Top repositories
1
CheatSheetSeries
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.Python
26,254
2
owasp-mastg
The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).Python
11,279
3
Amass
In-depth Attack Surface Mapping and Asset DiscoveryGo
7,941
4
wstg
The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.Dockerfile
6,561
5
Go-SCP
Golang Secure Coding Practices guideGo
4,708
6
Top10
Official OWASP Top 10 Document RepositoryHTML
4,026
7
Nettacker
Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability ManagementPython
2,924
8
ASVS
Application Security Verification StandardHTML
2,499
9
DevGuide
The OWASP Guide
2,011
10
API-Security
OWASP API Security ProjectDockerfile
1,933
11
owasp-masvs
The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.Python
1,930
12
NodeGoat
The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.HTML
1,809
13
QRLJacking
QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.Python
1,308
14
SecurityShepherd
Web and mobile application security training platformJava
1,272
15
wrongsecrets
Vulnerable app with examples showing how to not use secretsJava
1,071
16
www-project-top-ten
OWASP Foundation Web RespositoryHTML
1,022
17
joomscan
OWASP Joomla Vulnerability Scanner Project https://www.secologist.com/
Raku
1,009
18
crAPI
completely ridiculous API (crAPI)Java
955
19
www-community
OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.HTML
888
20
railsgoat
A vulnerable version of Rails that follows the OWASP Top 10HTML
852
21
threat-dragon
An open source threat modeling tool from OWASPJavaScript
810
22
java-html-sanitizer
Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.Java
788
23
OWASP-VWAD
The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
749
24
DevSecOpsGuideline
The OWASP DevSecOps Guideline can help us to embedding security as a part of the development pipeline.Python
705
25
ZSC
OWASP ZSC - Shellcode/Obfuscate Code Generator https://www.secologist.com/Python
635
26
IoTGoat
IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.C
622
27
Docker-Security
Getting a handle on container securityDockerfile
603
28
OWASP-WebScarab
OWASP WebScarabJava
582
29
MASTG-Hacking-Playground
Java
549
30
www-project-kubernetes-top-ten
OWASP Foundation Web RespositoryHTML
549
31
DVSA
a Damn Vulnerable Serverless ApplicationJavaScript
515
32
glue
Application Security AutomationRuby
513
33
owasp-java-encoder
The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!Java
473
34
SecureCodingDojo
The Secure Coding Dojo is a platform for delivering secure coding knowledge.PHP
441
35
rbac
PHP-RBAC is an authorization library for PHP. It provides developers with NIST Level 2 Standard Role Based Access Control and more, in the fastest implementation yet.PHP
423
36
owasp.github.io
OWASP Foundation main site repositoryHTML
423
37
Python-Honeypot
OWASP Honeypot, Automated Deception Framework.Python
404
38
samm
SAMM stands for Software Assurance Maturity Model.JavaScript
395
39
iGoat-Swift
OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOSC
391
40
www-project-web-security-testing-guide
The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.HTML
376
41
www-project-top-10-for-large-language-model-applications
OWASP Foundation Web RespositoryTeX
374
42
threat-model-cookbook
This project is about creating and publishing threat model examples.Python
373
43
igoat
OWASP iGoat - A Learning Tool for iOS App Pentesting and Security by Swaroop YermalkarC
368
44
O-Saft
O-Saft - OWASP SSL advanced forensic toolPerl
344
45
Vulnerable-Web-Application
OWASP Vulnerable Web Application Project https://github.com/hummingbirdscyberPHP
324
46
vbscan
OWASP VBScan is a Black Box vBulletin Vulnerability ScannerPerl
322
47
Serverless-Goat
OWASP ServerlessGoat: a serverless application demonstrating common serverless security flawsPython
302
48
SecureTea-Project
The OWASP SecureTea Project provides a one-stop security solution for various devices (personal computers / servers / IoT devices)JavaScript
271
49
RiskAssessmentFramework
The Secure Coding FrameworkTypeScript
245
50
pysap
pysap is an open source Python library that provides modules for crafting and sending packets using SAP's NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols.Python
205
51
Serverless-Top-10-Project
OWASP Serverless Top 10
199
52
phpsec
OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS
197
53
json-sanitizer
Given JSON-like content, The JSON Sanitizer converts it to valid JSON.Java
190
54
D4N155
OWASP D4N155 - Intelligent and dynamic wordlist using OSINTShell
186
55
www-chapter-japan
OWASP Foundation Web RespositoryHTML
181
56
Maturity-Models
Node application to help managing Maturity Models like the ones created by BSIMM and OpenSAMMJavaScript
176
57
passfault
OWASP Passfault evaluates passwords and enforces password policy in a completely different way.JavaScript
169
58
www-project-ai-security-and-privacy-guide
OWASP Foundation Web RespositoryHTML
153
59
ASST
OWASP ASST (Automated Software Security Toolkit) | A Novel Open Source Web Security Scanner.JavaScript
147
60
IoT-Security-Verification-Standard-ISVS
OWASP IoT Security Verification Standard (ISVS)TeX
129
61
Software-Component-Verification-Standard
Software Component Verification Standard (SCVS)Python
127
62
owasp-summit-2017
Content for OWASP Summit 2017 siteCSS
126
63
BLT
OWASP BLT is a bug logging tool to report issues and get points, companies are held accountable.HTML
124
64
www-project-secure-headers
The OWASP Secure Headers ProjectPython
114
65
SEDATED
SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure)Shell
109
66
sonarqube
OWASP SonarQube ProjectDockerfile
107
67
www-project-code-review-guide
OWASP Code Review Guide Web RepositoryHTML
106
68
www-project-proactive-controls
OWASP Foundation Web RespositoryShell
104
69
raider
OWASP Raider: a novel framework for manipulating the HTTP processes of persistent sessionsPython
103
70
OWASP-Testing-Guide
OWASP Testing Guide
103
71
OWASPWebGoatPHP
A deliberately vulnerable web application for learning web application security.PHP
99
72
user-security-stories
Repo to hold mapping of user-security-stories
99
73
KubeLight
OWASP Kubernetes security and compliance tool [WIP]Python
97
74
www-project-webgoat
OWASP Foundation Web RespositoryHTML
78
75
Honeypot-Project
Python
77
76
NINJA-PingU
Python
77
77
threat-dragon-desktop
Desktop variant of OWASP Threat Dragon
76
78
www-project-mobile-top-10
HTML
74
79
SSO_Project
OWASP Single Sign-On allows a secure-by-default self-hosted SSO experience, including phishing-proof two-factor authentication, using state-of-the-art security mechanisms.JavaScript
68
80
www-project-csrfguard
The aim of this project is to protect Java applications against CSRF attacks with the use of Synchronizer TokensJava
68
81
www-project-zap
OWASP Zed Attack Proxy project landing page.HTML
67
82
PHP-ESAPI
Migrated from code.google.com to a more active public repository.PHP
65
83
www-project-security-knowledge-framework
OWASP Foundation Web RespositoryHTML
64
84
wpBullet
Python
63
85
www-project-threat-dragon
OWASP Foundation Threat Dragon Project Web RepositoryHTML
59
86
www-project-top-10-ci-cd-security-risks
OWASP Foundation Web RespositoryHTML
58
87
www-project-application-security-verification-standard
OWASP Foundation Web RespositoryHTML
58
88
www-project-machine-learning-security-top-10
OWASP Machine Learning Security Top 10 ProjectHTML
57
89
Container-Security-Verification-Standard
Container Security Verification StandardPython
56
90
www-project-top-10-low-code-no-code-security-risks
OWASP Low-Code/No-Code Top 10HTML
56
91
OpenCRE
CSS
55
92
owasp-istg
Project repository for the IoT Security Testing GuidePython
54
93
www-project-developer-guide
OWASP Project Developer Guide - Document and Project Web pagesHTML
52
94
www-project-secure-coding-practices-quick-reference-guide
OWASP Foundation Project Web Repository for Secure Coding Practices Quick-reference GuideHTML
50
95
www-project-devsecops-guideline
The OWASP DevSecOps Guideline explains how we can implement a secure pipeline and use best practices and introduce tools that we can use in this matter. Also, the project is trying to help us promote the shift-left security culture in our development process.HTML
49
96
www-project-devsecops-maturity-model
OWASP Foundation Web RespositoryHTML
48
97
www-project-juice-shop
OWASP Foundation Web RespositoryHTML
48
98
packman
A documentation and tracking project with the goal of making package management systems more secure.
47
99
www-project-api-security
OWASP Foundation Web RepositoryHTML
47
100
WebGoat
This is a defunct code base. The project is located at: https://github.com/WebGoatHTML
47