Incubator Project Application
Timestamp | What is the name of the Project? | What type of project would you like to create? | Which open source license will your project be using? | Project leader name | What is your email address? | What is your SourceForge ID (if you have one)? | What do you expect to be your project's tangible deliverable? | How would you describe your project in 250 characters? | What is the roadmap for your project? | Additional Comments | What is your OWASP Wiki ID (if you have one)? | Will you require a GitHub repository for your project? | If so, then what is your GitHub account name? | Project Details Page | Notes
10/12/2011 4:20:50Top 10 DefensesDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 LicenseAndrew van der Stockvanderaj@owasp.orgajvWiki + PDFA Top 10 like document, phrased in a positive, testable manner that describes the Top 10 controls architects and developers should absolutely, 100% include in every project. commentary in Leaders list as well as recommendation by Mark Curphey et al for a new project. vanderaj
10/12/2011 13:31:48ESSSDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 LicenseMike Boberskiboberski_michael@bah.comA series of "standards" documentsWhile third-party penetration test reports might provide a clean bill of health, no vulnerabilities, this does little to satisfy concerns that enterprise software was designed and developed in a well-constructed manner. It's that part ESSS addresses.ESSS#1: Mandatory Injection Protection - Draft Version 0.1
ESSS#2: Comprehensive Secret Protection - Draft Version 0.1
ESSS#3: Transaction Protection - Draft Version 0.1
ESSS#4: Inherent Web Service Protection - Draft Version 0.1
ESSS#5: Non-Bypassable Access Control Protection - Under Construction
ESSS#6: PKI & WS-Security Protection - Under Construction
ESSS#7: PKI & SAML Protection -Under Construction
ESSS#8: Inherent Mobile Code Protection - Under Construction
Project content is currently hosted at, the new OWASP project page would include links to that site, similar to OpenSAMM. Please see for current project materials.mike.boberski owasp_esss@lists.owasp.org1. Project already underway. Waiting for GPC advice to see if we should create OWASP version of it2. Request withdrawn by submitter. (7 Aug 2012: Mike has gotten back to me. He has gone ahead and started this project without OWASP. He is not too keen on creating an OWASP version, but is willing to do it if others are interested. I have asked the board for their input. Waiting to hear back from them) (9 Aug 2012: Board got back to me with their input. I have contacted Mike to ask if he would be interested in labeling his project as an OWASP project so he can benefit from the brand and the community. I am waiting to hear back from him.) (10 Aug 2012: Mike has gotten back to me. He asked to have the project set up as an OWASP Project. The project set up is now complete.) (23 Aug 2012: Mike has decided to withdraw the project. He found the release review process too complicated/fussy)
10/13/2011 5:26:41File Hash RepositoryTool ProjectApache 2.0 LicenseLucas C. Ferreiralucas.ferreira@owasp.orgExecutables: server and several clients. If possible a running instance of the server for clients to query.The goal of this project is to build a repository of hashes of executable and source files. This repository can then be queried by clients to determine the status of files based on their hashes. Some statuses are GOOD, MALWARE, SOURCE CHECKED, etc. This repository can consolidate several available sources (NIST, MHR, VirusTotal, etc) and provide better query capabilities.1. have a running version of the server able to answer queries via DNS
2. transform proof-of-concept code into production-ready code
3. have the server query sources for unknown hashes
4. implement other query interfaces
5. incorporate new information sources
6. produce an upload interface
proof-of-concept code is available.sapao seems to already be set up. Contacted Lucas to make sure it has been and if he needs anything else. (Aug 7 2012: Lucas has contacted me to confirm his project has already been set up. This project set up is now complete.)
10/20/2011 4:40:59WebGoat.NETTool ProjectGNU GPL v3Jerry Hoffjerry@owasp.orgWebGoat.NET ASP.NET Web ApplicationWebGoat.NET is a purposefully broken ASP.NET web application. It contains many common vulnerabilities, and is intended for use in classroom environments. WebGoat.NET currently has multiple modules that have been completed, and many that are not complete. I intend to elicit help from the OWASP community to continuously add and improve WebGoat.NET, in addition to working on this as often as I can to build WebGoat.NET into an enterprise-level training tool.Thank you!Jerry Hoff seems to already be set up. Contacted Jerry to make sure it has been and if he needs anything else.
10/28/2011 16:17:30AJAX Crawling ToolTool ProjectGNU GPL v3Skyler Onkenskyler.onken@gmail.comRunnable JARA tool which will automate the crawling of AJAX applications. It can be daisy-chained with other proxies (like ZAP or Burp) to allow the functionality of those tools to be used on aspects of a web app that traditional spidering tools will miss. Here is a demo of the tool so far: this tool will have another optional component that will allow fuzzing of these requests from within the tool itself if desired. However, at this point the AJAX crawling functionality is the true value. The target would be to have an automated fuzzing tool that would crawl a target site (including SOAP and REST) and then fuzz those discovered requests. At the end, the tool's deliverables would be for QA/Researchers to discover unprotected entry points and malformed input. seems to already be set up. Contacted Skyler to make sure it has been and if he needs anything else. Skyler got back to me. Set him up with an Email and mailing list. Set up complete.
11/8/2011 8:09:10smart city administrationTool ProjectApache 2.0 Licensemanish kumarmanish139051@gmail.commanish139051@gmail.comit will clearly tangiblethis project will provide the direct interface between the people and the administrator.this project will provide the direct interface between the people and the administratormanish139051@gmail.comI don't feel I have enough information. I have sent an e-mail to ask for more before I set this up. (7 Aug 2012: Have not heard back from Manish. I will leave this until the end of the week. If I have not heard back, then I will mark this project incomplete. (10 Aug 2012: I have not heard from Manish regarding this application. This project is now an incomplete application)
11/8/2011 8:09:29smart city administrationTool ProjectApache 2.0 Licensemanish kumarmanish139051@gmail.commanish139051@gmail.comit will clearly tangiblethis project will provide the direct interface between the people and the administrator.this project will provide the direct interface between the people and the administratormanish139051@gmail.comDuplicate Application
11/11/2011 13:16:01Java/J2EE Secure Development CurriculumDocumentation ProjectCreative Commons Attribution-NoDerivs 3.0 UnportedDr. A. L. Gottliebanthony.gottlieb@owasp.orgPDF documentThe OWASP Java/J2EE software security curriculum is offered as prescriptive guidance for those wishing to educate themselves or others on how to secure Java/J2EE software development. Included are core education tracks based on job
description and specialization tracks based on specific areas of software security.
Course descriptions are provided as a point of reference for those wishing to know what content OWASP recommends.
Because so few developers secure their software development, this curriculum shows:

1. The scope of software security is vast with respect to content throughout the SDLC
2. There are many appealing career paths within software security
3. What demonstrable skills need to be transferred to students
4. How to train an entire software development workforce to develop securely
5. What to do when a development shop must adopt secure software best practices
Contacted Dr. Gottlieb and asked him if he has this project set up already. I want to make sure before I start the process. Set up is pending while we wait for his confirmation. (7 Aug 2012: Was contacted by Dr. Gottlieb. He asked for the project to be set up. I have set it up for him. This set up is now complete.
12/19/2011 9:37:01xsserTool ProjectGNU GPL v3psyepsylon@riseup.nethttps://xsser.sf.neta Debian community packageCross Site "Scripter" (XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.

It contains several options to try to bypass certain filters, and various special techniques of code injection.
XSSer is currently in version 1.6b (01/12/2011), called "Grey Swarm"

The next step in the Roadmap is to stabilize the tool (bugfixing), to improve accuracy of the injections and to grow on the community.

Actually, XSSer allows WebSockets technology that are necessary to be researched in order to connect all the tools in a single direction. The name of this feature is "swarm", and needs to be tested as well as having new developments.

It is also necessary to investigate new XSS vectors.

Also, to implement a messaging system and enhance the functionality of connection between XSSer participants.

Finally, it is necessary to give more visibility to the tool
The main objective is to provide a free software tool specialized in the exploitation of XSS attacks, the second most common vulnerability as ranked by OWASP.Looks like a great project. Waiting for him to confirm his name as he left this field blank so I can't set up an e-mail for him. Project set up pending his reply. (7 Aug 2012: Have not had a reply from him. I will wait until the end of the week. If I hear no reply, I will mark this project incomplete.) ( 14 Aug 2012: He/she has not supplied me with his real name so I am marking this application as incomplete) (Aug 23 2012: Epsylon has come back to me with his real name. Fabio Cerullo and I had a meeting to discuss this project as Epsylon would like to donate his project to OWASP. I saw no issue with this as he was honest about his identity, as far as we could tell, and he only wanted to donate the project. I have set him up with all the necessary materials, and I have communicated the donation process to him. This project set up is now complete.)
12/20/2011 0:06:45AW00tCode ProjectGNU GPL v2Nitin Aryanitin.arya@owasp.orgRevealing the beuty of small code that changes a malicious file to a trusted one. Combining them will make a quick payload generator .Its an implementation of binary stubs from basic to the polymorphic code that will show how viruses and malicious files get themselves undetected from the Antiviruses.

The generated stubs can be appended to any program and also a new approach of AV avoidance will be shown also special programs for hunting down the signatures and extracting them, and editing them for better use will be incorporated.
This program will help in generating a better AV approach via understanding the basics of signature pattern and other latest techniques that fail at some point in detecting the malicious code .
We can personally configure our AV for better protection after we go deep in this project.
The AW00T will be provided both as command line and separate binaries for its implementation. It will enable us to have a deeper study about malicious codes as well as we will be testing all the AV vendors side by side.Nitin aryaThis project is waiting confirmation that it has not been set up for him yet. (9 Aug 2012: He has responded to my message, but it was not clear as to whether he wanted this project set up or not. I have contacted him again for further confirmation) Nitin has gotten back to me and confirmed that he wants the project set up. This project set up is now complete.
1/2/2012 21:39:52PassfaultCode ProjectGNU LGPL v3Cam Morriscam.morris@gmail.com3683875JARPassfault evaluates password strength and enforces password policy. It identifies patterns in a password then enumerates how many passwords fit within the identified patterns. This approach is more accurate and more intuitive. It allows administrators to know and control password risk, instead of hoping that users will create strong passwords.The core library is complete as well as a Java Applet and JSON Service. Remaining to do items follow:

- Maven build. Currently the core library is ant. The applet is a NetBeans project and the JSON service is an eclipse project.
- Document each pattern finder on the OWASP wiki
- ESAPI Authenticator Decorator: Implement an ESAPI Authenticator that will enhance an existing authenticator with passfault implementing the "verifyPasswordStrength" method.
- JQuery Plugin: A JQuery plugin that will let a web site use either the passfault applet or a passfault JSON Service to analyze a password
- Configuration File: Current configuration of word lists and pattern finders is in code only.
I was pursuing the possibility of selling this tool, but I decided I'd like it on OWASP. Passfault is currently published under AGPL, but if accepted by OWASP I think LGPL would be more appropriate.

Here some links that may be of interest:
Demo site:

Below is a list of patents I applied for while researching this approach (Novell owns them and I ceased employment there in 2008). Passfault does not infringe on any of these patents but they should probably be listed up front. Passfault implements an alternative to the first patent. The rest of the patents could be implemented using passfault.
2/8/2012 14:12:36OctoMSCode ProjectCreative Commons Attribution ShareAlike 3.0 LicenseValentino-Jivko Radosavlevicivalentino@radosavlevici.comA zip archive containing the PHP FrameworkOctoMS is a free open-source PHP Framework designed on the MVC pattern that focuses on delivering useful debugging information and both offline & online documentation inside the application that is being developed through an intuitive AJAX interface.OctoMS is an open-source project hosted on Google Projects:

The main attribute of the framework is a "Wizard", an AJAX interface that replaces the page the developer is currently working on if:
1. The script encounters a handleable error
2. The script fails to catch an Exception
3. The developer writes help(); in the controller that serves the current page
4. The developer appends ?debug:developer@email.address to the current page's URL

This wizard consists of 2 windows:
1. Search area
The developer can search for detailed usage information on any of the methods created in the application.
Example: searching for "view -core" will return the list of methods found in the view core library with the following information:
* Description
* List of parameters
* Return values
* Code examples
* How to deploy the "view" core library in the controller
This information is gathered by reading the application source-files and indexing the method comments.

The developer can also search for online help and use task management tools through the SSL-encrypted API provided by This section of the project is a Software as a Service (SaaS) and is available for an individual monthly fee.

2. Debugging area
In the event of an error the debugging area shows a new window detailing where the error occurred and a backtrace. Code previews from the files listed in the backtrace tree are also shown.

The developer can debug any web page of the application. The debugging information returned is:
* Routing directives
* Controller information
* List of loaded object (libraries and models)
* List of available helper functions
* Memory and time consumption
* Headers list
* Output buffer
2/9/2012 12:50:19PHP TestCode ProjectApache 2.0 LicenseAkhil V Lakhiltulip@gmail.comsdsdsdssdssdsd
2/27/2012 9:11:26OWASP BSI IT-Grundschutz Baustein Webanwendungen ReviewDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 LicenseRalf Reinhardtralf.reinhardt@owasp.orgpdfTechnical review of the module web application
("Baustein Webanwendungen") of the IT-baseline protection catalog ("IT
Grundschutz Katalog") of the German Federal Office for Information
Security ("BSI") from the OWASP's point of view.
- Building a core review team
- Review of the BSI documents
- Review of OWASP's review itself
- Releasing the results
The German "Federal Office for Information Security" (BSI), which is
comparable to departments focused on security in organizations like NIST
or CCTA, offers the IT Baseline Protection ("IT-Grundschutz") for public
usage, which is based on ISO/IEC 27001. The IT Baseline Protection
include a catalog of approx. 80 "Bausteine" (building blocks). Those
blocks are dealing with one particular subject of IT security. They are
usually written in the German language and later translated to English.
They become the de facto standard for IT security and related
certifications in Germany after they are finally released.

In January 2012 the draft of the block "Webanwendungen" (web
applications) was released with a request for comments. Since this is
the core expertise of OWASP we invited a delegate of the BSI to attend
the last chapter meeting of the German Chapter which took place in
Frankfurt / Main on the 3rd of February. The meeting's outcome was the
strong wish to perform a review of that very web application block as an
OWASP project. This project will help to expand the visibility of OWASP
in the German IT security landscape broadly.

Project links to external sites:
BSI itself:
About "BSI":
About "IT-Grundschutz Katalog":
BSI main documents (German language):
BSI "Entwurf Baustein Webanwendungen" (German language):
Ralf ReinhardtProject seems to already be set up. Contacted Ralf so he can confirm this to me, and asked if he needed further assistance from us. Waiting to hear back. (Sept 5 2012: I have gotten a response from Ralf. The project is currently completed and in the process of being reviewed by the BSI)
3/7/2012 23:45:45wap2goTool ProjectCreative Commons Attribution ShareAlike 3.0 Licensejamaldinibrahim_jamaldeen@yahoo.comhttp://jamal880.peperonity.comcommunity welcomenonenoneContacted Ibrahim to ask if he was still interested in pursuing this project.
3/9/2012 13:05:35OWTFTool ProjectBSD LicenseAbraham Arangurenabraham.aranguren@gmail.comA downloadable tool (mostly python)The Offensive (Web) Testing Framework is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient.
Please see:
The roadmap is to improve security testing efficiency by gradually integrate the best tools to unite them and make them work together with the security tester instead of having the security tester babysit them.

OWTF also aims to be a repository of PoC resource links to assist exploitation of vulnerabilities in order to illustrate risk to businesses.
Please see:
3/20/2012 10:26:53tsonyCode ProjectGNU GPL v2thehuuthecusc@gmail.comhuuthecuscsa dfad ad ad as a dad a dad Huuthe
3/31/2012 11:06:41testCode ProjectGNU GPL v2testtesttesttesttesttesttesttest
4/5/2012 6:20:28dddCode ProjectGNU GPL v2dexdd@d.comskdslkkdjfkdfkdkfjkdfjkkjkdjjdkjdkdsjkd.cklxklk
4/6/2012 10:29:24ShoppingOnlineCode ProjectGNU GPL v2Quocquocnsh@yahoo.comI would like web security betterMy project would like to build the website to support user can buy some items in the internet. At first, i want to build the simple website. After that, I try to improve security about this web site.Contacted Quoc and asked him for more information on his project. I suspect he has trouble with English and that is why his submission is less robust.
4/17/2012 13:45:19OWASP Java Uncertain Form Submit PreventionCode ProjectGNU GPL v3Pravin Kaushikpravinkaushik.bsp@gmail.comJARJava Uncertain Form Submit Prevention will be useful to develop web application that avoid duplicate and unauthorized post.
There are already token is present in servlet but it has limitation.
Like -Not able to handle multiple request from a client.

From Start
Analysis - 10 days
Code Implementation -15 days
Testing (Manual and Atomization) -10 days
Time to Time enhancement (if require)
4/27/2012 6:34:40SarvatraCode ProjectApache 2.0 Licenseaaadhaval.maheshwari@sarvatra.injar abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc abc
5/3/2012 7:59:18ECUADORCode ProjectGNU GPL v3Diego Balsecadbalseca@slogic-ec.comParticipant IPCopOWAS Community for Latin people (Ecuador)- 2 Month enrollment of participants
- 6 month Ecuador OWAS Community
5/11/2012 20:59:32Odz MultiCMSScannerTool ProjectGNU GPL v3Mennouchi Islam Azeddineazeddine.mennouchi@owasp.orgmiahacka multi languages (php,python)Odz MulticmsScanner is a vulns. scanner for Joomla, WP, Xoops, Nuke that can scan the whole server of any sites with the previous scripts installed in and then detect their vulns.Our project starts with a PHP version and then we will start working on a python version and a GUI version in the futureProject Contributor : Khaled ===> ked-h@hotmail.comMennouchi IIslam AzeddineProject Seems to be set up. Contacted Azeddine to make sure. Waiting for his reply. Fixed the structure of their wiki page. (9 Aug 2012: The project has already been set up. I have received confirmation from Azeddine Islam) This project set up is now confirmed.
5/19/2012 12:50:39shopingcartCode ProjectBSD projectIncomplete. Waiting for Manish to give me more information. I will wait five days until I mark this an incomplete Project. (10 Aug 2012: I have not received word from the project lead. This project is now marked as incomplete application.)
5/22/2012 15:03:49SokaCode ProjectGNU GPL v2Abecndcanyon@gmail.com5214yesThis description will be used to summarize your project on the OWASP Projects Portal. This description is meant to be a very quick overview (250 character limit) of your project that let's a consumer walk The purpose of the roadmap is to help others understand what your vision for the project is and where the project is going. It gives the community a chance to understand the context and the goal of the sss5214
6/1/2012 3:49:27Forensic GuideDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 LicenseCarlos Solis Salazarcarlos.solis@gmail.comcarlossolisPDF document, VideoA massive document covering all aspects of forensic analysis applications, which includes items such as how to conduct a forensic analysis and application to be considered at the time of development to make the subsequent forensic analysisDevelop a document that specifies the aspects to consider in the forensic process, such as identification, preservation, analysis and presentation, which will deepen the tools and techniques to execute each of the stages.
Also, will touch all aspects of the considerations to make when developing an application to facilitate forensic analysis applications.
It is estimated that the first version of the document is available in 6-8 months.
Carlos SolísProject seems to already be set up. I contacted Carlos to confirm this. Their wiki page was not set up the right way either, so I fixed it for them. Waiting to hear back from Carlos now. (Aug 14 2012: contacted him one last time for confirmation)
6/2/2012 9:03:59BellonaTool ProjectGNU GPL v3R3boot3r@Xriankashyap@gmail.compdfDdos pentest engineidk
6/9/2012 2:05:05PRACTICETool ProjectGNU GPL v3HIeethatch00@hotmail.comHackingIt is going to be awesomeIDK
5/4/2012 15:42:05global-virtualCode ProjectCreative Commons Attribution ShareAlike 3.0 Licenseevertronever@ever.comloanderddsfoi dofsij pasok ejw ijwo posdf k dsofk pok efjk oepkf we
6/21/2012 18:15:06XeleniumTool ProjectGNU GPL v3Vasanthkumar Velayudhamvvk.victory@gmail.com Testing ToolHi,

Warm Greetings!!!

I propose the Xelenium project under OWASP initiative. Here the objective is to use the powerful features of open source functional test automation tool - Selenium in identifying the security threats. I would like to develop a flexible automated solution, which would identify various security threats present in the application.
Please find below the current roadmap for Xelenium project:

Current Status:

Xelenium solution is available which can be used to identify the reflected cross site scripting threats. Please refer the sourceforge link mentioned above.


Addressing the current limitations of Xelenium
- Support for textboxes present in multiple iframes of a window.
- Support for predefined values of the field.


Including the feature to identify DOM based XSS in web application.

Sep - Oct'12:

Including the feature to identify HTTP Splitting bugs in web application.

Nov - Dec'12:

Including the feature to identify SQL injection bugs in web application.
I would request the coordinators to try the current Xelenium solution, which is available in the below mentioned link.

I would be grateful if you provide me with your feedback, which would help me in enhancing this solution.

Thanks, looking forward for your support for my humble effort.
(Aug 8 2012) I believe this project has already been set up. I emailed the project lead to confirm this. (Aug 15 2012: I have e-mailed the project lead again today. I have not had a reply at all. If I do not hear from him by the end of the week, I will mark his project active as this is the status it seems to be under)
6/23/2012 20:31:05Intelligent SecurityCode ProjectGNU GPL v3Arvind Iyerarvind05@gmail.comA packaged VMThis project will create a code library that implements machine learning concepts for use in security applications/tools/modules. The project leader invites programmers, researchers and other subject-matter-experts to contribute to this effort. We will be joined by a shared belief that the future of application security is AI/machine learning.I believe that the future of application security is in AI/machine learning. To make meaningful use of machine learning concepts in app security requires teamwork and collaborating between open source contributors (the drivers of innovation in software) and researchers. This project aims to facilitate that. A detailed roadmap will be posted over the next few weeks as the project gains traction.(Aug 8 2012) I believe this project has already been set up. I emailed the project lead to confirm this. (Aug 15 2012: I have e-mailed the project lead again today. I have not had a reply at all. If I do not hear from him by the end of the week, I will mark his project active as this is the status it seems to be under)
6/24/2012 0:21:23OWASP 1-LinerCode ProjectCreative Commons Attribution ShareAlike 3.0 LicenseJohn Wilanderjohn.wilander@owasp.orgAn official demo system for OWASPOWASP 1-Liner is intended for demos (talks, tutorials, proof-of-concepts) and possibly training in application security. It's a deliberately vulnerable Java- and JavaScript-based chat application where users communicate via so called one-liners. A one-liner is a short text message sent into cyberspace, open to read for anyone accessing the system. Chat messages are only sent locally on the demo machine as for now.I've been coding and using the application for two years and also promised to release it. My plan is to release it at OWASP AppSec Research 2012 this summer if the project is accepted. Then the roadmap is to continue adding demos just like I have before. Hopefully other community members will like it and start adding demos too.I've already put it on GitHub: Check it out and let me know if you get it working or have issues.

The repo contains several other libraries which are all free software but under a variety of licenses. See the readme file for an overview. 8 2012) I believe this project has already been set up. I emailed the project lead to confirm this. Have updated the project wiki page to reflect standard project wiki page set up. (9 August 2012: John has confirmed the project set up.) Set up Completed
6/25/2012 16:30:12proyectoCode ProjectApache 2.0 Licenseproyectoraulito_mat_hotmail.comAsoAsolocalhost/proyecto/proyecto
6/27/2012 13:54:16Path TraverserTool ProjectAttribution-NonCommercial-NoDerivs 3.0 Unported (CC BY-NC-ND 3.0Tal Melamedtalm@appsec.itexecutablePath Traverser is a tool for security testing of web applications.
It simulates a real Path Traversal attack, only with actual existing files.

It operates as a middleman between the web application and its host server, which gives the ability to test the actual files as found in the host server against the application, according to their relevant path.

After you have provided the relevant details, Path Traverser will connect (FTP) to your host server in order to pull out the list of files.
Then, it manipulates the list taken from the file system so it will fit the web application by changing their paths.

If your application could be found at: http://mysrvr:777/home
and the application files could be found in the file system under: myapps/demoapp/client/version/lastversion/, requests for files under: /myapps/demoapp/client/version/1.1/ will be created as: http://mysrvr:777/home/../1.1/ and requests for files under/myapp/differentapp/files/ will be created as: http://mysrvr:777/home/../../../../differentapp/files/, etc...

After that, the Path Traverser will start sending these requests one by one and log the results by the HTTP Response code selected.

A configuration for excluding/including specific file types is available.
alpha: (Win 32/64) - released

beta: (Win 32/64, MacOS) - Aug 31
*minor bugs fix, *MacOS compatibility

GA: (Win 32,64, MacOS, Linux) - Dec 31
*optimization, *Linux compatibility, *minor bugs fix
alpha version is available for free @

There are still undiscovered bugs which causes it to crash.

7/1/2012 7:11:21watiqayTool ProjectGNU GPL v2Carlos Ganoza Plasenciacganozap@gmail.comsource codeprevents attacks of layer 7 to various websites where client service is running, will have capacity to restore the vulnerable websites and will have a continuous warning system in a personalized way.Base structure (70%)
Basic documentation (10%)
GUI integration (50%)
Monitor function with crontab (100%)
alert system (90%)
change detection (100%)
django support (0%)

Stage two (additional features)
Blocking IP's (0%)
Remote restore (0%)
Site Blocked (0%)

watiqay team:
John Vargas Pérez (OWASP Perú Chapter Leader, Security Consultant at Open-Sec): Technical Advisory
Nicolás Valcárcel (Ubuntu Perú Member): python module
David Salcedo (web developer at SirDev): GUI design
Carlos Ganoza PlasenciaCompleted
7/2/2012 22:46:28OWASP Mantra OSTool ProjectCreative Commons Attribution ShareAlike 3.0 LicenseGregory Disneygddisney@gmail.comBackSploitISO for USB & ARMChromium OS is a safe, fast and secure sand-boxed OS. This makes it ideal to continue on the OWASP Mantra security toolkit project by completing it as an operating system. Roadmap:
1. Get UI and tools working on Chromium OS
2. Brand Chromium OS as OWASP Mantra OS
3. Add additional tools such as CISCO toolkit and others used by testers.
4. Add Backtrack toolkit to Mantra OS

Goal to have project in beta by August
A. Possibly have a marketable tool built on the raspberry pi to help further the OWASP project
Gregory DisneyDoes not have a contact e-mail. I took a shot and sent out an e-mail to a Gmail account using his name. I'll see if this works. He has e-mailed me back and confirmed his application. This project set up is now complete. (8 Aug 2012)
7/24/2012 11:47:02Mark DenihanTool ProjectGNU GPL v3Mark Denihanmarkdenihan@gmail.commarkdenihanA security awareness web application including a portable cross platform compatible server package Security Shepherd is a security aware in depth project. Designed with the aim of fostering security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills.The current objectives of the Security Shepherd project are;

To create more levels to provide a wider coverage of vulnerabilities

Extend admin UI configuration options

Create a cloud like synchronizing mechanism to enable automatic updating.

Create a framework for creating levels so that users with no programming experience can contribute.
This Project was used for the CTF at the OWASP Google Hackathon in July

Security Shepherd is made up of two parts:
A secure dashboard application that serves up the levels for the user and an exposed server that hosts the sub applications with vulnerabilities. The vulnerabilities are real and are hardened or disarmed so that they cannot be used to compromise or destroy the application server or its environment.
7/24/2012 18:56:41Xenotix XSS TesterTool ProjectCreative Commons Attribution ShareAlike 3.0 LicenseAjin Abrahamajin25@gmail.comDownloadable toolXenotix XSS Tester is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. This tool can inject codes into a webpage which are vulnerable to XSS. It is basically a payload list based XSS Scanner. It provides a penetration tester the ability to test all the possible XSS payloads available in the payload list against a web application with ease.Version 1

• Built in XSS Payloads
• XSS Key logger
• XSS Executable Drive-by downloader
• Automatic XSS Testing
• XSS Encoder
Completed(10 Aug 2012: Project Lead removed application)
7/25/2012 23:12:58study loak moscowCode ProjectGNU GPL v3SLMToolsh683995@rtrtr.comfor testing onlyFor testingfor testing!
7/29/2012 20:08:58polCode ProjectGNU GPL v2genoplamour010101bbbbb
8/1/2012 19:43:38Xenotix XSS Exploit FrameworkTool ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Ajin Abrahamajin25@gmail.comA downloadable executable binaryXenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. This tool can inject codes into a webpage which are vulnerable to XSS. It is basically a payload list based XSS Scanner. It provides a penetration tester the ability to test all the possible XSS payloads available in the payload list against a web application with ease. The tool supports both manual mode and automated time sharing based test modes. It includes a XSS encoder, a victim side keystroke logger, and an Executable Drive-by downloader.current features
Built in XSS Payloads
XSS Key logger
XSS Executable Drive-by downloader
Automatic XSS Testing
XSS Encoder

To be implemented in future
support for Gecko and WebKit rendering engines
XSS Proxy to tunnel victim-server communication project might be a duplicate of one I already set up but I am not certain. I have e-mailed the project leader to make sure. I am waiting to hear back from him. (9 Aug 2012) (10 Aug 2012: Project leader has gotten back to me. He says that the original project application is incorrect and that this is the right one. I have deleted the first application/project pages and I have updated his information with this project. The project set up is now complete.)
8/3/2012 14:51:56hutrapCode ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
8/6/2012 16:59:56setDocumentation ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)testkakanda@gmal.comtesttesttest
8/21/2012 9:24:31TmtCode ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)hsjalice8790@gmail.comdownloadedacademic management programconfirm security level
8/21/2012 21:12:53OnyxCode ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)Abhishek Yadavabhi.xell@gmail.comAn ASP.NET secure application infrastructure.Our team envisions designing and developing a Secure and Optimized web application framework that could be implemented in any production grade web application built on ASP.NET framework.
The practices adopted would be implemented on an in-house application to benchmark and leverage performance and security of the application.
22/8/2012 : Finalizing Project Synopsis.
23/8/2012 : Communicating Design & Development Objectives.
24/8/2012 : Commencement of development of primary deliverables.
24/9/2012 : Submission of primary deliverables.
(Aug 28 2012: This project set up is now complete.)
8/28/2012 17:25:32OWASP Crossword of the MonthDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Reef D'Souzareeftim@gmail.comPDF, Flash file hosted onlineWe at MyAppSecurity plan on releasing fun application security related quizzes and crosswords which would help educate application developers and security professionals alike in a fun way.

I believe that this project will reach out to a bigger audience if it involved the OWASP community. I would like to lead an OWASP Crossword of the Month project which can be promoted via the OWASP Newsletter and other outlets.
Releasing a crossword once a month on secure development, application security, top breaches etc. which will help educate builders, breakers and defenders on application security in a fun interactive way.

Currently there is one such crossword hosted by MyAppSecurity which I have developed and I look forward to collaborating with the OWASP community on building more.
(Sept 5 2012: This project set up is now complete.)
8/31/2012 5:27:44unxzooTool ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)unxzoounxzoo@gmail.comThe knowledge by understand owasp functionallityThe first instance, I need to know what is the OWASP Project for this, the download is for this purpose.The next step in the test probably are contribute for the owasp project.(Sept 5 2012: I have contacted him regarding his application. He seems to only want information on OWASP and did not know who to ask) ( We have responded to his query. This project is now closed)
9/10/2012 15:03:30TestingTheWebCode ProjectGNU LGPL v3 License (similar to GPL but modified for use with libraries that may be called by other proprietary programs)TestingTheWebalexandrapaval@hotmail.comsecurity testTrying to check securityTrying to check security( Sept 20, 2012: I have asked Alexandra to provide more information on her project as she provided no roadmap and a very small description)
9/25/2012 6:58:10jjTool ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)jjkanjacobjames1990@gmail.comnovery goodi dnt knwhaha( Oct 04, 2012: Not a real application)
10/31/2012 23:15:01Periodic Table of VulnerabilitiesDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)James Landisjcl24@cornell.eduPDFThere are many anthologies of vulnerabilities and weaknesses (including CWE-25, TCv2, and OWASP top 10), but there is no attempt to classify these issues based on how they should best be solved. In the past, we have tried to teach developers how to avoid introducing these problems, but it appears via the lesson of Buffer Overflow that the only way we'll ever eliminate them is to make it impossible for developers to write vulnerable code at all. The periodic table classifies issues based on the most scalable solution, whether that be in frameworks, perimeter technologies, custom code, or fixing the browsers and standards responsible.There is really only one clear milestone, which is to ensure that the community agrees about how each vulnerability is most efficiently solved. The Periodic Table captures that agreement in an easily referenceable form. Ideally, the document will influence the direction of many other OWASP projects. For example, the Top 10 Defenses project might eventually choose to focus only on the issues that will require developer attention, or there may be different Top 10s for WAF vendors, framework developers, and browser vendors. A new project, similar to WAFEC, could also be started based on the Table which measures how well frameworks are actually meeting the requirements to address certain vulnerabilities. But once there is agreement, the Table will remain generally static, while accommodating new vulnerability research or lessons learned from trying to apply the table to real world situations.just requested "James Landis"Project Successfully Set up. November 09, 2012
11/2/2012 8:13:26PSAITool Projectno licenseS palsobhan.pal@gmail.comweb security testweb security testweb security test(Nov 02, 2012: Not a real application)
11/6/2012 20:19:35Application Security Awareness Top 10 E-Learning ProjectDocumentation ProjectAppSec Labs licenseErez MetulaErez@appsec-labs.comdownloaded and online viewThe Application Security E-Learning project has set itself the goal of delivering intuitive, concise and precise content in the fundamentals of application secure coding.
Main target audience: programmers who wish to learn/ review application security fundamentals.
raise programmer awareness to awareness by delivering quality content open to all They did not pick an open source license so I asked them to choose one as I cannot set up a project that has not chosen a license. They chose: GNU Lesser General Public License. They want to make sure that no-one edits their work. Anyone can use it, but no one should edit their platform. I suggested they use another license as GNU might not cover this, and I let them know that we would not be able to police their work in this way. They would have to manage/communicate their desires to the community. Project Successfully Set up. November 15, 2012
11/8/2012 19:56:20JSON SanitizerCode Library ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Mike Samuelmikesamuel@gmail.comA JAR libraryAs described at

Given JSON-like content, converts it to valid JSON.

This can be attached at either end of a data-pipeline to help satisfy Postel's principle:

be conservative in what you do, be liberal in what you accept from others
Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use.

Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML.
The project has been implemented and is usable in its current form. I expect to respond to feature requests on an interrupt basis. Over the next year, I hope to identify 2 or more co-maintainers for the project and bring them up to speed at which point the project should be self-sustaining in my absence.Mike_SamuelProject Successfully Set up. November 14, 2012
11/20/2012 13:14:54WASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC)Documentation ProjectCreative Commons Attribution License 2.5Ofer Shezafofer@shezaf.comA document in several formats including PDF and HTML versionsWAFEC provides interested parties, including users, vendors and 3rd party evaluators with a tool to define, learn about and evaluate the suitability of different WAFs for their needs.This is an established and highly used project which issues its first release in 2006. We are currently working on version 2, and still have not set a delivery date.This entry is intended to make WAFEC a joined WASC/OWASP project as discussed previously. Please do not prepend OWASP to the name. I already put it the name as to be "WASC/OWASP...." to reflect our understanding.

More information on the project can be found here:
Oshezaf(Having trouble setting up the mailing list. Have to ask IT for help. Nov 22 2012) (Project Successfully set up. November 26, 2012)
11/25/2012 23:31:01SamuraiWTFTool ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)Kevin Johnson and Justin Searlejustin.searle@owasp.orgm33asLive Linux DVD for Web Pentesting The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications. We've been a project since July 2008 and have had around 12 releases. We try to release every 3-4 months. Our current stable branch is 2.x. You can download the latest release at .meeas(Having trouble setting up the mailing list. Have to ask IT for help. I am in the process of getting a new admin password. Dec 04 2012) (Project Successfully set up. Dec 04, 2012)
11/27/2012 18:22:53DTVTool ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Prasannamuthuramalingamk@eprocorp.comweb applicationweb applicationweb application
12/1/2012 22:55:33Security Research and Development FrameworkCode Library ProjectGNU GPL v2Amr code, executable dll, pdf documentation for itThis is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.
In the last several years, the malware black market grows widely. The statistics shows that the number of new viruses increased from 300,000 viruses to millions and millions nowadays.

The complexity of malware attacks also increased from small amateur viruses to stuxnet, duqu and flame.

The malware field is searching for new technologies and researches, searching for united community can withstand against these attacks. And that’s why SRDF

The SRDF is not and will not be developed by one person or a team. It will be developed by a big community tries to share their knowledge and tools inside this Framework

SRDF still not finished … and it will not be finished as it’s a community based framework developed by the contributors. We just begin the idea.

The SRDF is divided into 2 parts: User-Mode and Kernel-Mode. And we will describe each one in the next section.

The Features:
Before talking about SRDF Design and structure, I want to give you what you will gain from SRDF and what it could add to your project.

In User-Mode part, SRDF gives you many helpful tools … and they are:

• Assembler and Disassembler
• x86 Emulator
• Debugger
• PE Analyzer
• Process Analyzer (Loaded DLLs, Memory Maps … etc)
• MD5, SSDeep and Wildlist Scanner (YARA)
• API Hooker and Process Injection
• Backend Database, XML Serializer
• And many more
In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object oriented (as much as we can) development framework with these features:

• Object-oriented and easy to use development framework
• Easy IRP dispatching mechanism
• SSDT Hooker
• Layered Devices Filtering
• TDI Firewall
• File and Registry Manager
• Kernel Mode easy to use internet sockets
• Filesystem Filter

Still the Kernel-Mode in progress and many features will be added in the near future.

Source Code:

Join Us:

Do you get benefit from this framework and you need to give something back?
Do you want to add something to your CV?
Do you want to meet smart developers and join a big community?
Do you want to learn new things?

Here is place … join the development community, meet new smart people and have fun.

To do list:
Here ... what we wish to finish in the next 12 months ... still the 6 months plan didn't finished (will be cut from the 12 months plan).

1. Antivirus:
a. XRAY Tool
b. Heuristics Analysis
c. Behavior-based Detection Tools.
d. More File Formats (PDF, apk, …)
e. OpenSBI and other Virus Classification File Formats
f. Sandboxing Mechanism.
i. Using API/ SSDT Hooking
ii. Emulation Based on Pokas Emulator.
g. Update System with Flexible Mechanism

2. Malware Analysis:
a. SSDT Hooking for (Processes, Files, Registry and Sockets System Calls)
b. API Hooking (for the same as above)
c. Improvement in Pokas Emulator, Assembler and Disassembler
d. Packet Capturing Tool and Emulated IRC and HTTP Connection (Server emulate the replies to the malware and log the data)
e. Recursive Disassembler
f. More APIs Emulation in Pokas x86 Emulator
g. Support more Instructions (All FPU instructions, All general purpose instructions and support mmx and 3dnow)
h. Support idb (IDA Pro Database) to read it and use its analysis

3. Unpackers:
I’m aiming to create a database for all static unpacking codes for the mostly common unpackers and I hope it could be updated by the community

4. Integrations:

a. Integration into IDA Pro Plugin Interface … and in (Debugger Menu)
b. OllyDbg Plugin Interface
c. Ollyscript Executer on cDebugger
d. Metasploit Integration (in Meterpreter Post Exploitation)
e. Python, Ruby, Delphi Header files and cTypes for SRDF.dll

5. Network:
a. Support NDIS, kernel sockets and more new libraries
b. Process Analyzer in Kernel-Mode
c. Packet Capturing Library
d. More Debugging and Bug fixing

6. Others:
a. We need to build website.
b. We need activities for learning.
c. We need more documentations and tutorials
d. We need more helpful tools and applications based on SRDF
The source code and the documentations is at : Successfully Set up. December 10, 2012
12/3/2012 15:23:05OWASP PressDocumentation ProjectCC-BY-SAdennis grovesdennis.groves@owasp.orgCreation of the OWASP Press publication systemThe OWASP press is a pattern for massive community collaboration on OWASP documentation projects with just-in-time publication.The project is largely a publication framework and methodology at this juncture. In the future, I should like to have all OWASP documentation projects successfully open to massive community participation, authoring and just-in-time publication. User:Dennis_GrovesProject Successfully Set up. December 10, 2012
12/11/2012 7:11:54MerlinCode Library ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)vamsivijay.hs.26@gmail.comn/an/an/a
12/12/2012 13:03:10CISO SurveyDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Tobias Gondromtobias.gondrom@owasp.orgNAThe CISO ReportCISO Survey and later the CISO Report on Application and Information Security trends.
Also providing input and data for the CISO guide.
Dec 2012: Send out Survey
Feb-15, 2013: Close Survey
Mar 2013: analyze data and write report
Apr 2013: finalize CISO report
tgondromProject Successfully Set up. December 19, 2012
12/13/2012 21:35:56Application Security Guide For CISOsDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Marco MoranaMarco.m.morana@gmail.comYes, the deliverable will be a guide on wiki as well as PDFThe purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business cases for investing in application security following with the awareness of threats targeting applications, the identification of the economical impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks, the adoption of secure software development processes and maturity models and we conclude this journey with the selection of metrics for reporting and managing application security risk. More info about this project can be found in the introductory page of the guide project initiated as unofficial project in 2011. In Q4 2012 the project has been rebooted as it was selected among the project reboot in 2012

As for 12/12/2012 the roadmap for completing this project is the following:
1) beta status, that is all chapters of the guide completed by end of Q4 2012
2) revision to include feedback from CISO's survey by the end of Q2 2013
3) final revision to reach release ready status in Q3 2013
This project is developed in parallel with the CISO 2013 survey Successfully Set up. December 19, 2012
12/14/2012 6:15:45Medical warehouseDocumentation ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Dhanashri Joshidhanashri.joshi15@gmail.comPublicity of the projectA warehouse is a commercial building for storage of goods. Warehouses are used by manufacturers, importers, exporters, wholesalers, transport businesses, customs, etc. They are usually large plain buildings in industrial areas of cities and towns and villages. They usually have loading docks to load and unload goods from trucks. Sometimes warehouses are designed for the loading and unloading of goods directly from railways, airports, or seaports.Planning
Research And Analysis
This is not a real application. December 19, 2012
12/17/2012 23:00:41O-SaftTool ProjectGPL .tgz .zipThis tool lists information about remote target's SSL certificate and tests the remote target's SSL connection according given list of ciphers and various SSL configurations.

----- Not part of the brief description, but to get the idea:
The tool currently combines the functionality of some existing tools (sslscan, ssllyze, ...). It's prepared to make more intensive tests, that's where I expect
help from the community.
* review the code (technically, note that it is a testing and not a security tool)
* add proper metric for risks rating
* add missing functionality
* encourage other admins and developers to fix their SSL issues ;-)
I'd like to omit the OWASP in the project name for following reason:
I was trying over a period of time to find a proper name for the tool. As we all know
the name should best match properly the tool's purpose and most people like sexy
Having this in mind, my first approach was: OWASP yeast - yet another ssl tool -
but I discarded it 'cause yeast may have cultural impacts and the acronym sounds a
bit negative (yet another ...).
Finally I found: O-Saft - OWASP SSL audit for testers
Auditing is what the tool does, and it will be used by pen-testers.
O-Saft is the common German term for orange juice. It has (hopefully) no cultural
impact (like yeast, or alcoholic drinks;-) and already contains OWASP.

So please omit the OWASP prefix to avoid tautology ;-)

I'm used to OWASP's project pages and will update the project template myself adding
proper informations about downloads, docs, descriptions, roadmap, etc., etc. ...
achim@owasp.orgProject Successfully Set up. December 27, 2012
12/21/2012 10:55:15demoCode Library ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)abhishek ametaabhishekameta278@gmail.coma PDF document, an executable binary, a printable worksheet, a DLL or JAR library, a packaged VM, an ISO file, etc.This description will be used to summarize your project on the OWASP Projects Portal. This description is meant to be a very quick overview (250 character limit) of your project that let's a consumer walk away with a "sense" of your project. Short concise descriptions are easily processed and skimmed by OWASP consumers and help generate genuine interest in a project. A more thorough explanation of your project can be provided in the Additional Comments field below.The purpose of the roadmap is to help others understand what your vision for the project is and where the project is going. It gives the community a chance to understand the context and the goal of the project. Additionally, if a project becomes inactive or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership. Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Therefore, the GPC encourages projects to take the project roadmap seriously. Some details that leaders may consider placing in the roadmap include envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc.
1/3/2013 13:27:04CrowdtestingTool ProjectGNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces)Thomas Kalamaristomkalam@gmail.comA list of participants for project allocationThe project will try to promote the idea of crowd-testing combined with crowd-sourcing capabilities. We suggest the creation of a dynamic team of security testers specialized in application security testing that can test online web applications upon request. The web applications will be defined as projects and the team of testers will start the security testing. The team will use the tools that have been developed by the OWASP community but using custom-made tools is highly encouraged. As a result the consumer will have either a proof of concept that his application complies with the OWASP principles of secure coding or a list of potential threats due to discovered security flaws. Currently the application owners have access to this kind of security services via companies like Passbrains, utest etc.The milestones of the project could be as follows:
1. Deliverable definition by the end of February
2. First deliverable for test by the end of June
3. Project demonstration by the end of September 2013
4. Project end at the end of 2013.
Project Successfully Set up. January 11, 2013
1/9/2013 13:17:35OWASP Security ToolsCode Library ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Aleksaleks.a.kozlov@gmail.comOWASP Security ToolsOWASP Security ToolsOWASP Security Tools
1/9/2013 19:51:54focusCode Library ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)Jimjmccallson@gmail.com4066990jarCreate a new intermediate language based off of Swing and .NET but written in javascript utilizing DOM and json. Allowing JAVA and .NET programmers to use their current programming methodologies via javascript .js files.This language will not use traditional methods of web base UI programming but will be utilizing languages and notations like javascript, DOM and json. This language will avoiding such things like using html pages, forms, hidden form fields and other known methods of hacking. Each page within the web application will be built on the fly utilizing calls made within sudo class and methods within this new language.focus (future of computer user systems)12380Project Successfully Set up. January 11, 2013
1/15/2013 20:34:09Embedded Application SecurityDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Aaron Weaveraaron.weaver2@gmail.comTop 10 List of Embedded RisksEach year more consumer devices are wifi capable with many devices containing an embedded web server. The Internet of "Things" will push the number of internet capable devices into the billions. Research has shown most devices have little to none in the way of secure programming.
There are many challenges in the embedded field including limited memory, a small stack and the challenge of pushing firmware updates.
The goal of this project is to identify the risks in embedded hardware applications, create a list of best practices and draw on the resources OWASP already has and bring that to the embedded world.
1. Reach out to embedded developers and build a community to start talking about security challenges in embedded development.
2. Create a list of the top risks in embedded hardware. (Similar to the mobile risks lists.)
3. Create cheat sheets or best practice guides.
4. Guide for testing embedded applications.
aaron.weaver2Project Successfully Set up. January 26, 2013
1/17/2013 16:22:37OpenStack Security ProjectTool ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Matt Tesauromatt.tesauro@owasp.orgmtesauroTesting methods and tools for assessing OpenStack source and installationsThe OWASP OpenStack Security Project is an effort to provide security testing techniques and tools to assess the security of the OpenStack code base. Generally speaking, the OpenStack community is primarily developers of OpenStack and companies which are implementing all or parts of OpenStack. This project provides a bridge between the OpenStack community and the OWASP community of security professionals. The project leader is also a member of OpenStack and is a member of the OpenStack Security Group. OpenStack has the desire to be the Linux of Cloud infrastructure and OWASP can be the community that ensures the security of that Cloud* Gather interested community members
* Determine best approach to testing OpenStack
* Determine best environment to test OpenStack
* Develop tools/techniques to test OpenStack and document them
* Start testing and reporting any issues to OpenStack

This is a multifaceted project - I expect it's a combination of documentation, tools, possibly security libraries for OpenStack testing as it's a completely green field. There's very little or no community members in OpenStack that have a security background and it occurs to me that joining OWASP & OpenStack is a no brainer.

Feel free to ping me if you have questions.
mtesauroProject Successfully Set up. January 24, 2013
1/23/2013 6:48:29Leave ManagerTool ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) applicationThis application helps employees of an organisation to apply for future leaves.
Admin can add or delete accounts using the application.
super User can allow or disallow requested leaves.
milestones: developing demo UI layout , developing database schema, implementing project,testing

duration : 6 months
Project Successfully Set up. February 05, 2013
1/24/2013 19:11:41Desktop Goat and OWASP Top 5Tool ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)DigitalBodyGuardgregory.disney@owasp.orgMantra OSOWASP Top 5 Desktop and Desktop GoatOWASP Top 5: Desktop Vulnerabilities; a list of the top 5 vulnerabilities that are faced by desktop applications.
Desktop Goat; a vulnerable desktop application to demonstrate vulnerabilities for a learning environment.
1. A synchornist development of OWASP Top 5 list and Desktop Goat.
2. Create a bi-annual life cycle of version control.
3. Use OWASP leaders and OWASP community to perpetuate goals.
4. Used both for education and training to further propagate OWASP and OWASP projects. Develop training materials to associate the OWASP Top 5 with Desktop Goat.
5. Create a product that is marketable to enterprise security and security enthusiasts.
6. Presenting at conferences and release to the community.
The SourceForge ID is just for filing, there will be different ones for the project.
This will have a heavy focus towards .NET, but will not be limited to .NET.
Mantra OSProject Successfully Set up. February 05, 2013
1/27/2013 16:38:46BricksTool ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Abhi M Balakrishnanabhi.balakrishnan@owasp.orgabhi1299PHP webpagesBricks, a deliberately vulnerable web application built on PHP & MySQL focuses on variations of commonly seen application security vulnerabilities & exploits, which can be exploited using tools (Mantra & ZAP). The mission is to 'break the bricks'.1. Demonstrate maximum variations of most common vulnerabilities
2. Help people to learn the need of secure coding practices and SSDLC
3. Attract people to design more bricks
4. Become a test bed for analyzing the performance of web application security scanners.
5. Help people learn the manual method of testing the applications
6. Demonstrate the possibilities of various security tools and techniques
7. Become a platform to teach web application security in a class room/lab environment.
Bricks will have CTF-like levels (but not enforced) and each level adds complexity by applying new filter mechanisms. The mission is to break each brick.Abhi_M_BalakrishnanProject Successfully Set up. February 05, 2013
2/7/2013 5:23:09MyTestCode Library ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Danishmirza.danish.baig@hotmail.comDLLThis is my first test owasp project.This is my first test owasp project.
2/12/2013 21:14:53DependencyCheckTool ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)Jeremy Longjeremy.long@owasp.orgJAR file, Maven Plugin, etc.DependencyCheck is a utility that attempts to detect publicly disclosed vulnerabilities contained within a Java project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
Improve identification of Common Platform Enumeration (CPE) entries to JAR files. The creation of additional Analyzers to scan .NET DLLs and possibly Ruby gemspec files.

Create a Maven 3 reporting plugin and a Jenkins CI plugin.
The application is currently out on Github:

I'd like to move this to an OWASP project to 1) increase awareness of the tool and 2) hopefully find others to contribute new analyzers to the project.
jeremy.longProject Successfully Set up. February 27, 2013
2/21/2013 15:35:58SCADA Security ProjectDocumentation ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Andrey Komarovkomarov@group-ib.comPDF, tar.gz, rarThe primary aim of OWASP SCADA Security project is to gather information about different ICS/SCADA security threats related to WEB-applications and its environments, starting from the reconnaissance (“footprinting”) stage to vulnerability exploitation.

Primary goals:

- to make ICS/SCADA developers aware of security vulnerabilities by providing information about found WEB-application vulnerabilities in software and firmware of famous vendors;
- to create and publish freeware and open-source tools for ICS/SCADA security assessment written in scripting languages.

03.2013 – to create a “SCADA footprinting” cheat sheet;
05.2013 – to create a “RTU & ICS telemetry devices footprinting” cheat sheet;
07.2013 – to create open-source footprinting library or tool;
09.2013 – to create a prototype of IDS/IPS system on WEB-application threats related to ICS/SCADA, to formalize attack patterns;
10.2013 – to create a library of IDS/IPS or honeypot system for WEB-environments acting as honeypot on standard WEB-servers for malicious activities detection and prevention.
12.2013 – to create Hardening Guide for the most popular WEB-applications front-ends and server-side applications written in scripting languages used in ICS/SCADA of famous technological vendors.
01.2014 – to create cyber intelligence module for ICS/SCADA/RTUs WEB-applications detection, to improve “SCADA footprinting” and “RTU & ICS telemetry devices footprinting” cheat sheets.
12837Project Successfully Set up. March 01, 2013
2/23/2013 17:51:08PHPRBACCode Library ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Abbas Naderiabbas.naderi@owasp.orgabiusxA PHP library check phprbac.netcheck phprbac.netAbbas NaderiNot a complete application. (March 01, 2013), Abbas has given me the information I need to proceed with his application. Project Successfully Set up. March 06, 2013.
2/25/2013 11:36:28CornucopiaDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Colin Watsoncolin.watson@owasp.orgTomorrowCornucopia is a card game used to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories. An edition for ecommerce websites exists and alternative versions are planned.1. Issue v1.0 (ASAP because the document is referenced by the PCI SSC)
2. Create a document with numbering for SCP
3. Create framework-specific card deck guidance
4. Apply for design/printing support
5. Create non e-commerce versions (e.g. mobile, SCADA)
The current version of the ecommerce website edition is a file here:

This is just one flavour of Cornucopia - there will be others.
clerkendwellerProject Successfully Set up. March 05, 2013
2/26/2013 14:37:48Development of security framework based on Owasp Esapi for JSF2.0Code Library ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) fileModern web application frameworks have made it easy to develop high quality web applications, but developing a secure application still requires programmers to possess a deep understanding of security vulnerabilities and attacks. Sometimes it is difficult for an experienced developer to find and eliminate all the vulnerabilities. This demo represents the JSF-ESAPI framework based on JSF2.0 and OWASP ESAPI. It helps developers write a secure and lower-risk JSF based on a web application with minimal configuration and without extensive prior knowledge of the web security. The figure below shows a complete integration of the JSF-ESAPI framework with JSF2.0 and ESAPI. It works as a middleware and consists of four important modules. ESAPI Validation is the first module which verifies the user input as given in the XSS prevention cheat sheet provided by OWASP. It consists of many user-defined validator tags and generates appropriate error messages if the user input is not valid. In this way it performs a strong validation.
There are also some tags available in the correspondence validators in ESAPI, and they also filter the XSS relevant code from the input. The file-based authorization module simplifies the user’s role, such as admin, user, etc. and gives the permission to visualize certain components at the presentation layer based on assigned roles. ESAPI Filtering layer compares the valid form token with tokens stored in the session for that user. If the token is mitigated or changed by man in the middle during the process of a request-response exchange, it will give the appropriate exception.
The last module is a render module, which renders the output after filtering the XSS content and encodes the vulnerable characters such as <,>,”,’ etc. as given in the XSS prevention cheat sheet provided by OWASP.
[JSF-ESAPI Complete Architecture]
This framework will help developers to prevent a myriad of security problems including cross-site scripting, cross-site request forgery, automatic input validation, and automatic output validation with escaped “true” or without this parameter, authorization. All the features are included in one framework.
(1) It requires minimal configuration to use the framework.
(2) It ensures retrofit security in the existing application.
(3) It provides the same performance as JSF framework.
(4) Automatic filtering of the XSS vulnerable code from output takes place when escape equals “true” or “false”.
(5) The input validation is easy and no additional coding is required.
(6) It has a layered architecture. It uses what you need and leaves what you don’t need at the moment.
(7) One framework includes the most secure features.

I have already presented this work at OWASP AppSec 2012 in Athens, Greece. I would like to continue work in this area. Actually, this topic has really inspired many security experts.

Thank you so much and looking forward to getting a response.
rakeshh1b@gmail.comNeed more information. Waiting on Rakesh to reply (March 7, 2013), Successfully set up (March 11, 2013)
2/28/2013 17:53:51Secure Application DesignDocumentation ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Ashish Raorao.ashish20@gmail.comPresentations, Videos, Checklist and Insecure Demo ApplicationDesign level flaws are lesser known concepts but their presence is a very big risk to the applications. Such flaws are hard to find in static or dynamic application scans and instead require deep understanding of application architecture and layout to uncover them manually.

Design level security is crucial and must be adopted at an early stage of application development to build a robust system. Thus the aim of this project is to impart secure design guidelines to application developers. The project will highlight vulnerable areas in application designs through real world examples and scenarios and touch upon different aspects of design level security. The focus will also be to explain measures to be taken to prevent such flaws while designing applications.

The guidelines will cover core design concepts which can be applicable to any application independent of the platform.

Most of the design flaws will be discussed using sample code incorporated in an insecure design application. The project will also focus on releasing a secure design checklist for reviewing application designs or threat modelling them.
1. To discuss and uncover different aspects of design level security and release a comprehensive guide on secure design (independent of the platform)
2. Incorporate all the flaws in the existing insecure design application
3. Gradually discover and build secure design guidelines for different known design frameworks like Spring etc.
4. Build a secure design guideline for different types of applications like thick clients, mobile applications.
This project will release a sample web application code along with the documents. So it is a mix of documentation and code library project.

We can also look at releasing the Insecure design application as a model to learn secure design concepts.
Project Successfully Set up. March 07, 2013
3/1/2013 17:24:13Owasp HiveTool ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Jason Johnsonjason.johnson@p7n.netcptplastic2mo OWASP HIVE
We have a hive network that hosts a dashboard with the attitude of the hive and the Internet by using data mined from Twitter and others. Maybe we can incorporate tools like ZAP or any of the others into this. The thing is we sell this not to make money but to establish a statistics and data rich network. The fact that it cost 35$ with a case that has a WASP on it maybe a bit more. With the push of global security of our assets there is not a better time. I would not ask any other group but OWASP; this foundation is the smarts of the net. We can make something that is both supportive of our cause and a huge data rich Internet HIVE that if it's kicked we know why.
Test PI with different config (auto)
Test Twitter API
Test other applications
Jason JohnsonProject Successfully Set up. March 07, 2013
3/2/2013 11:02:42BarbarusCode Library ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)Nebrass Lamouchilnibrass@gmail.comAn Enterprise Java Application (EAR)My project offers a new mechanism of authentication in web applications. This mechanism will be very easy and comfortable to use for the application's users and it will be very easy to integrate for the application developers.Phase 1: Modelling and specification - 2 Weeks
Phase 2: Java Implementation : JPA/EJB/REST/JSF - 1 Month
Phase 3: RealWorld Test - 1 Week
Phase 4: Validation - 1 Week
Project Successfully Set up. March 12, 2013
3/5/2013 16:23:59Droid fusionTool ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Nikhalesh singh bhadorianikhaleshsingh@gmail.comnikhaleshsinghISO droidfusion is a platform for Android mobile or any other mobile for doing malware analysis, development, application pentesting and forensics; you can use it in any mobile security research. If you have droidfusion you don't need to worry about finding tools; there are more than 60 tools and scripts and it's free. My plan for this project is to increase it, make a forum to support and help users, and also provide documents and screencast videos so they learn more and more; even a noob can do mobile security research. Many more plans will be enhanced in it.Project Successfully Set up. March 19, 2013
3/8/2013 21:46:11iSABEL Proxy ServerTool ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Eurojee Jarinab00033264@student.itb.ieexecutable JAR fileRecent research taken from leading network security solution providers shows that traditional firewalls focus their security mainly around the ports and protocols which is the packet headers and not the actual data content known as the packet payload. Packet headers only contain basic information like source and destination address which is very unreliable when it comes to identifying potential threats, attack, and malicious.

The idea of the project is to gain a deeper knowledge about securing web applications from different threats and attacks coming from external sources; this can be achieved by developing intermediary software that runs between the client and the server. This intermediary software will be based on a proxy server that will be implemented on layer 7 (Application) of the OSI model (Open Systems Interconnection), and its function is to accept network traffic from different clients trying to access resources from the web server. Once the client has successfully established a connection, the proxy will inspect all incoming network packets coming from the clients for malicious parameters and files such as viruses, worms, trojans.

> The proposed project should be able to work under the Seventh layer of the OSI model (Open System Interconnection).
> The proposed project should be able to function with the application protocol such as HTTP, SMTP and SOCKS.
> The proposed project should be able to establish secure connection between the client and the server.
> The proposed project should be able to analyse inbound and outbound traffic once successfully connected.
> The proposed project should be able to allow and block request sent to the web application which involves thorough HTTP requests inspection.
> The proposed project should be able to filter URL such as the parameters, detecting any malicious parameters that a user entered; for instance, a cross-site scripting (XSS) attack is implemented by changing parameters in the URL.
> The proposed project should have the ability to log, monitor, report suspicious and malicious requests.
> The proposed project should be able to integrate Deep Packet Inspection (DPI) for a deeper inspection of the packets payload.
> The proposed project should be easy to use and user friendly in which it will include a robust and stable on-box visualization.
Eurojee JarinaProject Successfully Set up. March 19, 2013
3/15/2013 16:57:19Top 10 fuer EntwicklerDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Torsten Giglertorsten.gigler@owasp.orgWiki ==Top 10 fuer Entwickler (Top 10 Developer Edition in German)==
The objective of the '''project''' is to add ''' ''Good Practices'' (like the Cheat Sheets)''' to the '''OWASP Top 10'''. Its aim is to bridge the gap between awareness, theoretical knowledge to effective know-how to build good programs. It is written in German to make it easier for German developers to use it. We will take care to make a migration to other languages easy.
In process: Start with the wiki on base of OWASP Top 10 - 2010 and existing Cheat Sheets.
2013-Aug-20: To have at least a beta version ready.
When there will be a German translation of the OWASP Top 10 - 2013, it will be integrated.

We already started the Wiki.
- You find the Project Details here (most of it in German language):
- The Wiki starts here:
T.GiglerProject Successfully Set up. March 25, 2013
3/26/2013 12:12:58RailsGoatTool ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Ken Johnsonken.johnson@nvisiumsecurity.comDon't use SourceForge. GitHub is: cktrickyGitHub Repo - Master BranchThis is a Rails application which is vulnerable to the OWASP Top 10. It is intended to show how each of these categories of vulnerabilities can manifest themselves in a Rails-specific way as well as provide the subsequent mitigations for each.Initial Release - April 8th
Documentation - April 8th
Call for review - April 9th
Open to improvements from that point forward
NoneProject Successfully Set up. April 01, 2013
4/3/2013 0:55:32Projeto EmersonCode Library ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Emerson Shigueo Sugimotoripador0@hotmail.comsurfxsurfxsurfx surfx surfx surfx surfx surfx surfx surfx surfx surfx surfx(April 05, 2012: Not a real application)
4/4/2013 22:23:31Good Component PracticesDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Mark Miller, @euspmark.miller@endusersharepoint.comDocumentation for a series of best practices when creating and using open source componentsGood Component Practice is one of the most overlooked silver bullets in the Open Source arsenal. Because of business pressure, we have found that companies are willing to risk using unverified open source components, trading off security for enhanced speed in development.

This project will use community input to document an industry acceptable process for the creation, maintenance and use of open source components.
I am still working on the roadmap, but will include it as part of the documentation.Project Successfully Set up. April 17, 2013
4/10/2013 17:26:41BywafTool ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)Rafael Gil Lariosrafael.gillarios@owasp.org binaryDevelop an application that speeds up an auditor's work when performing a pentest; its main function is to "detect, evade and give a result (vulnerability)" using known code-injection methods and others developed by the team members over the course of their professional careers.Beta version October 2013Project Successfully Set up. April 17, 2013
4/11/2013 13:42:29 =S.T.I.N.G= ProjectTool ProjectMIT LicenseLutz Wischmannlutz.wischmann@software-architects.delwischmannWAR (Web Application Archive)The OWASP =S.T.I.N.G= is a tool used for creating project specific security/privacy requirement catalogues by selecting from a huge set of potential requirements, policies or best practices. It acts as a kind of questionnaire and will generate a list of requirements and/or policies which are relevant for the project's context.

Security Requirements Management Questionnaire Repository
Filter Set & Rules for Policies, Standards, Guidelines, Procedures
Context : Tool within an Information Security Policy Framework

M1 : Light-weight web application for creation, managing and filtering within a security requirement database. Includes Questionnaire and Rule-Engine.

M2 : Import/Export modules for standard or commonly used security requirement catalogues as PCI/DSS, NIST, BSI Grundschutz, BDSG etc.


V1 : Central repository of security requirements managed by an open source community.
Each (web-)application operates within its specific security context. Normally, there are dozens or hundreds of potential requirements, policies, guidelines or best practices available - e.g. classified within a policy framework. As the number of potential requirements grows, it will be a complex task for a specific project to identify only the relevant requirements.

=S.T.I.N.G.= acts upon a configurable policy and requirement database of all potential requirements. It allows the configuration of questionnaires or templates and uses a rule engine to identify only the relevant requirements to generate a project specific checklist.
Lutz WischmannProject Successfully Set up. April 17, 2013
4/15/2013 20:15:51Web Application Security Quick Reference GuideDocumentation ProjectGNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces)Marek Zmysłowskimarek.zmyslowski@owasp.orgpdfThis will be a simple checklist for web applications. The unique feature of this project is that all checks will be simple and can be checked by a particular test case. It is simple but from my experience can be very informative and useful for testers and coders
Provide ASAP first version of the checklist. I already have a draft version. Then it will be modified by users (I hope)Project Successfully Set up. April 22, 2013
4/15/2013 20:35:40Application Fuzzing FrameworkTool ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)Marek Zmysłowskimarek.zmyslowski@owasp.orgPython ScriptsThe framework will be used to fuzz applications in the Windows environment. It will have a couple of modules. Two main modules will be for file fuzzing and DLL fuzzing. Very wide configuration to allow lots of fuzzing possibilities.First release will be DLL fuzzing module.
Another module will be file module that will run simple test
Another release will be with more advanced file module.
There is no good, free fuzzing framework for DLL files.
The fuzzing framework for files doesn't have appropriate options to suit all needs.
Project Successfully Set up. April 22, 2013
4/16/2013 16:10:36Security JDIsDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)Edwin Aldridgeedwin.aldridge@googlemail.comWorksheetsA project to build a library of concise, actionable, technology specific instructions detailing good practice on avoiding or closing specific vulnerabilities.

Security HOWTOs for people who may not have time to study a problem in depth but need to secure their application.
Setup (April 2013)
Establish a wiki (April 2013)
Define a format for JDIs
Define editorial and review process
Start a technology and vulnerability tags list
Draft JDIs in three or more fields and solicit review
Feedback pages for requests, comments

OWASP engagement (May 2013 onwards)
Outreach to other OWASP projects, especially AntiSamy, ESAPI, CSRFGuard, HOWTOs
solicit collaboration: contributions and review

External engagement (May 2013 onwards)
Outreach to industry contacts for requests and feedback
solicit requests and collaboration/feedback in testing

Stock Take Review (August 2013)
Assess take up - way forwards

Experience shows that, although there is much, high quality advice available on the subject of secure development, development teams often need much more specific help, partly because of time and resource pressure, and partly because security is an area characterised by pitfalls for the unwary where hasty fixes can be ill advised.

Producing standardised, actionable and testable documentation would provide 'customer focus' for Defender projects and help their promulgation.
Edwin AldridgeProject Successfully Set up. April 22, 2013
4/16/2013 16:40:34ScytaleTool ProjectModified BSD, 3-clause License (we recommend you consider Apache 2.0 instead of this license. It is more up-to-date and provides a little more protection from software patent lawsuits)Maxime Labellemaxime_labelle@hotmail.comit is already releasedNoSQL crypto proxy for modern DBMS and web applications.
Supports multi-recipient and group encryption. Loaded
with a strong RSA/AES cryptosystem.

Scytale sits between your web application and your
favorite DBMS and performs encryption and decryption
of your web application data. Scytale stores the
encrypted data inside your preferred DBMS for storage.

Its design is secure, well planned and made to provide
developers with a solid method for integrating strong
cryptography inside web applications using NoSQL-like
Roadmap includes: new DBMS support, performance, fine tuning
It tackles real-world encryption and web application
security problems such as :

1) Admin accounts that need to have access to another
encrypted user's data without both users knowing
each other's passwords (multi-recipient encryption)

2) Changing a user's password without having to
re-encrypt all the data.

3) Not using a global key that could be compromised

4) No need to store any passwords or any encryption
key that could compromise the encrypted data in
plain-text inside the web application's code or
anywhere in the database, not even hashes.

5) Provide a method to reset a user's private
key password without having to re-encrypt or lose
the data, in case of a lost password, and without
keeping any copy of that user's password anywhere inside
the database.

6) Provide a secure database even if the DBMS login
is compromised (i.e., PHP script client password). If
the database connection password, which is in the web
application source code, is compromised, it does not
compromise the encrypted data because that password
is not used for data encryption.

7) Provide a method to safely authenticate web
application users without having to store the
user password or password hash in a cookie and
still be able to maintain an authenticated session.

8) Provide built-in easy PKI management for your
web application.
Project Successfully Set up. April 30, 2013
4/19/2013 15:43:15iMAS - iOS Mobile Application SecurityCode Library ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Gregg Ganleygganley@mitre.orgdownloadable security controls from GithubiMAS – iOS secure application framework to reduce iOS application vulnerabilities and information loss

iMAS and its first open source static security controls for download and use in iOS applications. Visit and browse our project to find out more; download and give it a try. Once you do, tell us what you think or better yet, get involved and participate!

iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the System Passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques.
We plan to continue researching iOS application level security controls until a considerable amount of the OWASP mobile top 10, OWASP top 10 criteria/risks along with other known iOS application vulnerabilities are mitigated.Project Successfully Set up. April 30, 2013
4/25/2013 10:23:10TestdemoTool ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) a web site that I am testing for my learninglearningNeha Gupta(April 30, 2012: Not a real application)
4/30/2013 20:24:02WS-Amplification DoSTool ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)Thomas Vissersthomasvissers@gmail.comthomfishExecutable binary; PDF documentThe project aims to explore the threat of an Amplification DoS attack that utilises webservices.
Currently, DNS servers are widely misused to amplify DoS traffic. This is called a DNS Amplification or Reflective attack. Read more about it in this article:
It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse. (
The aim of the project is to develop tools to test this vulnerability and determine the threat magnitude on a global scale.
If necessary, a publication involving awareness and countermeasures will follow.
A - Setting up a tool that can detect this vulnerability
- Finding a way to crawl the net looking for open webservices and test them with the above tool

B - Looking into the different WS implementations and finding out their default WS-Addressing behaviour
* .NET, Axis, Axis2, CXF,...

A - Analyse the results and determine the global threat magnitude
* Average amplification factor, number of vulnerable open webservices,...

B - Determine what adjustments and countermeasures must be taken in order to mitigate the threat
* In the frameworks, external tool?,...

- Bundle all the results and possible countermeasures into a document/article to create awareness
Thomas VissersProject Successfully Set up. May 21, 2013
5/1/2013 18:01:36Mutillidae 2 (Codename: NOWASP)Tool ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)Jeremy Druinjdruin@gmail.comjdruinPHP web applicationNOWASP (Mutillidae) is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts. NOWASP (Mutillidae) can be installed on Linux and Windows using LAMP, WAMP, and XAMPP for users who do not want to administrate a webserver. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on pre-installed platforms. With dozens of vulns and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.Mutillidae 2 is currently having enhanced, dynamic user hint systems installed and upgraded. The vision for the hint system is to automatically provide hints on each page based on the vulnerabilities in the page. As browser support for HTML 5 and other features increases, new vulnerabilities will be added.The current version of Mutillidae, code named "NOWASP Mutillidae 2.x", was developed by Jeremy Druin aka webpwnized. Mutillidae 2.x is based on Adrian "Irongeek" Crenshaw's Mutillidae project which is now referred to as Mutillidae 1.x or Mutillidae classic. Mutillidae 1.x is still available on Sourceforge alongside the current project. Thanks to Adrian for introducing the original Mutillidae.Project Successfully Set up. May 21, 2013