OWASP Project Inventory: 2014
Builder, Breaker, Defender | OWASP SAMM | Proposed Project Status | Project Name | Project Type | Project License | OWASP Mailman Mailing List | Project Wiki Page | Project Leader(s) (if exists) | Project Leader Email(s) (if exists) | Project Description (if available) | Contains Quotes | Notes | Project Short Name | Project Short Name Length | Summary
1 | D | OWASP Excess XSS Project | Tool | Creative Commons Attribution ShareAlike 3.0 License | None Created | Jakob Kallin | jakobkallin@gmail.com | A comprehensive tutorial on cross-site scripting. Propagating practices in XSS prevention that OWASP wants to promote, such as terminology, libraries, and best practices. Its goal is to serve as a comprehensive introduction for developers unfamiliar with XSS, rather than as reference material like the current cheat sheets. | Project Donation: Endowments
2 | Builder | Construction | F | OWASP AntiSamy Project | Code | BSD License | owasp-antisamy | Dabirsiaghi | arshan.dabirsiaghi@aspectsecurity.com | This is an API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks | antisamy | 8 | An API for validating rich HTML/CSS to prevent XSS/phishing attacks
3 | Breaker | Verification | F | OWASP Application Security Verification Standard Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-application-security-verification-standard | Kazerooni, Daniel, | daniel.cuthbert@owasp.org | The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigour available in the market when it comes to performing Web application security verification using a commercially-workable open standard. | asvs | 4 | A standard for conducting application security assessments
4 | Breaker | Verification | F | OWASP Code Review Guide Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-codereview | Keary | eoin.keary@owasp.org | The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. | codereview | 10 | A project to capture best practices for reviewing code
5 | Other | Governance | F | OWASP Codes of Conduct | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-codes-of-conduct | Watson | colin.watson@owasp.org | This project envisages to create and maintain OWASP Codes of Conduct. In order to achieve our mission, OWASP needs to take advantage of every opportunity to affect software development everywhere. At the OWASP Summit 2011 in Portugal, the idea was created to try to influence educational institutions, government bodies, standards groups, and trade organizations. We set out to define a set of minimal requirements for these organizations specifying what we believe to be the most effective ways to support our mission. We call these requirements a "code of conduct" to imply that these are normative standards, they represent a minimum baseline, and that they are not difficult to achieve | codesofconduct | 14 | A set of guidelines for organizations to support the OWASP mission.
6 | Builder | Construction | F | OWASP CSRFGuard Project | Code | BSD License | owasp-csrfguard | Sheridan | eric.sheridan@owasp.org | Cross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFGuard Project attempts to address this issue through the use of unique request tokens. | csrfguard | 9 | A Java filter to add unique request tokens to mitigate CSRF attacks
7 | Builder | Construction | F | OWASP Development Guide Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-guide | Garg | vishalgrg@gmail.com | The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy developer's guide covering web application and web service security
8 | Builder | Construction | F | OWASP Enterprise Security API | Code | BSD License | esapi-users | Williams | jeff.williams@owasp.org | ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. | esapi | 5 | A collection of security methods needed to build secure applications.
9 | Builder | Construction | F | OWASP ModSecurity Core Rule Set Project | Code | Apache License V2.0 | owasp-modsecurity-core-rule-set | Barnett | Ryan.Barnett@owasp.org | ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extremely flexible and robust and has been referred to as the "Swiss Army Knife of web application firewalls." While this is certainly true, it doesn't do much implicitly on its own and requires rules to tell it what to do. In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS) which provides critical protections against attacks across most every web architecture. | modsec-crs | 10 | A project to document and develop the ModSecurity Core Rule Set
10 | Builder | Construction | F | OWASP Secure Coding Practices - Quick Reference Guide | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-secure-coding-practices | Turpin | keith.turpin@owasp.org | The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 17 pages long, it is easy to read and digest. | secure-coding | 13 | High level, technology agnostic reference for secure coding practices
11 | Other | Governance | F | OWASP Software Assurance Maturity Model (SAMM) | Documentation | Creative Commons Attribution ShareAlike License V3.0 | samm, Kuai; | kuai.hinojosa@owasp.org | This project is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. | opensamm | 8 | An open framework to help create a strategy for software security
12 | Breaker | Verification | F | OWASP Testing Guide Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-testing | Meucci | matteo.meucci@owasp.org | The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. | testing-guide | 13 | A collection of application security testing procedures and checklists
13 | Breaker | Verification | F | OWASP Top Ten Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-topten | Wichers | dave.wichers@owasp.org | The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. | top10 | 5 | Explanation of the top ten web application security vulnerabilities
14 | Breaker | Verification | F | OWASP Web Testing Environment Project | Tool | GNU General Public License version 3.0 (GPLv3) | web-testing-environment | Tesauro | matt.tesauro@owasp.org | This CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite | Verify wiki page forwards correctly | wte | 3 | A collection of open source security projects in one environment
15 | Breaker | Verification | F | OWASP WebGoat Project | Tool | GNU General Public License version 2.0 (GPLv2) | owasp-webgoat | Mayhew | webgoat@owasp.org | The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot. | webgoat | 7 | A Java training environment for learning about application security
16 | Breaker | Verification | F | OWASP Zed Attack Proxy | Tool | Apache License V2.0 | NONE | project provides an easy to use integrated penetration testing tool for testing web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. | zap | 3 | An easy to use integrated proxy tool for testing web applications
17 | Builder | Construction | I | OWASP Application Security Requirements Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-appsec-requirements | Martinez Bacha | luismartinezbacha@owasp.org | The intent of this project is to assemble a useful base of generic/common web application security requirements that could be used in most projects. | appsec-reqs | 11 | A set of generic web application security requirements
18 | Other | I | OWASP Common Numbering Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-common-numbering | Wichers | dave.wichers@owasp.org | An exciting development, a new numbering scheme that will be common across OWASP Guides and References is being developed. The numbering is loosely based on the OWASP ASVS section and detailed requirement numbering. OWASP ASVS, Guide, and Reference project leads and contributors as well as the OWASP leadership plan to work together to develop numbering that would allow for easy mapping between OWASP Guides and References, and that would allow for a period of transition as Guides and References are updated to reflect the new numbering. This project will provide a centralized clearinghouse for mapping information. | commonnumbering | 15 | A common number scheme to refer to application security topics
19 | Builder | Construction | I | OPA | Code | Affero GNU Public License | owasp-opa-project | Binsztok, Adam Koprowski, | Adam.Koprowski@mlstate.com | Usher in a new generation of web development tools and methodologies. | opa | 3 | A language for writing distributed web applications
20 | Breaker | Verification | I | OWASP Academy Portal Project | Tool | Unknown | NONE | Harris, Filipe Lacerda | - Danny ( - Felipe ( | Creation of a Portal to offer academic material in usable blocks, labs, videos and forum. | academy-portal | 14 | A portal to offer academic material in usable blocks
21 | Other | Governance | I | OWASP Application Security Assessment Standards Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-appsec-standards | Michelini | matteo.michelini@owasp.org | The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. | appsec-stds | 11 | A process for consistent methods for application security assessments
22 | Builder | I | OWASP Application Security Skills Assessment | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-assa | Smithline | Neil.Smithline@owasp.org | The OWASP Application Security Skills Assessment (OWASP ASSA) is an online multiple-choice quiz built to help individuals understand their strengths and weaknesses in specific application security skills with the aim of enabling them to focus their training in the most efficient and appropriate manner. | assa | 4 | A quiz to help develop application security skills
23 | Breaker | Verification | I | OWASP ASIDE Project | Tool | Unknown | owasp-aside-project | Xie, Bill Chu, John,, | john.melton@owasp.org | Assured Software Integrated Development Environment (ASIDE) is an Eclipse Plugin which is a software tool primarily designed to help students write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs. ASIDE may be useful to professional developers as well. | aside | 5 | An Eclipse plugin designed to help students write more secure code
24 | Other | I | OWASP Computer Based Training Project (OWASP CBT Project) | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-cbt | Kumar | Nishi.Kumar@owasp.org | The goal of this project is to provide computer based training on OWASP security related initiatives. This project is intended to provide increased access of security training material, convenience and flexibility to learners. It will be self-paced and the learning sessions will be available 24x7. Learners will not be bound to a specific day/time to physically attend classes. They can also pause learning sessions at their convenience. | cbt | 3 | Computer-based training modules about OWASP and application security
25 | Builder | Construction | I | OWASP Enterprise Application Security Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-eas | Polyakov | a.polyakov@dsec.ru | Enterprise application security is one of the major topics in the overall security area because those applications control money and resources, and every security violation can result in a significant monetary loss. The purpose of this project is to make people aware of enterprise application security problems and to create a guideline for EA security assessment. | eas | 3 | Guidance about procurement and design of enterprise applications
26 | Other | I | OWASP Exams Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-exams | Taylor | jason.taylor@owasp.org | The OWASP Exams project will establish the model by which the OWASP community can create and distribute CC-licensed exams for use by educators. The purpose of the exams is to improve the effectiveness of OWASP training through the use of exams as a means of measurement and student progress tracking. The project will include creation of a set of CC-licensed exams, a model for exam usage, and a roadmap for future exam creation | exams | 5 | A set of exams and study aids about application security
27 | Breaker | Verification | I | OWASP GoatDroid Project | Documentation | owasp-mobile-security-project | Mannino | Jack@nvisiumsecurity.com | The OWASP GoatDroid Project is the Android equivalent to the iGoat Project. Inspired by WebGoat, this project will help educate Android developers on security issues they’ll encounter when writing applications. | goat-droid | 10 | An Android security training environment for developer education
28 | Breaker | Verification | I | OWASP iGoat Project | Tool | GNU General Public License version 3.0 (GPLv3) | owasp-igoat-project | R. van Wyk | ken@krvw.com | iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson. | igoat-project | 13 | An iOS security training environment for developer education
29 | Builder | Construction | I | OWASP Java Encoder Project | Code | BSD License | owasp-java-encoder-project | Ichnowski | jeff.ichnowski@gmail.com | This project is a simple-to-use drop-in encoder class with little baggage. | java-encoder | 12 | A drop-in high performance encoding library for Java
30 | Breaker | Verification | I | OWASP Proxy Project | Tool | Creative Commons Attribution ShareAlike License V3.0 | owasp-proxy-project | OWASP Proxy aims to provide a high quality intercepting proxy library which can be used by developers who require this functionality in their own programs, rather than having to develop it all from scratch. | proxy | 5 | A library providing intercepting proxy functionality
31 | Other | I | OWASP Request For Proposal | Documentation | Unknown | owasp-rfp-criteria | Brennan | tomb@owasp.org | Purpose of this project is to simply provide an objective list and an aggregate set of questions from companies to utilize when they issue RFPs for web application security. | rfp-criteria | 12 | A guide for RFPs for security verification services
32 | Other | Governance | I | OWASP Security Baseline Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-security-baseline-project | Ventuneac | marian.ventuneac@owasp.org | This project aims to benchmark the security of various enterprise security products/services against OWASP Top 10 risks. Comprehensively assessing the security of enterprise products/services, the OWASP Security Baseline initiative will (eventually) lead to vendor-independent security certified solutions. | sec-baseline | 12 | A benchmark security analysis of enterprise products and services
33 | Builder | I | OWASP Software Security Assurance Process | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-software-security-assurance-process | Martinez | mateo.martinez@owasp.org | To outline mandatory and recommended processes and practices to manage risks associated with applications. Software Security is equally dependent on people, processes and technology. The effectiveness of the OWASP Software Security Process is continuously measured and is improved through feedback, threat landscape changes, availability of new concepts and tools. Should be the framework to map Requirements, Dev and Testing guidelines for example. | soft-sec | 8 | A set of recommended process and practices for software security
34 | Breaker | Verification | I | OWASP WhatTheFuzz Project | Tool | BSD License | /owasp-whatthefuzz-project | Basirico | jbasirico@securityinnovation.com | An easy to use, easy to get started fuzzer for websites. | whatthefuzz | 11 | A fuzzer for websites
35 | Other | I | OWASP Web Application Security Accessibility Project | Documentation | Creative Commons Attribution ShareAlike License V3.0 | owasp-accessibility-project | Závodský | petr.zavodsky@owasp.org | Practice points to the fact that a seemingly secure web application does, in reality, protect interests of only a specific group of users. Interests of a great number of users are protected only partially or not at all. This project will focus extensively on the issue of web application security accessibility. | accessiblity | 12 | Guidelines to increase the accessibility of web application security
36 | Other | I | OWASP Java Project | java-project | Rohr | matthias.rohr@owasp.org | The OWASP Java Project's goal is to enable Java and J2EE developers to build secure applications efficiently. | This is an ecosystem/community | 0
37 | Other | I | OWASP Data Exchange Format Project | Document | Apache License V2.0 | owasp-data-exchange-format, Dinis, | To define an open format for exchanging data between pentest open format for exchanging data between pentest tools
38 | Builder | Construction | I | OWASP Cheat Sheets Project | Document | Creative Commons Attribution ShareAlike License V3.0 | owasp-cheat-sheets | Koussa, Jim, | jim.manico@owasp.org | This project was created to provide a concise collection of high value information on specific security topics. | cheat-sheets | 12 | A collection of cheat sheets about web application security topics
39 | Breaker | Verification | I | OWASP Security Tools for Developers Project | Tool | Unknown | owasp-std | Develop a reference implementation of open source tools integrated in an end to end development process. This will likely include a reference architecture, guidance and a reference implementation using open source tools. | sec-dev-tools | 13 | A platform to integrate security tools into the development process
40 | Breaker | Verification | I | OWASP OVAL Content Project | Tool | Creative Commons Attribution ShareAlike License V3.0 | owasp-oval-content | Kumar | gk@pivotalsecurity.com | The purpose of this project is to create OVAL content to enable any OVAL compatible tool to find security issues which can be represented in a standard format. | oval-content | 12 | A set of standardized assessment documents in OVAL XML format
41 | Breaker | Verification | I | OWASP NAXSI Project | Tool | GNU General Public License version 2.0 (GPLv2) | owasp-naxsi-project | "bui" Koechlin | bui@nbs-system.com | This is an open source, high performance, low rules maintenance, Web Application Firewall module for Nginx, the infamous web server and reverse-proxy. | naxsi | 5 | A web application firewall module for Nginx
42 | Breaker | Verification | I | OWASP Passw3rd Project | Tool | MIT License | owasp-passw3rd-project | Matatall | neil@owasp.org | Store passwords in encrypted files with an easy to use command line interface, and utilities to use the passwords in code. In its simplest form, the keys are generated per environment with OS access controls while the password files are stored in SCM. | passw3rd | 8 | A tool to store encrypted passwords for programmatic use in code
44 | Breaker | Verification | I | OWASP WebGoat.NET | Tool | GNU General Public License version 3.0 (GPLv3) | Hoff | jerry.hoff@owasp.org | WebGoat.NET is a purposefully broken ASP.NET web application. It contains many common vulnerabilities, and is intended for use in classroom environments. | webgoat-dotnet | 14 | An ASP.NET training environment for learning application security
45 | Builder | Construction | I | OWASP Proactive Controls | Document | Creative Commons Attribution ShareAlike 3.0 License | owasp_proactive_controls@lists.owasp.org | van der Stock | vanderaj@owasp.org | A Top 10 like document, phrased in a positive, testable manner that describes the Top 10 controls architects and developers should absolutely, 100% include in every project. Formerly known as OWASP Top 10 Defenses
46 | Builder | Construction | I | OWASP Passfault | Code Project | GNU LGPL v3 | owasp_passfault | Morris | cam.morris@owasp.org | Passfault evaluates password strength and enforces password policy. It identifies patterns in a password then enumerates how many passwords fit within the identified patterns. This approach is more accurate and more intuitive. It allows administrators to know and control password risk, instead of hoping that users will create strong passwords.
47 | Builder | Construction | I | OWASP OctoMS | Code Project | Creative Commons Attribution ShareAlike 3.0 License | owasp_octoms | Radosavlevici | valentino.radosavlevici@owasp.org | OctoMS is a free open-source PHP Framework designed on the MVC pattern that focuses on delivering useful debugging information and both offline & online documentation inside the application that is being developed through an intuitive AJAX interface.
48 | Breaker | Verification | I | OWASP OWTF | Tool | BSD License | owasp_owtf | Aranguren | Abraham.Aranguren@owasp.org | The Offensive (Web) Testing Framework is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient.
Please see:
49 | Other | I | OWASP Java/J2EE Secure Development Curriculum | Document Project | CC-BY 3.0 | OWASP_Java_J2EE_Secure_Development_Curriculum | A. L. Gottlieb | anthony.gottlieb@owasp.org | The OWASP Java/J2EE software security curriculum is offered as prescriptive guidance for those wishing to educate themselves or others on how to secure Java/J2EE software development. Included are core education tracks based on job description and specialization tracks based on specific areas of software security.
Course descriptions are provided as a point of reference for those wishing to know what content OWASP recommends.
50 | Breaker | Verification | I | OWASP Path Traverser | Tool | Attribution-NonCommercial-NoDerivs 3.0 Unported (CC BY-NC-ND 3.0) | OWASP_Path_Traverser | Melamed | Tal.Melamed@owasp.org | Path Traverser is a tool for security testing of web applications.
It simulates a real Path Traversal attack, only with actual existing files.

It operates as a middleman between the web application and its host server, which gives the ability to test the actual files as found in the host server against the application, according to their relevant path.

After you have provided the relevant details, Path Traverser will connect (FTP) to your host server in order to pull out the list of files.
Then, it manipulates the list taken from the file system so it will fit the web application by changing their paths.

If your application could be found at: http://mysrvr:777/home
and the application files could be found in the file system under: myapps/demoapp/client/version/lastversion/, requests for files under: /myapps/demoapp/client/version/1.1/ will be created as: http://mysrvr:777/home/../1.1/ and requests for files under /myapp/differentapp/files/ will be created as: http://mysrvr:777/home/../../../../differentapp/files/, etc.

After that, the Path Traverser will start sending these requests one by one and log the results by the HTTP Response code selected.

A configuration for excluding/including specific file types is available.
51 | Breaker | Verification | I | OWASP Watiqay | Tool | GNU GPL v2 | OWASP_Watiqay | Ganoza Plasencia | Carlos.Ganoza@owasp.org | Prevents layer 7 attacks on various websites where the client service is running, will have the capacity to restore vulnerable websites, and will have a continuous, personalized warning system.
52 | Breaker | Verification | I | OWASP Security Shepherd | Tool | GNU GPL v3 | OWASP_Security_Shepherd | Denihan | Mark.Denihan@owasp.org | Security Shepherd is a security aware in depth project. Designed with the aim of fostering security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills.
53 | Breaker | Verification | I | OWASP Xenotix XSS Exploit Framework | Tool | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_Xenotix_XSS_Exploit_Framework | Abraham | Ajin.Abraham@owasp.org | Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. This tool can inject code into a webpage that is vulnerable to XSS. It is basically a payload list based XSS Scanner. It provides a penetration tester the ability to test all the possible XSS payloads available in the payload list against a web application with ease. The tool supports both manual mode and automated time sharing based test modes. It includes an XSS encoder, a victim side keystroke logger, and an Executable Drive-by downloader.
54 | Breaker | Verification | I | OWASP Mantra OS | Tool | Creative Commons Attribution ShareAlike 3.0 License | OWASP_Mantra_OS | Disney | Gregory.Disney@owasp.org | Chromium OS is a safe, fast and secure sand-boxed OS. This makes it ideal to continue on the OWASP Mantra security toolkit project by completing it as an operating system.
55 | Builder | Construction | I | OWASP AW00t | Code Project | GNU GPL v2 | OWASP_AW00t | Arya | Nitin.Arya@owasp.org | It's an implementation of binary stubs, from basic to polymorphic code, that will show how viruses and malicious files keep themselves undetected by antivirus software.

The generated stubs can be appended to any program. A new approach to AV avoidance will also be shown, and special programs for hunting down the signatures, extracting them, and editing them for better use will be incorporated.
56 | Breaker | Verification | I | OWASP XSSER | Tool | GNU GPL v3 | OWASP_XSSER | Mérida | Roberto.Merida@owasp.org | Cross Site "Scripter" (XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
It contains several options to try to bypass certain filters, and various special techniques of code injection.
57 | Breaker | Verification | I | OWASP University Challenge | Documentation | Creative Commons Attribution ShareAlike 3.0 License | OWASP_University_Challenge | Buetler, Mateo Martinez | - Ivan ( - Mateo ( | First organized at the OWASP AppSec-US 2011 in Minneapolis, this project is to enable "attack & defend" challenges.
First at OWASP AppSec conferences, and later also outside AppSec conferences.
58 | Breaker | Verification | I | OWASP Hacking-Lab | Documentation | Creative Commons Attribution ShareAlike 3.0 License | OWASP_Hacking_Lab | Buetler, Mateo Martinez | - Ivan ( - Mateo ( | The current OWASP Hacking-Lab challenge ( is a great success!
Currently, there is one challenge, the OWASP TopTen, with currently 1164 registered users and +500 solutions sent in and verified by the OWASP teachers!
The goal is to provide an open and transparent process about the challenges and the teachers, and to continuously work on extending the available challenges.
59 | Builder | Construction | I | OWASP JSON Sanitizer | Code Library Project | Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project) | OWASP_JSON_Sanitizer | "As described at

Given JSON-like content, converts it to valid JSON.

This can be attached at either end of a data-pipeline to help satisfy Postel's principle:

be conservative in what you do, be liberal in what you accept from others
Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use.

Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML."
60 | Builder | Construction | I | OWASP PHPRBAC Project | Code Library Project | Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects) | OWASP_PHPRBAC | Naderi | abbas.naderi@owasp.org | PHPRBAC is a standard NIST Level 2 Hierarchical Role Based Access Control library implemented as a library for PHP. It allows perfectly maintainable function-level access control for enterprise and small applications or even frameworks alike.
Since implementation of NIST Level 2 Hierarchical RBAC is quite complicated, there are very few similar libraries and most of them do not adhere to standards. PHP RBAC is one of the fastest implementations (relying on a SQLite or MySQL backend) and has been tested in industry for more than three years.
61 | Builder | Construction | I | OWASP EJSF Project | Code Library Project | GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) | OWASP_EJSF_Project | web application frameworks have made it easy to develop high quality web applications, but developing a secure application still requires programmers to possess a deep understanding of security vulnerabilities and attacks. Sometimes it is difficult for an experienced developer to find and eliminate all the vulnerabilities. This demo represents the JSF-ESAPI framework based on JSF2.0 and OWASP ESAPI. It helps developers write a secure and lower-risk JSF based on a web application with minimal configuration and without extensive prior knowledge of the web security. The figure below shows a complete integration of the JSF-ESAPI framework with JSF2.0 and ESAPI. It works as a middleware and consists of four important modules. ESAPI Validation is the first module which verifies the user input as given in the XSS prevention cheat sheet provided by OWASP. It consists of many user-defined validator tags and generates appropriate error messages if the user input is not valid. In this way it performs a strong validation.
There are also some tags available in the correspondence validators in ESAPI, and they also filter the XSS relevant code from the input. The file-based authorization module simplifies the user’s role, such as admin, user, etc. and gives the permission to visualize certain components at the presentation layer based on assigned roles. ESAPI Filtering layer compares the valid form token with tokens stored in the session for that user. If the token is mitigated or changed by man in the middle during the process of a request-response exchange, it will give the appropriate exception.
The last module is a render module, which renders the output after filtering the XSS content and encodes the vulnerable characters such as <,>,”,’ etc. as given in the XSS prevention cheat sheet provided by OWASP.
[Figure: JSF-ESAPI Complete Architecture]
This framework will help developers to prevent a myriad of security problems including cross-site scripting, cross-site request forgery, automatic input validation, and automatic output validation with escaped “true” or without this parameter, authorization. All the features are included in one framework.
(1) It requires minimal configuration to use the framework.
(2) It ensures retrofit security in the existing application.
(3) It provides the same performance as JSF framework.
(4) Automatic filtering of the XSS vulnerable code from output takes place when escape equals “true” or “false”.
(5) The input validation is easy and no additional coding is required.
(6) It has a layered architecture. It uses what you need and leaves what you don’t need at the moment.
(7) One framework includes the most secure features.
62BuilderConstructionIOWASP BarbarusCode Library ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_Barbarus LamouchiNebrass.Lamouchi@owasp.orgMy project offers a new mechanism of authentication in web applications. This mechanism will be very easy and comfortable to use for the application's users and it will be very easy to integrate for the application developers.
63BuilderConstructionIOWASP Security Research and Development FrameworkCode ProjectGNU GPL v2OWASP_Security_Research_and_Development_Framework ThabetAmr.Thabet@owasp.orgThis is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework was created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.
64BuilderConstructionIOWASP FocusCode ProjectGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_Focus Callsonjim.callson@owasp.orgCreate a new intermediate language based off of Swing and .NET but written in JavaScript utilizing DOM and JSON. Allowing Java and .NET programmers to use their current programming methodologies via JavaScript .js files.
65BuilderConstructionIOWASP 1-LinerCode ProjectCreative Commons Attribution ShareAlike 3.0 Licenseowasp_1_liner Wilanderjohn.wilander@owasp.orgOWASP 1-Liner is a deliberately vulnerable Java- and JavaScript-based chat application intended for demos (talks, tutorials, proof-of-concepts) and possibly training in application security. The application has two parts – and – to allow for demos of both attacks and countermeasures.
66IOWASP Secure Application Design ProjectDocument ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_Secure_Application_Design RaoAshish.Rao@owasp.orgDesign level flaws are lesser known concepts but their presence is a very big risk to the applications. Such flaws are hard to find in static or dynamic application scans and instead require deep understanding of application architecture and layout to uncover them manually.

Design level security is crucial and must be adopted at an early stage of application development to build a robust system. Thus the aim of this project is to impart secure design guidelines to application developers. The project will highlight vulnerable areas in application designs through real world examples and scenarios and touch upon different aspects of design level security. The focus will also be to explain measures to be taken to prevent such flaws while designing applications.

The guidelines will cover core design concepts which can be applicable to any application independent of the platform.

Most of the design flaws will be discussed using sample code incorporated in an insecure design application. The project will also focus on releasing a secure design checklist for reviewing application designs or threat modelling them.
67OtherGovernanceIOWASP Periodic Table of VulnerabilitiesDocumentationCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_Periodic_Table_of_Vulnerabilities Landisjames.landis@owasp.orgThere are many anthologies of vulnerabilities and weaknesses (including CWE-25, TCv2, and OWASP top 10), but there is no attempt to classify these issues based on how they should best be solved. In the past, we have tried to teach developers how to avoid introducing these problems, but it appears via the lesson of Buffer Overflow that the only way we'll ever eliminate them is to make it impossible for developers to write vulnerable code at all. The periodic table classifies issues based on the most scalable solution, whether that be in frameworks, perimeter technologies, custom code, or fixing the browsers and standards responsible.
68OtherIOWASP Application Security Awareness Top 10 E-learning ProjectDocumentation ProjectAGPL 3.0 (prevents GPL's SaaS loophole)OWASP_Application_Security_Awareness_Top_10_E-learning_Project MetulaErez.Metula@owasp.orgThe Application Security E-Learning project has set itself the goal of delivering intuitive, concise and precise content in the fundamentals of application secure coding.
Main target audience: programmers who wish to learn/review application security fundamentals.
69DefenderVerificationIWASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC)Documentation ProjectCreative Commons Attribution License 2.5 Shezafofers@owasp.orgWAFEC provides interested parties, including users, vendors and 3rd party evaluators with a tool to define, learn about and evaluate the suitability of different WAFs for their needs.
70ConstructionIOWASP ESAPI Swingset ProjectDocumentation ProjectBSD licenseowasp-esapi-swingset CerulloFabio.Cerullo@owasp.orgThis is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library.
The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities.
71OtherConstructionIOWASP PressDocumentation ProjectCC-BY-SAowasp_press grovesdennis.groves@owasp.orgThe OWASP press is a pattern for massive community collaboration on OWASP documentation projects with just-in-time publication.
72OtherGovernanceIOWASP CISO SurveyDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_CISO_Survey Gondromtobias.gondrom@owasp.orgCISO Survey and later the CISO Report on Application and Information Security trends.
Also providing input and data for the CISO guide.
73DefenderGovernanceIOWASP Application Security Guide For CISOsDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_Application_Security_Guide_For_CISOs MoranaMarco.m.morana@gmail.comThe purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business cases for investing in application security following with the awareness of threats targeting applications, the identification of the economical impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks, the adoption of secure software development processes and maturity models and we conclude this journey with the selection of metrics for reporting and managing application security risk. More info about this project can be found in the introductory page of the guide
74OtherIOWASP Scada Security ProjectDocumentation ProjectApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_Scada_Security_Project"The primary aim of OWASP SCADA Security project is to gather information about different ICS/SCADA security threats related to WEB-applications and their environments, starting from the reconnaissance (“footprinting”) stage to vulnerabilities exploitation.

Primary goals:

- to make ICS/SCADA developers aware of security vulnerabilities by providing information about found WEB-application vulnerabilities in software and firmware on famous vendors;
- to create and publish freeware and open-source tools for ICS/SCADA security assessment written in scripting languages. "
75BuilderConstructionIOWASP CornucopiaDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_Cornucopia WatsonColin.Watson@owasp.orgCornucopia is a card game used to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories. An edition for ecommerce websites exists and alternative versions are planned.
76BreakerVerificationIOWASP SamuraiWTFToolGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_SamuraiWTF_Project Johnson and Justin, The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications.
77OtherVerificationIO-SaftToolGNU GPL v2O-Saft Hoffmannachim@owasp.orgThis tool lists information about a remote target's SSL certificate and tests the remote target's SSL connection according to a given list of ciphers and various SSL configurations.

----- Not part of the brief description, but to get the idea:
The tool currently combines the functionality of some existing tools (sslscan, sslyze, ...). It's prepared to make more intensive tests, that's where I expect help from the community.
Builder, Defender
78BreakerVerificationIOWASP CrowdtestingToolGNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces)OWASP_Crowdtesting KalamarisThomas.Kalamaris@owasp.orgThe project will try to promote the idea of crowd-testing combined with crowd-sourcing capabilities. We suggest the creation of a dynamic team of security testers specialized in application security testing that can test online web applications upon request. The web applications will be defined as projects and the team of testers will start the security testing. The team will use the tools that have been developed by the OWASP community but using custom-made tools is highly encouraged. As a result the consumer will have either a proof of concept that his application complies with the OWASP principles of secure coding or a list of potential threats due to discovered security flaws. Currently the application owners have access to this kind of security services via companies like Passbrains, utest etc.
79BreakerVerificationIOWASP OpenStack Security ProjectToolApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_OpenStack_Security_Project Tesauromatt.tesauro@owasp.orgThe OWASP OpenStack Security Project is an effort to provide security testing techniques and tools to assess the security of the OpenStack code base. Generally speaking, the OpenStack community is primarily developers of OpenStack and companies which are implementing all or parts of OpenStack. This project provides a bridge between the OpenStack community and the OWASP community of security professionals. The project leader is also a member of OpenStack and is a member of the OpenStack Security Group. OpenStack has the desire to be the Linux of Cloud infrastructure and OWASP can be the community that ensures the security of that Cloud.
80BreakerVerificationIOWASP Desktop Goat and Top 5 ProjectToolCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_Desktop_Goat_and_Top_5_Project DisneyGregory.Disney@owasp.orgOWASP Top 5: Desktop Vulnerabilities; a list of the top 5 vulnerabilities that are faced by desktop applications.
Desktop Goat; a vulnerable desktop application to demonstrate vulnerabilities for a learning environment.
81BreakerVerificationIOWASP BricksToolApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_Bricks M Balakrishnanabhi.balakrishnan@owasp.orgBricks, a deliberately vulnerable web application built on PHP & MySQL focuses on variations of commonly seen application security vulnerabilities & exploits, which can be exploited using tools (Mantra & ZAP). The mission is to 'break the bricks'.
82Builder/DefenderVerificationIOWASP Dependency CheckToolAPL 2.0OWASP_Dependency_Check Longjeremy.long@owasp.orgDependencyCheck is a utility that attempts to detect publicly disclosed vulnerabilities contained within a Java project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
83BreakerVerificationIOWASP Hive ProjectToolCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_Hive_Project JohnsonJason.Johnson@owasp.orgWe have a hive network that hosts a dashboard with the attitude of the hive and the Internet by using data mined from Twitter and others. Maybe we can incorporate tools like ZAP or any of the others into this. The thing is we sell this not to make money but to establish a statistics and data rich network. The fact that it cost 35$ with a case that has a WASP on it maybe a bit more. With the push of global security of our assets there is not a better time. I would not ask any other group but OWASP; this foundation is the smarts of the net. We can make something that is both supportive of our cause and a huge data rich Internet HIVE that if it's kicked we know why.
84BreakerVerificationIOWASP Droid FusionToolCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_Droid_Fusion Singh BhadoriaNikhalesh.Singh@owasp.orgDroid Fusion is a platform for Android mobile or any other mobile for doing Malware Analysis, Development, Application Pentesting, forensics. You can use it in any mobile security research, and if you have Droid Fusion, you don't need to worry about finding tools. There are more than 60 tools and scripts and it is free.
85BreakerVerificationIOWASP iSABEL Proxy ServerToolApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_iSABEL_Proxy_Server JarinaEurojee.Jarina@owasp.orgRecent research taken from leading network security solution providers shows that traditional firewalls focus their security mainly around the ports and protocols which is the packet headers and not the actual data content known as the packet payload. Packet headers only contain basic information like source and destination address which is very unreliable when it comes to identifying potential threats, attack, and malicious.

The idea of the project is to gain a deeper knowledge about securing web applications from different threats and attacks coming from external sources; this can be achieved by developing intermediary software that runs between the client and the server. This intermediary software will be based on a proxy server that will be implemented on layer 7 (Application) of the OSI model (Open Systems Interconnection), and its function is to accept network traffic from different clients trying to access resources from the web server. Once the client has successfully established a connection, the proxy will inspect all incoming network packets coming from the clients for malicious parameters and files such as viruses, worms, trojans.
86BuilderIOWASP Top 10 Fuer EntwicklerDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_Top_10_Fuer_Entwickler Giglertorsten.gigler@owasp.orgTop 10 fuer Entwickler (Top 10 Developer Edition in German) The objective of the project is to add Good Practices (like the Cheat Sheets) to the OWASP Top 10. Its aim is to bridge the gap between awareness, theoretical knowledge to effective know-how to build good programs. It is written in German to make it easier for German developers to use it. We will take care to make a migration to other languages easy.
87IOWASP Rails Goat ProjectToolApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_Rails_Goat JohnsonKen.Johnson@owasp.orgThis is a Rails application which is vulnerable to the OWASP Top 10. It is intended to show how each of these categories of vulnerabilities can manifest themselves in a Rails-specific way as well as provide the subsequent mitigations for each.
88IOWASP Good Component Practices ProjectDocumentation ProjectCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_Good_Component_Practices_Project; mark.miller@owasp.orgGood Component Practice is one of the most overlooked silver bullets in the Open Source arsenal. Because of business pressure, we have found that companies are willing to risk using unverified open source components, trading off security for enhanced speed in development.

This project will use community input to document an industry acceptable process for the creation, maintenance and use of open source components.
89IOWASP Bywaf ProjectToolGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_Bywaf_Project Gil Lariosrafael.gillarios@owasp.orgDevelop an application that speeds up an auditor's work when performing a pentest; its main function is to "detect, evade and give a result (vulnerability)" using known code injection methods and others developed by the team members over the course of their professional careers.
90IOWASP S.T.I.N.G ProjectToolMIT LicenseOWASP_S.T.I.N.G_Project; Lutz.Wischmann@owasp.orgThe OWASP S.T.I.N.G is a tool used for creating project specific security/privacy requirement catalogues by selecting from a huge set of potential requirements, policies or best practices. It acts as a kind of questionnaire and will generate a list of requirements and/or policies which are relevant for the project's context.

Security Requirements Management Questionnaire Repository
Filter Set & Rules for Policies, Standards, Guidelines, Procedures
Context : Tool within an Information Security Policy Framework
91IOWASP Web Application Security Quick Reference Guide ProjectDocumentationGNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces)OWASP_Web_Application_Security_Quick_Reference_Guide_Project Zmyslowskimarek.zmyslowski@owasp.orgThis will be a simple checklist for web applications. The unique feature of this project is that all checks will be simple and can be checked by a particular test case. It is simple, but from my experience can be very informative and useful for testers and coders.
92IOWASP Application Fuzzing Framework ProjectToolGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_Application_Fuzzing_Framework_Project Zmyslowskimarek.zmyslowski@owasp.orgThe framework will be used to fuzz applications in the Windows environment. It will have a couple of modules. Two main modules will be for file fuzzing and DLL fuzzing. Very wide configuration to allow lots of fuzzing possibilities.
93IOWASP iMAS - iOS Mobile Application Security ProjectCodeApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_iMAS_iOS_Mobile_Application_Security_Project, Gregg.Ganley@owasp.orgiMAS – iOS secure application framework to reduce iOS application vulnerabilities and information loss

iMAS and its first open source static security controls for download and use in iOS applications. Visit and browse our project to find out more; download and give it a try. Once you do, tell us what you think or better yet, get involved and participate!

iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the System Passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, developer and validation tools/techniques.
94IOWASP VaultDB ProjectToolModified BSD, 3-clause License (we recommend you consider Apache 2.0 instead of this license. It is more up-to-date and provides a little more protection from software patent lawsuits)OWASP_VaultDB_Project, maxime_labelle@hotmail.comNoSQL crypto proxy for modern DBMS and web applications. Supports multi-recipient and group encryption. Loaded with a strong RSA/AES cryptosystem.

Scytale sits between your web application and your favorite DBMS and performs encryption and decryption of your web application data. Scytale stores the encrypted data inside your preferred DBMS for storage.

Its design is secure, well planned and made to provide developers with a solid method for integrating strong cryptography inside web applications using NoSQL-like
95IOWASP WS-Amplification DoS ProjectToolApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_WS_Amplification_DoS_Project VissersThomas.Vissers@owasp.orgThe project aims to explore the threat of an Amplification DoS attack that utilises webservices.
Currently, DNS servers are widely misused to amplify DoS traffic. This is called a DNS Amplification or Reflective attack. Read more about it in this article:
It appears that SOAP webservices that implement WS-Addressing might be vulnerable to similar abuse.
The aim of the project is to develop tools to test this vulnerability and determine the threat magnitude on a global scale.
If necessary, a publication involving awareness and countermeasures will follow.
96IOWASP Mutillidae 2 ProjectToolGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_Mutillidae_2_Project DruinJeremy.Druin@owasp.orgNOWASP (Mutillidae) is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts. NOWASP (Mutillidae) can be installed on Linux and Windows using LAMP, WAMP, and XAMPP for users who do not want to administrate a webserver. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on pre-installed platforms. With dozens of vulns and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.
97IOWASP Skanda - SSRF Exploitation FrameworkToolGNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)OWASP_Skanda_SSRF_Exploitation_Framework Singh ChauhanJayesh.Singh@owasp.orgSkanda is an SSRF Vulnerability Exploitation Framework. Current version performs Cross Site Port Attack on a vulnerable application and discovers open ports. Future versions will perform advanced attacks like network host discovery, service discovery and service level vulnerability detection and exploitation through SSRF.
98IOWASP RBAC ProjectCodeApache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)OWASP_RBAC_Project Naderiabiusx@owasp.orgThe RBAC project aims to port and promote standard NIST Level 2 RBAC implementations, currently the PHP version is available as a separate project.
99IOWASP PHP Security ProjectCodeCreative Commons Attribution ShareAlike 3.0 License (best for documentation projects)OWASP_PHP_Security_Project NaderiAbbas.Naderi@owasp.orgOWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.