GPC/Projects Inventory3

Project Leader(s) (if exist) Project Description
OWASP Germany Local Chapter Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself - and this is why they are not detected, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems.
Achim Hoffmann Encoder, decoder, converter, transformer and calculator for the various codings used in the wild wide web. It is a collection of functions (called actions here) for encoding, decoding and converting between codings; the set of actions was driven mainly by what HTTP/HTML-based work requires.
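The following is an added example of the kind of chained encode/decode actions described above, written for this page; it is not EnDe's own code, and the action names in the table are assumptions. Beyond round-tripping a value through several codings, it shows the check a practitioner wants from such a tool: decoding to a fixed point, so that a doubly URL-encoded payload is compared in its canonical form and the number of layers stripped is reported.

```python
import base64
import html
import urllib.parse

# Action table (name -> (encode, decode)). The action names are assumptions for
# this example; they are not EnDe's own identifiers.
ACTIONS = {
    "url":    (lambda s: urllib.parse.quote(s, safe=""), urllib.parse.unquote),
    "html":   (lambda s: html.escape(s, quote=True), html.unescape),
    "base64": (lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii"),
               lambda s: base64.b64decode(s).decode("utf-8")),
    "hex":    (lambda s: s.encode("utf-8").hex(),
               lambda s: bytes.fromhex(s).decode("utf-8")),
}


def encode_chain(text, actions):
    """Apply the named actions left to right, e.g. ["html", "url"] HTML-escapes
    first and then URL-encodes the result (what a value looks like when an
    entity-encoded form field is submitted)."""
    for name in actions:
        text = ACTIONS[name][0](text)
    return text


def decode_chain(text, actions):
    """Undo encode_chain by applying the decoders in reverse order."""
    for name in reversed(actions):
        text = ACTIONS[name][1](text)
    return text


def canonicalize(text, max_rounds=5):
    """URL- and HTML-decode repeatedly until the value stops changing.

    Returns (canonical_value, rounds). A filter that matches on the raw value
    misses "%253Cscript%253E"; matching on the fixed point catches it, and a
    rounds count above 1 is itself a signal that someone stacked encodings."""
    rounds = 0
    while rounds < max_rounds:
        decoded = html.unescape(urllib.parse.unquote(text))
        if decoded == text:
            break
        text = decoded
        rounds += 1
    return text, rounds


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    layered = encode_chain(payload, ["html", "url"])
    print(layered)
    print(decode_chain(layered, ["html", "url"]) == payload)
    print(canonicalize("%2526lt%253Bscript%2526gt%253B"))
```

The `max_rounds` cap matters: a decoder that loops until nothing changes is a denial-of-service target if an attacker can nest encodings arbitrarily, so the canonicalizer stops after a fixed number of layers and reports how many it removed.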
Christian Heinrich "Download Indexed Cache" is a Proof of Concept (PoC) which implements the Google SOAP Search API to retrieve content indexed within the Google Cache and supports the "Search Engine Reconnaissance" section of the OWASP Testing Guide v3.
Yiannis Pavlosoglou JBroFuzz is a stateless web application fuzzer for requests being made over HTTP and/or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities. As a tool, it emerged from the needs of penetration testing.
Ryan Barnett ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity rules language engine is extremely flexible and robust and has been referred to as the "Swiss Army Knife of web application firewalls." While this is certainly true, it does little on its own and requires rules to tell it what to do. To let users take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS), which provides critical protections against attacks across almost every web architecture.

Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS is based on generic rules which focus on attack payload identification, in order to provide protection from zero-day and unknown vulnerabilities often found in web applications, which are in most cases custom coded.
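As an added illustration of the distinction just drawn (example code written for this page, not a CRS rule and not ModSecurity's engine), the snippet below contrasts a vulnerability-specific signature, which is tied to one product's path and parameter, with a generic payload rule that canonicalizes every parameter and looks for attack constructs wherever they appear. The paths, parameters and sample requests are constructed.

```python
import re
import urllib.parse

# A vulnerability-specific signature: fires only for one known product's known bug.
# Path and parameter are constructed for this example.
SIGNATURE_RULES = [
    ("legacyapp-login-sqli", "/legacyapp/login.asp", "user", re.compile(r"'\s*or\s", re.I)),
]

# Generic payload rules in the spirit of the CRS: they look for attack constructs in
# every parameter, regardless of which application receives them.
GENERIC_RULES = [
    ("sqli", re.compile(r"\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table\b", re.I)),
    ("xss", re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.I)),
    ("traversal", re.compile(r"\.\.[/\\]")),
]


def canonicalize(value):
    """Two rounds of URL decoding so %2527 (a double-encoded quote) is seen as a quote."""
    return urllib.parse.unquote(urllib.parse.unquote(value))


def inspect(request):
    """request = {"path": str, "args": {name: raw_value}}. Returns the rule ids that fired."""
    hits = []
    for rule_id, path, param, pattern in SIGNATURE_RULES:
        if request["path"] == path and pattern.search(request["args"].get(param, "")):
            hits.append(rule_id)
    for name, raw in request["args"].items():
        value = canonicalize(raw)
        for rule_id, pattern in GENERIC_RULES:
            if pattern.search(value):
                hits.append(f"{rule_id}:{name}")
    return hits


# Constructed sample traffic: a known product, then a custom shop nobody has a signature for.
SAMPLE_REQUESTS = [
    {"path": "/legacyapp/login.asp", "args": {"user": "admin' or '1'='1", "pass": "x"}},
    {"path": "/myshop/search", "args": {"q": "%2527%2520or%2520%25271%2527%253D%25271"}},
    {"path": "/myshop/search", "args": {"q": "red shoes"}},
    {"path": "/myshop/file", "args": {"name": "..%2F..%2Fetc%2Fpasswd"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["path"], inspect(req))
```

The second request is the point of the passage: the same injection aimed at a custom application, double-encoded on top, is invisible to the signature and caught only by the generic rule after canonicalization. The price of generic rules is false positives on legitimate input, which is why a real rule set carries anomaly scores and per-application exclusions rather than blocking on a single match.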

Paolo Perego OWASP Orizon is a code review tool intended to be used by security specialists to perform white-box assessments. Orizon also exposes a set of APIs that can be used within a security tool to provide code review services.
Mordecai Kraushar A flexible web app demonstrating vulnerabilities such as cross-site scripting, SQL injection and session management issues. Helpful to IT auditors honing web security skills and for setting up 'capture the flag' exercises.
Dave Wichers The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
Mark Roxberry The purpose of the OWASP .NET Project is to provide a central repository of information and tools for software professionals that use the Microsoft .NET Framework for web applications and services. The project will try to include resources from Microsoft and from the Open Source community, the Alt.NET community and other related security resources.
Chris Schmidt ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:
  • There is a set of security control interfaces. They define for example types of parameters that are passed to types of security controls.
  • There is a reference implementation for each security control. The logic is not organization-specific and the logic is not application-specific. An example: string-based input validation.
  • There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.
Jeff Williams This is the Java EE language version of OWASP ESAPI. The ESAPI for Java EE is the baseline ESAPI design.
Chris Schmidt This is the JavaScript language version of OWASP ESAPI.
  • The current release of this project is not suitable for production use
None This is the .NET language version of OWASP ESAPI.
Juan Carlos Calderon This is the Microsoft Classic ASP 3.x language version of OWASP ESAPI.
  • The current release of this project is not suitable for production use
Andrew van der Stock This is the PHP language version of OWASP ESAPI.
  • The current release of this project is not suitable for production use
Jason Dean This is the ColdFusion/CFML language version of OWASP ESAPI.
Craig Younkins This is the Python language version of OWASP ESAPI.
  • The current release of this project is not suitable for production use
Sigbjorn Finne This is the Haskell language version of OWASP ESAPI.
Andrew Petukhov Web application business logic vulnerabilities will receive increasing attention in the near future. Although input validation vulnerabilities (XSS, SQLi) are in the overwhelming majority today, many automated approaches have emerged to deal with them. By contrast, there are no known approaches (or methodologies for security experts) to classify, or even detect, business logic vulnerabilities. Moreover, business logic flaws usually expose a web application to great risk (according to the OWASP Testing Guide). The proposal is to attempt to create a systematic approach that addresses business logic vulnerabilities. To begin with, access control flaws are surveyed.
Peleus Uhley OWASP's AIR Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of AIR application security.
Giorgio Fedon This project describes common flaws in the security designs adopted to protect banking websites against malware, together with a series of best practices that should be considered when evaluating and building better anti-malware solutions. The project will be constantly updated with information taken from the OWASP community, malware analysis, forensic activities and any other validated source.
Arshan Dabirsiaghi Technically this project is an API for ensuring that user-supplied HTML/CSS complies with an application's rules. Put another way: it is an API that helps you make sure that clients don't supply malicious code in the HTML they submit for their profile, comments, etc. that gets persisted on the server. In web applications "malicious code" is usually taken to mean only JavaScript, and Cascading Style Sheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.
Jerry Hoff This project is an API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.
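The two entries above describe the same class of control: a policy-driven whitelist over user-supplied HTML and CSS. The following is an added example of that idea written for this page; it is not AntiSamy's code and not its policy format. The tag whitelist, the allowed CSS properties and the sample fragments are all assumptions. It shows the two checks that a naive "strip <script>" filter misses: a URL scheme hidden behind entity-encoded whitespace (`jav&#x09;ascript:`), and CSS that reaches the script engine without any JavaScript tag at all (`expression(...)`).

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Policy (assumed for this example): tag -> attributes allowed on it.
ALLOWED_TAGS = {"p": set(), "b": set(), "i": set(), "br": set(),
                "a": {"href", "title"}, "img": {"src", "alt"}, "span": {"style"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# CSS that hands control to script or pulls remote content is rejected outright.
CSS_BLACKLIST = re.compile(r"expression\s*\(|url\s*\(|javascript:|behavior\s*:|-moz-binding|@import", re.I)
# ...and what remains must be one of a few harmless declarations.
CSS_DECL = re.compile(r"^\s*(color|background-color|font-weight|text-decoration)\s*:\s*[#\w\s,-]+\s*$", re.I)


def safe_url(value):
    # Browsers ignore embedded tabs/newlines when parsing a scheme ("java\tscript:"),
    # so strip control characters before deciding what the scheme is.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def safe_style(value):
    if CSS_BLACKLIST.search(value):
        return False
    return all(CSS_DECL.match(decl) for decl in value.split(";") if decl.strip())


class Sanitizer(HTMLParser):
    """Re-emit only whitelisted tags/attributes; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>, whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                continue                              # drops onerror=, onclick=, ...
            if name in ("href", "src") and not safe_url(value):
                continue
            if name == "style" and not safe_style(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    for sample in ('<a href="jav&#x09;ascript:alert(1)">x</a>',
                   '<img src="x" onerror="alert(1)">',
                   '<span style="color: red; width: expression(alert(1))">t</span>'):
        print(sanitize(sample))
```

Two design choices are worth noting. Attribute values reach the handler already entity-decoded, which is exactly why the scheme check must run on the decoded, control-stripped string rather than on the raw markup. And the output is regenerated from the parsed tree rather than patched in place, so the result is well-formed regardless of how malformed the input was; phishing-style markup (a `<form>`, a `<base>` tag) never appears because it was never whitelisted.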
Matthew Chalmers 1. The intent of this project is to assemble a useful base of generic/common web application security requirements that could be used in most projects. 2. The product of this project is intended to help everyone involved in web application security, whether in project management, risk assessment, software development, testing, etc. 3. The raison d'être of this project is that, whilst security requirements are sometimes well captured and clearly defined, there are other times when they are not, for any number of reasons.
Dmitry Kozlov The idea of this project is to separate the target web application technology from three reusable libraries: a library of navigational elements, a library of vulnerabilities and a library of language constructs.
Michael Coates The AppSensor project defines a conceptual framework that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.
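As an added example of the detection-and-response model described above (written for this page; not AppSensor's code, and the detection point identifiers, thresholds and responses are assumptions), the snippet below keeps a sliding window of events per user and detection point and fires a response when a threshold is crossed, then shows how an existing login control is wired to it so that a locked account is refused even when the password is right.

```python
from collections import defaultdict, deque
import time

# Detection points: id -> (threshold, window in seconds, response). Ids and values are
# assumptions for this example, not AppSensor's own catalogue.
DETECTION_POINTS = {
    "AUTH_FAILED":      (5, 300,  "lock_account"),   # several wrong passwords in 5 min
    "IDOR_ATTEMPT":     (1, 3600, "logout"),         # touching another user's record
    "UNEXPECTED_PARAM": (3, 600,  "warn_user"),      # tampering with hidden fields
}


class AppSensor:
    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable so tests can drive time
        self.events = defaultdict(deque)     # (user, point) -> timestamps in window
        self.locked = set()

    def report(self, user, point):
        """Record one detection event; returns the response fired, or None."""
        threshold, window, response = DETECTION_POINTS[point]
        now = self.clock()
        window_events = self.events[(user, point)]
        window_events.append(now)
        while window_events and now - window_events[0] > window:
            window_events.popleft()          # sliding window: old events expire
        if len(window_events) < threshold:
            return None
        window_events.clear()                # fire once per threshold crossing
        if response == "lock_account":
            self.locked.add(user)
        return response

    def is_locked(self, user):
        return user in self.locked


def login(sensor, user, password_ok):
    """Application code wires the sensor into an existing control: a failed login is a
    detection point, and a locked account is refused even with the right password."""
    if sensor.is_locked(user):
        return "locked"
    if not password_ok:
        sensor.report(user, "AUTH_FAILED")
        return "denied"
    return "ok"


def simulate():
    """Constructed scenario: five failures in the window, then a correct password."""
    t = [1000.0]
    sensor = AppSensor(clock=lambda: t[0])
    results = []
    for _ in range(5):
        results.append(login(sensor, "alice", False))
        t[0] += 10
    results.append(login(sensor, "alice", True))          # locked by now
    results.append(sensor.report("bob", "IDOR_ATTEMPT"))  # threshold 1: immediate
    return results


if __name__ == "__main__":
    print(simulate())
```

The point of the sliding window is that the detection point measures rate, not a lifetime count: five failures spread over a day should not lock anyone out. Responses are deliberately coarse (lock, log out, warn) because the sensor has no idea what the application's business operation means; it only knows the user is behaving like an attacker.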
Leonardo Cavallari Militelli This project is helpful as basic reference material when performing such activities as threat modeling, security architecture review, security testing, code review, and metrics. We intend to encourage understanding and consistency when discussing these basic foundational elements of application security. Security only works if people can make informed decisions about risk.
Dave Wichers The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:
  • Use as a metric - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
  • Use as guidance - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
  • Use during procurement - Provide a basis for specifying application security verification requirements in contracts.
Carlo Pelliccioni This project aims to collect and improve the existing information about back-end security. The project is composed of three sections (secure development, security hardening and security testing). The aim is to define guidelines for companies and IT professionals working in the security field on process development and on the management and testing of back-end components in an enterprise architecture.
Matthew Chalmers The need for certification in this space is immense. There is a lack of accountability, or at least of a way to tell qualified security professionals from those who aren't. We understand that for traditional software development, applications had better compile or they don't go live, developers don't get their bonus and some may even see their employment terminated. In security, there is generally no bar to clear.
Juan Carlos Calderon This project aims to create a secure framework for Classic ASP applications by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries.
Alessio Marziali A tool aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/Java code. It is a Microsoft .NET 3.5 Windows Forms application which supports the OWASP Code Review Project. It provides automatic STRIDE classification, a very simple DREAD calculator and a few minor utilities. Direct links to the WASC Threat Classification 2.0, the Secure Java Development Guidelines and OWASP tools are also part of the package.
Eoin Keary The Code Review Guide is currently at release version 1.1 and was the second best-selling OWASP book in 2008. Many positive comments have been fed back on this initial version, and we believe it is a key enabler for the OWASP fight against software insecurity.
Eric Sheridan Cross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFGuard Project attempts to address this issue through the use of unique request tokens.
Eric Sheridan The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws.
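As an added example covering both entries above (written for this page; it is not CSRFGuard's or CSRFTester's code, and the endpoint, session ids and form fields are constructed), the snippet below implements the per-session request token the CSRFGuard entry describes and then exercises it the way a tester would: a legitimate submission, a forged cross-site submission that cannot know the token, a recorded request replayed with the token stripped, a token borrowed from another session, and a state change attempted over GET.

```python
import hmac
import secrets


class CsrfGuard:
    """Synchronizer token pattern: one unpredictable token per session, embedded in every
    state-changing form and checked before the request is acted on. A cross-site page can
    make the browser submit the form, but cannot read the token, so its request fails."""

    def __init__(self):
        self._tokens = {}   # session_id -> token (in a real app: the server-side session)

    def token_for(self, session_id):
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def render_form(self, session_id, action):
        token = self.token_for(session_id)
        return (f'<form method="post" action="{action}">'
                f'<input type="hidden" name="csrf_token" value="{token}">'
                '<input type="submit" value="Transfer"></form>')

    def verify(self, session_id, form):
        expected = self._tokens.get(session_id)
        supplied = form.get("csrf_token")
        if expected is None or supplied is None:
            return False
        return hmac.compare_digest(expected, supplied)   # constant-time comparison


def handle_transfer(guard, session_id, method, form):
    """The protected endpoint (constructed). Returns an HTTP status code."""
    if method != "POST":
        return 405          # state changes never ride on GET, where no token is checked
    if not guard.verify(session_id, form):
        return 403
    return 200


def run_scenarios():
    """The checks a CSRF tester performs against the endpoint."""
    guard = CsrfGuard()
    victim = "sess-victim"
    token = guard.token_for(victim)
    legit = {"to": "savings", "amount": "100", "csrf_token": token}
    forged = {"to": "attacker", "amount": "100"}                      # auto-submitted elsewhere
    replay = {k: v for k, v in legit.items() if k != "csrf_token"}     # recorded, token stripped
    stale = dict(legit, csrf_token=guard.token_for("sess-other"))      # another session's token
    return {
        "legit": handle_transfer(guard, victim, "POST", legit),
        "forged": handle_transfer(guard, victim, "POST", forged),
        "replay": handle_transfer(guard, victim, "POST", replay),
        "stale": handle_transfer(guard, victim, "POST", stale),
        "get": handle_transfer(guard, victim, "GET", legit),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The "replay" case is the one a tester cares most about: if the endpoint still returns 200 with the token removed, the token is decorative and the application is vulnerable regardless of how the form looks. The token must also be bound to the session (the "stale" case), otherwise an attacker can use a token from their own session in the forged form.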
TO DO The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.
James Fisher DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. It is often the case now that what looks like a web server in a default installation state is actually not, and has pages and applications hidden within it. DirBuster attempts to find these.
Martin Knobloch TO DO
Arturo 'Buanzo' Busleiman The goal of this project is to focus on mod_openpgp and secure session management, presenting a working website using this new authentication methodology in such a way that it will attract security professionals and web developers to this new mix of two good old protocols: HTTP and OpenPGP.
Phil Potisk TO DO
Juan Carlos Calderon OWASP, while open to translations, does not have clear guidelines on how to translate OWASP content and (AFAIK) there is no multi-language support on the site. This is understandable, as there is no formal project for internationalization so far.
Jason Li An easy-to-use, freely available tool that can be used to quickly ascertain the level of protection that each component of a JSP tag library offers.
Federico Casani This project aims to educate developers, systems analysts and anyone who writes code about the proper use of character sets and canonicalization. The project will seek to give a comprehensive treatment by cross-referencing the most common scenarios and highlighting the roles of the key players.
Jeff Williams The goal of the OWASP Legal Project is to ensure, at each stage of the life cycle, that appropriate attention has been paid to security. The cornerstone of the Legal Project is its Secure Software Development Contract Annex. The Contract Annex helps software developers and their clients negotiate and capture important contractual terms and conditions related to the security of the software to be developed or delivered.
Matt Tesauro This CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite.
Ferruh Mavituna This project is a secure-by-default, centralised input/output validation library which combines security rules and business rules, as well as escaping at the output level.
Mario de Boer This is a project to openly check open source libraries and software that are vital to most commercial and non-commercial applications around.
Serg Belokamen TO DO
Rogan Dawes This project aims to provide a high quality intercepting proxy library which can be used by developers who require this functionality in their own programs, rather than having to develop it all from scratch. The library is developed in Java, making it most attractive to Java developers obviously, but also accessible to Python (Jython) and Ruby (JRuby) developers as well.
Eduardo Neves This project will be developed in a partnership with the OWASP Corporate Application Security Rating Guide where the initial information about how companies are dealing with application security will be gathered and several inputs from the Positive Security Project deliverables will be provided.
Georgy Klimov During 2007 Dmitry Kozlov, Igor Konnov and Georgy Klimov prototyped taint-style static analysis for Python web applications. This tool is based on Pixy project.
Heiko Webers The Ruby on Rails Security Project is the one and only source of information about Rails security topics, and I keep the community up to date with blog posts and conference talks in Europe. The Guide and the Project have been mentioned in several Rails books and websites.
Arshan Dabirsiaghi Scrubbr is a BSD-licensed database scanning tool that checks numerous database technologies for the presence of possible stored cross-site scripting attacks. The tool was partially inspired by "Scrawlr", a trimmed-down version of HP's WebInspect which was released for free after the so-called "asprox" mass-SQL injection bot exploited hundreds of thousands of insecure ASP sites.
Stephen Craig Evans The purpose of this project is to create custom ModSecurity rule sets that, in addition to the Core Rule Set, will protect WebGoat 5.1 from as many of its vulnerabilities as possible (the goal is 90%) without changing a single line of source code.
Martin Knobloch TO DO
Boaz Gelbord TO DO
Matthias Rohr Skavenger is a web application security assessment toolkit that passively analyzes traffic logged by various MITM proxies (such as WebScarab and Burp) as well as other sources (like Firefox's LiveHTTPHeaders plugin) and helps to identify various kinds of possible vulnerabilities (such as XSS, CRLF injection, insecure session management and several kinds of information disclosure).
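The following is an added example of passive analysis over logged traffic, written for this page; it is not Skavenger's code and does not read any real proxy's log format. The log format (`>>>` request lines, `<<<` response lines), the two exchanges and the finding names are all constructed. It runs the checks the entry lists, XSS candidates, CRLF injection, session management and information disclosure, over the recorded exchanges without sending a single request.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy log: ">>>" lines are the request, "<<<" lines the response.
SAMPLE_LOG = """\
>>> GET /search?q=%3Cb%3Ehello%3C%2Fb%3E&sessionid=abc123 HTTP/1.1
>>> Host: shop.example
<<< HTTP/1.1 200 OK
<<< Server: Apache/2.2.9
<<< X-Powered-By: PHP/5.2.6
<<< Set-Cookie: PHPSESSID=deadbeef; path=/
<<< Content-Type: text/html
<<<
<<< <p>Results for <b>hello</b></p>
>>> GET /redirect?next=%2Fhome%0D%0ASet-Cookie%3A+x%3D1 HTTP/1.1
>>> Host: shop.example
<<< HTTP/1.1 302 Found
<<< Location: /home
<<< Set-Cookie: x=1
<<<
<<< Redirecting
"""

SESSION_PARAM = re.compile(r"jsessionid|phpsessid|sessionid|sid", re.I)
ERROR_TEXT = re.compile(r"stack trace|exception in|ora-\d{5}|warning: .* on line \d+", re.I)


def parse_log(text):
    """Split the log into exchanges with parsed headers and bodies."""
    exchanges, cur, side, in_body = [], None, None, False
    for raw in text.splitlines():
        tag, line = raw[:3], raw[4:]
        if tag == ">>>" and side != "req":            # a request line opens a new exchange
            cur = {"request_line": line, "req_headers": [], "req_body": [],
                   "resp_line": None, "resp_headers": [], "resp_body": []}
            exchanges.append(cur)
            side, in_body = "req", False
        elif tag == "<<<" and side == "req":          # status line opens the response
            cur["resp_line"] = line
            side, in_body = "resp", False
        elif in_body:
            cur[side + "_body"].append(line)
        elif line.strip() == "":                      # blank line ends the headers
            in_body = True
        else:
            name, _, value = line.partition(":")
            cur[side + "_headers"].append((name.strip(), value.strip()))
    return exchanges


def analyze(exchanges):
    findings = []
    for n, ex in enumerate(exchanges, 1):
        _method, _, rest = ex["request_line"].partition(" ")
        target = rest.rsplit(" ", 1)[0]
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)  # decoded values
        headers = ex["resp_headers"]
        header_lines = [f"{k}: {v}" for k, v in headers]
        body = "\n".join(ex["resp_body"])
        for name, value in params:
            if any(c in value for c in "<>\"'") and value in body:       # markup echoed verbatim
                findings.append((n, "reflected-unencoded-parameter", name))
            if "\n" in value or "\r" in value:                            # did the break land in headers?
                injected = [s.strip() for s in re.split(r"\r?\n", value)[1:]]
                if any(s in header_lines for s in injected):
                    findings.append((n, "crlf-injection", name))
            if SESSION_PARAM.fullmatch(name):
                findings.append((n, "session-id-in-url", name))
        for k, v in headers:
            if k.lower() == "set-cookie":
                cookie, flags = v.split("=", 1)[0], v.lower()
                if "httponly" not in flags:
                    findings.append((n, "cookie-missing-httponly", cookie))
                if "secure" not in flags:
                    findings.append((n, "cookie-missing-secure", cookie))
            elif k.lower() in ("server", "x-powered-by") and re.search(r"\d+\.\d+", v):
                findings.append((n, "version-disclosure", k.lower()))
        if ERROR_TEXT.search(body):
            findings.append((n, "error-disclosure", "body"))
    return findings


def analyze_log(text):
    return analyze(parse_log(text))


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

Because nothing is replayed, every finding is a candidate rather than a confirmed vulnerability: a parameter echoed with its angle brackets intact is a strong XSS lead but still needs a real payload to prove, whereas the CRLF case is conclusive on its own because the injected header is visibly present in the recorded response.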
Pravir Chandra This project is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
Paolo Perego This project is about defining a taxonomy to describe the categories of the most dangerous security flaws you can find during a code review. For dynamic code review (web application ethical hacking) the original OWASP Top 10 is the must-have on every desk, in order to manage all the findings during the reporting phase.
Juan Carlos Calderon The start of the OWASP Internationalization project is a great opportunity to make Spanish the first language into which the OWASP site and documentation are fully translated, and at the same time to share the experience with other people interested in the same objective: bringing OWASP to the world.
Dan Cornell Sprajax is a FLOSS black-box security scanner used to assess the security of AJAX-enabled applications. By detecting the specific AJAX frameworks in use, Sprajax is able to better formulate test requests and identify potential vulnerabilities.
Bedirhan Urgun SQLiBENCH is a project for benchmarking automatic SQL injection tools on the task of dumping databases.
Wesley West TO DO
Dmitry Kozlov The Workbench prototype will be a Java-based Eclipse plug-in whose aim is to help security analysts and code reviewers validate web applications. At the prototype stage we propose to analyze J2EE web-tier applications built on Java Servlets, JSP (without business logic in it) and one MVC framework (Apache Struts).
Matteo Meucci The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.
Nicolas Surribas This project aims to audit the security of web applications in an easy way. It performs black-box scans, acting like a fuzzer and injecting payloads to see if an application is vulnerable.
Bünyamin Demir TO DO
Bruce Mayhew WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons.
Rogan Dawes WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms.
Andres Andreu TO DO
Michael V. Scovetta Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code.
Nishi Kumar The goal of this project is to provide computer based training on OWASP security related initiatives. This project is intended to provide increased access of security training material, convenience and flexibility to learners. It will be self-paced and the learning sessions will be available 24x7. Learners will not be bound to a specific day/time to physically attend classes. They can also pause learning sessions at their convenience.
Vinay Bansal The goal of the project is to maintain a list of the top 10 security risks faced by cloud computing and SaaS models. The list will be maintained with input from the community, security experts and security incidents at cloud/SaaS providers.
Dag Hovland We wish to explore the use of Java annotations for object validation, specifically for content validation. The result will be a framework which should be easy to use with an existing application. The existing approaches are either part of a large framework (e.g. JSR-303), which makes certain assumptions about the application, or restrict the developer in extending and/or customizing the validation framework. We have an initial implementation of a flexible framework which can be deployed with any Java application. We have also submitted a paper on our approach to an international security conference to be held later this year.
Gareth Heyes To produce a simplified version of JavaScript by using regular expressions to remove dangerous functionality and then using JavaScript itself to evaluate the results. The goal is to allow normal web users to safely write JavaScript on a site without exposing sensitive information.
Rick Zhong Create a security testing framework specific to virtual world related applications (MMORPGs) and environments. The targeted audiences of this testing framework are developers, end users (individual players or companies) and third-party assessors.
Chuck Willis A collection of vulnerable web applications that is distributed on a virtual machine.
Gergely Trifonov We plan to translate the OWASP material that we consider fundamental (ASVS, Building Guide, Testing Guide, Top 10) first, and move on later.
Tom Brennan This project is to implement the framework to manage the back office of the OWASP Foundation, including membership, events and inquiries.
Mark Roxberry Cryttr is a set of client tools to enable encrypted syndication and provide a front end to protect user's content. The proof of concept uses Twitter and the Twitter API to post encrypted "tweets" and decrypt "tweets" using a shared passkey. Cryttr uses the "encrypted syndication protocol" to connect to open internet resources via published APIs to encrypt and decrypt syndicated content.
Steven van der Baan Waiting for definition.
Mark Roxberry Waiting for definition
Vlatko Kosturjak Software enumeration via favicon.ico
Aung Khant A regularly updated signature-based scanner that can detect file inclusion, SQL injection, command execution, XSS, DoS and directory traversal vulnerabilities in a target Joomla! website.
Adrian Crenshaw TO DO
Dinis Cruz Collection of Open Source modules that help Web Application Security Professionals to maximize their efforts and quickly obtain high visibility into an application's security profile.
Rohit Sethi To analyze popular design and architectural patterns for potential security issues, including advice on common pitfalls to avoid and where in a pattern to implement common security controls.
Corey LeBleu TO DO
Raja Krovi TO DO
Pete Niner TO DO
Peleus Uhley OWASP Flash Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of Flash application security.
Wagner Elias This database is a collection of several statements used in code injection software.
Mark Roxberry The ORG (OWASP Report Generator) is a tool for Security Consultants that supports the documentation and reporting of security vulnerabilities discovered during security audits.
Abraham Kang The goal of the OWASP AJAX Security project is to identify and document security issues encountered by AJAX applications and to document ways to secure these applications.
Marc Chisinevski Provide tools for software developers in order to help them define and provide meaningful logs.
Subu Ramanathan This project is designed to serve as a comprehensive starting point for any web services related inquiries on the web.
TO DO This project has been created to provide unbiased, practical information and guidance about application security tools that are used to detect vulnerabilities or to protect against vulnerabilities.
Jeff Barto This Project will first identify and provide the OWASP community a set of application security metrics that have been found by contributors to be effective in measuring application security.
Chris Bush Waiting for definition