbow_makerhttps://www.owasp.org/index.php/OWASP_Rainbow_Maker_ProjectTal Melamedtal.melamed@owasp.orgOWASP Rainbow Maker is a tool aimed at breaking hash signatures. It allows testers to insert a hash value and possible keywords and values that might be used by the application to create it, then it tries multiple combinations to find the format used to generate the hash value.NATal MelamedN/AJanuary, 2014https://github.com/nu11p0inter/RainbowMaker/releases
IOWASP JSEC CVE DetailsToolGNU GPL v3owasp-jsec-cve-detailshttps://www.owasp.org/index.php/OWASP_JSEC_CVE_DetailsDibyendu Sikdardibyendu.coder@gmail.comJSEC CVE DETAILS is an open source application developed in Java that uses the API provided by cvedetails.com to receive the latest CVE updates.N/ADibyendu SikdarN/AJune, 2014http://dibsy.github.io/JSEC_CVE_DETAILS/
BreakerVerificationIOWASP ASIDE ProjectToolCreative Commons ShareAlike v.3owasp-aside-projecthttps://www.owasp.org/index.php/OWASP_ASIDE_ProjectJing Xie, Bill Chu, John Meltonjxie2@uncc.edu, billchu@uncc.edu, john.melton@owasp.orgAssured Software Integrated Development Environment (ASIDE) is an Eclipse Plugin which is a software tool primarily designed to help students write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs. ASIDE may be useful to professional developers as well.NAJing XieN/AApril, 2014http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_1.0.0.201302251700.jar
OtherIOWASP Data Exchange Format ProjectDocumentApache License V2.0owasp-data-exchange-formathttps://www.owasp.org/index.php/OWASP_Data_Exchange_Format_ProjectPsiinon, Dinis Cruzpsiinon@gmail.com, dinis.cruz@owasp.orgTo define an open format for exchanging data between pentest tools.Daniel Brzozowski
Simon BennettsN/AJuly, 2011https://code.google.com/p/owasp-def/Updated work was posted in June.
BuilderConstructionIOWASP Cheat Sheets ProjectDocumentCreative Commons Attribution ShareAlike License V3.0owasp-cheat-sheetshttps://www.owasp.org/index.php/Cheat_SheetsSherif Koussa, Jim Manicosherif.koussa@owasp.org, jim.manico@owasp.orgThis project was created to provide a concise collection of high value information on specific security topics.Michael Coates
Jeff Williams
Dave Wichers
Kevin Wall
Jeffrey Walton
Eric Sheridan
Kevin Kenan
David Rook
Fred Donovan
Abraham Kang
Dave Ferguson
Shreeraj Shah
Raul Siles
Colin Watson
Jim ManicoN/AConstant updateshttps://www.owasp.org/index.php/Cheat_Sheets#tab=MainThis project is constantly revising and adding new cheat sheets. Currently working on a print edition.
BuilderConstructionIOWASP Proactive ControlsDocumentCreative Commons Attribution ShareAlike 3.0 Licenseowasp_proactive_controls@lists.owasp.orghttps://www.owasp.org/index.php/OWASP_Proactive_ControlsAndrew van der Stockvanderaj@owasp.orgA Top 10 like document, phrased in a positive, testable manner that describes the Top 10 controls architects and developers should absolutely, 100% include in every project.Danny Harris
Stephen de Vries
Andrew Van Der Stock
Gaz Heyes
Colin Watson
Andrew van der StockN/AMarch, 2014https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls
BuilderConstructionIOWASP Enterprise Application Security ProjectDocumentCreative Commons Attribution ShareAlike License V3.0owasp-eashttps://www.owasp.org/index.php/OWASP_Enterprise_Application_Security_ProjectAlexander Polyakova.polyakov@dsec.ruEnterprise application security is one of the major topics in the overall security area because those applications control money and resources, and every security violation can result in significant monetary loss. The purpose of this project is to make people aware of enterprise application security problems and create a guideline for EA security assessment.Dmitriy Evdokimov
Dmitriy Chastuhin
Alexey Sintsov
Michail Markevich
Alexander PolyakovN/AJuly, 2014http://erpscan.com/wp-content/uploads/2014/05/EASSEC-PVAG-ABAP.pdfThe latest release was part of another project. The 55 page document that's part of the Enterprise Application Security Project can be found through the release link.
BreakerVerificationIOWASP GoatDroid ProjectDocumentGNU GPL v3 licenseowasp-mobile-security-projecthttps://www.owasp.org/index.php/Projects/OWASP_GoatDroid_ProjectJack ManninoJack@nvisiumsecurity.comThe OWASP GoatDroid Project is the Android equivalent to the iGoat Project. Inspired by WebGoat, this project will help educate Android developers on security issues they'll encounter when writing applications.N/AJack ManninoN/AFall, 2013https://github.com/jackMannino/OWASP-GoatDroid-Project/commits/masterReverted back to a clean project in April, 2014.
OtherIOWASP Request For ProposalDocumentUnknownowasp-rfp-criteriahttps://www.owasp.org/index.php/OWASP_RFP-CriteriaTom Brennantomb@owasp.orgThe purpose of this project is simply to provide an objective list and an aggregate set of questions for companies to utilize when they issue RFPs for web application security.N/ATom BrennanN/A
BreakerVerificationIOWASP University ChallengeDocumentCreative Commons Attribution ShareAlike 3.0 LicenseOWASP_University_Challengehttps://www.owasp.org/index.php/OWASP_University_ChallengeIvan Buetler, Mateo Martinez- Ivan (ivan.buetler@owasp.org)
- Mateo (Mateo.Martinez@owasp.org)
First organized at OWASP AppSec-US 2011 in Minneapolis, this project is to enable "attack & defend" challenges.
First, at OWASP AppSec conferences, later also to enable this outside AppSec conferences.
N/AMartin KnoblochN/AAppSec EU 2014Event held at most of the main AppSec events, last event held at AppSec EU 2014.
Breaker | Verification | I | OWASP Hacking-Lab | Document | Creative Commons Attribution ShareAlike 3.0 License | OWASP_Hacking_Lab | https://www.owasp.org/index.php/OWASP_Hacking_Lab | Ivan Buetler, Mateo Martinez | Ivan (ivan.buetler@owasp.org), Mateo (Mateo.Martinez@owasp.org) | The current OWASP Hacking-Lab challenge (https://www.hacking-lab.com/Remote_Sec_Lab/free-owasp-top10-lab.html) is a great success! Currently there is one challenge, the OWASP Top Ten, with 1164 registered users and over 500 solutions sent in and verified by the OWASP teachers! The goal is to provide an open and transparent process around the challenges and the teachers, and to continuously work on extending the available challenges. | Martin Knobloch | Martin Knobloch | N/A | https://www.hacking-lab.com/index.html
Defender | Verification | I | WASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC) | Document | Creative Commons Attribution License 2.5 | https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project | Ofer Shezaf | ofers@owasp.org | WAFEC provides interested parties, including users, vendors and 3rd party evaluators, with a tool to define, learn about and evaluate the suitability of different WAFs for their needs. | Achim Hoffmann, Amichai Shulman, Erwin Huber, Mark Kraynak, Ofer Shezaf, Ryan Barnett, Tal Beery | Ofer Shezaf | N/A | 1/1/2006 | http://projects.webappsec.org/f/wasc-wafec-v1.0.pdf | The last update was from January, 2013, and there has been no release since 2006. The project leader doesn't respond to emails, but the project mailing list is active with reviewers.
Other | Governance | I | OWASP CISO Survey | Document | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_CISO_Survey | https://www.owasp.org/index.php/OWASP_CISO_Survey | Tobias Gondrom | tobias.gondrom@owasp.org | CISO Survey and, later, the CISO Report on Application and Information Security trends. Also provides input and data for the CISO Guide. | Marco Morana, Stephanie Tan, Colin Watson | Tobias Gondrom | N/A | January, 2014 | https://www.owasp.org/index.php/OWASP_CISO_Survey
Defender | Governance | I | OWASP Application Security Guide For CISOs | Document | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Application_Security_Guide_For_CISOs | https://www.owasp.org/index.php/OWASP_Application_Security_Guide_For_CISOs_Project | Marco Morana | Marco.m.morana@gmail.com | The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business case for investing in application security, followed by awareness of threats targeting applications, the identification of the economic impacts, the determination of a risk mitigation strategy, the prioritization of mitigating the risk of vulnerabilities, the selection of security control measures to mitigate risks, and the adoption of secure software development processes and maturity models; we conclude the journey with the selection of metrics for reporting and managing application security risk. More info about this project can be found in the introductory page of the guide: https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs | Tobias Gondrom, Eoin Keary, Andy Lewis, Stephanie Tan, Colin Watson | Marco Morana | N/A | November, 2013 | https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf
Builder | Construction | I | OWASP Cornucopia | Document | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Cornucopia | https://www.owasp.org/index.php/OWASP_Cornucopia | Colin Watson | Colin.Watson@owasp.org | Cornucopia is a card game used to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories. An edition for ecommerce websites exists and alternative versions are planned. | Simon Bennetts, Tobias Gondrom, Anthony Harrison, Ken Ferris, Jim Manico, Mark Miller, Cam Morris, Stephen de Vries | Colin Watson | N/A | March, 2014 | https://www.owasp.org/images/7/71/Owasp-cornucopia-ecommerce_website.pdf
I | OWASP Secure Application Design Project | Document | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_Secure_Application_Design | https://www.owasp.org/index.php/OWASP_Secure_Application_Design_Project | Ashish Rao | Ashish.Rao@owasp.org | Design-level flaws are a lesser-known concept, but their presence is a very big risk to applications. Such flaws are hard to find in static or dynamic application scans and instead require a deep understanding of application architecture and layout to uncover them manually. Design-level security is crucial and must be adopted at an early stage of application development to build a robust system. Thus the aim of this project is to impart secure design guidelines to application developers. The project will highlight vulnerable areas in application designs through real-world examples and scenarios and touch on different aspects of design-level security. The focus will also be on explaining the measures to be taken to prevent such flaws while designing applications. The guidelines will cover core design concepts which are applicable to any application, independent of the platform. Most of the design flaws will be discussed using sample code incorporated in an insecure design application. The project will also focus on releasing a secure design checklist for reviewing application designs or threat modelling them. | NA | Ashish Rao | N/A | https://www.owasp.org/images/f/f7/Checklist_For_Design.pdf | There have been two releases since the project's inception, but due to errors the release has been rolled back to the original. A new release is in the works.