The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
-
Updated
Jun 30, 2022 - Python
#
appsec
Here are 206 public repositories matching this topic...
enhancement
IdealFirstBug
An issue ideal for new contributors. Same as label "good first issue", kept for legacy reasons.
add-on
good first issue
An issue ideal for new contributors.
Web path scanner
python
security
scanner
hacking
wordlist
enumeration
penetration-testing
bug-bounty
fuzzing
infosec
pentesting
bugbounty
fuzzer
brute
appsec
hacking-tool
dirsearch
pentest-tool
-
Updated
Jul 1, 2022 - Python
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
javascript
security
hacking
owasp
application-security
pentesting
ctf
vulnerable
appsec
hacktoberfest
owasp-top-10
owasp-top-ten
24pullrequests
vulnapp
-
Updated
Jul 6, 2022 - TypeScript
A list of web application security
security
scanner
hacking
owasp
penetration-testing
vulnerability
web-security
pentesting
vulnerabilities
appsec
metasploit
web-hacking
hacking-tools
-
Updated
Jun 14, 2022
w3af: web application attack and audit framework, the open source web vulnerability scanner.
-
Updated
Mar 11, 2022 - Python
Next generation web scanner
ruby
security
web
scanner
hacking
owasp
penetration-testing
application-security
pentesting
recon
pentest
kali-linux
appsec
network-security
web-hacking
security-tools
penetration-test
hacking-tools
pentesting-tools
penetration-testing-tools
-
Updated
Feb 5, 2022 - Ruby
Git All the Payloads! A collection of web attack payloads.
-
Updated
Apr 22, 2021 - Shell
DefectDojo is a DevSecOps and vulnerability management tool.
python
kubernetes
security
automation
django
analytics
owasp
vulnerability-databases
appsec
vulnerability-management
hacktoberfest
security-orchestration
security-automation
devsecops
vulnerability-correlation
-
Updated
Jul 8, 2022 - HTML
nscuro
commented
Jun 20, 2022
Current Behavior:
As identified in #1727, there may be multiple fields of CycloneDX BOMs that we currently don't ingest or display.
Proposed Behavior:
Assess DT's coverage of CycloneDX v1.4 fields and add support for ingesting and displaying missing fields.
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
-
Updated
Jul 8, 2022 - Open Policy Agent
-
Updated
Apr 18, 2022
Some of my security stuff and vulnerabilities. Nothing advanced. More to come.
-
Updated
Jun 11, 2019
herveleclerc
commented
Mar 9, 2020
Authentication via Azure/aad-pod-identity for keyvault access could be a good feature to avoid use of clientId/ clientSecret in chart values. Don't you think ?
enhancement
New feature or request
help wanted
Extra attention is needed
good first issue
Good for newcomers
OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security training. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software. A containerized version of the application is available as a companion project.
training
security
application
web
owasp
cybersecurity
penetration-testing
top
appsec
10
owasp-top-10
-
Updated
May 10, 2022 - PHP
A vulnerable version of Rails that follows the OWASP Top 10
-
Updated
Jul 6, 2022 - HTML
9
kingthorin
commented
Nov 9, 2020
I just finished dealing with auto-migrated issues for this article, it could definitely use some content updates:
https://github.com/OWASP/www-community/blob/master/pages/HttpOnly.md it still talks about old versions of IE and Opera.
This article includes an extensive table that needs re-working after the auto-migration as well (which I did not tackle).
Is Opera even relevant in 2020? Do
Open
sim swapping
3
A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review.
awesome
awesome-list
threat-modeling
appsec
devsecops
security-review
practical-devsecops
devsecops-university
-
Updated
Jul 7, 2022 - Dockerfile
vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.
api
docker
php
cors
owasp
postman
exercises
bugbounty
appsec
hacktoberfest
vulnerable-application
owasp-top-10
owasp-top-ten
appsec-tutorials
apitop10
hacktoberfest-accepted
-
Updated
Apr 30, 2022 - HTML
OWASP ZAP Add-ons
-
Updated
Jul 7, 2022 - Java
The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
-
Updated
Apr 23, 2022
Open Source Security Guide
security
best-practices
owasp
cybersecurity
penetration-testing
pentesting
compliance
vulnerabilities
security-hardening
appsec
vulnerability-detection
cve-scanning
vulnerability-scanners
security-automation
security-tools
devsecops
privacy-protection
pentesting-tools
awesome-opensource
awesome-security
-
Updated
Jul 6, 2022 - Go
Open
rush.js build errors
prabhu
commented
Apr 20, 2021
Seeing the below error while installing rush.js. Probably might need a package in the base image. Any help would be appreciated.
#21 516.9 > [email protected] install /usr/local/lib/node_modules/@microsoft/rush/node_modules/keytar
#21 516.9 > prebuild-install || npm run build
#21 516.9
#21 521.6 prebuild-install WARN install No prebuilt binaries found (target=14.16.0 runtime=node arch=arm64
bug
Something isn't working
good first issue
Good for newcomers
help wanted
Extra attention is needed
Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.
-
Updated
Mar 18, 2022 - Go
Integrates Dependency-Check reports into SonarQube
security
sonarqube
owasp
visibility
vulnerabilities
appsec
component-analysis
nvd
sonar-plugin
software-security
vulnerable-components
-
Updated
Jul 4, 2022 - HTML
Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer
xss
vulnerability
infosec
application-security
interview-questions
appsec
webappsec
sdlc
websecurity
devsecops
security-engineering
websec
websecurity-reference
security-team
security-engineer-interview
-
Updated
Aug 7, 2020
Oversecured Vulnerable Android App
-
Updated
May 20, 2022 - Java
security
bug-bounty
application-security
bugbounty
appsec
payload
payloads
lfi
rfi
web-hacking
websecurity
web-application-security
security-research
security-researcher
lfi-exploitation
payload-list
lfi-vulnerability
security-researchers
rfi-exploiton
rfi-vulnerabillity
-
Updated
Jun 9, 2021
Improve this page
Add a description, image, and links to the appsec topic page so that developers can more easily learn about it.
Add this topic to your repo
To associate your repository with the appsec topic, visit your repo's landing page and select "manage topics."
Is your feature request related to a problem?
The Traditional and Traditional Plus JSON reports treat "Other Info" as consistent between alerts which is not always the case. A new JSON report should be added which treats "Other Info" as potentially unique per alert instance.
As per the original issue a perfect way to test/experience this need is the Retire.JS passive scan alerts which i