The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
-
Updated
Jul 21, 2021 - Python
#
appsec
Here are 149 public repositories matching this topic...
Web path scanner
python
security
scanner
hacking
bruteforce
wordlist
penetration-testing
brute-force
bug-bounty
fuzzing
infosec
pentesting
fuzzer
brute
appsec
hacking-tool
dirsearch
dirbuster
scanner-web
bruteforcer
-
Updated
Jul 19, 2021 - Python
snowbear
commented
Jun 11, 2021
⭐ Challenge idea
Description
Several users originally missing security question answers - most notably bjoern.k
w3af: web application attack and audit framework, the open source web vulnerability scanner.
-
Updated
Jun 8, 2021 - Python
jespunya
commented
Jun 29, 2020
What would you like to happen?
The sections 4.7.11.1 Testing for Local File Inclusion & 4.7.11.2 Testing for Remote File Inclusion address two attack vectors that are very similar one to the other. Given this situation and the few documentation on the Remote injection one, my proposal would be to merge both in a single section called Testing for File Injection.
Next generation web scanner
ruby
security
web
scanner
hacking
owasp
penetration-testing
application-security
pentesting
recon
pentest
kali-linux
appsec
network-security
web-hacking
security-tools
penetration-test
hacking-tools
pentesting-tools
penetration-testing-tools
-
Updated
Jun 30, 2021 - Ruby
Git All the Payloads! A collection of web attack payloads.
-
Updated
Apr 22, 2021 - Shell
Some of my security stuff and vulnerabilities. Nothing advanced. More to come.
-
Updated
Jun 11, 2019
stephenjohnwilliams
commented
Feb 23, 2021
Current Behavior:
When viewing vulns in the Audit Vulnerabilities tab. the Analysis column appears to contain code (enum?) names, e.g. NOT_SET, FALSE_POSITIVE. This problem also occurs in Policy Violations tab.
Steps to Reproduce:
Open the Audit Vulnerabilities tab.
Expected Behavior:
The Analysis column contains language specific analysis values, e.g. Not Set, False Positive
1
herveleclerc
commented
Mar 9, 2020
Authentication via Azure/aad-pod-identity for keyvault access could be a good feature to avoid use of clientId/ clientSecret in chart values. Don't you think ?
A vulnerable version of Rails that follows the OWASP Top 10
-
Updated
Jul 13, 2021 - HTML
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
-
Updated
Jul 23, 2021 - Open Policy Agent
OWASP ZAP Add-ons
-
Updated
Jul 22, 2021 - Java
The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
-
Updated
Jul 18, 2021
kingthorin
commented
Nov 9, 2020
https://github.com/OWASP/www-community/blob/master/pages/CRV2_AppThreatModeling.md
Contains a bunch of HTML based tables that need attention. They did not auto-migrate well and at a certain point break the rendering of the majority of the page.
Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.
-
Updated
Oct 16, 2019 - Go
A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review.
awesome
awesome-list
threat-modeling
appsec
devsecops
security-review
practical-devsecops
devsecops-university
-
Updated
Jun 19, 2021 - Dockerfile
Integrates Dependency-Check reports into SonarQube
security
sonarqube
owasp
visibility
vulnerabilities
appsec
component-analysis
nvd
sonar-plugin
software-security
vulnerable-components
-
Updated
Jul 21, 2021 - HTML
Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer
xss
vulnerability
infosec
application-security
interview-questions
appsec
webappsec
sdlc
websecurity
devsecops
security-engineering
websec
websecurity-reference
security-team
security-engineer-interview
-
Updated
Aug 7, 2020
Open
rush.js build errors
prabhu
commented
Apr 20, 2021
Seeing the below error while installing rush.js. Probably might need a package in the base image. Any help would be appreciated.
#21 516.9 > [email protected] install /usr/local/lib/node_modules/@microsoft/rush/node_modules/keytar
#21 516.9 > prebuild-install || npm run build
#21 516.9
#21 521.6 prebuild-install WARN install No prebuilt binaries found (target=14.16.0 runtime=node arch=arm64
security
bug-bounty
application-security
bugbounty
appsec
payload
payloads
lfi
rfi
web-hacking
websecurity
web-application-security
security-research
security-researcher
lfi-exploitation
payload-list
lfi-vulnerability
security-researchers
rfi-exploiton
rfi-vulnerabillity
-
Updated
Jun 9, 2021
psiinon
commented
May 22, 2020
If HTTP sites (is not HTTPS ones) use the Access-Control-Allow-Origin header then the site will typically not work.
ZAP should automatically fix this header.
https://stackoverflow.com/questions/61940616/how-do-i-work-with-http-sites-using-the-hud-in-owasps-zap-proxy
Oversecured Vulnerable Android App
-
Updated
May 31, 2021 - Java
SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). 🌈
security
devops
security-audit
scala
sbt
static-analysis
owasp
sbt-plugin
infosec
vulnerabilities
cve
appsec
nvd
software-security
owasp-dependencycheck
vulnerability-scanners
security-automation
devsecops
software-composition-analysis
-
Updated
Jul 20, 2021 - Scala
Version 0.2 - Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB).
sql
sql-injection
exploitation
appsec
blind-sql-injection
sql-payloads
database-security
blisqy
john-ombagi
-
Updated
Mar 24, 2019 - Python
This project is about creating and publishing threat model examples.
-
Updated
Mar 6, 2021 - Python
YAWAST ...where a pentest starts. Security Toolkit for Web-based Applications
-
Updated
Jul 14, 2021 - Python
njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.
nodejs
lint
python
security
semantic
linter
static-analysis
expressjs
jslint
static-analyzer
codereview
appsec
staticanalysis
security-tools
devsecops
sast
nodesecurity
nodejsscan
codescanner
njsscan
-
Updated
Jul 22, 2021 - JavaScript
Methodology for high-quality web application security testing - https://github.com/tprynn/web-methodology/wiki
security
documentation
web
web-application
application-security
appsec
web-application-security
security-testing
-
Updated
Sep 23, 2020
Improve this page
Add a description, image, and links to the appsec topic page so that developers can more easily learn about it.
Add this topic to your repo
To associate your repository with the appsec topic, visit your repo's landing page and select "manage topics."
Decimal numbers like
52.5702100309281,trigger the PII scan rule, and they shouldnt.Example page: https://www.discoverireland.ie/limerick/glin-heritage-trails-knight-s-walk
They could be excluded using a similar check to https://github.com/zaproxy/zap-extensions/blob/master/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/PiiScanRule.java#L118-L139
cc @HugoBar