OWASP Community Pages
OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.
To contribute, go to the repository for this site.
Go into the pages folder and create a new file. Save and commit the file.
Include the following front matter at the top of your file (for an example, see pages/password-special-characters.md in this repository):

```yaml
---
layout: col-sidebar
title: [title of page]
author: [author name]
contributors: [contributors]
permalink: [direct link to page, removes /pages] (this is optional and requires some care)
tags: [attack, XSS, etc]
---
{% include writers.html %}
```
Please ensure your content contribution is based on original work/thought and not plagiarised. Also, please ensure that contributions are vendor/product neutral.
Content Listing
Click the triangle (or other control/character) to the left of the following headings to access an expanded list of community content pages.
Controls
- Blocking Brute Force Attacks by Esheridan
- Bytecode Obfuscation by Pierre Parrend
- Certificate and Public Key Pinning by Jeffery Walton, JohnSteven, Jim Manico, Kevin Wall, Ricardo Iramar
- Content Security Policy by Dominique RIGHETTO
- Detect Profiling Phase by Dominique RIGHETTO
- Intrusion Detection
- Secure Cookie Attribute by MichaelCoates
- Session Fixation Protection by RoganDawes
- Static Code Analysis by Ryan Dewhurst
Attacks
- Binary Planting
- Blind SQL Injection
- Blind XPath Injection
- Brute Force Attack
- Buffer Overflow Attack
- Buffer Overflow via Environment Variables
- CORS OriginHeaderScrutiny
- CORS RequestPreflightScrutiny by Dominique RIGHETTO
- CSV Injection by Timo Goosen, Albinowax
- Cache Poisoning by Weilin Zhong, Rezos
- Cash Overflow by psiinon
- Clickjacking by Gustav Rydstedt
- Code Injection by Weilin Zhong, Rezos
- Command Injection by Weilin Zhong
- Comment Injection Attack by Weilin Zhong, Rezos
- Content Spoofing by Andrew Smith
- Credential stuffing by Neal Mueller
- Cross Frame Scripting by Rezos, Justin Ludwig
- Cross Site History Manipulation (XSHM) by Adar Weidman
- Cross Site Request Forgery (CSRF) by KirstenS
- Cross Site Scripting (XSS) by KirstenS
- Cross Site Tracing
- Cross-User Defacement
- Cryptanalysis
- Custom Special Character Injection by Rezos
- DOM Based XSS
- Denial of Service by Nsrav
- Direct Dynamic Code Evaluation - Eval Injection
- Embedding Null Code by Nsrav
- Execution After Redirect (EAR) by Robert Gilbert (amroot)
- Forced browsing
- Form action hijacking by Robert Gilbert (amroot)
- Format string attack
- Full Path Disclosure
- Function Injection
- HTTP Response Splitting
- LDAP Injection
- Log Injection
- Man-in-the-browser attack
- Manipulator-in-the-middle attack
- Mobile code invoking untrusted mobile code
- Mobile code non-final public field
- Mobile code object hijack
- Parameter Delimiter
- Password Spraying Attack by Rishu Ranjan
- Path Traversal
- Qrljacking
- Reflected DOM Injection
- Regular expression Denial of Service - ReDoS by Adar Weidman
- Repudiation Attack
- Resource Injection
- Reverse Tabnabbing
- SQL Injection
- SQL Injection Bypassing WAF
- Server Side Request Forgery
- Server-Side Includes (SSI) Injection by Weilin Zhong, Nsrav
- Session Prediction
- Session fixation
- Session hijacking attack
- Setting Manipulation
- Special Element Injection
- Spyware
- Traffic flood
- Trojan Horse
- Unicode Encoding
- Web Parameter Tampering
- Web Service Amplification Attack by Thomas Vissers
- Windows ::DATA Alternate Data Stream
- XPATH Injection
- XSRF
- XSS in subtitle by Mohammad MortazaviZade
Vulnerabilities
- Allowing Domains or Accounts to Expire
- Buffer Overflow
- Business logic vulnerability
- CRLF Injection
- Catch NullPointerException
- Covert storage channel
- Deserialization of untrusted data
- Directory Restriction Error
- Doubly freeing memory
- Empty String Password
- Expression Language Injection
- Full Trust CLR Verification issue Exploiting Passing Reference Types by Reference
- Heartbleed Bug
- Improper Data Validation
- Improper pointer subtraction
- Information exposure through query strings in url by Robert Gilbert (amroot)
- Injection problem
- Insecure Compiler Optimization
- Insecure Randomness
- Insecure Temporary File
- Insecure Third Party Domain Access
- Insecure Transport
- Insufficient Entropy
- Insufficient Session-ID Length
- Least Privilege Violation
- Memory leak
- Missing Error Handling
- Missing XML Validation
- Multiple admin levels
- Null Dereference
- OWASP .NET Vulnerability Research
- Overly Permissive Regular Expression
- PHP File Inclusion
- PHP Object Injection by Egidio Romano
- PRNG Seed Error
- Password Management Hardcoded Password
- Password Plaintext Storage
- Poor Logging Practice
- Portability Flaw
- Privacy Violation
- Process Control
- Return Inside Finally Block
- Session Variable Overloading
- String Termination Error
- Unchecked Error Condition
- Unchecked Return Value Missing Check against Null
- Undefined Behavior
- Unreleased Resource
- Unrestricted File Upload
- Unsafe JNI
- Unsafe Mobile Code
- Unsafe function call from a signal handler
- Unsafe use of Reflection
- Use of Obsolete Methods
- Use of hard-coded password
- Using a broken or risky cryptographic algorithm
- Using freed memory
- Vulnerability template
- XML External Entity (XXE) Processing
Other
- ASP.NET Request Validation
- Access Control
- Anti CSRF Tokens ASP.NET
- Automated Audit using WAPITI
- Broken Access Control
- Code Sprint 2017
- Component Analysis by Steve Springett
- Double Encoding
- Fail Securely
- Free for Open Source Application Security Tools by Dave Wichers
- Fuzzing
- GSoC 2012 Ideas
- GSoC 2013 - ZAP SAML Support Status Updates
- GSoC 2013 Ideas
- GSoC 2014 Ideas
- GSoC 2015 Ideas
- GSoC 2016 Ideas
- GSoC 2017 Ideas
- GSoC 2018 Ideas
- GSoC 2019
- GSoC 2019
- GSoC 2019 Ideas
- GSoC 2020
- GSoC 2020 Ideas
- GSoC 2021
- GSoC 2021 Ideas
- GSoC SAT
- Google Season of Docs 2019
- Google Season of Docs 2020
- Google Season of Docs 2021
- Hibernate
- How to Write Insecure Code
- HttpOnly
- Improper Error Handling
- Injection Flaws
- Injection Theory by Jeff Williams
- OWASP Application Security FAQ by Weilin Zhong
- OWASP Bug Bounty
- OWASP Community Meetings
- OWASP Risk Rating Methodology by Jeff Williams
- OWASP Risk Rating Methodology - Debate (Historic) by kingthorin
- OWASP Validation Regex Repository
- Password Special Characters by Pawel Krawczyk
- SameSite by Riramar, Pawel Krawczyk
- Secure Software Contract Annex by Jeff Williams
- Security Headers
- Session Timeout
- Slow Down Online Guessing Attacks with Device Cookies by Anton Dedov
- Source Code Analysis Tools
- Threat Modeling by Victoria Drake
- Threat Modeling Process by Larry Conklin
- Types of XSS
- Using the Java Cryptographic Extensions
- Virtual Patching Best Practices
- Vulnerability Scanning Tools
- Web Application Firewall
- Winter Code Sprint 2014
- XSS Filter Evasion Cheat Sheet - Redirect
OWASP Initiatives
Google Summer of Code
Information related to OWASP’s participation in Google Summer of Code (GSoC) since 2012 can be found here.
Google Season of Docs
Information related to OWASP’s participation in Google Season of Docs (GSoD) since 2019 can be found here.
Code Sprints
At various points in OWASP’s history the organization has run Code Sprints similar to GSoC in order to give students and the community “real-life” development experience, and as a mechanism by which code projects can grow and be enhanced.
Information related to OWASP Code Sprints can be found here.
OWASP Bug Bounty
Information related to OWASP’s BugCrowd programs can be found here.