NodeGoat - The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node

  •        199

Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them. Tutorial Guide explaining how each of the OWASP Top 10 vulnerabilities can manifest in Node.js web apps and how to prevent it.

https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
https://github.com/OWASP/NodeGoat

Dependencies:

bcrypt-nodejs : 0.0.3
body-parser : ^1.15.1
consolidate : ^0.14.1
csurf : ^1.8.3
dont-sniff-mimetype : ^1.0.0
express : ^4.13.4
express-session : ^1.13.0
forever : ^0.15.1
helmet : ^2.0.0
marked : 0.3.9
mongodb : ^2.1.18
node-esapi : 0.0.1
serve-favicon : ^2.3.0
swig : ^1.4.2
underscore : ^1.8.3

Tags
Implementation
License
Platform

   




Related Projects

OWASP Juice Shop - Probably the most modern and sophisticated insecure web application

  •    Javascript

OWASP Juice Shop is an intentionally insecure web application written entirely in JavaScript which encompasses the entire range of OWASP Top Ten and other severe security flaws. Each packaged distribution includes some binaries for SQLite bound to the OS and node.js version which npm install was executed on.

zap-hud - The OWASP ZAP Heads Up Display (HUD)

  •    Java

The HUD is an interface that provides the functionality of ZAP directly in the browser. In all cases you will need Java 8+ installed.

vbscan - OWASP VBScan is a Black Box vBulletin Vulnerability Scanner

  •    Perl

OWASP VBScan (short for [VB]ulletin Vulnerability [Scan]ner) is an opensource project in perl programming language to detect VBulletin CMS vulnerabilities and analysis them . If you want to do a penetration test on a vBulletin Forum, OWASP VBScan is Your best shot ever! This Project is being faster than ever and updated with the latest VBulletin vulnerabilities.

joomscan - OWASP Joomla Vulnerability Scanner Project

  •    Perl

OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments. Implemented in Perl, this tool enables seamless and effortless scanning of Joomla installations, while leaving a minimal footprint with its lightweight and modular architecture. It not only detects known offensive vulnerabilities, but also is able to detect many misconfigurations and admin-level shortcomings that can be exploited by adversaries to compromise the system. Furthermore, OWASP JoomScan provides a user-friendly interface and compiles the final reports in both text and HTML formats for ease of use and minimization of reporting overheads. OWASP JoomScan is included in Kali Linux distributions.

BlackWidow - A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website

  •    Python

BlackWidow is a python based web application spider to gather subdomains, URL's, dynamic parameters, email addresses and phone numbers from a target website. This project also includes Inject-X fuzzer to scan dynamic URL's for common OWASP vulnerabilities. This software is released under the GNU General Public License v3.0. See LICENSE.md for details.


zap-extensions - OWASP ZAP Add-ons

  •    HTML

This project contains extensions for the OWASP Zed Attack Proxy (ZAP). You can also import add-ons you have downloaded manually from https://github.com/zaproxy/zap-extensions/releases via the "File / Load Add-on file..." menu option.

retire.js - scanner detecting the use of JavaScript libraries with known vulnerabilities

  •    Javascript

There is a plethora of JavaScript libraries for use on the Web and in Node.JS apps out there. This greatly simplifies development,but we need to stay up-to-date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 list of security risks and insecure libraries can pose a huge risk to your Web app. The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities. A Grunt task for running Retire.js as part of your application's build routine, or some other automated workflow.

DevGuide - The OWASP Guide

  •    

Thank you for your interest in the OWASP Developer Guide, the first major Open Web Application Security Project (OWASP) Document. This is the development version of the OWASP Developer Guide, and will be converted into PDF & MediaWiki for publishing when complete.

Top10 - Official OWASP Top 10 Document Repository

  •    HTML

If you have comments, we encourage you to log issues. Please feel free to browse the issues, comment on them, or file a new one. There are currently four co-leaders for the OWASP Top 10. We meet every Friday at 1 pm US PDT to discuss the project. If you want to join that call, please contact us. It's really not that exciting.

owasp-modsecurity-crs - OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

  •    Lua

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

OWASP Security LinkUp

  •    

OWASP security linkup is a web application allowing for security professionals to connect. It is also an example of a well built web application following the OWASP guidelines.

owasp-mstg - The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security testing and reverse engineering

  •    HTML

This is the official GitHub Repository of the OWASP Mobile Security Testing Guide (MSTG). The MSTG is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). You can also read the MSTG on Gitbook or download it as an e-book. The MSTG is not complete yet. You can however get intermediate builds in multiple formats.

OWASP-Xenotix-XSS-Exploit-Framework - OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework

  •    Python

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1500+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes highly offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Antivirus Solutions may detect it as a threat. However it is due to the features in the exploitation framework.

amass - In-depth subdomain enumeration written in Go

  •    Go

Amass is now an OWASP project and the OWASP GitHub organization repository is where all further development and releases will take place.

OpenDoor - OWASP WEB Directory Scanner

  •    Python

OpenDoor OWASP is console multifunctional web sites scanner. This application find all possible ways to login, index of/ directories, web shells, restricted access points, subdomains, hidden data and large backups. The scanning is performed by the built-in dictionary and external dictionaries as well. Anonymity and speed are provided by means of using proxy servers. Software is written for informational purposes and is open source product under the GPL license.

owasp-pysec - OWASP Python Security Project

  •    Python

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

owasp-threat-dragon - An open source, online threat modelling tool from OWASP

  •    Javascript

Threat Dragon is a free, open-source, cross-platform threat modelling application including system diagramming and a threat rule engine to auto-generate threats/mitigations. It is an OWASP Incubator Project. The focus of the project is on great UX, a powerful rule engine and integration with other development lifecycle tools. A web application (this repo): For the web application, models files are stored in GitHub (other storage will become available). We are currently maintaining a working protoype in synch with the master code branch.

owasp-threat-dragon-desktop - An installable desktop variant of OWASP Threat Dragon

  •    CSS

Threat Dragon is a free, open-source, cross-platform threat modeling application including system diagramming and a rule engine to auto-generate threats/mitigations. It is an OWASP Incubator Project. The focus of the project is on great UX, a powerful rule engine and integration with other development lifecycle tools. A web application: For the web application, models files are stored in GitHub (other storage will become available). We are currently maintaining a working protoype in synch with the master code branch.

aws-waf-sample - This repository contains example scripts and sets of rules for the AWS WAF service

  •    Python

Examples of sets of rules for the AWS WAF service and scripts to automate the management and configuration of AWS WAF rule sets. These examples include SDK usage, AWS CloudFormation templates and automations using AWS Lambda functions.This example AWS CloudFormation template contains an AWS WAF web access control list (ACL) and condition types and rules that illustrate various mitigations against application flaws described in the OWASP Top 10. However, note that this template is designed only as a starting point and may not provide sufficient protection to every workload. You should customize the template’s rules for each workload. For more information, please review the Use AWS WAF to Mitigate OWASP's Top 10 Web Application Vulnerabilities whitepaper.

aws-waf-sample - This repository contains example scripts and sets of rules for the AWS WAF service

  •    Python

Examples of sets of rules for the AWS WAF service and scripts to automate the management and configuration of AWS WAF rule sets. These examples include SDK usage, AWS CloudFormation templates and automations using AWS Lambda functions. This example AWS CloudFormation template contains an AWS WAF web access control list (ACL) and condition types and rules that illustrate various mitigations against application flaws described in the OWASP Top 10. However, note that this template is designed only as a starting point and may not provide sufficient protection to every workload. You should customize the template’s rules for each workload. For more information, please review the Use AWS WAF to Mitigate OWASP's Top 10 Web Application Vulnerabilities whitepaper.






We have large collection of open source products. Follow the tags from Tag Cloud >>


Open source products are scattered around the web. Please provide information about the open source projects you own / you use. Add Projects.