Difference between revisions of "OWASP Projects Dashboard 2.0/By Set Up Order"

From OWASP
Jump to: navigation, search
 
(6 intermediate revisions by one user not shown)
Line 85: Line 85:
 
{{:Projects/OWASP OVAL Content Project | OWASP Project About/Rows}}
 
{{:Projects/OWASP OVAL Content Project | OWASP Project About/Rows}}
 
{{:Projects/OWASP WAF Project | OWASP Project About/Rows}}
 
{{:Projects/OWASP WAF Project | OWASP Project About/Rows}}
 +
{{:Projects/OWASP ESAPI Perl Project | OWASP Project About/Rows}}
 +
{{:Projects/OWASP NAXSI Project | OWASP Project About/Rows}}
 +
{{:Projects/OWASP ESAPI for ColdFusion - CFML Project | OWASP Project About/Rows}}
 +
{{:Projects/OWASP Open Review Project  | OWASP Project About/Rows}}
 +
{{:Projects/OWASP Best Practices: Use of Web Application Firewalls | OWASP Project About/Rows}}
 +
{{:Projects/OWASP Application Security Requirements Project | OWASP Project About/Rows}}
 +
{{:Projects/OWASP Passw3rd Project | OWASP Project About/Rows}}
 
|}
 
|}

Latest revision as of 14:15, 4 October 2011

Project Leader(s) Contributor(s)
Security Ecosystem Project Jeff Williams @ This project is currently seeking volunteers. If you are interested please contact us through the mailing list.
OWASP RFP-Criteria Tom Brennan @ N/A
Owasp Esapi Ruby Paolo Perego @ Kuai Hinojosa @ Sal Scotto @ Paco Schiaffella @
OWASP Application Security Program for Manager Matteo Meucci @ Marco Morana @ Giorgio Fedon @ Stefano di Paola @
OWASP JavaScript Sandboxes Gareth Heyes @ Eduardo Vela Mario Heiderich
JSReg Gareth Heyes @ N/A
HTMLReg Gareth Heyes @ N/A
OWASP Testing Project Andrew Muller @ Matteo Meucci @ N/A
OWASP Related Commercial Services Eoin Keary @ N/A
OWASP Development Guide N/A Andrew van der Stock @ Ken Owen @
OWASP Application Security Verification Standard Project Sahba Kazerooni @ Daniel Cuthbert @ Dave Wichers @ Jeff Williams @ Mike Boberski
OWASP Code Review Project Larry Conklin @ N/A
OWASP ModSecurity Core Rule Set Project Ryan Barnett @ Breno Silva
OWASP Alchemist Project Naveen Rudrappa @ Chandrakanth Reddy Narreddy @ Bishan Singh @ N/A
OWASP Secure Coding Practices - Quick Reference Guide Keith Turpin @ Dan Kranz Walt Pietrowski Catherine Spencer Caleb McGary @ Jim Manico @ Brad Causey @ Ludovic Petit @ Michael V. Scovetta @ Jason Coleman Tarcizio Vieira Neto
OWASP Student Chapters Program Mateo Martinez @ N/A
OWASP CTF Project Steven van der Baan @ Martin Knobloch @ Brad Causey @ Ralf Allar @ Andres Riancho @ Danny Chrastil
OWASP Enterprise Application Security Project Alexander Polyakov @ Dmitriy Evdokimov @ Dmitriy Chastuhin @ Alexey Sintsov @ Michail Markevich
OWASP Browser Security Project N/A N/A


OWASP Inactive Banner.jpg
OWASP Uniform Reporting Guidelines Vlad Gostomelsky @ N/A
OWASP Secure Web Application Framework Manifesto Rohit Sethi @ Yuk Fai Chan @ Tom Aratyn @ Sahba Kazerooni @ Patrick Szeto @
OWASP Mobile Security Project Jack Mannino (Overall Project and GoatDroid Leader) @ Mike Zusman (Mobile Cheat Sheet Leader) @ Tony DeLaGrange (MobiSec Leader) @ Sarath Geethakumar (Mobile Device Management Leader) @ Tom Eston (Mobile Threat Model Leader) @ Don Williams (Mobile Testing Leader) Jason Haddix (Mobile Top Ten) @ Zach Lanier @ Jim Manico @ Ludovic Petit @ Swapnil Deshmukh @ Beau Woods @
OWASP O2 Platform Project Dinis Cruz @ N/A
OWASP Zed Attack Proxy Project Psiinon @ Axel Neumann @ N/A
OWASP AppSensor Project Michael Coates @ John Melton @ Colin Watson @ Dennis Groves @ Ryan Barnett @ Simon Bennetts August Detlefsen Randy Janida Jim Manico @ Giri Nambari Eric Sheridan Kevin Wall Dennis Groves
OWASP JBroFuzz Project Ranulf Green @ Yiannis Pavlosoglou @ Markus Miedaner @
OWASP Watcher Project Chris Weber @ N/A
OWASP X5s Project Chris Weber @ N/A
OWASP Application Security Skills Assessment Neil Smithline @ N/A
OWASP Common Numbering Project Dave Wichers (ASVS) @ Jeff Williams (ASVS) @ Vishal Garg (Development Guide) @ Eoin Keary (Code Review Guide) @ Matteo Meucci (Testing Guide) @ Keith Turpin (Secure Coding Quick Reference) @ Brad Causey (Global Projects Commitee) @ Rick Mitchell
OWASP HTTP Post Tool Tom Brenann @ N/A
OWASP Forward Exploit Tool Project Marcos Mateos Garcia @ N/A
OWASP Java XML Templates Project Jeff Ichnowski @ N/A
OWASP ASIDE Project Jun Zhu @ Bill Chu @ Jing Xie @ N/A
OWASP Secure Password Project Josh Sokol @ James Wickett @ Matt Tesauro @ Ben Broussard @ Genung Gregory @
OWASP Secure the Flag Competition Project Mark Bristow @ N/A
OWASP Security Baseline Project Marian Ventuneac @ N/A
OWASP ESAPI Objective - C Project Deepak Subramanian @ N/A
PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Academy Portal Project (home page)
Purpose: Creation of a Portal to offer academic material in usable blocks, lab's, video's and forum.
License: Choose wisely
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases
OWASP Exams Project Jason Taylor @ N/A
OWASP Portuguese Language Project Carlos Serrão @ Marcio Machry @ Lucas Ferreira @
OWASP Browser Security ACID Tests Project Dave Wichers (as coproject manager) @ John Wilander (as coproject manager) @ David Lindsay (as technical lead) @ Isaac Dawson @
OWASP Web Browser Testing System Project Isaac Dawson @ N/A
OWASP Java Project Mirko Richter @ N/A
OWASP Myth Breakers Project Stefano Di Paola @ Dinis Cruz @ N/A
PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP LAPSE Project (home page)
Purpose: LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java EE Applications for common types of security vulnerabilities found in Web Applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project. The project's second push is being led by Pablo Martín Pérez, Evalues Lab ICT Security Researcher, developing LAPSE+, an enhanced version of LAPSE.
License: GNU General Public License v3
who is working on this project?
Project Leader(s):
  • Gregory Disney-Leugers @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact Gregory Disney-Leugers @ to contribute to this project
  • Contact Gregory Disney-Leugers @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
LapsePlus 2.8.1 - March 2011 - (download)
Release description: LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher. LAPSE+ is based on the GPL software LAPSE, developed by the SUIF Compiler Group of Stanford University. This new release of the plugin developed by Evalues Lab of Universidad Carlos III de Madrid provides more features to analyze the propagation of the malicious data through the application and includes the identification of new vulnerabilities.
Rating: Yellow button.JPG Not Reviewed - Assessment Details
last reviewed release
Not Yet Reviewed


other releases
OWASP Software Security Assurance Process Mateo Martínez @ Martin Pellegrino
OWASP Enhancing Security Options Framework (ESOP Framework) Amber Marfatia @ N/A
OWASP German Language Project Matthias Rohr @ N/A
OWASP Mantra - Security Framework Abhi M BalaKrishnan @ N/A
[edit]

OWASP Project Header.jpg

OWASP Java Encoder Project

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!

Introduction

Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. It provides numerous encoding functions to help defend against XSS in a variety of different HTML, JavaScript, XML and CSS contexts.

Quick Overview

The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.1.1.jar, import org.owasp.encoder.Encode and start encoding.

Please look at the javadoc for Encode to see the variety of contexts for which you can encode.

If you want to try it out or see it in action, head over to "Can You XSS This? (.com)" and hit it with your best XSS attack vectors!

Happy Encoding!

Licensing

The OWASP Java Encoder is free to use under the New BSD License.


What is this?

The OWASP Java Encoder provides:

  • Output Encoding functions to help stop XSS
  • Java 1.5+ standalone library

Code Repo

Java Encoder at Google Code

Mailing List

Java Encoder Mailing List

Project Leaders

Author: Jeff Ichnowski @
PM: Jim Manico @

Contributors

Jeremy Long

Related Projects


Quick Download

News and Events

  • [20 Mar 2014] Doc additions
  • [5 Feb 2014] New Wiki
  • [4 Feb 2014] 1.1.1 Released

In Print

We will be releasing a user guide soon!

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
New BSD License
Project Type Files CODE.jpg

The general API pattern is to utilize the Java Encoder Project in your user interface code and wrap all variables added dynamically to HTML with a proper encoding function. The encoding pattern is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target context and "untrustedData" is untrusted output.

Basic HTML Context

<body><%= Encode.forHtml(textValue) %>" /></body>

HTML Content Context

<textarea name="text"><%= Encode.forHtmlContent(textAreaContent>" /></textarea>

Generally Encode.forHtml(...) is safe but slightly less efficient for the above two contexts (since it encodes more characters than necessary).

HTML Attribute context

<input type="text" name="address" value="<%= Encode.forHtmlAttribute(addressData) %>" />

Javascript Block context

<script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(message) %>"; alert(msg); </script>

Javascript Variable context

<button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button>

JavaScript Content Notes: Encode.forJavaScript is safe for the above two contexts, but encodes more characters and is less efficient.

Encode URL parameter values

<a href="/search?value=<%= Encode.forUriComponent(parameterValue) %>&order=1#top">

Encode REST URL parameters

<a href="/page/<%=Encode.forUriComponent(restUrlParameter)%>">

Handling an Full Untrusted URL

When handling a full url with the OWASP Java encoder, first verify the URL is a legal URL.

String url = validateURL(untrustedInput);

Then encode the URL as an HTML attribute when outputting to the page. Note the linkable text needs to be encoded in a different context.

<a href="<%= Encode.forHtmlAttribute(url) %>"><%= Encode.forHtmlContent(link-name) %></a>

To use in a JSP with EL

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<html>
   <head>
       <title><e:forHtml value="${param.title}" /></title>
   </head>
   <body>
       <h1>${e:forHtml(param.data)}</h1>
   </body>
</html>

Other contexts can be found in the org.owasp.Encode class methods, including CSS strings, CSS urls, XML contexts, URIs and URI components.

The OWASP Java Encoder version 1.1.1 is now available in central!

OWASP Encoder at Maven Central.

Core

Direct Download: encoder-1.1.1.jar

Maven

<dependency>
   <groupId>org.owasp.encoder</groupId>
   <artifactId>encoder</artifactId>
   <version>1.1.1</version>
</dependency>

JSP Tag Library

Direct Download: encoder-jsp-1.1.1.jar

Maven

<dependency>
   <groupId>org.owasp.encoder</groupId>
   <artifactId>encoder-jsp</artifactId>
   <version>1.1.1</version>
</dependency>

The following describes the Grave Accent XSS issue with unpatched versions of Internet Explorer. Thank you to Rafay Baloch for bringing this to our attention.

Introduction

The grave accent (`), ASCII 96, hex 60 (wikipedia) is subject to a critical flaw in unpatched Internet Explorer. There is no possible encoding of the character that can avoid the issue. For a more in depth presentation on the issue discussed herein, please see Mario Heidrech's presentation.

Background

In Internet Explorer, the grave accent is usable as an HTML attribute quotation character, equivalent to single and double quotes. Specifically, IE treats the following as equivalent:

<body><%= Encode.forHtml(textValue) %>" /></body>
<input value="this is the value">
<input value=`this is the value`>

It is an IE extension, is not in HTML specifications (HTML4, HTML5), and is probably not well supported in other browsers.

The Issue

The following HTML snippet, demonstrates the cross-site scripting vulnerability related to grave accents on unpatched Internet Explorer:

<input value="``onmouseover=alert(1)">
<script>b.innerHTML=a.innerHTML</script>

When this snippet is run in Internet Explorer the following steps happen:

  1. Two div elements are created with id's "a" and "b"
  2. The script executes "a.innerHTML" which returns:
<input value=``onmouseover=alert(1)>
  1. The script sets "b.innerHTML" to the value from (2) and is converted to the DOM equivalent of
<input value="" onmouseover="alert(1)">

The XSS issue arises from IE returning a value from innerHTML that it does not parse back into the original DOM. Patched version of IE fix this issue by returning the XSS value as a double-quoted attribute. The issue is complicated by the fact that no possible encoding of the grave accent can avoid this issue.

When...

<input value="``onmouseover=alert(1)">

...is the input, "a.innerHTML" returns the same XSS vector as it does without the encoding.

Recommend Solution

Our recommended workaround is to update any JavaScript based innerHTML read to replace the accent grave with a numeric entity encoded form: "`". As an example, the following change to the XSS vulnerable code above fixes the issue:

<script>a.innerHTML=b.innerHTML.replace(/`/g, "`");</script>

This can be done in any library code that reads the innerHTML. To follow how this addresses the issue, the innerHTML from step 2 of the issue is converted to:

<input value=``onmouseover=alert(1)>

Since the browser will no longer see the grave accents as an empty attribute, it will convert the input back to a copy of its original DOM.

Other Possible Solutions

As there is no encoding option available, the following options are available to web application authors:

  1. Do not use innerHTML copies
  2. Filter out the accent grave from any user input
  3. Clean up grave accents when using an innerHTML copy

OWASP Java Encoder Library Related Changes

The OWASP Java Encoder Library at its core is intended to be a XSS safe _encoding_ library. The grave accent is a legitimate and frequently used character, that cannot be encoded to avoid this bug in unpatched versions of IE. With enough user feedback, we may update the library to include one of the following options: (1) alternate, drop-in build that filters grave accents, with unchanged API, (2) new filtering methods.

OWASP WebScarab NG Project Daniel Brzozowski @ Rogan Dawes (Past Contributor) @
OWASP Threat Modelling Project Anurag Agarwal @ N/A
OWASP Application Security Assessment Standards Project Matteo Michelini @ N/A
OWASP Hackademic Challenges Project Konstantinos Papapanagiotou @ Spyros Gasteratos @ Andreas Venieris (Core Developer) (Founder) @ Alex Papanikolaou @ Vasileios Vlachos @ Anastasios Stasinopoulos (Founder) @
OWASP Hatkit Proxy Project Martin Holst Swende @ N/A
OWASP Hatkit Datafiddler Project Martin Holst Swende @ N/A
OWASP ESAPI Swingset Interactive Project Fabio Cerullo @ Cathal Courtney @ N/A
OWASP ESAPI Swingset Demo Project Craig Younkins @ N/A
OWASP Web Application Security Accessibility Project Petr Závodský @ Jan Meszáros Tomáš Bakos Jakub Tomšej TEREZA
OWASP Cloud ‐ 10 Project Vinay Bansal @ Shankar Babu Chebrolu @ Pankaj Telang Ken Huang Ove Hansen Ludovic Petit @
OWASP Web Testing Environment Project Matt Tesauro @ David Hughes @ Brad Causey @ Nishi Kumar @ Drew Beebe @
OWASP iGoat Project Kenneth R. van Wyk @ Jonathan Carter @
Opa Henri Binsztok @ Adam Koprowski @ N/A
OWASP Mobile Security Project - Mobile Threat Model Tom Eston @ N/A
OWASP Codes of Conduct Colin Watson @ Jeff Williams @ Dave Wichers @ Dinis Cruz @
The OWASP "Green Book" Colin Watson @ Jeff Williams @ Dave Wichers @ Dinis Cruz @ Fabio Cerulo @ Sebastien Deleersnyder @
The OWASP "Blue Book" Colin Watson @ Jeff Williams @ Dave Wichers @ Dinis Cruz @ Fabio Cerulo @ Sebastien Deleersnyder @
The OWASP "Yellow Book" Colin Watson @ Jeff Williams @ Dave Wichers @ Dinis Cruz @ Larry Conklin Fabio Cerulo @ Sebastien Deleersnyder @
The OWASP "Purple Book" Colin Watson @ N/A Fabio Cerulo @ Sebastien Deleersnyder @
The OWASP "Red Book" Colin Watson @ Jason Taylor @ Jason Li @ Martin Knobloch @ Matthew Chalmers @ Justin Searle @ Larry Conklin Fabio Cerulo @ Sebastien Deleersnyder @

Main

OWASP Project Header.jpg

GoatDroid

The OWASP GoatDroid Project is a fully functional and self-contained environment for learning about Android security.

Introduction

GoatDroid requires minimal dependencies, and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location based social network, and Herd Financial, a mobile banking application.

Description

OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.

As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that can educate developers and security testers on new security issues. The project currently provides coverage for most of the OWASP Top 10 Mobile Risks and also includes a bunch of other problems as well.

Contributions will always be needed in order to keep this project moving at a pace that can support the seemingly endless new problems to tackle. If you are interested, please contact the project's leaders or send an email to the OWASP Mobile Security Project mailing list. We welcome code contributors, beta testers, new feature suggestions, and feedback always!

Licensing

GoatDroid is published by OWASP under the GPLv3 license. You should read and accept the LICENSE before you use, modify, and/or redistribute this software.

What is XXX?

OWASP XXX provides:

  • xxx
  • xxx


Presentation

Link to presentation



Project Leader

Jack Mannino


Related Projects


Quick Download

  • Link to page/download


News and Events

  • [20 Nov 2013] News 2
  • [30 Sep 2013] News 1


In Print

This project can be purchased as a print on demand book from Lulu.com


Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

FAQs

Q1
A1
Q2
A2

Acknowledgements

Volunteers

XXX is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • xxx
  • xxx

Others

  • xxx
  • xxx

Road Map and Getting Involved

As of XXX, the priorities are:

  • xxx
  • xxx
  • xxx

Involvement in the development and promotion of XXX is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • xxx
  • xxx


Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: Place your project name here.
Purpose: Project description goes here. Make sure to add a description that outlines how this project advances software security.
License: Place your license choice here: OWASP Recommended Licenses
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: [This is the full link to the mailing list (e.g. https://lists.owasp.org/mailman/listinfo/owasp-example-project) Mailing List Archives]
Project Roadmap: Not Yet Created
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases
OWASP WhatTheFuzz Project Joe Basirico @ N/A
OWASP ESAPI C++ Project David Anderson @ Dan Amodio @ Kevin Wall @ Jeff Walton
OWASP ESAPI C Project Dan Amodio @ David Anderson @
OWASP Security Tools for Developers Project (STD) Mark Curphey @ John Wilander @ Psiinon @
OWASP Data Exchange Format Project Psiinon @ Dinis Cruz @ Daniel Brzozowski @ Dafydd @
OWASP Cheat Sheets Project Jim Manico @ Michael Coates Eric Sheridan Dave Wichers Jeff Williams Kevin Keenan Abraham Kang Dave Ferguson Shreeraj Shah Raul Siles Colin Watson
OWASP SIMBA Project Koen Vanderloock @ N/A
OWASP VFW (Varnish FireWall) Eduardo S. Scarpellini @ Leonardo Buonsanti @
OWASP WebScarab Project Rogan Dawes @ N/A
OWASP OVAL Content Project Gaurav Kumar @ N/A
OWASP WAF Project Juan Carlos Calderon @ N/A
OWASP ESAPI Perl Project Sterling Hanenkamp @ N/A
OWASP NAXSI Project Thibault "bui" Koechlin @ Sebastien Blot Antonin Le Faucheux Didier Conchaudron Sofian Brabez
OWASP ESAPI for ColdFusion/CFML Project Damon Miller @ Bill Shelton @ Jason Dean @
OWASP Open Review Project Dan Cornell @ N/A
OWASP Best Practices: Use of Web Application Firewalls OWASP Germany Local Chapter @ Achim Hoffmann @ Maximilian Dermann Mirko Dziadzka Boris Hemkemeier Alexander Meisel Matthias Rohr @ Thomas Schreiber
OWASP Application Security Requirements Project Luis Armando Martinez Bacha @ N/A
OWASP Passw3rd Project Neil Matatall @ N/A