owasp-top-10

Open-source projects categorized as owasp-top-10
Edit details
Language: + HTML + TypeScript + Java + PHP + SCSS
Topics: Owasp Security HacktoberFest Appsec Hacking
Power Real-Time Data Analytics at Scale
Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
www.influxdata.com
featured

Top 12 owasp-top-10 Open-Source Projects

  • juice-shop

    OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

    • Project mention: Launch HN: Corgea (YC S23) – Auto fix vulnerable code | news.ycombinator.com | 2024-01-09

    Hi HN, I’m the founder of Corgea (https://corgea.com). We help companies fix their vulnerable source code using AI.

    Originally, we started with a data security product that would detect data leaks at companies. Despite initial successes and customer acquisitions, we frequently heard that highlighting issues wasn't enough; customers wanted proactive fixes. They had hundreds (yes hundreds!) of security tools alerting them about vulnerabilities, but couldn’t afford a dedicated team to go through them all and fix them. One prospect we spoke to had tens of thousands of reported vulnerabilities in their SAST tool. With the rise of AI code generation, we saw an opportunity to give customers what they really wanted.

    Having Corgea is like having a security engineer on staff focused on making your code more secure. We want security to be an enabler of engineering rather than a blocker to it, and the reverse to be true. To accomplish this, we built it on top of existing LLMs to issue code fixes.

    To show Corgea’s capabilities, we took some popular vulnerable-by-design applications like Juice Shop (https://github.com/juice-shop/juice-shop), scanned them and issued fixes for their vulnerabilities. You can see some of them here: https://demo.corgea.com. Some examples of vulnerabilities it solves are like SQL injection, Path Traversal and XSS.

    What makes this tough is that currently LLMs struggle at generalist coding tasks because it has to understand your whole code base, the domain you’re in, and the user’s request to do something. This can lead to a lot of unintended behavior where it codes things incorrectly because it’s giving a best guess at what you want. Adam, one of the founding engineers on the team coined it well: LLMs don’t reason, they fuzz.

    We made several decisions that helped the LLM become more deterministic. First, what we’re doing is extremely domain specific: vulnerable code fixes in a limited number of programming languages. There are roughly 900 security vulnerabilities in code, called CWE’s (https://cwe.mitre.org/), that we’ve built into Corgea. An SQL injection vulnerability in a Javascript app is the same regardless if you’re a payments company or a travel booking website. Second, we have no user generated input going into the LLM, because SAST scanners everything needed to issue a fix. This makes it much more predictable and reproducible for us and customers. We can also create robust QA processes and checks.

    To illustrate the point, let’s put some of this to the test using some napkin math. Assume you’re serving 5,000 enterprises that ship on average 300 domain specific features a year in 5 different programming languages that each require 30 lines of code changes across multiple files. You’ll have about 300m permutations the product needs to support. What a nightmare!

    Using the same napkin math, Corgea needs to support the ~900 vulnerabilities (CWE’s). Most of them require 1 - 2 line changes. It doesn’t need to understand the whole codebase since the problem is usually isolated to a few lines. We want to support the 5 most popular programming languages. If we have 5,000 customers, we have to support ~4,500 permutations (900 issues x 5 different languages). This leads to a massive difference in accuracy. Obviously, this is an oversimplification of the whole thing but it illustrates the point.

    What makes this different from Copilot and other code-gen tools is that they do not specialize in security and we’ve seen them inadvertently introduce security issues unbeknownst to the engineer. Additionally, they do not integrate into existing scanning tools that companies are using to resolve those issues. So unless a developer is working on every part of the product, they’re unable to clear security backlogs, which can be in the thousands of tickets.

    As for security scanners, the current market is flooded with tools that report and overwhelm security teams and are not effective at fixing what they’re reporting. Most vulnerability scanners do not remediate issues, and if they do they’re mostly limited to upgrading packages from one version to another to reduce a CVSS. If they do offer CWE remediation capabilities their success rates are very low because they’re often based on traditional AI methodologies. Additionally, they do not integrate with each other because they want to only serve their own findings. Enterprises use multiple tools like Snyk, Semgrep, Checkmarx, but also have a penetration testing program, and a bug bounty program. They need a solution that consolidates across their existing tools. They also use Github, Gitlab and Bitbucket for their code repository.

    We’re offering a free tier for smaller teams and priced tiers. We believe we can reduce 80% of the engineering effort for security fixes, which would equate to at least $10m a year for enterprises.

    We’re really excited to share this with you all and we’d love any thoughts, feedback, and comments!

  • sql-injection-payload-list

    🎯 SQL Injection Payload List

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo

  • Massive-Web-Application-Penetration-Testing-Bug-Bounty-Notes

    • Project mention: Massive-Web-Application-Penetration-Testing-Bug-Bounty-Notes | /r/bugbounty | 2023-05-26

  • mutillidae

    OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security training. This is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets.

    • Project mention: If you're looking for resources pertaining to hands-on practical demonstrations of learned skills and tools/techniques, look no further. | /r/Kalilinux | 2023-11-15

    There's also a bunch of intentionally vulnerable Webapps and VMs aimed at demonstrating potential footholds and common exploits leading to owning of the host including but not limited to: bWAPP, Damn Vulnerable Web App, WebGoat, Metasploitable 3, Mutillidae, Juice Shop

  • vapi

    vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.

  • akto

    Proactive, Open source API security → API discovery, Testing in CI/CD, Test Library with 150+ Tests, Add custom tests, Sensitive data exposure

    • Project mention: Open source vulnerability scanner | /r/cybersecurity | 2023-12-05

    Qualys is good. For open source vulnerability scanner for APIs - you can also try https://github.com/akto-api-security/akto

  • dvna

    Damn Vulnerable NodeJS Application

  • SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

    SaaSHub logo

  • gapps

    Security compliance platform - SOC2, CMMC, ASVS, ISO27001, HIPAA, NIST CSF, NIST 800-53, CSC CIS 18, PCI DSS, SSF tracking. https://gapps.darkbanner.com

    • Project mention: Open source GRC platform for SOC2, CSC, CMMC and more | news.ycombinator.com | 2023-10-25

  • aws-firewall-factory

    Easily improve the security of your web applications with aws firewall factory. Protect your valuable assets with seamless WAF deployment, updates, and staging, all efficiently managed centrally with Firewall Manager.

    • Project mention: Exciting Update: AWS Firewall Factory Enhanced with Centralized RegexPatternSet Management! | /r/aws | 2023-09-29

  • VulnPlanet

    Vulnerable code snippets with fixes for Web2, Web3, API, iOS, Android and Infrastructure-as-Code (IaC)

  • Admin-Panel_Finder

    A burp suite extension that enumerates infrastructure and application admin interfaces (OTG-CONFIG-005)

  • www-project-machine-learning-security-top-10

    OWASP Machine Learning Security Top 10 Project

    • Project mention: AI-Exploits: Repo of multiple unauthenticated RCEs in AI tools | news.ycombinator.com | 2023-11-16

    (I work for ProtectAI) There isn't an OWASP top 10 for MLSecOps at the moment. There a general OWASP top 10 for Machine Learning [1] and MITRE ATLAS [2] however.

    [1] https://owasp.org/www-project-machine-learning-security-top-...

NOTE: The open source projects on this list are ordered by number of github stars. The number of mentions indicates repo mentiontions in the last 12 Months or since we started tracking (Dec 2020).

owasp-top-10 related posts

  • AI-Exploits: Repo of multiple unauthenticated RCEs in AI tools

    5 projects | news.ycombinator.com | 16 Nov 2023

  • Assistance with vAPI Docker Compose Not Initiating 80:80 `vapi-www` Container

    1 project | /r/docker | 7 Dec 2022

  • A good course on API Tesing?

    1 project | /r/HowToHack | 17 Jun 2022

Index

What are some of the best open-source owasp-top-10 projects? This list will help you:

Project Stars
1 juice-shop 9,547
2 sql-injection-payload-list 4,327
3 Massive-Web-Application-Penetration-Testing-Bug-Bounty-Notes 1,184
4 mutillidae 1,176
5 vapi 1,112
6 akto 829
7 dvna 663
8 gapps 343
9 aws-firewall-factory 219
10 VulnPlanet 148
11 Admin-Panel_Finder 112
12 www-project-machine-learning-security-top-10 57

Sponsored
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com