
ModSecurity - Cross platform Web Application Firewall (WAF)

  •    C

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence.

awesome-appsec - A curated list of resources for learning about application security

  •    PHP

A curated list of resources for learning about application security. Contains books, websites, blog posts, and self-assessment quizzes. Maintained by Paragon Initiative Enterprises with contributions from the application security and developer communities. We also have other community projects which might be useful for tomorrow's application security experts.

amass - In-depth subdomain enumeration written in Go

  •    Go

Amass is now an OWASP project and the OWASP GitHub organization repository is where all further development and releases will take place.

Astra - Automated Security Testing For REST APIs

  •    Python

REST API penetration testing is complex because existing APIs change continuously and new APIs keep being added. Astra can be used by security engineers or developers as an integral part of their process, so that they can detect and patch vulnerabilities early in the development cycle. Astra can automatically detect and test login and logout (the authentication API), which makes it easy to integrate into a CI/CD pipeline. Astra can also take an API collection as input, so it can be used to test APIs in standalone mode.

juice-shop - OWASP Juice Shop is an intentionally insecure web application for security training, written entirely in JavaScript, which encompasses the entire OWASP Top Ten and other severe security flaws

  •    Javascript

OWASP Juice Shop is an intentionally insecure web application written entirely in JavaScript which encompasses the entire OWASP Top Ten and other severe security flaws. Each packaged distribution includes SQLite binaries bound to the OS and Node.js version on which npm install was executed.

Bluemonday - A fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS

  •    Go

bluemonday is an HTML sanitizer implemented in Go. It is fast and highly configurable. bluemonday takes untrusted user-generated content as input and returns HTML that has been sanitised against a whitelist of approved HTML elements and attributes, so that you can safely include the content in your web page.

django-DefectDojo - DefectDojo is an open-source application vulnerability correlation and security orchestration tool

  •    Python

DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo. Try out DefectDojo in our testing environment.

HTML Purifier - Standards compliant HTML filter written in PHP

  •    PHP

HTML Purifier is an HTML filtering solution that uses a unique combination of robust whitelists and aggressive parsing to ensure not only that XSS attacks are thwarted, but also that the resulting HTML is standards compliant.
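Both bluemonday and HTML Purifier work the same way at heart: parse the untrusted markup, keep only elements and attributes on an allowlist, and re-serialise the rest as escaped text. The following is an added illustration of that approach in Python, using only the standard library; it is not code from either project, and the allowlist, the set of permitted URL schemes and the sample inputs are constructed for this example. It also handles two details a practitioner will want to see: the contents of script and style elements are dropped rather than echoed as text, and URL attributes are checked after stripping the control characters browsers ignore, so that a payload such as a href of "java<newline>script:alert(1)" cannot slip past a naive scheme check.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: element -> attributes permitted on it. Anything not listed is dropped.
# Constructed for this example; not the rule set of bluemonday or HTML Purifier.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "code": set(), "pre": set(),
    "blockquote": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}                 # elements with no closing tag
URL_ATTRS = {"href", "src"}               # values must pass the scheme check
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}   # drop the element and its text


def safe_url(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and friends.

    Browsers strip tab/newline/control characters before parsing a URL, so
    'java\\nscript:alert(1)' executes as javascript:. Strip them first so the
    scheme check sees what the browser will see.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    try:
        scheme = urlparse(cleaned).scheme.lower()
    except ValueError:                    # malformed input, e.g. bad IPv6 brackets
        return False
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []    # allowed elements emitted but not yet closed
        self.skipping = 0                 # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return                        # drop the tag, keep any text children
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                  # drops on*, style and every other attribute
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = max(0, self.skipping - 1)
            return
        if self.skipping or tag in VOID_TAGS or tag not in self.open_tags:
            return                        # stray close tags are dropped, not echoed
        while self.open_tags:             # close anything still open inside it
            open_tag = self.open_tags.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skipping:             # text is re-escaped, never passed through
            self.out.append(html.escape(data, quote=False))

    # comments, doctypes and processing instructions: inherited no-ops, so dropped

    def result(self) -> str:
        self.close()
        while self.open_tags:             # balance unclosed elements
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html: str) -> str:
    """Return untrusted_html reduced to the allowlisted elements and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input exercising event handlers, script content and URL schemes.
    sample = ('<p onclick="x()">Hi <b>there</b><script>alert(1)</script>'
              '<a href="javascript:alert(1)">x</a><img src="/a.png" onerror="alert(1)"></p>')
    print(sanitize(sample))
```

Because the output is regenerated from the parse tree rather than patched with regular expressions, an attacker cannot smuggle a tag through by malforming it: anything the parser does not recognise as an allowed element becomes escaped text.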

BlackWidow - A Python-based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website

  •    Python

BlackWidow is a Python-based web application spider that gathers subdomains, URLs, dynamic parameters, email addresses and phone numbers from a target website. The project also includes the Inject-X fuzzer, which scans dynamic URLs for common OWASP vulnerabilities. This software is released under the GNU General Public License v3.0. See LICENSE.md for details.

OWASP .NET Shield

  •    

Code to protect .NET web applications and services against SQL injection and cross-site scripting attacks.

vbscan - OWASP VBScan is a Black Box vBulletin Vulnerability Scanner

  •    Perl

OWASP VBScan (short for [VB]ulletin Vulnerability [Scan]ner) is an open source project written in Perl that detects and analyses vulnerabilities in the vBulletin CMS. If you want to do a penetration test on a vBulletin forum, OWASP VBScan is a strong choice. The project is faster than before and is updated with the latest vBulletin vulnerabilities.

OpenDoor - OWASP WEB Directory Scanner

  •    Python

OpenDoor is a multifunctional console web site scanner. It looks for login pages, "Index of/" directory listings, web shells, restricted access points, subdomains, hidden data and large backups. Scanning is driven by the built-in dictionary as well as external dictionaries. Proxy servers are used to provide anonymity and speed. The software is written for informational purposes and is open source under the GPL license.

glue - Application Security Automation

  •    Ruby

Glue is a framework for running a series of tools. Generally, it is intended as a backbone for automating a security analysis pipeline of tools. Check out the Playground to get a better understanding of Glue's features and how you can use them.

OwaspHeaders

  •    CSharp

A .NET Core middleware for injecting the OWASP-recommended HTTP headers for increased security. ClacksMiddleware has a Code of Conduct to which all contributors, maintainers and forkers must agree when contributing, maintaining, forking or in any other way changing the code presented in this repository.
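The mechanism behind a header-injecting middleware is the same in any framework: hook the point just before response headers are flushed and add the hardening headers the application did not set itself. The following is an added example of that pattern written as a Python WSGI middleware, not OwaspHeaders' own C# code; the header set and values are a representative selection assumed for this illustration (the page does not list what OwaspHeaders injects), and the demo app and in-process request driver are constructed for the example. The point worth seeing is the merge rule: a header the application already set wins, so a page that needs a different Content-Security-Policy is not silently overridden or sent twice.

```python
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# Representative hardening headers, assumed for this example. The exact set and
# values a given project ships (OwaspHeaders included) must be checked in its docs.
SECURE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


class SecureHeadersMiddleware:
    """WSGI middleware that adds each secure header unless the app already set it.

    Wrapping start_response is the WSGI equivalent of hooking the response just
    before headers are sent, which is where a server-side middleware has to act.
    """

    def __init__(self, app: Callable, headers: dict = None) -> None:
        self.app = app
        self.headers = dict(SECURE_HEADERS if headers is None else headers)

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        def wrapped_start_response(status: str, response_headers: Headers, exc_info=None):
            # Header names are case-insensitive; compare lowercased.
            present = {name.lower() for name, _ in response_headers}
            merged = list(response_headers)
            for name, value in self.headers.items():
                if name.lower() not in present:      # app-set values win
                    merged.append((name, value))
            return start_response(status, merged, exc_info)

        return self.app(environ, wrapped_start_response)


def hello_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed demo app; sets its own CSP to show the middleware does not clobber it."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Security-Policy", "default-src 'none'")])
    return [b"hello\n"]


def run_request(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app in-process (no server) and return (status, headers, body)."""
    captured = {}

    def start_response(status: str, headers: Headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_PROTOCOL": "HTTP/1.1"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def header_values(headers: Headers, name: str) -> List[str]:
    """All values sent for a header name (case-insensitive); detects duplicates."""
    return [value for key, value in headers if key.lower() == name.lower()]


if __name__ == "__main__":
    status, headers, body = run_request(SecureHeadersMiddleware(hello_app))
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
```

To deploy it for real, wrap the application object once (`application = SecureHeadersMiddleware(application)`) and verify the result from outside with `curl -I`, since a reverse proxy in front of the app may strip or add headers of its own.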

dependency-check-plugin - Jenkins plugin for OWASP Dependency-Check

  •    Java

Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. This tool can be part of the solution to the OWASP Top 10 2013: A9 - Using Components with Known Vulnerabilities. This plug-in can independently execute a Dependency-Check analysis and visualize results.

Ukraine-infosec-conferences - Announcements, programmes and an archive of materials from Ukrainian cyber-security conferences

  •    

Announcements, programmes and an archive of materials from Ukrainian cyber-security events. The data is collected from the events' official resources, as well as from conference participants' archives, archive.org and other open sources. Cyber-security events that do not keep archives of meeting materials.

dependency-check-py - Shim to easily install OWASP dependency-check-cli into Python projects

  •    Python

Shim to easily install the OWASP dependency-check-cli tool into Python projects. dependency-check scans application dependencies and checks whether they contain any published vulnerabilities (based on the NIST NVD). It runs in the JVM, so you need a Java runtime available in your PATH. The script should work on Linux, Mac OS X and Windows, but right now it is only tested on Linux.

owasp-aasvs - OWASP Annotated Application Security Verification Standard

  •    Javascript

This repository aims to host the versioned and authoritative source data for the OWASP ASVS project. In order to build on top of this data a strict, normalized format was required (unlike, say, storing everything in Markdown or HTML), as it is much easier to remove strictness than to add it. There are many data serialization formats; those with broad support include XML, CSV and YAML.