The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
-
Updated
Nov 25, 2020 - Python
#
appsec
Here are 130 public repositories matching this topic...
Web path scanner
python
security
hacking
bruteforce
wordlist
penetration-testing
brute-force
bug-bounty
fuzzing
infosec
pentesting
fuzzer
brute
appsec
hacking-tool
dirsearch
dirbuster
scanner-web
bruteforcer
-
Updated
Nov 25, 2020 - Python
cnotin
commented
Oct 25, 2020
⭐ Challenge idea
Description
I notice that the Cards API returns the full credit card number, while the UI only shows the last digits
Underlying vulnerabilities
- entire card storage -> PCI/DSS
- returning more info than what's displayed
Expected difficulty
|
|:------------------------
w3af: web application attack and audit framework, the open source web vulnerability scanner.
-
Updated
Oct 6, 2020 - Python
Next generation web scanner
ruby
security
web
scanner
hacking
owasp
penetration-testing
application-security
pentesting
recon
pentest
kali-linux
appsec
network-security
web-hacking
security-tools
penetration-test
hacking-tools
pentesting-tools
penetration-testing-tools
-
Updated
Nov 25, 2020 - Ruby
Git All the Payloads! A collection of web attack payloads.
-
Updated
Jul 19, 2020 - Shell
ThunderSon
commented
Sep 12, 2020
What's the issue?
Overwritten test scenario, can be summarized and link to payload lists from other repos
How do we solve it?
Chop down the content to the required and needed information, link to payload lists instead of enumerating all possible usernames and passwords, provide further guidance on how to test.
If no one is up to handle it, I can take care of it
Some of my security stuff and vulnerabilities. Nothing advanced. More to come.
-
Updated
Jun 11, 2019
A vulnerable version of Rails that follows the OWASP Top 10
-
Updated
Jul 28, 2020 - HTML
psiservices-tonywaters
commented
Nov 1, 2020
General remarks
There appears to be no way of adding labels or annotations to the Secret object created by KamusSecret
Is your feature request related to a problem? Please describe.
My Secret objects sometimes need annotations and/or labels - for example when using Helm version of Jenkins for Gitops, the Jenkins secret needs labels and annotations:
labels:
"jenkins.io/credenti
1
stevespringett
commented
Nov 18, 2020
The current swagger definition is autogenerated. The automatically generated definitions rely on reflection and annotations to create the documentation. The reflection capabilities are poor at best and lead to missing API parameters. Annotations can help in some cases, but the only fix for Swagger is to create individual POJOs for every possible request. This will lead to unnecessary large number
OWASP ZAP Add-ons
-
Updated
Nov 26, 2020 - Java
The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
-
Updated
Nov 17, 2020
Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.
-
Updated
Oct 16, 2019 - Go
Integrates Dependency-Check reports into SonarQube
security
sonarqube
owasp
visibility
vulnerabilities
appsec
component-analysis
nvd
sonar-plugin
software-security
vulnerable-components
-
Updated
Nov 25, 2020 - HTML
kingthorin
commented
Nov 9, 2020
https://github.com/OWASP/www-community/blob/master/pages/CRV2_AppThreatModeling.md
Contains a bunch of HTML based tables that need attention. They did not auto-migrate well and at a certain point break the rendering of the majority of the page.
A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review.
awesome
awesome-list
threat-modeling
appsec
devsecops
security-review
practical-devsecops
devsecops-university
-
Updated
Nov 7, 2020 - Dockerfile
Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer
xss
vulnerability
infosec
application-security
interview-questions
appsec
webappsec
sdlc
websecurity
devsecops
websec
websecurity-reference
security-team
security-engineer-interview
-
Updated
Aug 7, 2020
psiinon
commented
May 22, 2020
If HTTP sites (is not HTTPS ones) use the Access-Control-Allow-Origin header then the site will typically not work.
ZAP should automatically fix this header.
https://stackoverflow.com/questions/61940616/how-do-i-work-with-http-sites-using-the-hud-in-owasps-zap-proxy
SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). 🌈
security
devops
security-audit
scala
sbt
static-analysis
owasp
sbt-plugin
infosec
vulnerabilities
cve
appsec
nvd
software-security
owasp-dependencycheck
vulnerability-scanners
security-automation
devsecops
software-composition-analysis
-
Updated
Nov 23, 2020 - Scala
YAWAST ...where a pentest starts. Security Toolkit for Web-based Applications
-
Updated
Nov 12, 2020 - Python
security
bug-bounty
application-security
bugbounty
appsec
payload
payloads
lfi
rfi
web-hacking
websecurity
web-application-security
security-research
security-researcher
lfi-exploitation
payload-list
lfi-vulnerability
security-researchers
rfi-exploiton
rfi-vulnerabillity
-
Updated
Oct 1, 2020
prabhu
commented
Jul 9, 2020
It will be a fun exercise to make scan work for mono repos such as https://github.com/swapnil-linux/spring-boot-examples
In theory, this can be achieved using a bit of bash with the new scan AppImage.
This project is about creating and publishing threat model examples.
-
Updated
Oct 4, 2020 - Python
Methodology for high-quality web application security testing - https://github.com/tprynn/web-methodology/wiki
security
documentation
web
web-application
application-security
appsec
web-application-security
security-testing
-
Updated
Sep 23, 2020
Kurukshetra - A framework for teaching secure coding by means of interactive problem solving.
-
Updated
Jun 11, 2019 - PHP
A simple Java command-line utility to mirror the CVE JSON data from NIST.
-
Updated
Nov 19, 2020 - Java
In progress rough solutions to bWAPP / bee-box
-
Updated
Jan 7, 2020 - HTML
Version 0.2 - Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB).
sql
sql-injection
exploitation
appsec
blind-sql-injection
sql-payloads
database-security
blisqy
john-ombagi
-
Updated
Mar 24, 2019 - Python
Improve this page
Add a description, image, and links to the appsec topic page so that developers can more easily learn about it.
Add this topic to your repo
To associate your repository with the appsec topic, visit your repo's landing page and select "manage topics."
Background:
This is logged on the back of the discussion with the ZAP team about the current behaviour of XML External Entity Attack scanner. There were two concerns raised in this discussion. I am creating seperate tickets for them as they can be addressed independent of each other. F