/r/owasp


The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software.

Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.


2,876 Subscribers

4

OWASP Zap Force browse differences

I'm trying to understand what the difference is between the three provided options

- Forced browse site
- Forced browse directory
- Forced browse directory (and children)

Can someone please elaborate?

2 Comments
2020/04/21
20:08 UTC

5

OWASP ZAP Authentication Scan

Hello,

I have a problem. I'm using the latest version of OWASP ZAP in a Docker image in portainer.io. While crawling the target website, it won't open the preconfigured Firefox browser. After changing the network settings in my own browser, it still won't show the application. When using a local OWASP ZAP, it shows the browser and captures the username, but the password session won't be captured.

While opening the browser, I do the following: I fill in the username, after that I fill in the password in a password field that comes in the session. I log in, click some things on the page and log out.

How can I get the password session captured?

2 Comments
2020/04/16
09:26 UTC

6

How do you give secure coding advice when you are not a developer?

Hi, I've recently been asked to help devs with remediation and secure coding. I have very little programming experience but do have some pentesting experience and am familiar with vulnerabilities, etc. My initial thought is to learn JavaScript and then get to know the OWASP material like the back of my hand.

Any ideas? Thanks!

8 Comments
2020/04/01
15:56 UTC

8

Are You Properly Using JWTs? - Session recording from OWASP AppSec California 2020

0 Comments
2020/03/04
21:04 UTC

1

Can OWASP projects use copyleft licenses?

Would anyone know?

Say I wanted to use GPL or MPL licenses on my project, would OWASP accept it?

Thanks!

0 Comments
2020/03/04
20:06 UTC

4

JavaScript Injection [30] - Secure Coding

0 Comments
2020/02/14
17:44 UTC

5

XML External Entity Injection [113] - OWASP

0 Comments
2020/02/10
18:13 UTC

4

Jan 30 Webinar: Are You Properly Using JWTs?

My company (42Crunch) is hosting a webinar "Are You Properly Using JWTs?" Jan 30, 2020 11:00 AM in Pacific Time

This is not product-related in any way. Just a deep dive into JWT and security best practices. Here's the abstract:

JSON Web Tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWTs are often misused and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper validation.

This session focuses on best practices and real world examples of JWT usage, where we cover:

  • Typical scenarios where using JWT is a good idea
  • Typical scenarios where using JWT is a bad idea!
  • Principles of Zero trust architecture and why you should always validate
  • Best practices to thoroughly validate JWTs and potential vulnerabilities if you don’t
  • Use cases when encryption may be required for JWT

Register at https://42crunch.com/webinar-jwt/

0 Comments
2020/01/15
21:09 UTC

4

Want to someday achieve the CSSLP

Hey guys,

I want to someday get into the CSSLP, and specialize in Web Application Security (and become a Web Application Security Analyst). What would be a good entry level cert? I have zero certs so far.

I have a Bachelor of Science in Information Sciences and Technology (a light version of Comp Sci), and I plan on doing my Master of Science in Cyber Security.

I am not too keen on Network systems, as I am not a fan of it, that is why I want to specialize in Web Application Security.

I was thinking of doing the CEH as my first cert, but again, what would be a good entry level cert for me if I want to get the CSSLP and become a Web Application Security Analyst?

Thank you.

If learning networks is mandatory, I will have to suck it up :p

2 Comments
2020/01/12
03:38 UTC

1

Best XSS scanner?

Hey guys,

After doing some research on finding an XSS scanner for our product, XSStrike seems to be the best option at this point, but I know sometimes features like vulnerability scanning come bundled as part of other software.

What would you recommend for XSS scanning?

Thanks!

4 Comments
2019/10/28
14:56 UTC

2

OWASP / RASP App Consultant

Hello!

Our SF Bay-based company is looking for a short-term consultant for usability testing on our RASP (Runtime Application Self Protection) product.

Ideally this candidate is local (not a dealbreaker), should have extensive penetration testing experience, and have worked in DevSecOps paradigms. An NDA must be signed, and compensation is negotiable. Please direct message us if you're up for the task.

0 Comments
2019/10/02
20:49 UTC

4

OWASP Top 10 for JavaScript?

Hello all,

I've been reading through the OWASP Top 10 guides for secure coding. I see examples for Java, .NET, PHP, etc., but I don't see good coding examples for JavaScript / Node. I've started to dig through the GitHub, but I'm not seeing anything. Does anyone have a reference for something like this, or do you know where I can locate it on the OWASP site?

Kind regards

2 Comments
2019/08/21
19:01 UTC

7

Hands on OWASP Course!

Hey all, ISACA made a course that lets you work with each of the OWASP Top 10 directly for CPE credit for your certs! It's pretty fun and I liked the practical engagement part. Thought I'd pass along.

https://nexus.isaca.org/products/124

0 Comments
2019/07/17
21:18 UTC

13

"AppSec: From the OWASP Top Ten(s) to the OWASP ASVS" with Jim Manico (51min talk from GOTO Chicago 2019)

2 Comments
2019/07/16
13:37 UTC

3

Adam Shostack - Threat modeling layer 8 and conflict modeling - Security Journey

We spoke with Adam on the Application Security Podcast about threat modeling the humans and conflict modeling. Deep stuff that goes much further than tech, but into privacy and how to determine what should be allowed in a social world.

https://www.securityjourney.com/blog/adam-shostack-threat-modeling-layer-8-and-conflict-modeling/

0 Comments
2019/07/13
17:54 UTC

3

Jon McCoy — Hacker outreach

https://www.securityjourney.com/blog/jon-mccoy-hacker-outreach/

Jon McCoy is a security engineer, a developer, and a hacker; and a passionate OWASP advocate. Maybe even a hacker first. Jon has a passion to connect people and break down barriers between hackers and corporate folks. Jon explains the idea of hacker outreach and breaks down what we can expect if we venture to the DefCon event in Las Vegas. Jon also remembered a cautionary tale of Robert's Fitbit out at a DefCon event. Jon is someone we can all learn from about giving back to our community.

0 Comments
2019/05/08
01:55 UTC

10

Simon Bennetts — OWASP ZAP: past, present, and future

https://www.securityjourney.com/blog/simon-bennetts-owasp-zap-past-present-and-future/

Simon Bennetts is the project leader for OWASP ZAP. Simon joined Robert at CodeMash to talk about the origin of ZAP, the new heads up display, and ZAP API.

2 Comments
2019/04/16
01:58 UTC

2

Trying to do new Portswigger "Web Security Academy" through OWASP ZAP, getting "Content Encoding Error"

Using Firefox 66.0.2 (64-bit) on Linux Mint 19.1, I've been working through the new Portswigger "Web Security Academy" (https://portswigger.net/, but you need to create an account). When you do an actual lab, their site redirects you to a URL such as https://acf92090389098d68063d3a2.web-security-academy.net/ which I assume is a just-spun-up VM.

Everything works fine if I just use Firefox. If I run ZAP D-2019-04-01 and have Firefox use the ZAP proxy, when the main site redirects to the VM, Firefox gives "Content Encoding Error".

It looks like the response from the GET of the VM URL has a header containing "Content-Encoding: gzip" but the response body just contains plain HTML (starts with "<!DOCTYPE html> <html> <head> ...").

In the zap.log I see "ERROR ProxyThread - Unable to uncompress gzip content: Not in GZIP format java.util.zip.ZipException: Not in GZIP format"

Why am I getting this error when using the ZAP proxy? Is the proxy being stricter than Firefox? But the error page is a Mozilla-constructed page; it's not coming from the proxy. Or maybe I'm completely wrong, and something else is going on? Thanks for any help.

[Edit: found it is the web site doing something wrong, apparently. And a default setting of ZAP was making it appear. https://groups.google.com/forum/#!topic/zaproxy-users/OoiFBGgwGTU]

0 Comments
2019/04/07
21:10 UTC

3

Mobile iOS Security: Is Security.framework secure or not?

Within MSTG, local authentication, there is the following comment regarding Security.framework:

Please be aware that using either the LocalAuthentication.framework or the Security.framework, will be a control that can be bypassed by an attacker as it does only return a boolean and no data to proceed with.

Is Security.framework actually insecure and, if so, why? I've had a look online and cannot find anything to support this claim, as the posts I have read recommend using this instead of LocalAuthentication, as Security.framework requires a passcode/biometric to unlock data in the keychain, rather than just returning a Boolean.

0 Comments
2019/03/04
15:53 UTC

1

[ZAP] Inject Python Script in Request Editor

Is it possible to send/alter requests in the request editor, with a scripting language like python?

For example, during the WebGoat boolean SQLi task, you have to manually enumerate objects based on the response. It would be really nice if you could write a little Python script to do that loop for you. I am curious whether this is possible or not.

I am not sure if you can do it in Python on its own; don't you need the browser context that ZAP has?

0 Comments
2019/02/26
16:51 UTC
