-
Open Web Application Security Project
- Free and open software security community
- 501(c)(3) Nonprofit organization
-
Core purpose
- Be the thriving global community that drives visibility and evolution in the safety and security of the world's software
- OPEN Everything at OWASP is radically transparent from our finances to our code.
- INNOVATION OWASP encourages and supports innovation and experiments for solutions to software security challenges.
- GLOBAL Anyone around the world is encouraged to participate in the OWASP community.
- INTEGRITY OWASP is an honest and truthful, vendor neutral, global community.
- Free & Open
- Governed by rough consensus & running code
- Abide by a code of ethics
- Not-for-profit
- Not driven by commercial interests
- Risk based approach
An OWASP project is a collection of related tasks that have a defined roadmap and team members.
| Project Type | Examples |
|---|---|
| Tool | Zed Attack Proxy, Dependency Check, DefectDojo, Juice Shop |
| Code | ModSecurity Core Rule Set, Java HTML Sanitizer, Security Logging Project, AppSensor |
| Documentation | OWASP Top 10, Application Security Verification Standard (ASVS), OWASP 24/7 Podcast, Cornucopia |
| Community | Advancing the state of security in the area of... |
|---|---|
 |
...application development |
 |
...security testing |
 |
...application defense, including the tools and techniques that enable the detection and response to application layer attacks |
| Level | Icon | Description |
|---|---|---|
| Incubator |  |
OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. |
| Labs |  |
OWASP Labs projects represent projects that have produced an OWASP reviewed deliverable of value. |
| Flagship |  |
The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. |
It is essential for an OWASP Labs project to have:
- A version number with a clear release schedule
- GitHub source control and a public issue tracking system
- Stable build and release
- Instructions on how to use and build the project properly
It is essential for an OWASP Flagship project to have:
- Considerable number of users and contributors
- Considerable number of commits and improvements in a time span of at least two years
- A unique approach or proposition in application security
- Exposure through security conferences
- Use and acceptance by the community
- Being used as reference in books and other resources
OWASP Chapters exist to raise awareness of the OWASP mission, making application security visible, at the local level.
There is one Chapter for Germany in total which is complemented by a so-called OWASP Stammtisch each in several metropolitan areas such as Hamburg, Munich, Frankfurt, Stuttgart or Karlsruhe.
- Organize free and open meetings
- Hold a minimum of 4 chapter meetings or events each year
- Give official meeting notice through the wiki, chapter mailing list, and OWASP Calendar
- Abide by OWASP principles and the code of ethics
- Protect the privacy of the chapter's local contacts
- Maintain vendor neutrality (act independently)
- Spend any chapter funds in accordance with the OWASP goals, code of ethics, and principles
| 1 | Injection | 6 | Security Misconfiguration |
| 2 | Broken Authentication | 7 | Cross-Site-Scripting (XSS) |
| 3 | Sensitive Data Exposure | 8 | Insecure Deserialization |
| 4 | XML External Entities | 9 | Using Components with Known Vulnerabilities |
| 5 | Broken Access Control | 10 | Insufficient Logging & Monitoring |
ℹ️ Based on the OWASP Risk Rating Methodology
| Cross-Site Request Forgery (CSRF) | Unvalidated Forward and Redirects |
| Uncontrolled Resource Consumption ('Resource Exhaustion', 'AppDoS') | Improper Control of Interaction Frequency (Anti-Automation) |
| Unrestricted Upload of File with Dangerous Type | Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content) |
| User Interface (UI) Misrepresentation of Critical Information (Clickjacking etc.) | Server-Side Request Forgery (SSRF) |
-
CWE Common Weakness Enumeration
- Community-developed list of common software security weaknesses
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
- Easy-to-install: Choose between node.js, Docker and Vagrant to run on Windows/Mac/Linux
- Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically
- Self-healing: The simple SQLite database is wiped and regenerated from scratch on every server startup
- Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board
- CTF-support: Challenge notifications contain a customizable flag code for your own Capture-The-Flag events
- Re-branding: Fully customizable business context and look & feel
- Free and Open source: Licensed under the MIT license with no hidden costs or caveats
- Individual local instance per student
- Runs on node.js, Docker, Vagrant and in the ☁️
- Do not look at the source code on GitHub
- Do not look at GitHub issues, PRs etc.
- Do not cheat (with online tutorials or walkthroughs) before trying
- Report problems during exercises immediately
Pwning OWASP Juice Shop [...] will give you a complete overview of the vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under CC BY-NC-ND 4.0 and is available for free online-readable. The latest officially released edition is available for free on LeanPub in PDF, Kindle and ePub format.
- Open https://github.com/bkimminich/juice-shop#setup
- Follow the instructions for one method out of
- From Sources
- Packaged Distributions (:blue_heart: on university PCs)
- Docker Container
- Vagrant
- Register a user account at your local Juice Shop
- Browse the inventory and purchase some products
- Try out all other functionality you find in the application
- Find the hidden Score Board in the Juice Shop (:star:)
- Open your browser's developer tools (
F12in Chrome/Firefox) - Find the cookie
continueCodeand copy its value to your other computer - Install OWASP Juice Shop on your other computer and launch it
F12into the developer tools and create the cookiecontinueCodewith the value from your first computer- Restart the Juice Shop server