The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
-
Updated
Nov 17, 2020 - Python
#
owasp
Here are 355 public repositories matching this topic...
A collection of hacking / penetration testing resources to make you better!
exploit
reverse-engineering
malware
mitm
hacking
owasp
penetration-testing
ctf
privilege-escalation
buffer-overflow
windows-privilege-escalation
privilege-escalation-linux
-
Updated
Nov 11, 2020
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
python
rest
static-analysis
apk
owasp
dynamic-analysis
web-security
ipa
malware-analysis
mobsf
android-security
mobile-security
windows-mobile-security
ios-security
mobile-security-framework
api-testing
cwe
devsecops
cvssv2
runtime-security
-
Updated
Nov 23, 2020 - Python
In-depth Attack Surface Mapping and Asset Discovery
-
Updated
Nov 17, 2020 - Go
A curated list of resources for learning about application security
-
Updated
Jun 17, 2020 - PHP
cnotin
commented
Oct 25, 2020
⭐ Challenge idea
Description
I notice that the Cards API returns the full credit card number, while the UI only shows the last digits
Underlying vulnerabilities
- entire card storage -> PCI/DSS
- returning more info than what's displayed
Expected difficulty
|
|:------------------------
Next generation web scanner
ruby
security
web
scanner
hacking
owasp
penetration-testing
application-security
pentesting
recon
pentest
kali-linux
appsec
network-security
web-hacking
security-tools
penetration-test
hacking-tools
pentesting-tools
penetration-testing-tools
-
Updated
Nov 4, 2020 - Ruby
ThunderSon
commented
Sep 12, 2020
What's the issue?
Overwritten test scenario, can be summarized and link to payload lists from other repos
How do we solve it?
Chop down the content to the required and needed information, link to payload lists instead of enumerating all possible usernames and passwords, provide further guidance on how to test.
If no one is up to handle it, I can take care of it
bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
go
html
sanitization
security
whitelist
risk
xss
data-uri
owasp
html-element
scenario
turns
nofollow
bluemonday
-
Updated
Aug 13, 2020 - Go
Automated Security Testing For REST API's
python
security
owasp
ci-cd
penetration-testing
postman-collection
sdlc
security-automation
penetration-testing-framework
restapiautomation
-
Updated
Aug 19, 2019 - Python
h3xstream
commented
Oct 5, 2020
Description
BeanUtils is a library that is doing automatic mapping to Java object.
It can cause arm when the attack controls part of the list of properties being sets. BeanUtils does not blacklist properties like class, classloader or other objects that are likely to load arbitrary classes and possibly run code.
Code
import org.apache.commons.beanutils.BeanUtils;
public
valentijnscholten
commented
Oct 14, 2020
The component_name and component_version fields were added recently. Some scanners already populate these fields, but lots of them don't. For some scanners these fields cannot be set, i.e. for scanners that try xss on web pages etc. But probably there are some scanners that can/should be updated.
Offensive Web Testing Framework (OWTF), is a framework which tries to unite great tools and make pen testing more efficient http://owtf.org https://twitter.com/owtfp
python
linux
security
nist
framework
passive
mozilla
traffic
owasp
pentest
impact
kali-linux
owtf
semi-passive
web-application-security
-
Updated
Nov 21, 2020 - Python
Awesome Node.js Security resources
-
Updated
Nov 19, 2020 - JavaScript
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.
javascript
ruby
python
java
swift
rust
golang
php
security
ios
cryptography
encryption
authentication
objective-c
owasp
cryptography-library
secure-messenger
asymmetric-cryptography
symmetric-cryptography
secure-storage
-
Updated
Nov 23, 2020 - C
Automated Penetration Testing Framework
python
automation
bruteforce
owasp
penetration-testing
network-analysis
vulnerability-scanners
information-gathering
portscanner
penetration-testing-framework
-
Updated
Nov 23, 2020 - Python
hackers
hacking
resources
owasp
penetration-testing
exploitation
youtube-channel
web-hacking
vulnerable-applications
learning-hacking
-
Updated
Oct 1, 2020
Dependency-Track is an intelligent Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components.
security
owasp
bom
vulnerabilities
vulndb
appsec
component-analysis
nvd
vulnerability-detection
sca
software-security
security-automation
devsecops
software-composition-analysis
bill-of-materials
ossindex
purl
package-url
sbom
cyclonedx
-
Updated
Nov 22, 2020 - Java
OWASP Joomla Vulnerability Scanner Project
-
Updated
May 20, 2020 - Perl 6
OWASP WEB Directory Scanner
proxy
scanner
bruteforce
proxies
dirscanner
owasp
dir-scanner
dir-search
pentest
directories-scanner
blackarch
dirsearch
-
Updated
May 9, 2020 - Python
OWASP ZAP Add-ons
-
Updated
Nov 23, 2020 - Java
Damn Vulnerable NodeJS Application
-
Updated
Aug 24, 2020 - CSS
The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
-
Updated
Nov 17, 2020
Open
Document ZAP
1
omerlh
opened
May 9, 2018
Improve this page
Add a description, image, and links to the owasp topic page so that developers can more easily learn about it.
Add this topic to your repo
To associate your repository with the owasp topic, visit your repo's landing page and select "manage topics."
Background:
This is logged on the back of the discussion with the ZAP team about the current behaviour of XML External Entity Attack scanner. There were two concerns raised in this discussion. I am creating seperate tickets for them as they can be addressed independent of each other. F