|Builder, Breaker, Defender||OWASP SAMM||Proposed Project Status||Project Name||Project Type||Project License||OWASP Mailman Mailing List||Project Wiki Page||Project Leader(s) (if exists)||Project Leader Email(s) (if exists)||Project Description (if available)||Project Contributors||Project Founder||Last evaluation date||Evaluation Link||Release status and/or date||Release Link||Next evaluation date||Comments|
|Builder||Construction||L||OWASP Enterprise Security API||Code||BSD License||esapi-users||https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API||Chris Schmidt, Kevin Wall||Chris Schmidt, Kevin Wall||ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.||NA||Jeff Williams||7/1/2014||9/1/2013||https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Downloads||January, 2015|
|Builder||Construction||F||OWASP ModSecurity Core Rule Set Project||Code||Apache License V2.0||owasp-modsecurity-core-rule-set||https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project||Ryan Barnett||Ryan.Barnett@owasp.org||ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extremely flexible and robust and has been referred to as the "Swiss Army Knife of web application firewalls." While this is certainly true, it doesn't do much implicitly on its own and requires rules to tell it what to do. In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS) which provides critical protections against attacks across most every web architecture.||Breno Silva||Ryan Barnett||July, 2014||3/1/2014||http://sourceforge.net/projects/mod-security/||October, 2014||Wiki|
|Builder||Construction||L||OWASP CSRFGuard Project||Code||BSD License||owasp-csrfguard||https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project||Eric Sheridan||firstname.lastname@example.org||Cross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFGuard Project attempts to address this issue through the use of unique request tokens.||NA||Eric Sheridan||July, 2014||https://www.owasp.org/images/4/46/Project_Status_Report-CRSFGuard-2.pdf||February, 2014||https://github.com/aramrami/OWASP-CSRFGuard||October, 2014||Project must update key info on wiki to become candidate flagship.|
|Other||L||OWASP AppSec Tutorial Series||Documentation||Creative Commons Attribution NonCommercial License V2.0||NONE||https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series||Jerry Hoff||email@example.com||The OWASP Appsec Tutorial Series breaks down security concepts in an easily accessible, friendly way. Each video is 5-10 minutes long and highlights a different security concept, tool or methodology.||NA||Jerry Hoff||N/A||9/1/2012||https://www.youtube.com/user/AppsecTutorialSeries|
|Defender||Construction||L||OWASP AppSensor Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-appsensor-project||https://www.owasp.org/index.php/OWASP_AppSensor_Project||Michael Coates||Michael.Coates@owasp.org, firstname.lastname@example.org, email@example.com||The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.||Dennis Groves, Colin Watson, John Melton||Jeff Williams, Michael Coates||N/A||May, 2014||https://github.com/jtmelton/appsensor|
|Breaker||Verification||L||OWASP CTF Project||Documentation||Unknown||owasp-ctf||https://www.owasp.org/index.php/Category:OWASP_CTF_Project||Steven van der Baan||firstname.lastname@example.org||The OWASP CTF project is a web-based hacking challenge application with challenges categorized in web, network and 'others'. You require creativity, resourcefulness and networking skills to solve the various challenges. (A copy of the Live CD can help as well.)||N/A||January, 2012||https://code.google.com/p/owaspctf/downloads/list|
|Builder||Governance||L||OWASP Legal Project||Documentation||Unknown||owasp-legal||https://www.owasp.org/index.php/Category:OWASP_Legal_Project||Jeff Williams||email@example.com||The cornerstone of the Legal Project is its Secure Software Development Contract Annex.||NA||Jeff Williams||5/4/2009||March, 2009||https://www.owasp.org/index.php/Category:OWASP_Legal_Project#tab=Downloads|
|Other||Governance||L||OWASP Podcast Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-podcast||https://www.owasp.org/index.php/OWASP_Podcast||Mark Miller||Mark.Miller@owasp.org||Listen as Mark interviews OWASP volunteers, industry experts and leaders within the field of web application security.||NA||Jim Manico||N/A||March, 2014||https://soundcloud.com/owasp-podcast|
|Builder||Governance||L||Virtual Patching Best Practices||Documentation||Creative Commons Attribution ShareAlike License V3.0||NONE||https://www.owasp.org/index.php/Virtual_Patching_Best_Practices||Ryan Barnett||firstname.lastname@example.org, email@example.com, firstname.lastname@example.org||The goal of this paper is to present a virtual patching framework that organizations can follow to maximize the timely implementation of virtual patches, as well as to demonstrate how the ModSecurity web application firewall can be used to remediate a sampling of vulnerabilities in the OWASP WebGoat application.||Dan Cornell||Ryan Barnett||N/A||February, 2011||https://www.owasp.org/index.php/Summit_2011|
|Breaker||Verification||L||OWASP Application Security Verification Standard Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-application-security-verification-standard||https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project||Sahba Kazerooni, Daniel Cuthbert||email@example.com, firstname.lastname@example.org||The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigour available in the market when it comes to performing Web application security verification using a commercially-workable open standard.||Abbas Naderi, Jim Manico, Andrew van der Stock, Regio N Hartono||Mike Boberski, Dave Wichers||N/A||August, 2013||http://sourceforge.net/projects/owasp/files/ASVS/OWASP%20ASVS%202013%20Beta%20_v1.0.pdf/download|
|Breaker||Verification||L||OWASP Code Review Guide Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-codereview||https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project||Larry Conklin, Gary Robinson||Larry.Conklin@owasp.org, email@example.com||The code review guide is currently at release version 1.1 and was the second best selling OWASP book in 2008. Many positive comments have been fed back regarding this initial version, and we believe it's a key enabler for the OWASP fight against software insecurity.||Eoin Keary, Johanna Curiel, Abbas Naderi, Jane O'Connor, Hugo Costa||Jeff Williams||N/A||February, 2009||http://www.lulu.com/shop/owasp-foundation/owasp-code-review/paperback/product-4458615.html||V. 2 is currently undergoing reviews. The next release will be out later this year.|
|Other||Governance||L||OWASP Codes of Conduct||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-codes-of-conduct||https://www.owasp.org/index.php/OWASP_Codes_of_Conduct||Colin Watson||firstname.lastname@example.org||This project envisages creating and maintaining OWASP Codes of Conduct. In order to achieve our mission, OWASP needs to take advantage of every opportunity to affect software development everywhere. At the OWASP Summit 2011 in Portugal, the idea was created to try to influence educational institutions, government bodies, standards groups, and trade organizations. We set out to define a set of minimal requirements for these organizations specifying what we believe to be the most effective ways to support our mission. We call these requirements a "code of conduct" to imply that these are normative standards, they represent a minimum baseline, and that they are not difficult to achieve.||NA||Colin Watson, Jason Li, Paulo Coimbra||N/A||October, 2013||http://www.lulu.com/shop/owasp-foundation/owasp-codes-of-conduct/paperback/product-21247130.html|
|Builder||Construction||L||OWASP Development Guide Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-guide||https://www.owasp.org/index.php/Category:OWASP_Guide_Project||Andrew van der Stock||email@example.com||The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.||Andrew van der Stock, Dennis Groves||Andrew van der Stock, Dennis Groves||N/A||January, 2014||https://github.com/OWASP/DevGuide/tree/master/DevGuide2.1.1|
|Builder||Construction||L||OWASP Secure Coding Practices - Quick Reference Guide||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-secure-coding-practices||https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide||Keith Turpin||firstname.lastname@example.org||The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 17 pages long, it is easy to read and digest.||NA||Keith Turpin||9/8/2010||October, 2012||http://sourceforge.net/projects/mod-security/|
|Other||Governance||L||OWASP Software Assurance Maturity Model (SAMM)||Documentation||Creative Commons Attribution ShareAlike License V3.0||samm||https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model||Seba, Kuai Hinojosa||Seba@owasp.org; email@example.com||This project is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.||Pravir Chandra, Bart De Win, Seba||Pravir Chandra||N/A||March, 2009||http://www.opensamm.org/download/|
|Breaker||Verification||L||OWASP Testing Guide Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-testing||https://www.owasp.org/index.php/OWASP_Testing_Project||Matteo Meucci, Andrew Muller||firstname.lastname@example.org; Andrew Muller||The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.||Jeff Williams||December, 2008||December, 2008||https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf||V.4 table of contents finished. A majority of the sections have been written.|
|Breaker||Verification||F||OWASP Top Ten Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-topten||https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project||Dave Wichers||email@example.com||The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.||Dave Wichers, Jeff Williams||January, 2015||June, 2013||https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013||2/1/2015|
|Breaker||Verification||L||OWASP Broken Web Applications Project||Tool||GNU General Public License version 2.0 (GPLv2)||NONE||https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project||Chuck Willis||firstname.lastname@example.org||A collection of vulnerable web applications that is distributed on a Virtual Machine.||Doug Wilson||Chuck Willis||July, 2014||https://www.owasp.org/images/1/1f/Project_Status_Report_-_Broken_Web_Applications_Project.pdf||9/27/2013||http://sourceforge.net/projects/owaspbwa/files/||October, 2014||Project must update key info on wiki to become candidate flagship.|
|Other||Verification||L||OWASP EnDe Project||Tool||GNU General Public License version 2.0 (GPLv2)||owasp-ende-project||https://www.owasp.org/index.php/Category:OWASP_EnDe||Achim Hoffmann||email@example.com||Encoder, Decoder, Converter, Transformer, Calculator, for various codings used in the wild wide web. Collection of functions (herein called actions) for various codings, encodings, decodings and conversions. The aim is/was mainly driven by the requirements for HTTP/HTML-based functionality.||NA||Achim Hoffmann||July, 2014||https://www.owasp.org/images/7/76/Project_Status_Report-EnDe.pdf||June, 2012||http://ende.my-stp.net/EnDe-1.0rc12.tgz||January, 2015||Project will keep LAB status.|
|Breaker||Verification||L||OWASP Hackademic Challenges Project||Tool||Apache License V2.0||owasp-hackademic-challenges||https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project||Konstantinos Papapanagiotou||firstname.lastname@example.org, email@example.com||The Hackademic Challenges is an open source project that can be used to test and improve one's knowledge of web application security.||Alex Papanikolaou, Anastasios Stasinopoulos, Andreas Venieris (Core Developer)||July, 2014||https://www.owasp.org/images/8/84/Project_Status_Report-Hackademics.pdf||February, 2011||https://code.google.com/p/owasp-hackademic-challenges/downloads/list||October, 2014||Project must update key info on wiki to become candidate flagship.|
|Breaker||Verification||L||OWASP Mantra Security Framework||Tool||GNU General Public License version 3.0 (GPLv3)||owasp-mantra||https://www.owasp.org/index.php/OWASP_Mantra_-_Security_Framework||Abhi M BalaKrishnan||firstname.lastname@example.org||Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers, security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.||Yashartha Chaturvedi||Abhi M BalaKrishnan||July, 2014||https://www.owasp.org/images/a/ab/Project_Status_Report-MantraFramework.pdf||January, 2013||http://sourceforge.net/projects/getmantra/||October, 2014||This project will keep its LAB status for now.|
|Breaker||Verification||L||OWASP O2 Platform||Tool||Apache License V2.0||owasp-o2-platform||https://www.owasp.org/index.php/OWASP_O2_Platform||Dinis Cruz||email@example.com||Collection of Open Source modules that help Web Application Security Professionals to maximize their efforts and quickly obtain high visibility into an application's security profile.||NA||Dinis Cruz||July, 2014||https://www.owasp.org/images/4/4c/Project_Status_Report_-OWASP_O2.pdf||April, 2013||https://o2platform.googlecode.com/files/O2%20Platform%20-%20Main%20O2%20Gui%20v5.3.exe||January, 2014|
|Breaker||Verification||L||OWASP Vicnum Project||Tool||Creative Commons Attribution ShareAlike License V3.0||owasp-vicnum-project||https://www.owasp.org/index.php/Project_Information:template_Vicnum_Project||Mordecai Kraushar; Nicole Becher||Mordecai.Kraushar@owasp.org; Nicole.Becher@owasp.org||A lightweight vulnerable web application based on a game played to kill time. It demonstrates common web application vulnerabilities such as cross-site scripting. Vicnum is especially helpful to IT auditors who need to hone web security skills.||Nicole Becher||Mordecai Kraushar||July, 2014||7/16/2012||http://sourceforge.net/projects/vicnum/files/||October, 2014||Project must update key info on wiki to become candidate flagship.|
|Breaker||Verification||F||OWASP OWTF||Tool||BSD License||owasp_owtf||https://www.owasp.org/index.php/OWASP_OWTF||Abraham Aranguren||Abraham.Aranguren@owasp.org||The Offensive (Web) Testing Framework is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient.||Adi Mutu, Alessandro Fanio Gonzalez, Chris John Riley, José Carlos Luna||Abraham Aranguren||July, 2014||https://www.owasp.org/images/8/8e/Project_Status_Report-OWTF.pdf||January, 2014||https://github.com/owtf/owtf||October, 2014||Most info has been updated. Project has been set to Flagship status.|
|Breaker||Verification||L||OWASP Web Testing Environment Project||Tool||GNU General Public License version 3.0 (GPLv3)||web-testing-environment||https://www.owasp.org/index.php?title=OWASP_Web_Testing_Environment_Project||Matt Tesauro||firstname.lastname@example.org||This CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite.||Brad Causey||Matt Tesauro||July, 2014||https://www.owasp.org/images/4/45/Project_Status_Report-WebTestingFramework.pdf||October, 2012||http://appseclive.org/downloads/||September, 2014||Project to be considered a candidate flagship project.|
|Breaker||Verification||L||OWASP WebGoat Project||Tool||GNU General Public License version 2.0 (GPLv2)||owasp-webgoat||https://www.owasp.org/index.php/Webgoat||Bruce Mayhew||email@example.com||The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.||Abbas Naderi||Bruce Mayhew||July, 2014||https://www.owasp.org/images/2/28/Project_Status_Report-WebGoat-2.pdf||10/1/2013||https://github.com/mayhew64/webgoat||January, 2014|
|Breaker||Verification||L||OWASP Zed Attack Proxy||Tool||Apache License V2.0||NONE||https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project||Psiinon||firstname.lastname@example.org||This project provides an easy to use integrated penetration testing tool for testing web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.||Simon Bennetts||July, 2014||5/21/2014||https://code.google.com/p/zaproxy/wiki/Downloads?tm=2||September, 2014||Project to be considered a candidate flagship project.|
|Other||Verification||L||O-Saft||Tool||GNU GPL v2||O-Saft||https://www.owasp.org/index.php/O-Saft||Achim Hoffmann||email@example.com||This tool lists information about a remote target's SSL certificate and tests the remote target's SSL connection according to a given list of ciphers and various SSL configurations. Not part of the brief description, but to get the idea: the tool currently combines the functionality of some existing tools (sslscan, ssltest.pl, sslaudit.pl, sslyze, ...). It's prepared to make more intensive tests; that's where I expect help from the community.||NA||Achim Hoffmann||N/A||January, 2014||https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz|
|Builder/Defender||Verification||L||OWASP Dependency Check||Tool||APL 2.0||OWASP_Dependency_Check||https://www.owasp.org/index.php/OWASP_Dependency_Check||Jeremy Long||firstname.lastname@example.org||DependencyCheck is a utility that attempts to detect publicly disclosed vulnerabilities contained within a Java project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.||Jeremy Long||N/A||September, 2014||https://github.com/jeremylong/DependencyCheck||Graduated to LAB status September, 2014.|
|Builder||Construction||I||OWASP Java Encoder Project||Code||BSD License||owasp-java-encoder-project||https://www.owasp.org/index.php/OWASP_Java_Encoder_Project||Jeff Ichnowski||email@example.com||This project is a simple-to-use drop-in encoder class with little baggage.||Jeremy Long||Jeff Ichnowski||N/A||February, 2014||https://code.google.com/p/owasp-java-encoder/|
|Builder||Construction||I||OWASP JSON Sanitizer||Code||Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)||OWASP_JSON_Sanitizer||https://www.owasp.org/index.php/OWASP_JSON_Sanitizer||Mike Samuel||firstname.lastname@example.org||"As described at http://code.google.com/p/json-sanitizer/: Given JSON-like content, converts it to valid JSON. This can be attached at either end of a data-pipeline to help satisfy Postel's principle: be conservative in what you do, be liberal in what you accept from others. Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use. Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML."||Jim Manico||Mike Samuel||N/A||7/5/2014||https://code.google.com/p/json-sanitizer/downloads/detail?name=json-sanitizer-2012-10-17.jar&can=2&q=|
|Builder||Construction||I||OWASP Passfault||Code||GNU LGPL v3||owasp_passfault||https://www.owasp.org/index.php/OWASP_Passfault||Cam Morris||email@example.com||Passfault evaluates password strength and enforces password policy. It identifies patterns in a password then enumerates how many passwords fit within the identified patterns. This approach is more accurate and more intuitive. It allows administrators to know and control password risk, instead of hoping that users will create strong passwords.||Neeti Pathak||Cam Morris||N/A||March, 2014||https://github.com/c-a-m/passfault/releases|
|I||OWASP Java File I/O Security Project||Code||Apache 2.0 License||OWASP_Java_File_I_O_Security_Project||https://www.owasp.org/index.php/OWASP_Java_File_I_O_Security_Project||August Detlefsen||August.Detlefsen@owasp.org||The goal of this project is to extract the file handling portions out of the ESAPI validators and make them available in an easy to use library that has no dependencies.||NA||August Detlefsen||NA||Project is still new, with no release yet.|
|Builder||Construction||I||OWASP Security Research and Development Framework||Code||GNU GPL v2||OWASP_Security_Research_and_Development_Framework||https://www.owasp.org/index.php/OWASP_Security_Research_and_Development_Framework||Amr Thabet||Amr.Thabet@owasp.org||This is a free open source development framework created to support writing security tools and malware analysis tools, and to convert security research and ideas from the theoretical approach to practical implementation. This development framework was created mainly to support the malware field, to create malware analysis tools and anti-virus tools easily without reinventing the wheel, and to inspire innovative minds to write up their research in this field and implement it using SRDF.||NA||Amr Thabet||N/A||November, 2012||https://github.com/AmrThabet/winSRDF||Was inactivated due to lack of activity, but was reactivated at the project leader's request. Keep an eye on this project to make sure they are producing updates.|
|Builder||Construction||I||OWASP PHPRBAC Project||Code||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_PHPRBAC||https://www.owasp.org/index.php/OWASP_PHPRBAC_Project||Abbas Naderi||firstname.lastname@example.org||PHPRBAC is a standard NIST Level 2 Hierarchical Role Based Access Control library implemented as a library for PHP. It allows perfectly maintainable function-level access control for enterprise and small applications or even frameworks alike. Since implementation of NIST Level 2 Hierarchical RBAC is quite complicated, there are very few similar libraries and most of them do not adhere to standards. PHP RBAC is one of the fastest implementations (relying on a SQLite or MySQL backend) and has been tested in industry for more than three years.||A team of volunteer Etebaran Informatics developers, Jeffrey N. Carre||Abbas Naderi||N/A||March, 2014||http://sourceforge.net/projects/phprbac/|
|Builder||Construction||I||OWASP EJSF Project||Code||GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)||OWASP_EJSF_Project||https://www.owasp.org/index.php/OWASP_EJSF_Project||Prof. Dr. Benoist||email@example.com||Modern web application frameworks have made it easy to develop high quality web applications, but developing a secure application still requires programmers to possess a deep understanding of security vulnerabilities and attacks. Sometimes it is difficult for an experienced developer to find and eliminate all the vulnerabilities. This demo represents the JSF-ESAPI framework based on JSF2.0 and OWASP ESAPI. It helps developers write a secure and lower-risk JSF based web application with minimal configuration and without extensive prior knowledge of web security. The figure below shows a complete integration of the JSF-ESAPI framework with JSF2.0 and ESAPI. It works as a middleware and consists of four important modules. ESAPI Validation is the first module, which verifies the user input as given in the XSS prevention cheat sheet provided by OWASP. It consists of many user-defined validator tags and generates appropriate error messages if the user input is not valid. In this way it performs a strong validation. There are also some tags available in the corresponding validators in ESAPI, and they also filter the XSS relevant code from the input. The file-based authorization module simplifies the user's role, such as admin, user, etc. and gives the permission to visualize certain components at the presentation layer based on assigned roles. The ESAPI Filtering layer compares the valid form token with tokens stored in the session for that user. If the token is mitigated or changed by a man in the middle during the process of a request-response exchange, it will give the appropriate exception. The last module is a render module, which renders the output after filtering the XSS content and encodes the vulnerable characters such as <, >, ", ' etc. as given in the XSS prevention cheat sheet provided by OWASP. [Figure: JSF-ESAPI Complete Architecture] This framework will help developers to prevent a myriad of security problems including cross-site scripting, cross-site request forgery, automatic input validation, automatic output validation with escape "true" or without this parameter, and authorization. All the features are included in one framework. (1) It requires minimal configuration to use the framework. (2) It ensures retrofit security in the existing application. (3) It provides the same performance as the JSF framework. (4) Automatic filtering of the XSS vulnerable code from output takes place when escape equals "true" or "false". (5) The input validation is easy and no additional coding is required. (6) It has a layered architecture. It uses what you need and leaves what you don't need at the moment. (7) One framework includes the most secure features.||Prof. Dr. Emmanuel Benoist||N/A||10/1/2013||http://security4web.ch/OWASP/esapi_final.jar|
|I||OWASP iMAS - iOS Mobile Application Security Project||Code||Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)||OWASP_iMAS_iOS_Mobile_Application_Security_Project||https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project||Gregg Ganley||firstname.lastname@example.org, Gregg.Ganley@owasp.org||iMAS – iOS secure application framework to reduce iOS application vulnerabilities and information loss. iMAS and its first open source static security controls are available for download and use in iOS applications. Visit and browse our project to find out more; download and give it a try. Once you do, tell us what you think or, better yet, get involved and participate! iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers; however, many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary's ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the System Passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques.||NA||Gregg Ganley||N/A||December, 2013||http://project-imas.github.io||This project is active, but there have been no updates or releases on the wiki page. It looks like the project still loosely affiliates with OWASP, and the project is active at AppSec events, but I'm not sure it can really be considered an OWASP project anymore.|
|I||OWASP RBAC Project||Code||Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)||OWASP_RBAC_Project||https://www.owasp.org/index.php/OWASP_RBAC_Project||Abbas Naderi||email@example.com||The RBAC project aims to port and promote standard NIST Level 2 RBAC implementations; currently the PHP version is available as a separate project.||NA||Abbas Naderi||N/A||There have been no updates to the wiki page, though this is an active project.|
|I||OWASP PHP Security Project||Code||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_PHP_Security_Project||https://www.owasp.org/index.php/OWASP_PHP_Security_Project||Abbas Naderi||Abbas.Naderi@owasp.org||OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.||Rahul Chaudhary||Abbas Naderi||N/A||June, 2014||http://github.com/OWASP/phpsec/archive/master.zip|
|I||OWASP Node.js Goat Project||Code||Apache 2.0||OWASP_Node_js_Goat_Project||https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project||Chetan Karande||Chetan.Karande@owasp.org||Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.||Chetan Karande, Jaap Karan Singh||Chetan Karande||N/A||May, 2014||https://github.com/OWASP/NodeGoat|
|I||OWASP System Vulnerable Code Project||Code||GNU LGPL v3 License||OWASP_System_Vulnerable_Code_Project||https://www.owasp.org/index.php/OWASP_System_Vulnerable_Code_Project||Shezan Dhaka||Shezan@owasp.org||This project aims to develop a security application for checking the security stress and finding out the vulnerabilities of the system. This tool can also find out application vulnerabilities. I want to make an advanced security tool with exploits and payloads. It will help us to find the vulnerabilities of both web applications and desktop applications. I will include here more than 1000 exploits and 500 payloads and 30 encoders and some scripts to check the security stress of encrypted data.||Ajin, Mehedi Hasan Shuvo||Shezan Dhaka||N/A||http://lappyframework.blogspot.com||This project has been set up to create another tool entirely. There has only been one update on the project and that was in December. The update was the setup of a blogspot stating the intention of creating the tool. I don't think this project has much of a goal in being an OWASP project. I have emailed the project leader asking for clarification.|
|I||OWASP ISO IEC 27034 Application Security Controls Project||Code||GNU LGPL v3 License||OWASP_ISO_IEC_27034_Application_Security_Controls_Project||https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project||Jonathan Marcil||Jonathan.Marcil@owasp.org||Conversion of OWASP-related documentation and best practices, such as the OWASP Top 10, into Application Security Controls (ASCs) as defined in ISO/IEC 27034. This will enable 27034 stakeholders to use a formal structure of OWASP content.||Bruno Guay||Jonathan Marcil||N/A||No release yet.|
|I||OWASP Secure Headers Project||Code||Apache 2.0 License||OWASP_Secure_Headers_Project||https://www.owasp.org/index.php/OWASP_Secure_Headers_Project||Josh Matz||Josh.Matz@owasp.org||Setting headers from the server is easy and often doesn't require any code changes. Once set, they can restrict modern browsers from running into easily preventable vulnerabilities. Secure Headers intends to raise awareness and use of these headers.||Jim Manico||Josh Matz||NA||No release yet.|
|I||OWASP Hardened Phalcon Project||Code||MIT License||OWASP_Hardened_Phalcon||https://www.owasp.org/index.php/OWASP_Hardened_Phalcon_Project||Rhodry Korb||Rhodry.Korb@owasp.org||The Phalcon Framework is the world's fastest PHP Framework, however like most frameworks it is not 'hardened' by default. OWASP Hardened Phalcon aims to help developers harden their Phalcon applications in-line with the published OWASP guidelines.||NA||Rhodry Korb||NA||No release or updates. Project leader has been contacted for updates. Will inactivate if no updates are made or if project leader doesn't respond.|
|I||OWASP Faux Bank Project||Code||Apache 2.0 License||owasp_faux_bank||https://www.owasp.org/index.php/OWASP_Faux_Bank_Project||Davie Elliott||firstname.lastname@example.org||Faux Bank has all 10 of the top vulnerabilities implemented, as well as fixes for these vulnerabilities. The idea is that developers can see a real-world system with vulnerabilities, so that they can see what to look for and how to write secure code.||NA||Davie Elliott||NA||July, 2014|
|Breaker||Verification||I||OWASP Java HTML Sanitizer Project||Tool||BSD License||owasp-java-html-sanitizer||https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer||Mike Samuel, Jim Manico||email@example.com, firstname.lastname@example.org||This is a fast Java-based HTML Sanitizer which provides XSS protection.||NA||Mike Samuel||N/A||7/2/2014||https://code.google.com/p/owasp-java-html-sanitizer/downloads/detail?name=owasp-java-html-sanitizer-r226.zip&can=2&q=|
|Breaker||Verification||I||OWASP Java XML Templates Project||Tool||BSD License||owasp-java-xml-templates||https://www.owasp.org/index.php/OWASP_Java_XML_Templates_Project||Jeff Ichnowski||email@example.com||A fast and secure XHTML-compliant template language that runs on a model similar to JSP.||NA||N/A||2/1/2011||https://code.google.com/p/owasp-jxt/downloads/detail?name=jxt-1.0-RC1.zip&can=2&q=||Project hasn't had activity on the wiki page or in the code page, but an Openhub account has been created.|
|Breaker||Verification||I||OWASP NAXSI Project||Tool||GNU General Public License version 2.0 (GPLv2)||owasp-naxsi-project||https://www.owasp.org/index.php/OWASP_NAXSI_Project||Thibault "bui" Koechlin||firstname.lastname@example.org||This is an open source, high performance, low rules maintenance Web Application Firewall module for Nginx, the infamous web server and reverse-proxy.||Sebastien Blot, Antonin Le Faucheux||Thibault "bui" Koechlin||N/A||June, 2014||https://github.com/nbs-system/naxsi||Project is putting out releases and updates regularly, but has not updated the project wiki page in some time.|
|Breaker||Verification||I||OWASP WebGoat.NET||Tool||GNU General Public License version 3.0 (GPLv3)||https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET||Jerry Hoff||email@example.com||WebGoat.NET is a purposefully broken ASP.NET web application. It contains many common vulnerabilities, and is intended for use in classroom environments.||N/A||Jerry Hoff||N/A||5/1/2013||https://github.com/OWASP/WebGoat.NET/tree/VS_2010|
|Breaker||Verification||I||OWASP Path Traverser||Tool||Attribution-NonCommercial-NoDerivs 3.0 Unported (CC BY-NC-ND 3.0)||OWASP_Path_Traverser||https://www.owasp.org/index.php/OWASP_Path_Traverser||Tal Melamed||Tal.Melamed@owasp.org||Path Traverser is a tool for security testing of web applications. It simulates a real Path Traversal attack, only with actual existing files. It operates as a middleman between the web application and its host server, which gives the ability to test the actual files as found on the host server against the application, according to their relevant path. After you have provided the relevant details, Path Traverser will connect (FTP) to your host server in order to pull out the list of files. Then, it manipulates the list taken from the file system so it will fit the web application by changing their paths. If your application could be found at http://mysrvr:777/home and the application files could be found in the file system under myapps/demoapp/client/version/lastversion/, requests for files under /myapps/demoapp/client/version/1.1/ will be created as http://mysrvr:777/home/../1.1/ and requests for files under /myapp/differentapp/files/ will be created as http://mysrvr:777/home/../../../../differentapp/files/, etc. After that, the Path Traverser will start sending these requests one by one and log the results by the HTTP Response code selected. A configuration for excluding/including specific file types is available.||N/A||Tal Melamed||N/A||4/1/2013||https://github.com/nu11p0inter/PathTraverser||No project release for over a year, and no updates to the project wiki page. However, the project has an Openhub account.|
|Breaker||Verification||I||OWASP Watiqay||Tool||GNU GPL v2||OWASP_Watiqay||https://www.owasp.org/index.php/OWASP_Watiqay||Carlos Ganoza Plasencia||Carlos.Ganoza@owasp.org||Prevents layer 7 attacks on the various websites where the client service is running; it will have the capacity to restore vulnerable websites and will have a continuous, personalized warning system.||N/A||Carlos Ganoza Plasencia||N/A||4/1/2014||Project was released at LATAM 2014, but there is no link on the wiki and no updates on the wiki page for over a year. The project also has an Openhub account.|
|Breaker||Verification||I||OWASP Security Shepherd||Tool||GNU GPL v3||OWASP_Security_Shepherd||https://www.owasp.org/index.php/OWASP_Security_Shepherd||Mark Denihan||Mark.Denihan@owasp.org||Security Shepherd is an in-depth security awareness project, designed with the aim of fostering security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills.||N/A||Mark Denihan||N/A||7/18/2014||http://sourceforge.net/projects/owaspshepherd/files/|
|Breaker||Verification||I||OWASP Xenotix XSS Exploit Framework||Tool||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Xenotix_XSS_Exploit_Framework||https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework||Ajin Abraham||Ajin.Abraham@owasp.org||Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. This tool can inject code into web pages that are vulnerable to XSS. It is basically a payload-list-based XSS scanner. It provides a penetration tester the ability to test all the possible XSS payloads available in the payload list against a web application with ease. The tool supports both manual mode and automated time-sharing-based test modes. It includes an XSS encoder, a victim-side keystroke logger, and an executable drive-by downloader.||N/A||Ajin Abraham||N/A||2/1/2014||http://opensecurity.in/downloads/OWASP_Xenotix_XSS_Exploit_Framework_V5.rar|
|Breaker||Verification||I||OWASP Mantra OS||Tool||Creative Commons Attribution ShareAlike 3.0 License||OWASP_Mantra_OS||https://www.owasp.org/index.php/OWASP_Mantra_OS||Gregory Disney-Leugers||Gregory.Disney@owasp.org||Chromium OS is a safe, fast and secure sand-boxed OS. This makes it ideal to continue the OWASP Mantra security toolkit project by completing it as an operating system.||Matt Tesauro||Gregory Disney-Leugers||N/A||10/1/2013||http://sourceforge.net/projects/mantraos/||New release for this project will be out this fall.|
|Breaker||Verification||I||OWASP iGoat Project||Tool||GNU General Public License version 3.0 (GPLv3)||owasp-igoat-project||https://www.owasp.org/index.php/OWASP_iGoat_Project||Kenneth R. van Wyk||firstname.lastname@example.org||iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.||Jonathan Carter||Kenneth R. van Wyk||N/A||4/9/2014||https://drive.google.com/folderview?id=0B4JD0hBwn1-uZmJXU0pfdEUtdlE&usp=sharing|
|Breaker||Verification||I||OWASP Bricks||Tool||OWASP_Bricks||https://www.owasp.org/index.php/OWASP_Bricks||Abhi M Balakrishnan||email@example.com||Bricks, a deliberately vulnerable web application built on PHP & MySQL, focuses on variations of commonly seen application security vulnerabilities & exploits, which can be exploited using tools (Mantra & ZAP). The mission is to 'break the bricks'.||NA||Abhi M Balakrishnan||N/A||November, 2013||http://sechow.com/bricks/download.html|
|Breaker||Verification||I||OWASP Hive Project||Tool||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Hive_Project||https://www.owasp.org/index.php/OWASP_Hive_Project||Jason Johnson||Jason.Johnson@owasp.org||We have a hive network that hosts a dashboard with the attitude of the hive and the Internet, using data mined from Twitter and others. Maybe we can incorporate tools like ZAP or any of the others into this. The thing is, we sell this not to make money but to establish a statistics- and data-rich network. The fact is that it costs $35 with a case that has a WASP on it, maybe a bit more. With the push for global security of our assets there is not a better time. I would not ask any other group but OWASP; this foundation is the smarts of the net. We can make something that is both supportive of our cause and a huge data-rich Internet HIVE that, if it's kicked, we know why.||OSU, Oklahoma City (The 404)||Jason Johnson||N/A||Reached out to project leader for project status. There is no release link or recent updates.|
|I||OWASP Rails Goat Project||Tool||OWASP_Rails_Goat||https://www.owasp.org/index.php/OWASP_Rails_Goat_Project||Ken Johnson||Ken.Johnson@owasp.org||This is a Rails application which is vulnerable to the OWASP Top 10. It is intended to show how each of these categories of vulnerabilities can manifest themselves in a Rails-specific way as well as provide the subsequent mitigations for each.||NA||Ken Johnson||N/A||4/1/2014||https://github.com/OWASP/railsgoat|
|I||OWASP Bywaf Project||Tool||GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)||OWASP_Bywaf_Project||https://www.owasp.org/index.php/OWASP_Bywaf_Project||Rafael Gil Larios||firstname.lastname@example.org||Develop an application that speeds up an auditor's work when performing a PenTest; its main function is to "detect, evade and deliver a result (vulnerability)" using known code injection methods and others developed by the team members over the course of their professional careers.||Adar Grof||Rafael Gil Larios||N/A||4/29/2014||https://github.com/depasonico/bywaf-owasp|
|I||OWASP Mutillidae 2 Project||Tool||GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)||OWASP_Mutillidae_2_Project||https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project||Jeremy Druin||Jeremy.Druin@owasp.org||NOWASP (Mutillidae) is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts. NOWASP (Mutillidae) can be installed on Linux and Windows using LAMP, WAMP, and XAMPP for users who do not want to administer a webserver. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on pre-installed platforms. With dozens of vulns and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.||NA||Jeremy Druin||N/A||March, 2014||http://sourceforge.net/projects/mutillidae/files/|
|I||OWASP SeraphimDroid Project||Tool||OWASP_SeraphimDroid_Project||https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project||Nikola Milošević||email@example.com||SeraphimDroid is an educational application for Android devices that helps users learn about risks and threats coming from other Android applications. SeraphimDroid scans your device and teaches you about risks and threats coming from application permissions. This project will also deliver a paper on Android permissions, their regular use, risks and malicious use. In its second version SeraphimDroid will evolve into an application firewall for Android devices, not allowing malicious SMS or MMS to be sent, USSD codes to be executed or calls to be made without the user's permission and knowledge.||Aleksandar Abu Samra||Nikola Milošević||N/A||July, 2014||https://github.com/nikolamilosevic86/owasp-seraphimdroid|
|I||OWASP Androïck Project||Tool||OWASP_Androick_Project||https://www.owasp.org/index.php/OWASP_Androick_Project||Florian Pradines||Florian.Pradines@owasp.org||Androïck is a tool that allows any user to analyze an application. It can get the apk file, all the data and the databases in sqlite3 and csv format.||Ely de Travieso||Florian Pradines||N/A||May, 2014||http://sourceforge.net/projects/androick/files/Release-2.0/||No updates to the wiki page in over a year; the download link does go to the latest release.|
|I||OWASP Dependency Track Project||Tool||OWASP_Dependency_Track_Project||https://www.owasp.org/index.php/OWASP_Dependency_Track_Project||Steve Springett||Steve.Springett@owasp.org||Dependency-Track is a Java web application that allows organizations to document the use of third-party components across multiple applications and versions.||Nikhil Chitlur Navakiran||Steve Springett||N/A||May, 2014||https://github.com/stevespringett/dependency-track|
|I||OWASP PHP Portscanner Project||Tool||GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces)||https://lists.owasp.org/mailman/listinfo/owasp_php_portscanner_project||https://www.owasp.org/index.php/OWASP_PHP_Portscanner_Project||Bhavesh Naik||Bhavesh.Naik@owasp.org; firstname.lastname@example.org||The project is a simple PoC of how PHP sockets can be used as a security tool to perform port scanning. The PHP port scanner runs in a web browser (it is not limited to the browser, and can run in the CLI with a few tweaks). No deep knowledge of PHP is required to construct this scanner; the basics will do just fine!||Saurabh Chandrakant Nemade||Bhavesh Naik||N/A||January, 2014||https://www.owasp.org/images/1/11/O3P_v2.zip|
|I||OWASP Python Security Project||Tool||OWASP_Python_Security_Project||https://www.owasp.org/index.php/OWASP_Python_Security_Project||Enrico Branca||Enrico.Branca@owasp.org||Python Security is a free, open source project that aims at creating a hardened version of Python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulation. The project is designed to explore how web applications can be developed in Python by approaching the problem from three different angles: security in Python (white-box analysis, structural and functional analysis); security of Python (black-box analysis, identify and address security-related issues); security with Python (develop a security-hardened Python suitable for high-risk and high-security environments).||NA||Enrico Branca||N/A||June, 2014||https://github.com/ebranca/owasp-pysec|
|I||OWASP WebSpa Project||Tool||GNU GPL_v3||OWASP_WebSpa_Project||https://www.owasp.org/index.php/OWASP_WebSpa_Project||Oliver Merki||This project implements the concept of web spa, by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.|
|I||OWASP NINJA PingU Project||Tool||GNU LGPL v3 License||OWASP_NINJA_PingU_Project||https://www.owasp.org/index.php/OWASP_NINJA_PingU_Project||Guifre Ruiz||Guifre.Ruiz@owasp.org||NINJA Pingu will be a high performance host enumerator tool for scanning purposes. It will allow users to enumerate services in networks very fast.||NA||Guifre Ruiz||N/A||January, 2014||https://github.com/OWASP/NINJA-PingU/archive/v1.0.1.tar.gz|
|I||OWASP Encoder Comparison Reference Project||Tool||Apache 2.0 License||OWASP_Encoder_Comparison_Reference_Project||https://www.owasp.org/index.php/OWASP_Encoder_Comparison_Reference_Project||Stephanie Tan||Stephanie.Tan@owasp.org||Quick reference for how ESAPI and other framework and native language encoding methods work against ASCII characters. [UPDATE: Added link to working demo] Web 2.0 web application that allows users to choose which encoder libraries to compare. It should compare ESAPI as well as other. Deliverable includes the source code to the web application. Hosted version so that folks can access this tool without needing to download, install, configure, etc.|
|I||OWASP SQLIX Project||Tool||Creative Commons Attribution ShareAlike 3.0 License||owasp-sqlix||https://www.owasp.org/index.php/Category:OWASP_SQLiX_Project||Adopted by Anirudh Anand||Anirudh.Anand@owasp.org||SQLiX, coded in Perl, is a SQL Injection scanner, able to crawl, detect SQL injection vectors, identify the back-end database and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different from the ones used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn't need to reverse engineer the original SQL request (using only function calls).||NA||Cedric Cochin, Eric Sheridan||N/A||2008||http://cedri.cc/tools/SQLiX_v1.0.tar.gz||Recently adopted. The last release was from 2008.|
|Breaker||Verification||I||OWASP Orizon Project||Tool||GNU General Public License version 3.0 (GPLv3)||owasp-orizon||https://www.owasp.org/index.php/Category:OWASP_Orizon_Project||Gregory Disney-Leugers||Gregory.Disney@owasp.org||Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS is based on generic rules which focus on attack payload identification in order to provide protection from zero day and unknown vulnerabilities often found in web applications, which are in most cases custom coded.||NA||Paolo Perego||N/A||September, 2008||Recently adopted. The last release was from September, 2008.|
|I||OWASP WASC Distributed Web Honeypots Project||Tool||Apache 2.0 License||OWASP_WASC_Distributed_Web_Honeypots_Project||https://www.owasp.org/index.php/OWASP_WASC_Distributed_Web_Honeypots_Project||Ryan Barnett||Ryan.Barnett@owasp.org||The goal of the Distributed Web Honeypot (DWH) Project is to identify emerging attacks against web applications and report them to the community, including automated scanning activity, probes, as well as targeted attacks against specific web apps.||NA||Ryan Barnett||N/A|
|I||OWASP Click Me Project||Tool||Apache 2.0 License||OWASP_Click_Me_Project||https://www.owasp.org/index.php/OWASP_Click_Me_Project||Arun Kumar||Arun.Kumar@owasp.org||Clickjacker will check if the target web page URL (involving sensitive data) is vulnerable to Clickjacking by creating an HTML page, i.e. checking whether it can be loaded from a frame. If your site is vulnerable to Clickjacking then the page will get loaded in a frame.||Samantha Groves||Arun Kumar||N/A||March, 2014||https://github.com/beingArunkumar/OWASP-ClickMe/releases/download/v1.0/OWASPClickMe.zip|
|I||OWASP Secure TDD Project||Tool||Apache 2.0 License||OWASP_Secure_TDD_Project||https://www.owasp.org/index.php/OWASP_Secure_TDD_Project||Nir Valtman||email@example.com||This project should contain a tool that allows creating security unit tests as part of the Test Driven Development (TDD) process. The output of this page is documentation about the process and an open source Visual Studio add-on. Today in the agile development world, many streams are based on Test Driven Development (TDD). This project presents the approach to reuse this concept in the context of security.||Lauren Tabak||Nir Valtman||N/A||June, 2014||https://github.com/SecureTDD/VisualStudio|
|I||OWASP XSecurity Project||Tool||GNU General Public License version 3.0 (GPLv3)||OWASP_XSecurity_Project||https://www.owasp.org/index.php/OWASP_XSecurity_Project||Tokuji Akamine||Tokuji.Akamine@owasp.org||XSecurity is a security plugin for Xcode plus clang static analyzer checkers for iOS application development. This plugin aims to reduce the vulnerabilities introduced during development by detecting them as they are being created.||Raymund Pedraita||Tokuji Akamine||N/A||April, 2014||https://github.com/XSecurity|
|I||OWASP Pyttacker Project||Tool||GNU General Public License version 3.0 (GPLv3)||OWASP_Pyttacker_Project||https://www.owasp.org/index.php/OWASP_Pyttacker_Project||Mario Robles||firstname.lastname@example.org||Pyttacker is a portable web server that includes the features every pentester needs when creating reports, helping to create PoCs that show, in a more descriptive way, how to create awareness for the business by demonstrating realistic but inoffensive "attacks" included as part of the tool.||NA||Mario Robles||N/A||4/26/2014||https://github.com/RoblesT/pyttacker/archive/master.zip|
|I||OWASP Code Pulse Project||Tool||Apache 2.0 License||OWASP_Code_Pulse_Project||https://www.owasp.org/index.php/OWASP_Code_Pulse_Project||Hassan Radwan||Hassan.Radwan@owasp.org||Code Pulse is a tool that provides insight into the real-time code coverage of black box testing activities. Code Pulse is a software tool, and as such will be delivered as downloadable software that users can run on their systems. Our intent is to be a cross-platform application that runs on Windows, OS X, and Linux.||NA||Hassan Radwan||N/A||5/28/2014||https://github.com/secdec/codepulse/releases|
|Breaker||Verification||I||OWASP HTTP POST Tool||Tool||GNU General Public License version 3.0 (GPLv3)||owasp-http-post-tool||https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool||Tom Brennan||email@example.com||This QA tool was created to allow you to test your web applications for availability concerns from HTTP GET and HTTP POST denial of service attacks.||NA||Tom Brennan||N/A||12/1/2010||https://github.com/proactiveRISK/ddos-toolbox||Version 4.0 currently in the works.|
|I||OWASP PHP Security Training Project||Tool||GNU GPL v3 License||firstname.lastname@example.org||https://www.owasp.org/index.php/OWASP_PHP_Security_Training_Project||Timo Pagel||email@example.com||The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided into an attack and a defense part.||NA||Timo Pagel||N/A||May, 2014||https://bitbucket.org/tpagel/php-security-training-system|
|I||OWASP iOSForensic||Tool||GNU GPL v3||owasp_ios_forensic_project||https://www.owasp.org/index.php/Projects/OWASP_iOSForensic||Florian Pradines, Ely de Travieso||Florian.Pradines@owasp.org, firstname.lastname@example.org||OWASP iOSForensic is a Python tool to help in forensic analysis on iOS. It gets files and logs, extracts sqlite3 databases and uncompresses .plist files into XML.|
|I||OWASP Project Metrics||Tool||GNU GPL v3||https://www.owasp.org/index.php/OWASP_Project_Metrics||Federico Figus||email@example.com||The goal of this project is to create an automated tool able to connect to the majority of distributed version control systems (DVCS) and generate data to measure project activity and quality using metrics and standard practices.||NA||Federico Figus||N/A||N/A||Project was created in June. No release yet.|
|I||OWASP Store Sheep Project||Tool||GNU GPL||firstname.lastname@example.org||https://www.owasp.org/index.php/OWASP_Store_Sheep_Project||Marion McCune||email@example.com||Store Sheep is a training app for developers wishing to learn to securely code a Windows Store ('Metro Style') app, and testers wanting to learn to test one. It contains a number of security vulnerabilities with explanations and fixes for them.||NA||Marion McCune||N/A||N/A||Project was created in June, but there have been no updates since then. Status update has been requested from project leader.|
|I||OWASP SonarQube Project||Tool||Apache 2.0 License||firstname.lastname@example.org||https://www.owasp.org/index.php/OWASP_SonarQube_Project||Sebastien Gioria; Freddy Mallet||email@example.com||SonarQube is an open platform to manage code quality. The project consists of delivering a set of "standard" security profiles (an OWASP Top 10 profile, ASVS profiles, a PCI-DSS profile, ...) that can be used by teams with the support of OWASP.||NA||Sebastien Gioria||N/A||N/A||Project was created in June, but there have been no updates since then. Status update has been requested from project leader.|
|I||OWASP URL Checker||Tool||GNU GPL v3 license||owasp_url_checker||https://www.owasp.org/index.php/OWASP_URL_Checker||Craig Fox||firstname.lastname@example.org||An open source scriptable tool to scan websites for URLs which may lead to information disclosure, exploits and common attack patterns.||NA||Craig Fox||N/A||April, 2014||http://www.dreamwalker-software.com/uploads/2/5/3/9/25390328/url_checker_v3_pentest_edition.zip|
|I||OWASP Rainbow Maker Project||Tool||GNU GPL v2||owasp_rainbow_maker||https://www.owasp.org/index.php/OWASP_Rainbow_Maker_Project||Tal Melamed||email@example.com||OWASP Rainbow Maker is a tool aimed at breaking hash signatures. It allows testers to insert a hash value and the possible keywords and values that might be used by the application to create it; it then tries multiple combinations to find the format used to generate the hash value.||NA||Tal Melamed||N/A||January, 2014||https://github.com/nu11p0inter/RainbowMaker/releases|
|I||OWASP JSEC CVE Details||Tool||GNU GPL v3||owasp-jsec-cve-details||https://www.owasp.org/index.php/OWASP_JSEC_CVE_Details||Dibyendu Sikdar||firstname.lastname@example.org||JSEC CVE DETAILS is an open source application developed in Java that uses the API provided by cvedetails.com to receive the latest CVE updates.||N/A||Dibyendu Sikdar||N/A||June, 2014||http://dibsy.github.io/JSEC_CVE_DETAILS/|
|Breaker||Verification||I||OWASP ASIDE Project||Tool||Creative Commons ShareAlike v.3||owasp-aside-project||https://www.owasp.org/index.php/OWASP_ASIDE_Project||Jing Xie, Bill Chu, John Melton||email@example.com, firstname.lastname@example.org, email@example.com||Assured Software Integrated Development Environment (ASIDE) is an Eclipse plugin, a software tool primarily designed to help students write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs. ASIDE may be useful to professional developers as well.||NA||Jing Xie||N/A||April, 2014||http://webpages.uncc.edu/~jzhu16/edu.uncc.sis.aside_22.214.171.124302251700.jar|
|Other||I||OWASP Data Exchange Format Project||Document||Apache License V2.0||owasp-data-exchange-format||https://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project||Psiinon, Dinis Cruz||firstname.lastname@example.org, email@example.com||To define an open format for exchanging data between pentest tools.||Daniel Brzozowski||Simon Bennetts||N/A||July, 2011||https://code.google.com/p/owasp-def/||Updated work was posted in June.|
|Builder||Construction||I||OWASP Cheat Sheets Project||Document||Creative Commons Attribution ShareAlike License V3.0||owasp-cheat-sheets||https://www.owasp.org/index.php/Cheat_Sheets||Sherif Koussa, Jim Manico||firstname.lastname@example.org, email@example.com||This project was created to provide a concise collection of high value information on specific security topics.||Michael Coates||Jim Manico||N/A||Constant updates||https://www.owasp.org/index.php/Cheat_Sheets#tab=Main||This project is constantly revising and adding new cheat sheets. Currently working on a print edition.|
|Builder||Construction||I||OWASP Proactive Controls||Document||Creative Commons Attribution ShareAlike 3.0 License||firstname.lastname@example.org||https://www.owasp.org/index.php/OWASP_Proactive_Controls||Andrew van der Stock||email@example.com||A Top 10 like document, phrased in a positive, testable manner, that describes the Top 10 controls architects and developers should absolutely, 100% include in every project.||Danny Harris, Stephen de Vries, Andrew Van Der Stock||Andrew van der Stock||N/A||March, 2014||https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Top_Ten_Proactive_Controls|
|Builder||Construction||I||OWASP Enterprise Application Security Project||Document||Creative Commons Attribution ShareAlike License V3.0||owasp-eas||https://www.owasp.org/index.php/OWASP_Enterprise_Application_Security_Project||Alexander Polyakov||firstname.lastname@example.org||Enterprise application security is one of the major topics in the overall security area because those applications control money and resources, and every security violation can result in a significant monetary loss. The purpose of this project is to make people aware of enterprise application security problems and to create a guideline for EA security assessment.||Dmitriy Evdokimov||Alexander Polyakov||N/A||July, 2014||http://erpscan.com/wp-content/uploads/2014/05/EASSEC-PVAG-ABAP.pdf||The latest release was part of another project. The 55 page document that's part of the Enterprise Application Security Project can be found through the release link.|
|Breaker||Verification||I||OWASP GoatDroid Project||Document||GNU GPL v3 license||owasp-mobile-security-project||https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project||Jack Mannino||Jack@nvisiumsecurity.com||The OWASP GoatDroid Project is the Android equivalent to the iGoat Project. Inspired by WebGoat, this project will help educate Android developers on security issues they'll encounter when writing applications.||N/A||Jack Mannino||N/A||Fall, 2013||https://github.com/jackMannino/OWASP-GoatDroid-Project/commits/master||Reverted back to a clean project in April, 2014.|
|Other||I||OWASP Request For Proposal||Document||Unknown||owasp-rfp-criteria||https://www.owasp.org/index.php/OWASP_RFP-Criteria||Tom Brennan||email@example.com||The purpose of this project is simply to provide an objective list and an aggregate set of questions for companies to utilize when they issue RFPs for web application security.||N/A||Tom Brennan||N/A|
|Breaker||Verification||I||OWASP University Challenge||Document||Creative Commons Attribution ShareAlike 3.0 License||OWASP_University_Challenge||https://www.owasp.org/index.php/OWASP_University_Challenge||Ivan Buetler, Mateo Martinez||Ivan (firstname.lastname@example.org), Mateo (Mateo.Martinez@owasp.org)||As first organized at OWASP AppSec-US 2011 in Minneapolis, this project is to enable "attack & defend" challenges, first at OWASP AppSec conferences and later also outside AppSec conferences.||N/A||Martin Knobloch||N/A||AppSec EU 2014||Event held at most of the main AppSec events; the last event was held at AppSec EU 2014.|
|Breaker||Verification||I||OWASP Hacking-Lab||Document||Creative Commons Attribution ShareAlike 3.0 License||OWASP_Hacking_Lab||https://www.owasp.org/index.php/OWASP_Hacking_Lab||Ivan Buetler, Mateo Martinez||Ivan (email@example.com), Mateo (Mateo.Martinez@owasp.org)||The current OWASP Hacking-Lab challenge (https://www.hacking-lab.com/Remote_Sec_Lab/free-owasp-top10-lab.html) is a great success! Currently there is one challenge, the OWASP Top Ten, with 1164 registered users and more than 500 solutions sent in and verified by the OWASP teachers. The goal is to provide an open and transparent process for the challenges and the teachers, and to continuously work on extending the available challenges.||Martin Knobloch||Martin Knobloch||N/A||https://www.hacking-lab.com/index.html|
|Defender||Verification||I||WASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC)||Document||Creative Commons Attribution License 2.5||https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project||Ofer Shezaf||firstname.lastname@example.org||WAFEC provides interested parties, including users, vendors and third-party evaluators, with a tool to define, learn about and evaluate the suitability of different WAFs for their needs.||Achim Hoffmann||Ofer Shezaf||N/A||1/1/2006||http://projects.webappsec.org/f/wasc-wafec-v1.0.pdf||The last update was in January, 2013, and there has been no release since 2006. The project leader does not respond to emails, but the project mailing list is active with reviewers.|
|Other||Governance||I||OWASP CISO Survey||Document||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_CISO_Survey||https://www.owasp.org/index.php/OWASP_CISO_Survey||Tobias Gondrom||email@example.com||CISO Survey and later the CISO Report on Application and Information Security trends. Also provides input and data for the CISO Guide.||Tobias Gondrom||N/A||January, 2014||https://www.owasp.org/index.php/OWASP_CISO_Survey|
|Defender||Governance||I||OWASP Application Security Guide For CISOs||Document||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Application_Security_Guide_For_CISOs||https://www.owasp.org/index.php/OWASP_Application_Security_Guide_For_CISOs_Project||Marco Morana||Marco.firstname.lastname@example.org||The purpose of this document is to guide the CISO in managing application security from the initial problem statement to delivery of the solution. We start this journey with the creation of the business case for investing in application security, followed by awareness of the threats targeting applications, the identification of the economic impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks, and the adoption of secure software development processes and maturity models; we conclude this journey with the selection of metrics for reporting and managing application security risk. More information about this project can be found on the introductory page of the guide: https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs||Tobias Gondrom||Marco Morana||N/A||November, 2013||https://www.owasp.org/images/d/d6/Owasp-ciso-guide.pdf|
|Builder||Construction||I||OWASP Cornucopia||Document||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Cornucopia||https://www.owasp.org/index.php/OWASP_Cornucopia||Colin Watson||Colin.Watson@owasp.org||Cornucopia is a card game used to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories. An edition for ecommerce websites exists and alternative versions are planned.||Simon Bennetts, Stephen de Vries||Colin Watson||N/A||March, 2014||https://www.owasp.org/images/7/71/Owasp-cornucopia-ecommerce_website.pdf|
|I||OWASP Secure Application Design Project||Document||OWASP_Secure_Application_Design||https://www.owasp.org/index.php/OWASP_Secure_Application_Design_Project||Ashish Rao||Ashish.Rao@owasp.org||Design-level flaws are less well known, but their presence poses a very big risk to applications. Such flaws are hard to find in static or dynamic application scans and instead require a deep understanding of the application architecture and layout to uncover manually. Design-level security is crucial and must be adopted at an early stage of application development to build a robust system. The aim of this project is therefore to impart secure design guidelines to application developers. The project will highlight vulnerable areas in application designs through real-world examples and scenarios and touch on different aspects of design-level security. The focus will also be on explaining the measures to be taken to prevent such flaws while designing applications. The guidelines will cover core design concepts that are applicable to any application, independent of the platform. Most of the design flaws will be discussed using sample code incorporated in an insecure design application. The project will also focus on releasing a secure design checklist for reviewing application designs or threat modelling them.||NA||Ashish Rao||N/A||https://www.owasp.org/images/f/f7/Checklist_For_Design.pdf||There have been two releases since the project's inception, but due to errors the release has been rolled back to the original. A new release is in the works.|