Difference between revisions of "OWASP Projects Dashboard 2.0"

(10 intermediate revisions by one user not shown)
Line 1: Line 1:
==== Projects  ====
+
==== Main ====
{{:Template:OWASP_Project_About/Columns}}
+
{{:OWASP PROJECTS MISCELLANY}}
{{:Projects/Security Ecosystem Project | OWASP Project About/Rows}}
+
{{:Projects/RFP-Criteria | OWASP Project About/Rows}}
+
{{:Projects/Owasp Esapi Ruby | OWASP Project About/Rows}}
+
{{:Projects/OWASP Application Security Program for Managers | OWASP Project About/Rows}}
+
{{:Projects/JavaScript_Sandboxes | OWASP Project About/Rows}}
+
{{:Projects/JSReg | OWASP Project About/Rows}}
+
{{:Projects/HTMLReg | OWASP Project About/Rows}}
+
{{:Projects/OWASP_Testing_Project | OWASP Project About/Rows}}
+
{{:Projects/OWASP_Related_Commercial_Services | OWASP Project About/Rows}}
+
{{:Projects/OWASP_Development_Guide | OWASP Project About/Rows}}
+
{{:Projects/OWASP Application Security Verification Standard Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Code Review Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP ModSecurity Core Rule Set Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Alchemist Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Secure Coding Practices - Quick Reference Guide  | OWASP Project About/Rows}}
+
{{:Projects/OWASP_Student_Chapters_Program  | OWASP Project About/Rows}}
+
{{:Projects/OWASP CTF Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Enterprise Application Security Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP_Browser_Security_Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Uniform Reporting Guidelines  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Secure Web Application Framework Manifesto  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Mobile Security Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP O2 Platform Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Zed Attack Proxy Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP AppSensor Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP JBroFuzz Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Watcher Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP X5s Project | OWASP Project About/Rows}}
+
{{:Projects/OWASP Application Security Skills Assessment  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Common Numbering Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP HTTP Post Tool  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Forward Exploit Tool Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Java XML Templates Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP ASIDE Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Secure Password Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Secure the Flag Competition Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Security Baseline Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP ESAPI Objective - C Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Academy Portal Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Exams Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Portuguese Language Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Browser Security ACID Tests Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Web Browser Testing System Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Java Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Myth Breakers Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP LAPSE Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Software Security Assurance Process  | OWASP Project About/Rows}}
+
{{:Projects/OWASP ESOP Framework  | OWASP Project About/Rows}}
+
{{:Projects/OWASP German Language Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Mantra - Security Framework  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Java HTML Sanitizer Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Java Encoder Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP WebScarab NG Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Threat Modelling Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Application Security Assessment Standards Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Hackademic Challenges Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Hatkit Proxy Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Hatkit Datafiddler Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP ESAPI Swingset Interactive Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP ESAPI Swingset Demo Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Web Application Security Accessibility Project  | OWASP Project About/Rows}}
+
{{:Projects/OWASP Cloud ‐ 10 Project  | OWASP Project About/Rows}}
+
|}
+
  
==== Projects Alphabetic Order ====
+
==== Projects 2.0/By Set Up Date Order [Contributors]  ====
 +
{{:OWASP Projects Dashboard 2.0/By Set Up Order}}
 +
 
 +
==== Projects 2.0/By Alphabetic Order [Purpose] ====
 +
{{:OWASP Projects Dashboard 2.0/By Alphabetical Order}}
  
 
__NOTOC__ <headertabs />
 
__NOTOC__ <headertabs />
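Review bot: the `|}` line added after the OWASP Cloud ‐ 10 transclusion closes a wiki table whose opening `{|` is not in this hunk, so it must be emitted by Template:OWASP_Project_About/Columns transcluded at the top of the page; if that template does not open a table, the stray `|}` renders as literal text. Separately, the Cloud ‐ 10 transclusion uses a Unicode hyphen (U+2010) rather than an ASCII `-`, so it only resolves if the target page title uses exactly that character; the other titles in the hunk use ASCII.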

Latest revision as of 13:25, 20 April 2011

Projects 2.0/By Set Up Date Order [Contributors]

Project Leader(s) Contributor(s)
Security Ecosystem Project Jeff Williams @ This project is currently seeking volunteers. If you are interested please contact us through the mailing list.
OWASP RFP-Criteria Tom Brennan @ N/A
Owasp Esapi Ruby Paolo Perego @ Kuai Hinojosa @ Sal Scotto @ Paco Schiaffella @
OWASP Application Security Program for Manager Matteo Meucci @ Marco Morana @ Giorgio Fedon @ Stefano di Paola @
OWASP JavaScript Sandboxes Gareth Heyes @ Eduardo Vela Mario Heiderich
JSReg Gareth Heyes @ N/A
HTMLReg Gareth Heyes @ N/A
OWASP Testing Project Andrew Muller @ Matteo Meucci @ N/A
OWASP Related Commercial Services Eoin Keary @ N/A
OWASP Development Guide N/A Andrew van der Stock @ Ken Owen @
OWASP Application Security Verification Standard Project Sahba Kazerooni @ Daniel Cuthbert @ Dave Wichers @ Jeff Williams @ Mike Boberski
OWASP Code Review Project Larry Conklin @ N/A
OWASP ModSecurity Core Rule Set Project Ryan Barnett @ Breno Silva
OWASP Alchemist Project Naveen Rudrappa @ Chandrakanth Reddy Narreddy @ Bishan Singh @ N/A
OWASP Secure Coding Practices - Quick Reference Guide Keith Turpin @ Dan Kranz Walt Pietrowski Catherine Spencer Caleb McGary @ Jim Manico @ Brad Causey @ Ludovic Petit @ Michael V. Scovetta @ Jason Coleman Tarcizio Vieira Neto
OWASP Student Chapters Program Mateo Martinez @ N/A
OWASP CTF Project Steven van der Baan @ Martin Knobloch @ Brad Causey @ Ralf Allar @ Andres Riancho @ Danny Chrastil
OWASP Enterprise Application Security Project Alexander Polyakov @ Dmitriy Evdokimov @ Dmitriy Chastuhin @ Alexey Sintsov @ Michail Markevich
OWASP Browser Security Project N/A N/A
[OWASP Inactive project banner]
OWASP Uniform Reporting Guidelines Vlad Gostomelsky @ N/A
OWASP Secure Web Application Framework Manifesto Rohit Sethi @ Yuk Fai Chan @ Tom Aratyn @ Sahba Kazerooni @ Patrick Szeto @
OWASP Mobile Security Project Jack Mannino (Overall Project and GoatDroid Leader) @ Mike Zusman (Mobile Cheat Sheet Leader) @ Tony DeLaGrange (MobiSec Leader) @ Sarath Geethakumar (Mobile Device Management Leader) @ Tom Eston (Mobile Threat Model Leader) @ Don Williams (Mobile Testing Leader) Jason Haddix (Mobile Top Ten) @ Zach Lanier @ Jim Manico @ Ludovic Petit @ Swapnil Deshmukh @ Beau Woods @
OWASP O2 Platform Project Dinis Cruz @ N/A
OWASP Zed Attack Proxy Project Psiinon @ N/A
OWASP AppSensor Project Michael Coates @ John Melton @ Colin Watson @ Dennis Groves @ Ryan Barnett @ Simon Bennetts August Detlefsen Randy Janida Jim Manico @ Giri Nambari Eric Sheridan Kevin Wall Dennis Groves
OWASP JBroFuzz Project Ranulf Green @ Yiannis Pavlosoglou @ Markus Miedaner @
OWASP Watcher Project Chris Weber @ N/A
OWASP X5s Project Chris Weber @ N/A
OWASP Application Security Skills Assessment Neil Smithline @ N/A
OWASP Common Numbering Project Dave Wichers (ASVS) @ Jeff Williams (ASVS) @ Vishal Garg (Development Guide) @ Eoin Keary (Code Review Guide) @ Matteo Meucci (Testing Guide) @ Keith Turpin (Secure Coding Quick Reference) @ Brad Causey (Global Projects Committee) @ Rick Mitchell
OWASP HTTP Post Tool Tom Brennan @ N/A
OWASP Forward Exploit Tool Project Marcos Mateos Garcia @ N/A
OWASP Java XML Templates Project Jeff Ichnowski @ N/A
OWASP ASIDE Project Jun Zhu @ Bill Chu @ Jing Xie @ N/A
OWASP Secure Password Project Josh Sokol @ James Wickett @ Matt Tesauro @ Ben Broussard @ Genung Gregory @
OWASP Secure the Flag Competition Project Mark Bristow @ N/A
OWASP Security Baseline Project Marian Ventuneac @ N/A
OWASP ESAPI Objective - C Project Deepak Subramanian @ N/A
OWASP Academy Portal Project (home page)
  Purpose: Creation of a portal to offer academic material in usable blocks, labs, videos and a forum.
  License: not yet chosen (the template placeholder "Choose wisely" is still in place)
  Project Leader(s): none listed
  Project Contributor(s): none listed
  Project Pamphlet: Not Yet Created
  Project Presentation: none listed
  Mailing list: Mailing List Archives
  Project Roadmap: View
  Key Contacts: Contact the GPC to report a problem or concern about this project or to update information.
  Current release: Not Yet Published
  Last reviewed release: Not Yet Reviewed
OWASP Exams Project Jason Taylor @ N/A
OWASP Portuguese Language Project Carlos Serrão @ Marcio Machry @ Lucas Ferreira @
OWASP Browser Security ACID Tests Project Dave Wichers (as coproject manager) @ John Wilander (as coproject manager) @ David Lindsay (as technical lead) @ Isaac Dawson @
OWASP Web Browser Testing System Project Isaac Dawson @ N/A
OWASP Java Project Mirko Richter @ N/A
OWASP Myth Breakers Project Stefano Di Paola @ Dinis Cruz @ N/A
OWASP LAPSE Project (home page)
  Purpose: LAPSE stands for Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java EE applications for common types of security vulnerabilities found in web applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project. The project's second push is being led by Pablo Martín Pérez, Evalues Lab ICT Security Researcher, developing LAPSE+, an enhanced version of LAPSE.
  License: GNU General Public License v3
  Project Leader(s): Gregory Disney-Leugers @
  Project Pamphlet: Not Yet Created
  Project Presentation: none listed
  Mailing list: Mailing List Archives
  Project Roadmap: View
  Key Contacts: Contact Gregory Disney-Leugers @ to contribute to, review or sponsor this project. Contact the GPC to report a problem or concern about this project or to update information.
  Current release: LapsePlus 2.8.1 - March 2011 - (download)
  Release description: LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE applications. It has been developed as a plugin for the Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher. LAPSE+ is based on the GPL software LAPSE, developed by the SUIF Compiler Group of Stanford University. This new release of the plugin, developed by Evalues Lab of Universidad Carlos III de Madrid, provides more features to analyze the propagation of malicious data through the application and includes the identification of new vulnerabilities.
  Rating: Not Reviewed - Assessment Details
  Last reviewed release: Not Yet Reviewed
OWASP Software Security Assurance Process Mateo Martínez @ Martin Pellegrino
OWASP Enhancing Security Options Framework (ESOP Framework) Amber Marfatia @ N/A
OWASP German Language Project Matthias Rohr @ N/A
OWASP Mantra - Security Framework Abhi M BalaKrishnan @ N/A

OWASP Java Encoder Project

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!

Introduction

Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. It provides numerous encoding functions to help defend against XSS in a variety of different HTML, JavaScript, XML and CSS contexts.

Quick Overview

The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.1.1.jar, import org.owasp.encoder.Encode and start encoding.

Please look at the javadoc for Encode to see the variety of contexts for which you can encode. Tag libraries and JSP EL functions can be found in the encoder-jsp-1.1.1.jar.

If you want to try it out or see it in action, head over to "Can You XSS This? (.com)" and hit it with your best XSS attack vectors!

Happy Encoding!

Licensing

The OWASP Java Encoder is free to use under the New BSD License.


What is this?

The OWASP Java Encoder provides:

  • Output Encoding functions to help stop XSS
  • Java 1.5+ standalone library

Code Repo

Java Encoder at Google Code

Mailing List

Java Encoder Mailing List

Project Leaders

Author: Jeff Ichnowski @
PM: Jim Manico @

Contributors

Jeremy Long

News and Events

  • [20 Mar 2014] Doc additions
  • [5 Feb 2014] New Wiki
  • [4 Feb 2014] 1.1.1 Released

In Print

We will be releasing a user guide soon!

Classifications

Incubator Project; Builders; Defenders
New BSD License
Project Type: Code

The general API pattern is to utilize the Java Encoder Project in your user interface code and wrap all variables added dynamically to HTML with a proper encoding function. The encoding pattern is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target context and "untrustedData" is untrusted output.

Basic HTML Context

<body><%= Encode.forHtml(UNTRUSTED) %></body>

HTML Content Context

<textarea name="text"><%= Encode.forHtmlContent(UNTRUSTED) %></textarea>

HTML Attribute context

<input type="text" name="address" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />

Generally Encode.forHtml(UNTRUSTED) is also safe but slightly less efficient for the above two contexts (for textarea content and input value text) since it encodes more characters than necessary but might be easier for developers to use.

CSS contexts

<div style="width:<%= Encode.forCssString(UNTRUSTED) %>">
<div style="background:<%= Encode.forCssUrl(UNTRUSTED) %>">

Javascript Block context

 <script type="text/javascript">
 var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>";
 alert(msg);
 </script>

Javascript Variable context

 <button 
 onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">
 click me</button>

JavaScript Content Notes: Encode.forJavaScript(UNTRUSTED) is safe for the above two contexts, but encodes more characters and is less efficient.

Encode URL parameter values

<a href="/search?value=<%= Encode.forUriComponent(UNTRUSTED) %>&order=1#top">

Encode REST URL parameters

<a href="/page/<%= Encode.forUriComponent(UNTRUSTED) %>">

Handling a Full Untrusted URL

When handling a full URL with the OWASP Java Encoder, first verify that the URL is a legal URL. Encoding alone cannot make an untrusted href safe: a javascript: URL passes through attribute encoding unchanged and is still a script URL, so the validation step (application code, not part of the encoder library) must restrict the scheme to what the page expects.

String url = validateURL(untrustedInput); // validateURL is application-supplied, not an Encode method

Then encode the URL as an HTML attribute when outputting to the page. Note the linkable text needs to be encoded in a different context.

 <a href="<%= Encode.forHtmlAttribute(untrustedUrl) %>">
 <%= Encode.forHtmlContent(untrustedLinkName) %>
 </a>
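An added example, not code from the OWASP Java Encoder project or its wiki page, that puts the contexts above together in plain Java with encoder 1.1.1 on the classpath: one HTML fragment is assembled from untrusted values, each passed through the Encode method for the context it lands in, including the validate-then-encode pattern for a full URL. The field names, the sample payloads and the validateUrl helper are assumptions made here; the page's validateURL is application code that the library does not supply.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import org.owasp.encoder.Encode;

/*
 * Added example (not part of the OWASP Java Encoder project). The field
 * names, sample values and validateUrl are assumptions for the demonstration.
 */
public class ContextualEncodingExample {

    /**
     * Allows only absolute http(s) URLs with a host and returns null otherwise.
     * Encoding cannot do this check: Encode.forHtmlAttribute("javascript:alert(1)")
     * is a well-formed attribute value and still a script URL.
     */
    static String validateUrl(String untrusted) {
        if (untrusted == null) {
            return null;
        }
        try {
            URI uri = new URI(untrusted.trim());
            String scheme = uri.getScheme();
            if (scheme == null || uri.getHost() == null) {
                return null; // relative, scheme-less, or opaque (javascript:, data:)
            }
            scheme = scheme.toLowerCase(Locale.ENGLISH);
            if (!scheme.equals("http") && !scheme.equals("https")) {
                return null;
            }
            return uri.toASCIIString();
        } catch (URISyntaxException e) {
            return null; // not a legal URI at all (e.g. contains a raw space or quote)
        }
    }

    static String renderProfile(String displayName, String homepage, String linkText,
                                String searchTerm, String greeting) {
        StringBuilder out = new StringBuilder();

        // Element content between tags: forHtmlContent is sufficient here.
        out.append("<h1>").append(Encode.forHtmlContent(displayName)).append("</h1>\n");

        // Quoted attribute value: forHtmlAttribute; the surrounding quotes are ours.
        out.append("<input type=\"text\" name=\"name\" value=\"")
           .append(Encode.forHtmlAttribute(displayName)).append("\" />\n");

        // Full untrusted URL in href: validate first, then attribute-encode.
        // The clickable text is element content and gets its own encoding.
        String safeUrl = validateUrl(homepage);
        if (safeUrl != null) {
            out.append("<a href=\"").append(Encode.forHtmlAttribute(safeUrl)).append("\">")
               .append(Encode.forHtmlContent(linkText)).append("</a>\n");
        } else {
            out.append("<span>").append(Encode.forHtmlContent(linkText)).append("</span>\n");
        }

        // Untrusted value as one query parameter: forUriComponent percent-encodes
        // everything outside the unreserved set, so '&', '=' and '#' in the input
        // cannot add or alter parameters. The finished href is still an attribute.
        String href = "/search?value=" + Encode.forUriComponent(searchTerm) + "&order=1#top";
        out.append("<a href=\"").append(Encode.forHtmlAttribute(href)).append("\">search</a>\n");

        // String literal inside a <script> block: forJavaScriptBlock escapes quotes,
        // backslashes and the characters that could otherwise close the block.
        out.append("<script type=\"text/javascript\">\n")
           .append("var msg = \"").append(Encode.forJavaScriptBlock(greeting)).append("\";\n")
           .append("</script>\n");

        // String literal inside an event-handler attribute: forJavaScriptAttribute
        // also accounts for the attribute's own quoting rules.
        out.append("<button onclick=\"alert('")
           .append(Encode.forJavaScriptAttribute(greeting)).append("');\">click me</button>\n");

        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input carrying a typical payload for each context.
        System.out.print(renderProfile(
            "Mallory <script>alert(1)</script>",
            "javascript:alert(document.cookie)",   // rejected by validateUrl
            "my \"homepage\"",
            "a&b=c#frag",
            "hi'); alert(1); //"));
    }
}
```

Run it with encoder-1.1.1.jar on the classpath and inspect the output: every payload is neutralised by the encoder for its own context, while the javascript: homepage is dropped by validateUrl rather than encoded, which is the one case on this page where encoding is the wrong tool.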

To use in a JSP with EL

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<html>
   <head>
       <title><e:forHtml value="${param.title}" /></title>
   </head>
   <body>
       <h1>${e:forHtml(param.data)}</h1>
   </body>
</html>

Other contexts can be found in the org.owasp.encoder.Encode class methods, including CSS strings, CSS URLs, XML contexts, URIs and URI components.

The OWASP Java Encoder version 1.1.1 is now available in central!

OWASP Encoder at Maven Central.

Core

Direct Download: encoder-1.1.1.jar

Maven

<dependency>
   <groupId>org.owasp.encoder</groupId>
   <artifactId>encoder</artifactId>
   <version>1.1.1</version>
</dependency>

JSP Tag Library

Direct Download: encoder-jsp-1.1.1.jar

Maven

<dependency>
   <groupId>org.owasp.encoder</groupId>
   <artifactId>encoder-jsp</artifactId>
   <version>1.1.1</version>
</dependency>

The following describes the Grave Accent XSS issue with unpatched versions of Internet Explorer. Thank you to Rafay Baloch for bringing this to our attention and to Jeff Ichnowski for the workaround.

Introduction

The grave accent (`), ASCII 96, hex 60 (wikipedia) is subject to a critical flaw in unpatched Internet Explorer. There is no possible encoding of the character that can avoid the issue. For a more in-depth presentation on the issue discussed herein, please see Mario Heiderich's presentation.

Background

In Internet Explorer, the grave accent is usable as an HTML attribute quotation character, equivalent to single and double quotes. Specifically, IE treats the following three elements as equivalent:

<input value="this is the value">
<input value='this is the value'>
<input value=`this is the value`>

It is an IE extension, is not in the HTML specifications (HTML4, HTML5), and other browsers do not treat the grave accent as a quote character.

The Issue

The following HTML snippet demonstrates the cross-site scripting vulnerability related to grave accents on unpatched Internet Explorer (the two div elements that the steps below refer to are written out here):

<div id="a"><input value="``onmouseover=alert(1)"></div>
<div id="b"></div>
<script>b.innerHTML=a.innerHTML</script>

When this snippet is run in Internet Explorer the following steps happen:

  1. Two div elements are created with id's "a" and "b"; the input inside "a" has the literal attribute value ``onmouseover=alert(1) and no event handler.
  2. The script reads "a.innerHTML", which IE serializes with the attribute unquoted:
<input value=``onmouseover=alert(1)>
  3. The script sets "b.innerHTML" to the value from (2); IE parses the two grave accents as an empty quoted value, so the result is the DOM equivalent of
<input value="" onmouseover="alert(1)">

The XSS issue arises from IE returning a value from innerHTML that it does not parse back into the original DOM. Patched versions of IE fix this issue by returning the attribute from innerHTML double-quoted. The issue is complicated by the fact that no possible encoding of the grave accent can avoid it.

When...

<input value="&#96;&#96;onmouseover=alert(1)">

...is the input (the grave accents written as numeric character references), "a.innerHTML" returns the same XSS vector as it does without the encoding: the references are decoded into the DOM attribute value, and IE serializes the decoded characters back out unquoted.

Recommended Solution

Our recommended workaround is to update any JavaScript-based innerHTML read to replace the grave accent with its numeric entity encoded form, "&#96;". As an example, the following change to the XSS-vulnerable code above fixes the issue:

<script>b.innerHTML=a.innerHTML.replace(/`/g, "&#96;");</script>

This can be done in any library code that reads the innerHTML. To follow how this addresses the issue, the innerHTML from step 2 of the issue is converted to:

<input value=&#96;&#96;onmouseover=alert(1)>

Since the browser no longer sees a pair of grave accents that it could treat as an empty quoted attribute value, it parses the string back into a copy of the original DOM: a single unquoted value attribute whose value is ``onmouseover=alert(1), and no event handler.

Other Possible Solutions

As there is no encoding option available, the following options are available to web application authors:

  1. Do not use innerHTML copies
  2. Filter out the accent grave from any user input
  3. Clean up grave accents when using an innerHTML copy

OWASP Java Encoder Library Related Changes

The OWASP Java Encoder Library at its core is intended to be a XSS safe _encoding_ library. The grave accent is a legitimate and frequently used character, that cannot be encoded to avoid this bug in unpatched versions of IE. With enough user feedback, we may update the library to include one of the following options: (1) alternate, drop-in build that filters grave accents, with unchanged API, (2) new filtering methods.

OWASP WebScarab NG Project Daniel Brzozowski @ Rogan Dawes (Past Contributor) @
OWASP Threat Modelling Project Anurag Agarwal @ N/A
OWASP Application Security Assessment Standards Project Matteo Michelini @ N/A
OWASP Hackademic Challenges Project Konstantinos Papapanagiotou @ Spyros Gasteratos @ Andreas Venieris (Core Developer) (Founder) @ Alex Papanikolaou @ Vasileios Vlachos @ Anastasios Stasinopoulos (Founder) @
OWASP Hatkit Proxy Project Martin Holst Swende @ N/A
OWASP Hatkit Datafiddler Project Martin Holst Swende @ N/A
OWASP ESAPI Swingset Interactive Project Fabio Cerullo @ Cathal Courtney @ N/A
OWASP ESAPI Swingset Demo Project Craig Younkins @ N/A
OWASP Web Application Security Accessibility Project Petr Závodský @ Jan Meszáros Tomáš Bakos Jakub Tomšej TEREZA
OWASP Cloud ‐ 10 Project Vinay Bansal @ Shankar Babu Chebrolu @ Pankaj Telang Ken Huang Ove Hansen Ludovic Petit @
OWASP Web Testing Environment Project Matt Tesauro @ David Hughes @ Brad Causey @ Nishi Kumar @ Drew Beebe @
OWASP iGoat Project Kenneth R. van Wyk @ Jonathan Carter @
Opa Henri Binsztok @ Adam Koprowski @ N/A
OWASP Mobile Security Project - Mobile Threat Model Tom Eston @ N/A
OWASP Codes of Conduct Colin Watson @ Jeff Williams @ Dave Wichers @ Dinis Cruz @
The OWASP "Green Book" Colin Watson @ Jeff Williams @ Dave Wichers @ Dinis Cruz @ Fabio Cerulo @ Sebastien Deleersnyder @
The OWASP "Blue Book" Colin Watson @ Jeff Williams @ Dave Wichers @ Dinis Cruz @ Fabio Cerulo @ Sebastien Deleersnyder @
The OWASP "Yellow Book" Colin Watson @ Jeff Williams @ Dave Wichers @ Dinis Cruz @ Larry Conklin Fabio Cerulo @ Sebastien Deleersnyder @
The OWASP "Purple Book" Colin Watson @ N/A Fabio Cerulo @ Sebastien Deleersnyder @
The OWASP "Red Book" Colin Watson @ Jason Taylor @ Jason Li @ Martin Knobloch @ Matthew Chalmers @ Justin Searle @ Larry Conklin Fabio Cerulo @ Sebastien Deleersnyder @


GoatDroid

The OWASP GoatDroid Project is a fully functional and self-contained environment for learning about Android security.

Introduction

GoatDroid requires minimal dependencies, and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location based social network, and Herd Financial, a mobile banking application.

Description

OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several features that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.

As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that can educate developers and security testers on new security issues. The project currently provides coverage for most of the OWASP Top 10 Mobile Risks and also includes a number of other problems as well.

Contributions will always be needed in order to keep this project moving at a pace that can support the seemingly endless new problems to tackle. If you are interested, please contact the project's leaders or send an email to the OWASP Mobile Security Project mailing list. We welcome code contributors, beta testers, new feature suggestions, and feedback always!

Licensing

GoatDroid is published by OWASP under the GPLv3 license. You should read and accept the LICENSE before you use, modify, and/or redistribute this software.

Project Leader

Jack Mannino



OWASP WhatTheFuzz Project Joe Basirico @ N/A
OWASP ESAPI C++ Project David Anderson @ Dan Amodio @ Kevin Wall @ Jeff Walton
OWASP ESAPI C Project Dan Amodio @ David Anderson @
OWASP Security Tools for Developers Project (STD) Mark Curphey @ John Wilander @ Psiinon @
OWASP Data Exchange Format Project Psiinon @ Dinis Cruz @ Daniel Brzozowski @ Dafydd @
OWASP Cheat Sheets Project Jim Manico @ Michael Coates Eric Sheridan Dave Wichers Jeff Williams Kevin Keenan Abraham Kang Dave Ferguson Shreeraj Shah Raul Siles Colin Watson
OWASP SIMBA Project Koen Vanderloock @ N/A
OWASP VFW (Varnish FireWall) Eduardo S. Scarpellini @ Leonardo Buonsanti @
OWASP WebScarab Project Rogan Dawes @ N/A
OWASP OVAL Content Project Gaurav Kumar @ N/A
OWASP WAF Project Juan Carlos Calderon @ N/A
OWASP ESAPI Perl Project Sterling Hanenkamp @ N/A
OWASP NAXSI Project Thibault "bui" Koechlin @ Sebastien Blot Antonin Le Faucheux Didier Conchaudron Sofian Brabez
OWASP ESAPI for ColdFusion/CFML Project Damon Miller @ Bill Shelton @ Jason Dean @
OWASP Open Review Project Dan Cornell @ N/A
OWASP Best Practices: Use of Web Application Firewalls OWASP Germany Local Chapter @ Achim Hoffmann @ Maximilian Dermann Mirko Dziadzka Boris Hemkemeier Alexander Meisel Matthias Rohr @ Thomas Schreiber
OWASP Application Security Requirements Project Luis Armando Martinez Bacha @ N/A
OWASP Passw3rd Project Neil Matatall @ N/A

Projects 2.0/By Alphabetic Order [Purpose]

Project Purpose
OWASP Academy Portal Project Creation of a portal to offer academic material in usable blocks, labs, videos and a forum.
OWASP Alchemist Project Alchemist enables a software development team to realize a highly secure and defensible application with built-in defenses/controls against security-related design, coding and implementation flaws.

Alchemist presents this solution by architecting a real-life, high-stakes application with security built into it from inception, step by step as it moves through an SDLC. The current exercise demonstrates this on a J2EE web application developed with the Spring framework, which was chosen for its widespread adoption in financial products. It is important to note, however, that Alchemist is not limited to J2EE or specifically to Spring. The idea is to demonstrate the upper spectrum of security practices, which are often neglected or done in bits and pieces, using a well-known and widely adopted technology. Since the emphasis is on security architecture and defensibility, the future roadmap is to demonstrate the same for applications built using other leading programming languages and frameworks.

Although this project is also useful for existing, already developed applications, Alchemist is not the ideal solution for retrofitting security into them. It offers most to applications that are still in development, and ideally still in the design phase. Allowing for language-specific differences, Alchemist builds this application on a strong foundation of security architecture that covers the following main practices:

  • Security Requirements
  • Threat Risk Modeling
  • Use and Abuse Cases
  • Secure Coding Guideline
OWASP Application Security Assessment Standards Project *The project's primary objective is to establish common, consistent application security assessment standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed and what level of assessment is appropriate based on business requirements.
  • The final goal is to integrate a set of OWASP projects into an Application Security Assessment process in order to define a model which an organization can use to provide application security through OWASP standards.
OWASP Application Security Program for Manager *Create an OWASP Roadmap for the worldwide company types
  • In 9 years of activity OWASP has become the standard for Web Application Security. We are full of projects that are fantastic resources for developers and testers.
  • OWASP SAMM and ASVS address many security management issues.
  • What I see is missing now is a kind of guideline that managers should follow to adhere to the OWASP standards. I see that every security manager has a different idea about secure development and testing (when and how to perform it).
  • This project wants to address the Security Manager's point of view and tell him what he should do to implement an efficient Application Security Program.
  • In this project we will show all the OWASP Guides and tools and will tell why, how and when to use them. We can do that as a function of the size of the organization, management roles and objectives. The idea is, for example, for a bank company, OWASP says to perform an OWASP SAMM assessment every year, to perform Code Review and WAPT on all critical new software, testing every 3 months, etc. Every activity is linked to an OWASP resource to use.
OWASP Application Security Skills Assessment The OWASP Application Security Skills Assessment (OWASP ASSA) is an online multiple-choice quiz built to help individuals understand their strengths and weaknesses in specific application security skills, with the aim of enabling them to focus their training in the most efficient and appropriate manner.

Upon completion of the quiz, for each question it tells the quiz taker whether their answer was correct or incorrect, gives a discussion of the question, lists the specific application security areas the question focused on, discusses the correct and incorrect answers, and links to further references.

OWASP Application Security Verification Standard Project The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigour available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:
  • Use as a metric - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
  • Use as guidance - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
  • Use during procurement - Provide a basis for specifying application security verification requirements in contracts.
OWASP Application Security Requirements Project To assemble a useful base of generic security requirements that could be used in most applications.
OWASP AppSensor Project Real Time Application Attack Detection and Response

Overview The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.
Detection AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
Response AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
Defending the Application An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

OWASP ASIDE Project ASIDE is an abbreviation for Application Security Integrated Development Environment. It is an Eclipse Plugin which is a software tool primarily designed to help students write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs. ASIDE may be useful by professional developers as well.
OWASP Best Practices: Use of Web Application Firewalls Web applications of all kinds, whether online shops or partner portals, have in recent years increasingly become the target of hacker attacks. The attackers are using methods which are specifically aimed at exploiting potential weak spots in the web application software itself - and this is why they are not detected, or are not detected with sufficient accuracy, by traditional IT security systems such as network firewalls or IDS/IPS systems.
OWASP Browser Security ACID Tests Project
OWASP Browser Security Project
OWASP Cheat Sheets Project This project was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by multiple application security experts and provide excellent security guidance in an easy to read format.
OWASP Cloud ‐ 10 Project The goal of the project is to maintain a list of the top 10 security risks faced with Cloud Computing and SaaS models. The list will be maintained with input from the community, security experts and security incidents at cloud/SaaS providers.
OWASP Codes of Conduct To create and maintain OWASP Codes of Conduct. In order to achieve our mission, OWASP needs to take advantage of every opportunity to affect software development everywhere. At the OWASP Summit 2011 in Portugal, the idea was created to try to influence educational institutions, government bodies, standards groups, and trade organizations. We set out to define a set of minimal requirements for these organizations specifying what we believe to be the most effective ways to support our mission. We call these requirements a “code of conduct” to imply that these are normative standards, they represent a minimum baseline, and that they are not difficult to achieve.
The OWASP "Green Book" This effort envisages to create and maintain The OWASP Application Security Code of Conduct for Government Bodies/The OWASP "Green Book".
The OWASP "Blue Book" This effort envisages to create and maintain The OWASP Application Security Code of Conduct for Educational Institutions/The OWASP "Blue Book".
The OWASP "Yellow Book" This effort envisages to create and maintain The OWASP Application Security Code of Conduct for Standards Groups/The OWASP "Yellow Book".
The OWASP "Purple Book" This effort envisages to create and maintain The OWASP Application Security Code of Conduct for Trade Organizations/The OWASP "Purple Book".
The OWASP "Red Book" This effort envisages to create and maintain The OWASP Application Security Code of Conduct for Certifying Bodies/The OWASP "Red Book".
OWASP Code Review Project The code review guide is currently at release version 1.1 and was the second best selling OWASP book in 2008. Much positive feedback has been received on this initial version, and we believe it is a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information. The combination of a book on secure code review and tools to support such an activity is very powerful, as it gives the developer community a place to start regarding secure application development.

Going forward, I hope to further integrate with the ASVS, and integration with other guides, such as the Testing and ASDR guides, shall be performed for version 2.0.

OWASP Common Numbering Project An exciting development, a new numbering scheme that will be common across OWASP Guides and References is being developed. The numbering is loosely based on the OWASP ASVS section and detailed requirement numbering. OWASP ASVS, Guide, and Reference project leads and contributors as well as the OWASP leadership plan to work together to develop numbering that would allow for easy mapping between OWASP Guides and References, and that would allow for a period of transition as Guides and References are updated to reflect the new numbering. This project will provide a centralized clearinghouse for mapping information.
OWASP CTF Project The purpose of this Project is to create a competitive environment which can be used at conferences and to have fun and teach in a playful way the various mistakes which are made in regards to web applications.
OWASP Data Exchange Format Project To define an open format for exchanging data between pentest tools.
OWASP Development Guide The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.
OWASP Enterprise Application Security Project Enterprise application security is one of the major topics in the overall security area, because those applications control money and resources and every security violation can result in a significant monetary loss. The purpose of this project is to make people aware of enterprise application security problems and to create a guideline for EA security assessment.
OWASP ESAPI Objective - C Project The OWASP ESAPI Objective-C is the Objective-C (Cocoa) implementation of ESAPI.
  • The current release of this project is not suitable for production use
OWASP ESAPI C++ Project This is the C++ language version of the OWASP ESAPI.
  • ESAPI for C++ is sponsored by the United States Government
  • An API for helping programmers develop more secure business applications in C++.
  • Provides easy to use functions for proper auditing, simple wrappers for cryptographic functions, and more.
  • The current release of this project is not suitable for production use
OWASP ESAPI C Project This is the C language version of the OWASP ESAPI.
  • ESAPI for C is sponsored by the United States Government
  • An API for helping programmers develop more secure business applications in C.
  • Provides easy to use functions for proper auditing, simple wrappers for cryptographic functions, and more.
OWASP ESAPI for ColdFusion/CFML Project This is the ColdFusion/CFML language version of OWASP ESAPI.
  • The current release of this project is not suitable for production use
OWASP ESAPI Perl Project Provides a Perl implementation of the OWASP Enterprise Security API. Once the major components have been written, this will be released on CPAN.
Owasp Esapi Ruby The Owasp Esapi Ruby is a port of the OWASP ESAPI project to the Ruby programming language. The idea is to build a Ruby gem (the standard Ruby library archive format) containing the ESAPI concepts implemented in Ruby classes, so that people using Ruby in their Rails applications can build security into them.
OWASP ESAPI Swingset Demo Project The ESAPI Swingset DEMO is a web application which demonstrates the many uses of the Enterprise Security API (ESAPI)
OWASP ESAPI Swingset Interactive Project
  • This is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library.
  • The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities.
OWASP Enhancing Security Options Framework (ESOP Framework) The purpose of the framework is to provide a security layer to a given web application / web site via a web service whose functions / modules protect the site from the following vulnerabilities:
  1. Remote code execution
  2. SQL injection
  3. Format string vulnerabilities
  4. Cross Site Scripting (XSS)
  5. Session hacking
  6. Denial of service (DoS) attacks
  7. Eavesdropping / Sniffing / Phishing
  8. Identity Spoofing
  9. Man-in-the-Middle Attacks
  10. Username enumeration
  11. Instrumentation & Audits for:
    • Critical Business Areas
    • User Management
    • Unusual activities
    • Interfaces Integrations
  12. IIS Tweaks
  13. Password Policy
OWASP Exams Project The OWASP Exams project will establish the model by which the OWASP community can create and distribute CC-licensed exams for use by educators. The purpose of the exams is to improve the effectiveness of OWASP training through the use of exams as a means of measurement and student progress tracking. The project will include creation of a set of CC-licensed exams, a model for exam usage, and a roadmap for future exam creation.

The exams may be distributed either in text format as well as in Moodle (an open source LMS) format so that they can be re-purposed for use in any system or an educator can use them directly in Moodle to administer exams to students. Ideally the exams will be tied to OWASP Academies learning blocks so that there is good learning and training content that can be used to motivate the usage of the exams.

OWASP Forward Exploit Tool Project This project aims to develop a tool to exploit the Top 10 2010 A10 (Unvalidated Forward) vulnerability to bypass access control to protected Java application files (config, binary, source code, etc.). It also aims to automate the download of known files in Java web applications.
OWASP German Language Project


GoatDroid

The OWASP GoatDroid Project is a fully functional and self-contained environment for learning about Android security.

Introduction

GoatDroid requires minimal dependencies, and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location based social network, and Herd Financial, a mobile banking application.

Description

OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several features that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.

As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that can educate developers and security testers on new security issues. The project currently provides coverage for most of the OWASP Top 10 Mobile Risks and also includes a bunch of other problems as well.

Contributions will always be needed in order to keep this project moving at a pace that can support the seemingly endless new problems to tackle. If you are interested, please contact the project's leaders or send an email to the OWASP Mobile Security Project mailing list. We welcome code contributors, beta testers, new feature suggestions, and feedback always!

Licensing

GoatDroid is published by OWASP under the GPLv3 license. You should read and accept the LICENSE before you use, modify, and/or redistribute this software.



Project Leader

Jack Mannino





OWASP Hackademic Challenges Project
  • The Hackademic Challenges is an open source project that can be used to test and improve one's knowledge of web application security.
  • The Hackademic Challenges project implements realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.
  • They have been especially designed for use in a classroom environment, where they have proven a valuable educational tool. Using the Hackademic Challenges, students have the chance to experience application security in a realistic environment, something that triggers their interest and provokes a lot of interesting discussion.
  • The Hackademic Challenges are currently used in several Universities and have received very positive feedback from both professors and students.
OWASP Hatkit Datafiddler Project
  • The Datafiddler is a tool for performing advanced analysis of HTTP traffic. It currently consists of two main views, one table-based and one tree-based. These views allow the user to study different aspects of the HTTP traffic with a very high degree of configurability. The tool is also meant to be a framework which can utilize existing tools to analyze traffic post mortem (or in real time).
  • Built in Python/Qt + MongoDB.
OWASP Hatkit Proxy Project
  • The Hatkit Proxy is an intercepting HTTP/TCP proxy based on the OWASP Proxy, but with several additions. These additions are:
    • Swing-based UI,
    • Interception capabilities with manual edit,
    • Syntax highlighting (html/form-data/http) based on JFlex,
    • Storage of HTTP traffic into a MongoDB database,
    • Interception capabilities for TCP traffic,
    • Possibilities to intercept in Fully Qualified mode (like all other HTTP proxies) OR Non-fully qualified mode. The latter means that interception is performed *after* the host has been parsed, thereby enabling the user to submit non-valid HTTP content.
  • The primary purpose of the Hatkit Proxy is to create a minimal, lightweight proxy which stores traffic into an offline storage where further analysis can be performed, e.g. all kinds of analysis which are currently implemented by the proxies themselves (WebScarab/Burp/Paros etc.).
  • Also, since the HTTP traffic is stored in MongoDB, the traffic is stored at an object level, retaining the structure of the parsed traffic, which enables a user to perform advanced queries later.
  • The proxy should also be a good choice for 'defenders' who want to (temporarily?) monitor traffic. The proxy itself is, as stated, very lightweight, and the backend MongoDB storage scales very well and should be able to handle extreme amounts of data. This would allow defenders to perform advanced post-mortem or real-time analysis of incoming traffic.
  • Built in Java/Swing + MongoDB.
HTMLReg Converts malicious HTML/CSS into a safe form of HTML.
OWASP HTTP Post Tool A tool for performing web application security assessments focused on availability concerns.
OWASP iGoat Project The iGoat project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.

Similar to WebGoat (developer), the user is presented with a series of lessons surrounding numerous vulnerabilities associated with iOS apps. The student exploits each vulnerability to validate its existence, and then implements a remediation in the lesson's source code.

Further, iGoat is designed and implemented modularly, similar conceptually to WebGoat's modular Java EE servlet model. It is intended to provide a foundational framework to build lessons on top of, starting with a core set of lessons provided in the first release.

iGoat can be downloaded here: http://code.google.com/p/owasp-igoat/

OWASP JavaScript Sandboxes To produce a simplified version of JavaScript by using regular expressions to remove dangerous functionality and then use JavaScript itself to evaluate the results. The goal is to allow normal web users to safely code JavaScript on a site without exposing sensitive information. This project has three 'sub'-projects: OWASP JSReg + OWASP HTMLReg + OWASP CSSReg.


OWASP Java Encoder Project

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!

Introduction

Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. It provides numerous encoding functions to help defend against XSS in a variety of different HTML, JavaScript, XML and CSS contexts.

Quick Overview

The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.1.1.jar, import org.owasp.encoder.Encode and start encoding.

Please look at the javadoc for Encode to see the variety of contexts for which you can encode. Tag libraries and JSP EL functions can be found in the encoder-jsp-1.1.1.jar.

If you want to try it out or see it in action, head over to "Can You XSS This? (.com)" and hit it with your best XSS attack vectors!

Happy Encoding!

Licensing

The OWASP Java Encoder is free to use under the New BSD License.


What is this?

The OWASP Java Encoder provides:

  • Output Encoding functions to help stop XSS
  • Java 1.5+ standalone library

Code Repo

Java Encoder at Google Code

Mailing List

Java Encoder Mailing List

Project Leaders

Author: Jeff Ichnowski
PM: Jim Manico

Contributors

Jeremy Long

Related Projects


Quick Download

News and Events

  • [20 Mar 2014] Doc additions
  • [5 Feb 2014] New Wiki
  • [4 Feb 2014] 1.1.1 Released

In Print

We will be releasing a user guide soon!

Classifications

Incubator project; Builders and Defenders; New BSD License; project type: code.

Use the Java Encoder Project

The general API pattern is to utilize the Java Encoder Project in your user interface code and wrap all variables added dynamically to HTML with a proper encoding function. The encoding pattern is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target context and "untrustedData" is untrusted output.

Basic HTML Context

<body><%= Encode.forHtml(UNTRUSTED) %></body>

HTML Content Context

<textarea name="text"><%= Encode.forHtmlContent(UNTRUSTED) %></textarea>

HTML Attribute context

<input type="text" name="address" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />

Generally Encode.forHtml(UNTRUSTED) is also safe but slightly less efficient for the above two contexts (for textarea content and input value text) since it encodes more characters than necessary but might be easier for developers to use.

CSS contexts

<div style="width:<%= Encode.forCssString(UNTRUSTED) %>">
<div style="background:<%= Encode.forCssUrl(UNTRUSTED) %>">

Javascript Block context

 <script type="text/javascript">
 var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>";
 alert(msg);
 </script>

Javascript Variable context

 <button 
 onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">
 click me</button>

JavaScript Content Notes: Encode.forJavaScript(UNTRUSTED) is safe for the above two contexts, but encodes more characters and is less efficient.

Encode URL parameter values

<a href="/search?value=<%= Encode.forUriComponent(UNTRUSTED) %>&order=1#top">

Encode REST URL parameters

<a href="/page/<%= Encode.forUriComponent(UNTRUSTED) %>">

Handling a Full Untrusted URL

When handling a full url with the OWASP Java encoder, first verify the URL is a legal URL.

String url = validateURL(untrustedInput);

Then encode the URL as an HTML attribute when outputting to the page. Note the linkable text needs to be encoded in a different context.

 <a href="<%= Encode.forHtmlAttribute(untrustedUrl) %>">
 <%= Encode.forHtmlContent(untrustedLinkName) %>
 </a>

To use in a JSP with EL

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<html>
   <head>
       <title><e:forHtml value="${param.title}" /></title>
   </head>
   <body>
       <h1>${e:forHtml(param.data)}</h1>
   </body>
</html>

Other contexts can be found in the org.owasp.encoder.Encode class methods, including CSS strings, CSS URLs, XML contexts, URIs and URI components.
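As an added illustration of the Encode.forContextName(untrustedData) pattern described above, here is a minimal contextual encoder written in JavaScript for this page. It is not the OWASP Java Encoder's code: only the function names mirror the library's naming, and the escape tables, the renderProfile template and the sample input are assumptions constructed for the example. Beyond what the text states, it also shows what goes wrong when the encoder for the wrong context is used.

```javascript
// Minimal contextual output encoders, written for this page to illustrate
// the Encode.forContext(untrustedData) pattern. NOT the OWASP Java Encoder's
// code: the names mirror the library's, the escape tables are assumptions.

// HTML text and quoted-attribute context: neutralise every character that
// can close a tag or an attribute value or start an entity.
function forHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context. HTML entities mean nothing inside a
// <script> block, so backslash escapes are used instead. Only escapes that
// are valid in both JavaScript and JSON strings are emitted, so the result
// can be read back with JSON.parse below without eval.
function forJavaScript(s) {
  const map = {
    '\\': '\\\\', '"': '\\u0022', "'": '\\u0027', '<': '\\u003c', '>': '\\u003e',
    '&': '\\u0026', '/': '\\/', '\n': '\\n', '\r': '\\r',
    '\u2028': '\\u2028', '\u2029': '\\u2029',
  };
  return String(s).replace(/[\\"'<>&\/\n\r\u2028\u2029]/g, (c) => map[c]);
}

// URI query or path component context.
function forUriComponent(s) {
  return encodeURIComponent(String(s));
}

// Constructed sample input: a classic attribute-breakout probe.
const SAMPLE = '"><script>alert(1)</script>';

// Correct use: each interpolation uses the encoder for the context it lands in.
function renderProfile(untrusted) {
  return [
    `<h1>${forHtml(untrusted)}</h1>`,
    `<input type="text" name="nick" value="${forHtml(untrusted)}" />`,
    `<script>var nick = "${forJavaScript(untrusted)}";</script>`,
    `<a href="/search?value=${forUriComponent(untrusted)}">search</a>`,
  ].join('\n');
}

// The unencoded version of the same template, for comparison.
function renderUnencoded(untrusted) {
  return [
    `<h1>${untrusted}</h1>`,
    `<script>var nick = "${untrusted}";</script>`,
  ].join('\n');
}

// The value a JavaScript engine would assign from `var nick = "<encoded>";`.
function jsLiteralValue(encoded) {
  return JSON.parse('"' + encoded + '"');
}

// Defender's check on rendered output: the only <script tag present must
// be the one the template itself wrote.
function hasOnlyTemplateScript(html) {
  return (html.match(/<script/gi) || []).length === 1;
}

console.log(renderProfile(SAMPLE));
// Right context round-trips the data; the wrong context (forHtml inside the
// script block) leaves entities in the JS string instead of the input.
console.log(jsLiteralValue(forJavaScript(SAMPLE)) === SAMPLE); // true
console.log(jsLiteralValue(forHtml(SAMPLE)) === SAMPLE);       // false
```

jsLiteralValue reads the literal back with JSON.parse rather than eval, which is why forJavaScript emits only escapes valid in both JSON and JavaScript strings; the point it makes is the one the page's "Encode.forJavaScript is safe for the above two contexts" note implies: HTML entities placed inside a script block are not decoded by the JavaScript engine, so the wrong encoder corrupts the data even when it happens not to open an injection.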

Deploy the Java Encoder Project

The OWASP Java Encoder version 1.1.1 is now available in central!

OWASP Encoder at Maven Central.

Core

Direct Download: encoder-1.1.1.jar

Maven

<dependency>
   <groupId>org.owasp.encoder</groupId>
   <artifactId>encoder</artifactId>
   <version>1.1.1</version>
</dependency>

JSP Tag Library

Direct Download: encoder-jsp-1.1.1.jar

Maven

<dependency>
   <groupId>org.owasp.encoder</groupId>
   <artifactId>encoder-jsp</artifactId>
   <version>1.1.1</version>
</dependency>

Grave Accent Issue

The following describes the Grave Accent XSS issue with unpatched versions of Internet Explorer. Thank you to Rafay Baloch for bringing this to our attention and to Jeff Ichnowski for the workaround.

Introduction

The grave accent (`), ASCII 96, hex 60 (wikipedia) is subject to a critical flaw in unpatched Internet Explorer. There is no possible encoding of the character that can avoid the issue. For a more in-depth presentation on the issue discussed herein, please see Mario Heiderich's presentation.

Background

In Internet Explorer, the grave accent is usable as an HTML attribute quotation character, equivalent to single and double quotes. Specifically, IE treats the following as equivalent:

<input value="this is the value">
<input value=`this is the value`>

It is an IE extension, is not in HTML specifications (HTML4, HTML5), and is probably not well supported in other browsers.

The Issue

The following HTML snippet demonstrates the cross-site scripting vulnerability related to grave accents on unpatched Internet Explorer:

<div id="a">
<input value="``onmouseover=alert(1)">
</div>
<div id="b"></div>
<script>b.innerHTML=a.innerHTML</script>

When this snippet is run in Internet Explorer the following steps happen:

  1. Two div elements are created with ids "a" and "b".
  2. The script reads "a.innerHTML", which returns:
<input value=``onmouseover=alert(1)>
  3. The script sets "b.innerHTML" to the value from (2), which is converted to the DOM equivalent of:
<input value="" onmouseover="alert(1)">

The XSS issue arises from IE returning a value from innerHTML that it does not parse back into the original DOM. Patched versions of IE fix this issue by returning the XSS value as a double-quoted attribute. The issue is complicated by the fact that no possible encoding of the grave accent can avoid it.

When...

<input value="&#96;&#96;onmouseover=alert(1)">

...is the input, "a.innerHTML" returns the same XSS vector as it does without the encoding.

Recommended Solution

Our recommended workaround is to update any JavaScript-based innerHTML read to replace the grave accent with its numeric entity encoded form, "&#96;". As an example, the following change to the XSS-vulnerable code above fixes the issue:

<script>b.innerHTML=a.innerHTML.replace(/`/g, "&#96;");</script>

This can be done in any library code that reads the innerHTML. To follow how this addresses the issue, the innerHTML from step 2 of the issue is converted to:

<input value=&#96;&#96;onmouseover=alert(1)>

Since the browser will no longer see the grave accents as an empty attribute, it will convert the input back to a copy of its original DOM.

Other Possible Solutions

As there is no encoding option available, the following options are available to web application authors:

  1. Do not use innerHTML copies
  2. Filter out the accent grave from any user input
  3. Clean up grave accents when using an innerHTML copy

OWASP Java Encoder Library Related Changes

The OWASP Java Encoder Library at its core is intended to be an XSS-safe _encoding_ library. The grave accent is a legitimate and frequently used character that cannot be encoded to avoid this bug in unpatched versions of IE. With enough user feedback, we may update the library to include one of the following options: (1) an alternate, drop-in build that filters grave accents, with unchanged API, or (2) new filtering methods.

OWASP Java Project The OWASP Java Project's goal is to enable Java and J2EE developers to build secure applications efficiently.
OWASP Java XML Templates Project JXT is a fast and secure XHTML-compliant template language that runs on a model similar to JSP. JXT provides automatic context-aware encoding of data to make it easy to avoid the OWASP Top Ten #2 web application security risk, Cross-site Scripting.

By providing automatic context aware escaping, JXT relieves the developer of having to think through the various contexts and appropriate escaping method required--allowing them to focus on coding the application. It also helps make the application more robust--it is easy to forget an escape after late night coding sessions after long hours. An additional benefit, perhaps not obvious at first, is that the automatic escaping provides for shorter syntax, and thus more readable code.

OWASP JBroFuzz Project JBroFuzz is a stateless web application fuzzer for requests being made over HTTP and/or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities. As a tool, it emerged from the needs of penetration testing.
JSReg JSReg is a Javascript sandbox which converts code using regular expressions.
what is this project?
Name: OWASP LAPSE Project (home page)
Purpose: LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java EE Applications for common types of security vulnerabilities found in Web Applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project. The project's second push is being led by Pablo Martín Pérez, Evalues Lab ICT Security Researcher, developing LAPSE+, an enhanced version of LAPSE.
License: GNU General Public License v3
who is working on this project?
Project Leader(s):
  • Gregory Disney-Leugers
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact Gregory Disney-Leugers to contribute to this project
  • Contact Gregory Disney-Leugers to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
LapsePlus 2.8.1 - March 2011 - (download)
Release description: LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher. LAPSE+ is based on the GPL software LAPSE, developed by the SUIF Compiler Group of Stanford University. This new release of the plugin developed by Evalues Lab of Universidad Carlos III de Madrid provides more features to analyze the propagation of the malicious data through the application and includes the identification of new vulnerabilities.
Rating: Not Reviewed - Assessment Details
last reviewed release
Not Yet Reviewed


other releases
OWASP Mantra - Security Framework Mantra is a security framework which can be very helpful in performing all the five phases of attacks, including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted at web developers and code debuggers, which makes it handy for both offensive security and defensive security related tasks.
OWASP Mobile Security Project Our primary focus is at the application layer. While we take into consideration the underlying mobile platform and carrier inherent risks when threat modeling and building controls, we are targeting the areas that the average developer can make a difference. Additionally, we focus not only on the mobile applications deployed to end user devices, but also on the broader server-side infrastructure which the mobile apps communicate with. We focus heavily on the integration between the mobile application, remote authentication services, and cloud platform-specific features.
OWASP Mobile Security Project - Mobile Threat Model
OWASP ModSecurity Core Rule Set Project ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extremely flexible and robust and has been referred to as the "Swiss Army Knife of web application firewalls." While this is certainly true, it doesn't do much implicitly on its own and requires rules to tell it what to do. In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS) which provides critical protections against attacks across almost every web architecture.

Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS is based on generic rules which focus on attack payload identification in order to provide protection from zero day and unknown vulnerabilities often found in web applications, which are in most cases custom coded.

OWASP Myth Breakers Project Similar to http://dsc.discovery.com/tv/mythbusters but for appsec: urban legends and assumptions regarding appsec will be tested, and there'll be a set of examples that prove the correctness or incorrectness of a statement related to the question. Every question will be answered on the mailing list and, further, a page on the OWASP site will be created to report the results. Anyone will also be able to use the contents of the page/mailing list in OWASP conferences to spread the word about what's an urban legend and what's not.
OWASP NAXSI Project Naxsi (Nginx Anti Xss Sql Injection) is an open source, high performance, low rules maintenance, Web Application Firewall module for Nginx, the infamous web server and reverse-proxy.
  • Its goal is to help people secure their web applications against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions.
  • The difference with most WAF (Web Application Firewalls) out there is that it does not rely upon signatures to detect and block attacks. It uses a simpler model where, instead of trying to detect "known" attacks, it detects unexpected characters in the HTTP requests/arguments.
  • Each kind of unusual character will increase the score of the request. If the request reaches a score considered "too high", the request will be denied, and the user will be redirected to a "forbidden" page. Yes, it works somewhat like a spam system.
Opa Usher in a new generation of web development tools and methodologies.
OWASP Open Review Project The OWASP Open Review Project (ORPRO) is a project to openly check open source libraries and software that are vital to most commercial and non-commercial apps around.
  • We are surrounded by open source software. Not only the open source software all of us use, also many of the commercial applications contain open source libraries. Think of server and desktop software, but don't forget routers, cars, phones. Open source is everywhere.
  • The OWASP Open Review Project (ORPRO) exists to act as a resource providing automated static analysis of OWASP projects.
  • Fortify Software has made their Fortify on Demand (FoD) technology available to OWASP projects at owasp.fortifyondemand.com.

OWASP OVAL Content Project The purpose of this project is to create OVAL content to enable any OVAL compatible tool to find security issues which can be represented in a standard format.
  • More about OVAL from MITRE website:
  • Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services.
    • This project will strive to create OVAL content (which are simply XML files) for common security mis-configurations. For example, refer to http://www.codeproject.com/KB/web-security/web-based-applications.aspx for list of top 10 Application Security Vulnerabilities in Web.config Files which may impact any ASP.NET web application. Each of these security settings can be tested easily by writing corresponding OVAL checks. In this particular case, xmlfilecontent_item can be used.
    • There are already free tools (OVAL Interpreters) available which can be readily used to check content conforming to OVAL standard.
    • The OVAL community is quite active and there is a vast amount of content available in the OVAL repository maintained on the MITRE website.
    • By providing standard OWASP reviewed OVAL content to the general public, this project's goal is to make it easier for anyone involved in finding configuration related vulnerabilities in any web application platform.
OWASP O2 Platform Project Collection of Open Source modules that help Web Application Security Professionals to maximize their efforts and quickly obtain high visibility into an application's security profile.

NOTE: most of the O2 Platform content is still on the external website
www.o2platform.com

OWASP Passw3rd Project Store passwords in encrypted files with an easy to use command line interface, and utilities to use the passwords in code. In its simplest form, the keys are generated per environment with OS access controls while the password files are stored in SCM.
OWASP Portuguese Language Project This project aims to coordinate and push forward the initiatives developed to translate OWASP materials to Portuguese.
OWASP Related Commercial Services
  • Controlled environment for commercial providers of ‘OWASP Related’ services to be exposed to the OWASP community.
  • Promote the development of professional services around OWASP.
  • Allow buyers to find the best providers for their needs.
OWASP RFP-Criteria The purpose of this project is simply to provide an objective list and an aggregate set of questions from companies to utilize when they issue RFPs for web application security.
OWASP Secure Coding Practices - Quick Reference Guide This document provides a quick high level reference for secure coding practices. It is technology agnostic and defines a set of general software security coding practices, in a checklist format, that can be integrated into the development lifecycle. Implementation of these practices will mitigate most common software vulnerabilities.
OWASP Secure Password Project The majority of the world's authentication systems rely on a single-factor authentication mechanism: the password. A simple internet search yields thousands of pages dedicated to the topic of creating a secure password, but almost all of them are inherently flawed in that they recommend either joining pieces of known information to compile a secure password or applying variations of character conversion schemes to commonly known words and phrases. The inherent problem with this approach is that if the pieces are known, then it is fairly trivial to compute the variations that compile the whole password.

This project will have a two pronged approach designed to put more nails in the single-factor method of authentication.

  • First, we will create an interactive portal where penetration testers are able to enter known information about the target. This known information can then be broken down and converted to create a large downloadable dictionary list that has been customized to the target. This list will be added to a comprehensive standard dictionary with the character conversions performed on that as well. The result would be a large list of commonly used passwords, dictionary words, target specific passwords, and various derivatives of each which should cover the vast majority of passwords used today.
  • The second prong of our approach will be to capture the results of all data collected into a large database. This data will be hashed with common hashing methods to create what will become the world's largest rainbow tables. A user can provide us with a hash and we can do a lookup against these tables to search for matching entries. The goal here is to put a stop to unsalted password hashes for authentication.
OWASP Secure the Flag Competition Project This project aims to create a different type of competition that encourages secure coding rather than hacking skills.

We've all heard of capture the flag competitions, Secure The Flag (STF) is different. STF is a developer focused competition where teams compete to develop the most secure application based on a series of software requirements. Some requirements are just there to set boundaries and standardize the game, some requirements are critical elements and MUST be implemented, other elements are optional and can get you bonus points, but be careful, bonus features are more risky! Teams will receive the requirements, along with a pre-configured VM (LAMP) several days before the competition to allow ample time to design and implement their systems.

OWASP Secure Web Application Framework Manifesto The Secure Web Application Framework Manifesto is a document detailing a specific set of security requirements for developers of web application frameworks to adhere to. The goal is to help develop more secure applications from the start. The manifesto centers around the following beliefs:
  • Frameworks that are ‘secure by default’ will yield a dramatic reduction in the number of common web application security vulnerabilities.
  • Application security experts should provide, on a regular basis, updated guidance to framework developers on how to incorporate mechanisms to avoid newly discovered vulnerabilities.
OWASP Security Baseline Project This project aims to benchmark the security of various enterprise security products/services against the OWASP Top 10 risks. By comprehensively assessing the security of enterprise products/services, the OWASP Security Baseline initiative will (eventually) lead to vendor-independent security certified solutions.
Security Ecosystem Project Nobody (and no company) can build secure software by themselves. We have seen that vulnerability research can help to drive security forward in companies, but it’s a painful process. We envision a partnership between technology platform vendors and a thriving ecosystem focused on the security of their technology. The ecosystem will include researchers (both builders and breakers), tools, libraries, guidelines, awareness materials, standards, education, conferences, forums, feeds, announcements, and probably more.
OWASP Security Tools for Developers Project (STD) Develop a reference implementation of open source tools integrated in an end to end development process. This will likely include a reference architecture, guidance and a reference implementation using open source tools. We will likely extend current open source tools or develop new tools where gaps exist.
OWASP SIMBA Project SIMBA (Security Integration Module for Business Applications) is a User Access Management system that can be integrated with any business application. The purpose of the project is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. A separate Flex manager application is available to manage the data, view the audit logs and configure parameters.

With the support of the OWASP (Open Web Application Security Project) community SIMBA is constantly improved so current security vulnerabilities are better supported and proactive work is done against future vulnerabilities. SIMBA is not vendor specific, developed in an international community and is supported by all major platforms.

OWASP Software Security Assurance Process To outline mandatory and recommended processes and practices to manage risks associated with applications. Software Security is equally dependent on people, processes and technology. The effectiveness of the OWASP Software Security Process is continuously measured and is improved through feedback, threat landscape changes, and the availability of new concepts and tools. It should be the framework to map Requirements, Dev and Testing guidelines, for example.
OWASP Student Chapters Program
OWASP Testing Project The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.
OWASP Threat Modelling Project [Inactive project banner]
OWASP Uniform Reporting Guidelines This project will complement the OWASP Testing Guide as well as the OWASP RFP Template. This is going to be a reporting template for vulnerability findings which will be free, based on industry best practices, and hopefully will become the de facto standard.
OWASP VFW (Varnish FireWall) The purpose of this project is to mitigate web application threats using Varnish. Varnish (https://www.varnish-cache.org/) is a modern, very flexible and scalable reverse-proxy system which supports VCL, a wonderful domain-specific language to deal with HTTP (to handle headers, routing, rewriting and blocking requests, etc). Nowadays, many big Internet services are behind Varnish and we can bring some security policies to it.

In other words: Varnish as a Web Application Firewall; a kind of mod_security for Varnish; Varnish security filters.

OWASP WAF Project The OWASP Web Application Firewall (WAF) Project is a ModSecurity endorsed Port of their Language Specification (Level 1) for Java and .NET based on the contribution to ESAPI-Java by Arshan Dabirsiaghi.
OWASP Watcher Project Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won't damage production systems, it's completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Major Features:

  • Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, JavaScript, CSS, and development frameworks (e.g. ASP.NET, JavaServer);
  • Works seamlessly with complex Web 2.0 applications while you drive the Web browser;
  • Non-intrusive, will not raise alarms or damage production sites;
  • Real-time analysis and reporting - findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS);
  • Configurable domains with wildcard support;
  • Extensible framework for adding new checks.
OWASP WhatTheFuzz Project An easy to use, easy to get started fuzzer for websites.
OWASP Web Application Security Accessibility Project The practice points out to the fact that a seemingly secure web application does, in reality, protect interests of only a specific group of users. Interests of a great number of users are protected only partially or by no means. This project will focus extensively on the issue of web application security accessibility.
OWASP Web Browser Testing System Project WBTS was built to quickly automate and test various browser and user-agents for security issues. It contains all the necessary services required for testing a browser. The following services are included: DNS, HTTP(S), Logging Services and support for VirtualHosts.
OWASP Web Testing Environment Project
OWASP WebScarab NG Project WebScarab NG is a robust tool that assists the user in penetration testing. This is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly.
OWASP WebScarab Project WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

You may also be interested in testing the Next Generation of WebScarab.

OWASP X5s Project Active XSS testing and input/output encoding detection

x5s is a Fiddler add-on which aims to assist penetration testers in finding cross-site scripting vulnerabilities. This is not a point and shoot tool; it requires some understanding of how encoding issues lead to XSS, and it requires manual driving.

Its main goal is to help you identify the hotspots where XSS might occur by:

  • Detecting where safe encodings were not applied to emitted user-inputs
  • Detecting where Unicode character transformations might bypass security filters
  • Detecting where non-shortest UTF-8 encodings might bypass security filters
OWASP Zed Attack Proxy Project This project, OWASP Zed Attack Proxy Project (ZAP), provides an easy to use integrated penetration testing tool for testing web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.