67 Open Source Appsec Software Projects

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

The OWASP ZAP core project

Web path scanner

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

w3af: web application attack and audit framework, the open source web vulnerability scanner.

Next generation web scanner

Git All the Payloads! A collection of web attack payloads.

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.

Some of my security stuff and vulnerabilities. Nothing advanced. More to come.

A vulnerable version of Rails that follows the OWASP Top 10

An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications

Dependency-Track is an intelligent Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components.

OWASP ZAP Add-ons

The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.

Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.

Integrates Dependency-Check reports into SonarQube

OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.

Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer

A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review.

YAWAST ...where a pentest starts. Security Toolkit for Web-based Applications

SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). :rainbow:

🎯 RFI/LFI Payload List

Kurukshetra - A framework for teaching secure coding by means of interactive problem solving.

In progress rough solutions to bWAPP / bee-box

Version 0.2 - Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB).

A simple Java command-line utility to mirror the CVE JSON data from NIST.

An application to assist in the organization and prioritization of software security activities.

OWASP SecurityRAT (version 1.x) - Tool for handling security requirements in development

This project is about creating and publishing threat model examples.

HTML5 WebSocket message fuzzer

A Bind9 server for pentesters to use for Out-of-Band vulnerabilities

A Free & Open Source DevSecOps Platform

JWT fuzzer

Intentionally Vulnerable Serverless Functions to understand the specifics of Serverless Security Vulnerabilities

Jenkins plugin for OWASP Dependency-Check. Inspects project components for known vulnerabilities (e.g. CVEs).

njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.

A Java library for parsing and programmatically using threat models

Documentation for Essential Node.js Security

All-in-one tool for managing vulnerability reports from AppSec pipelines

Some good resources for getting started with application security

Integrates OWASP Zed Attack Proxy reports into SonarQube

Detects the algorithm of input JWT Token and provide options to generate the new JWT token based on the user selected algorithm.

A Burp Suite Extension to take back your repeater tabs

An organizational asset and vulnerability management tool, with Jira integration, designed for generating application security reports.

A modular bug hunting and web application pentesting framework written in Go

Reapsaw is a continuous security devsecops tool, which helps in enabling security into CI/CD Pipeline. It supports coverage for multiple programming languages.

Presentations, training modules, and other education materials from Duo Security's Application Security team.

Анонси, програми та архів матеріалів українських конференцій з кібер-безпеки.

A simple PHP application to learn SQL Injection detection and exploitation techniques.

Generic SAST Library

Vendor-Neutral Security Tool Automation Controller (over REST)

Embedded AppSec Best Practices

Interactive IPython Notebook to demonstrate OWASP ZAP's API and Scripting Functions - OWASP ZAP 2.8.0

Additional Resources For Securing The Stack Tutorials

☔️A curated list of tools, articles & resources to help take your frontend security to the next level. Feel free to contribute!

Sample scan files for testing DefectDojo imports

CryptoNice is both a command line tool and library which provides the ability to scan and report on the configuration of SSL/TLS for your internet or internal facing web services. Built using the sslyze API and ssl, http-client and dns libraries, cryptonice collects data on a given domain and performs a series of tests to check TLS configuration and supporting protocols such as HTTP2 and DNS.

Web Browser Hooking Framework. Manage, execute and assess web browser vulnerabilities

Application Security Awareness Training

A simple Java command-line utility to mirror the entire contents of VulnDB.

Oversecured Vulnerable Android App

Nmap and NSE command line wrapper in the style of Metasploit

The OWASP Vulnerable Web Applications Directory (VWAD) Project - OWASP Web Site

Methodology for high-quality web application security testing - https://github.com/tprynn/web-methodology/wiki

Whitepass Bypass Whitelist/Ratelimit Implementations in Web Applications/APIs

The OWASP ZAP Heads Up Display (HUD)

Checkmarx Scan Github Action