/r/owasp
The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.
Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
I'm trying to understand what the difference is between the three provided options
- Forced browse site
- Forced browse directory
- Forced browse directory (and children)
Can someone please elaborate?
Hello,
I have a problem. I'm using OWASP ZAP latest version on a Docker image in portainer.io. While crawling the target website, it won't open the preconfigured Firefox browser. After changing the network settings in my own browser, it still won't show the application. While using local OWASP ZAP, it shows the browser and it captures the username, but the password session won't be captured.
While opening the browser, I do the following -> Filling in username, after that I fill the password in a password field that comes in the session. I log in, click some things on the page and log out.
How can I get the password session captured?
Hi, I've been recently asked to help devs with remediation and secure coding. I have very little programming experience but do have some pentesting experience and am familiar with vulnerabilities, etc. My initial thought is to learn JavaScript and then get to know OWASP stuff like the back of my hand.
Any ideas? Thanks!
Would anyone know?
Say I wanted to use GPL or MPL licenses on my project, would OWASP accept it?
Thanks!
My company (42Crunch) is hosting a webinar "Are You Properly Using JWTs?" Jan 30, 2020 11:00 AM in Pacific Time
This is not product-related in any way. Just a deep dive into JWT and security best practices. Here's abstract:
JSON Web Tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWTs are often misused and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper validation.
This session focuses on best practices and real world examples of JWT usage, where we cover:
Register at https://42crunch.com/webinar-jwt/
Hey guys,
I want to someday get into the CSSLP, and specialize in Web Application Security (and become a Web Application Security Analyst). What would be a good entry level cert? I have zero certs so far.
I have a Bachelor of Science in Information Sciences and Technology (a light version of Comp Sci), and I plan on doing my Master of Science in Cyber Security.
I am not too keen on Network systems, as I am not a fan of it, that is why I want to specialize in Web Application Security.
I was thinking of doing the CEH as my first cert, but again, what would be a good entry level cert for me if I want to get the CSSLP and become a Web Application Security Analyst.
Thank you.
If learning networks is mandatory, I will have to suck it up :p
Hey guys,
After doing some research on finding an XSS scanner for our product, XSStrike seems to be the best option at this point, but I know sometimes features like vulnerability scanning come bundled as part of other software.
What would you recommend for XSS scanning?
Thanks!
Hello!
Our SF Bay-based company is looking for a short-term consultant for usability testing on our RASP (Runtime Application Self Protection) product.
Ideally this candidate is local (not a dealbreaker), should have extensive penetration testing experience, and have worked in DevSecOps paradigms. An NDA must be signed, and compensation is negotiable. Please direct message us if you're up for the task.
Hello all,
I've been reading through the OWASP Top 10 guides for secure coding. I see examples for Java, .NET, PHP, etc., but I don't see good coding examples for JavaScript / Node. I've started to dig through the GitHub, but I'm not seeing anything. Does anyone have a reference for something like this, or do you know where I can locate it on the OWASP site?
Kind regards
Hey all, ISACA made a course that lets you work with each of the OWASP Top 10 directly for CPE credit for your certs! It's pretty fun and I liked the practical engagement part. Thought I'd pass along.
We spoke with Adam on the Application Security Podcast about threat modeling the humans and conflict modeling. Deep stuff that goes much further than tech, but into privacy and how to determine what should be allowed in a social world.
https://www.securityjourney.com/blog/adam-shostack-threat-modeling-layer-8-and-conflict-modeling/
https://www.securityjourney.com/blog/jon-mccoy-hacker-outreach/
Jon McCoy is a security engineer, a developer, and a hacker; and a passionate OWASP advocate. Maybe even a hacker first. Jon has a passion to connect people and break down barriers between hackers and corporate folks. Jon explains the idea of hacker outreach and breaks down what we can expect if we venture to the DefCon event in Las Vegas. Jon also remembered a cautionary tale of Robert’s Fitbit out at a DefCon event. Jon is someone we can all learn from about giving back to our community.
https://www.securityjourney.com/blog/simon-bennetts-owasp-zap-past-present-and-future/
Simon Bennetts is the project leader for OWASP ZAP. Simon joined Robert at CodeMash to talk about the origin of ZAP, the new heads up display, and ZAP API.
Using Firefox 66.0.2 (64-bit) on Linux Mint 19.1, I've been working through the new PortSwigger "Web Security Academy" (https://portswigger.net/ but you need to create an account). When you do an actual lab, their site redirects you to a URL such as https://acf92090389098d68063d3a2.web-security-academy.net/ which I assume is a just-spun-up VM.
Everything works fine if I just use Firefox. If I run ZAP D-2019-04-01 and have Firefox use the ZAP proxy, when the main site redirects to the VM, Firefox gives "Content Encoding Error".
It looks like the response from the GET of the VM URL has a header containing "Content-Encoding: gzip" but the response body just contains plain HTML (starts with "<!DOCTYPE html> <html> <head> ...").
In the zap.log I see "ERROR ProxyThread - Unable to uncompress gzip content: Not in GZIP format java.util.zip.ZipException: Not in GZIP format"
Why am I getting this error when using the ZAP proxy? Is the proxy being stricter than Firefox? But the error page is a Mozilla-constructed page; it's not coming from the proxy. Or maybe I'm completely wrong, and something else is going on? Thanks for any help.
[Edit: found it is the web site doing something wrong, apparently. And a default setting of ZAP was making it appear. https://groups.google.com/forum/#!topic/zaproxy-users/OoiFBGgwGTU ]
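The failure mode in the post above is a response whose Content-Encoding header says gzip while the body is plain HTML, so a strict decoder (here ZAP's ProxyThread) throws "Not in GZIP format". The following is an added example, not code from the post or from the ZAP project: a small check that parses a raw HTTP response, compares the declared encoding against the gzip magic bytes (0x1f 0x8b), and classifies the response as consistent, mismatched, or corrupt. The sample responses are constructed inline for the example; the function names and the verdict strings are my own.

```python
import gzip
import zlib
from typing import Optional

GZIP_MAGIC = b"\x1f\x8b"  # every gzip member starts with these two bytes


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    return status, headers, body


def check_content_encoding(raw: bytes) -> dict:
    """Compare the declared Content-Encoding with what the body actually contains.

    verdict is one of:
      "ok"           - header and body agree (or no compression declared)
      "mismatch"     - header says gzip but the body does not start with the gzip magic
      "corrupt-gzip" - body looks like gzip but cannot be decompressed
    """
    _status, headers, body = parse_response(raw)
    declared = headers.get("content-encoding", "identity").lower()
    looks_gzip = body.startswith(GZIP_MAGIC)
    result = {"declared": declared, "body_is_gzip": looks_gzip}

    if declared != "gzip":
        # Nothing to verify for identity; other encodings are out of scope here.
        result["verdict"] = "ok"
        result["decoded"] = body
        return result

    if not looks_gzip:
        # This is the case from the post: the server lies about the encoding.
        # A strict proxy errors out; a lenient client would render the body as-is.
        result["verdict"] = "mismatch"
        result["decoded"] = body
        return result

    try:
        result["decoded"] = gzip.decompress(body)
        result["verdict"] = "ok"
    except (OSError, EOFError, zlib.error):
        # BadGzipFile is an OSError subclass; truncated streams raise EOFError.
        result["verdict"] = "corrupt-gzip"
    return result


def build_response(body: bytes, encoding: Optional[str]) -> bytes:
    """Assemble a constructed HTTP/1.1 200 response around the given body."""
    header_lines = [b"HTTP/1.1 200 OK", b"Content-Type: text/html; charset=utf-8"]
    if encoding:
        header_lines.append(b"Content-Encoding: " + encoding.encode("ascii"))
    header_lines.append(b"Content-Length: " + str(len(body)).encode("ascii"))
    return b"\r\n".join(header_lines) + b"\r\n\r\n" + body


# Constructed sample bodies (not captured from the lab site in the post).
HTML = b"<!DOCTYPE html>\n<html><head><title>lab</title></head><body>ok</body></html>"
GOOD = build_response(gzip.compress(HTML), "gzip")    # header and body agree
BAD = build_response(HTML, "gzip")                     # header claims gzip, body is plain HTML
CORRUPT = build_response(b"\x1f\x8bjunk", "gzip")       # right magic, garbage after it


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD), ("corrupt", CORRUPT)):
        r = check_content_encoding(sample)
        print(f"{name}: declared={r['declared']} body_is_gzip={r['body_is_gzip']} verdict={r['verdict']}")
```

Run as a script it prints one line per constructed sample; the "mismatch" verdict for BAD is the same condition that produced the ZipException in zap.log. The magic-byte check is cheap and can be applied to any captured response before handing it to a decompressor, which avoids relying on the decoder's exception to discover that a server is mislabelling its content.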
Within MSTG, local authentication, there is the following comment regarding Security.framework:
Please be aware that using either the LocalAuthentication.framework or the Security.framework, will be a control that can be bypassed by an attacker as it does only return a boolean and no data to proceed with.
Is Security.framework actually insecure and, if so, why? I've had a look online and cannot find anything to support this claim, as the posts I have read recommend using this instead of LocalAuthentication, as Security.framework requires a passcode/biometric to unlock data in the keychain, rather than just returning a Boolean.
Is it possible to send/alter requests in the request editor, with a scripting language like python?
For example, during the WebGoat boolean SQLi task, you have to manually enumerate objects based on the response, it would be really nice if you could write a little python script to do that loop for you. I am curious if this is possible or not.
I am not sure if you can do it in python on its own, don't you need the browser context that ZAP has?