• Stars
    star
    1,196
  • Rank 39,117 (Top 0.8 %)
  • Language
    Java
  • License
    GNU Affero Genera...
  • Created over 4 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Vulnerable app with examples showing how to not use secrets

OWASP WrongSecrets

Tweet

Java checkstyle and testing Pre-commit Terraform FMT CodeQL Dead Link CheckerJavadoc and Swaggerdoc generator

Test minikube script (k8s) Test minikube script (k8s&vault) Docker container testTest container on podman and Colima DAST with ZAP

OWASP Lab Project OpenSSF Best Practices Discussions

Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to not store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.

Can you solve all the 33 challenges?

Try some of them on our Heroku demo environment.

Want to play the other challenges? Read the instructions on how to set them up below.

screenshotOfChallenge1

Table of contents

Support

Need support? Contact us via OWASP Slack for which you sign up here , file a PR, file an issue , or use discussions. Please note that this is an OWASP volunteer based project, so it might take a little while before we respond.

Copyright (c) 2020-2023 Jeroen Willemsen and WrongSecrets contributors.

Basic docker exercises

Can be used for challenges 1-4, 8, 12-33

For the basic docker exercises you currently require:

You can install it by doing:

docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault

Now you can try to find the secrets by means of solving the challenge offered at:

Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).

Running these on Heroku

You can test them out at https://wrongsecrets.herokuapp.com/ as well! But please understand that we have NO guarantees that this works. Given we run in Heroku free-tier, please do not fuzz and/or try to bring it down: you would be spoiling it for others that want to testdrive it.

Running on Fly.io

You can test them out at https://wrongsecrets.fly.dev as well! Please understand that we run on a free-tier instance, we cannot give any guarantees. Please do not fuzz and/or try to bring it down: you would be spoiling it for others that want to testdrive it.

Basic K8s exercise

Can be used for challenges 1-6, 8, 12-33

Minikube based

Make sure you have the following installed:

The K8S setup currently is based on using Minikube for local fun:

    minikube start
    kubectl apply -f k8s/secrets-config.yml
    kubectl apply -f k8s/secrets-secret.yml
    kubectl apply -f k8s/challenge33.yml
    kubectl apply -f k8s/secret-challenge-deployment.yml
    while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
    kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
    minikube service secret-challenge

now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).

k8s based

Want to run vanilla on your own k8s? Use the commands below:

    kubectl apply -f k8s/secrets-config.yml
    kubectl apply -f k8s/secrets-secret.yml
    kubectl apply -f k8s/challenge33.yml
    kubectl apply -f k8s/secret-challenge-deployment.yml
    while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
    kubectl port-forward \
        $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
        8080:8080

now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).

Okteto based

Develop on Okteto

Don't want to go over the hassle of setting up K8S yourself? visit https://wrongsecrets-commjoen.cloud.okteto.net. Please note that we are using the free Developer version here, so it might take a while for it to respond at first (e.g. "development environment not ready" and then a 50x for a minute). Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.

Vault exercises with minikube

Can be used for challenges 1-8, 12-29 Make sure you have the following installed:

Run ./k8s-vault-minkube-start.sh, when the script is done, then the challenges will wait for you at http://localhost:8080 . This will allow you to run challenges 1-8, 12-33.

When you stopped the k8s-vault-minikube-start.sh script and want to resume the port forward run: k8s-vault-minikube-resume.sh. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.

Cloud Challenges

Can be used for challenges 1-33

READ THIS: Given that the exercises below contain IAM privilege escalation exercises, never run this on an account which is related to your production environment or can influence your account-over-arching resources.

Running WrongSecrets in AWS

Follow the steps in the README in the AWS subfolder.

Running WrongSecrets in GCP

Follow the steps in the README in the GCP subfolder.

Running WrongSecrets in Azure

Follow the steps in the README in the Azure subfolder.

Running Challenge15 in your own cloud only

When you want to include your own Canarytokens for your cloud-deployment, do the following:

  1. Fork the project.
  2. Make sure you use the GCP ingress or AWS ingress scripts to generate an ingress for your project.
  3. Go to canarytokens.org and select AWS Keys, in the webHook URL field add <your-domain-created-at-step1>/canaries/tokencallback.
  4. Encrypt the received credentials so that Challenge15 can decrypt them again.
  5. Commit the unencrypted and encrypted materials to Git and then commit again without the decrypted materials.
  6. Adapt the hints of Challenge 15 in your fork to point to your fork.
  7. Create a container and push it to your registry
  8. Override the K8s definition files for either AWS or GCP.

Do you want to play without guidance or spoils?

Each challenge has a Show hints button and a What's wrong? button. These buttons help to simplify the challenges and give explanation to the reader. Though, the explanations can spoil the fun if you want to do this as a hacking exercise. Therefore, you can manipulate them by overriding the following settings in your env:

  • hints_enabled=false will turn off the Show hints button.
  • reason_enabled=false will turn of the What's wrong? explanation button.
  • spoiling_enabled=false will turn off the /spoil-x endpoint (where x is the number of the challenge).

Enabling Swaggerdocs and UI

You can enable Swagger documentation and the Swagger UI by overriding the SPRINGDOC_UI and SPRINGDOC_DOC when running the Docker container. See our Okteto Deployment for more details.

Special thanks & Contributors

Leaders:

Top contributors:

Testers:

Special mentions for helping out:

Sponsorships

We would like to thank the following parties for helping us out:

gitguardian_logo.png

GitGuardian for their sponsorship which allows us to pay the bills for our cloud-accounts.

jetbrains_logo.png

Jetbrains for licensing an instance of Intellij IDEA Ultimate edition to the project leads. We could not have been this fast with the development without it!

docker_logo.png

Docker for granting us their Docker Open Source Sponsored program.

1password_logo.png

1Password for granting us an open source license to 1Password for the secret detection testbed.

AWS Open Source

AWS for granting us AWS Open Source credits which we use to test our project and the Wrongsecrets CTF Party setup on AWS.

Help Wanted

You can help us by the following methods:

  • Star us
  • Share this app with others
  • Of course, we can always use your help to get more flavors of "wrongly" configured secrets in to spread awareness! We would love to get some help with other cloud providers, like Alibaba or Tencent cloud for instance. Do you miss something else than a cloud provider? File an issue or create a PR! See our guide on contributing for more details. Contributors will be listed in releases, in the "Special thanks & Contributors"-section, and the web-app.

Use OWASP WrongSecrets as a secret detection benchmark

As tons of secret detection tools are coming up for both Docker and Git, we are creating a Benchmark testbed for it. Want to know if your tool detects everything? We will keep track of the embedded secrets in this issue and have a branch in which we put additional secrets for your tool to detect. The branch will contain a Docker container generation script using which you can eventually test your container secret scanning.

CTF

We have 3 ways of playing CTFs:

CTFD Support

Want to use CTFD to play a CTF based on the free Heroku wrongsecrets-ctf instance together with CTFD? You can!

NOTE: CTFD support now works based on the Juiceshop CTF CLI.

NOTE-II: https://wrongsecrets-ctf.herokuapp.com (temporary down based on lack of oss credits) is based on Heroku and has limited capacity. Alternatively you can use our Okteto setup at https://wrongsecrets-ctf-commjoen.cloud.okteto.net/, which uses a free tier and needs some time to warm up. However, the Okteto environment does have more resources & supports the kubernetes challenges, unlike our Heroku setup that only supports the Docker challenges.

Initial creation of the zip file for CTFD requires you to visit https://wrongsecrets-ctf.herokuapp.com/api/Challenges or https://wrongsecrets-ctf-commjoen.cloud.okteto.net/ once before executing the steps below.

Follow the following steps:

    npm install -g [email protected]
    juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com (or https://wrongsecrets-ctf-commjoen.cloud.okteto.net/) as domain. No trailing slash! The key is 'TRwzkRJnHOTckssAeyJbysWgP!Qc2T', feel free to enable hints. We do not support snippets or links/urls to code or hints.
    docker run -p 8001:8000 -it ctfd/ctfd:3.4.3

Now visit the CTFD instance at http://localhost:8001 and setup your CTF. Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command. Game on using https://wrongsecrets-ctf.herokuapp.com or https://wrongsecrets-ctf-commjoen.cloud.okteto.net/! Want to setup your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.

FBCTF Support (Experimental!)

NOTE: FBCTF support is experimental.

Follow the same step as with CTFD, only now choose fbctfd and as a url for the countrymapping choose https://raw.githubusercontent.com/OWASP/wrongsecrets/79a982558016c8ce70948a8106f9a2ee5b5b9eea/config/fbctf.yml. Then follow https://github.com/facebookarchive/fbctf/wiki/Quick-Setup-Guide to run the FBCTF.

Notes on development

For development on local machine use the local profile ./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault

If you want to test against vault without K8s: start vault locally with

 export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'
 export VAULT_API_ADDR='http://127.0.0.1:8200'
 vault server -dev

and in your next terminal, do (with the token from the previous commands):

export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'
export SPRING_CLOUD_VAULT_TOKEN='<TOKENHERE>'
vault token create -id="00000000-0000-0000-0000-000000000000" -policy="root"
vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)"

Now use the local-vault profile to do your development.

./mvnw spring-boot:run -Dspring-boot.run.profiles=local,local-vault

If you want to dev without a Vault instance, use additionally the without-vault profile to do your development:

./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault

Want to push a container? See .github/scripts/docker-create-and-push.sh for a script that generates and pushes all containers. Do not forget to rebuild the app before composing the container

Dependency management

We have CycloneDX and OWASP Dependency-check integrated to check dependencies for vulnerabilities. You can use the OWASP Dependency-checker by calling mvn dependency-check:aggregate and mvn cyclonedx:makeBom to use CycloneDX to create an SBOM.

Get the project started in IntelliJ IDEA

Requirements: make sure you have the following tools installed: Docker, Java19 JDK, NodeJS 18 and IntelliJ IDEA.

  1. Fork and clone the project as described in the documentation.
  2. Import the project in IntelliJ (e.g. import as mvn project / local sources)
  3. Go to the project settings and make sure it uses Java19 (And that the JDK can be found)
  4. Go to the IDE settings>Language & Frameworks > Lombok and make sure Lombok processing is enabled
  5. Open the Maven Tab in your IDEA and run "Reload All Maven Projects" to make the system sync and download everything. Next, in that same tab use the "install" option as part of the OWASP WrongSecrets Lifecycle to genereate the asciidoc and such.
  6. Now run the main method in org.owasp.wrongsecrets.WrongSecretsApplication.java. This should fail with a stack trace.
  7. Now go to the run configuration of the app and make sure you have the active profile without-vault. This is done by setting the VM options arguments to -Dserver.port=8080 -Dspring.profiles.active=local,without-vault. Set K8S_ENV=docker as environment argument.
  8. Repeat step 6: run the app again, you should have a properly running application which is visitable in your browser at http://localhost:8080.

Pictorial Guide on how to get the project started in IntelliJ IDEA is available at Contributing.md.

Feel free to edit and propose changes via pull requests. Be sure to follow our guidance in the documentation to get your work accepted.

Please note that we officially only support Linux and MacOS for development. If you want to develop using a Windows machine, use WSL2 or a virtual machine running Linux. We did include Windows detection & a bunch of exe files for a first experiment, but are looking for active maintainers of them. Want to make sure it runs on Windows? Create PRs ;-).

If, after reading this section, you still have no clue on the application code: Have a look at some tutorials on Spring boot from Baeldung

Automatic reload during development

To make changes made load faster we added spring-dev-tools to the Maven project. To enable this in IntelliJ automatically, make sure:

  • Under Compiler -> Automatically build project is enabled, and
  • Under Advanced settings -> Allow auto-make to start even if developed application is currently running.

You can also manually invoke: Build -> Recompile the file you just changed, this will also force reloading of the application.

How to add a Challenge

Follow the steps below on adding a challenge:

  1. First make sure that you have an Issue reported for which a challenge is really wanted.
  2. Add the new challenge in the org.owasp.wrongsecrets.challenges folder. Make sure you add an explanation in src/main/resources/explanations and refer to it from your new Challenge class.
  3. Add unit, integration and UI tests as appropriate to show that your challenge is working.
  4. Don't forget to add @Order annotation to your challenge ;-).
  5. Review the CONTRIBUTING guide for setting up your contributing environment and writing good commit messages.

For more details please refer Contributing.md.

If you want to move existing cloud challenges to another cloud: extend Challenge classes in the org.owasp.wrongsecrets.challenges.cloud package and make sure you add the required Terraform in a folder with the separate cloud identified. Make sure that the environment is added to org.owasp.wrongsecrets.RuntimeEnvironment. Collaborate with the others at the project to get your container running so you can test at the cloud account.

Local testing

If you have made some changes to the codebase or added a new challenge and would like to see exactly how the container will look after merge for testing, we have a script that makes this very easy. Follow the steps below:

  1. Ensure you have bash installed and open.
  2. Navigate to .github/scripts.
  3. Run the docker-create script bash docker-create.sh.
  4. Follow any instructions given, you made need to install/change packages.
  5. Run the newly created container docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test

Want to play, but are not allowed to install the tools?

If you want to play the challenges, but cannot install tools like keepass, Radare, etc. But are allowed to run Docker containers, try the following:

docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock jeroenwillemsen/wrongsecrets-desktop:latest

or use something more configurable:

docker run -d \
  --name=webtop \
  --security-opt seccomp=unconfined \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/London \
  -e SUBFOLDER=/ \
  -e KEYBOARD=en-us-qwerty \
  -p 3000:3000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --shm-size="2gb" \
  --restart unless-stopped \
  jeroenwillemsen/wrongsecrets-desktop:latest

And then at http://localhost:3000.

Note: be careful with trying to deploy the jeroenwillemsen/wrongsecrets-desktop container to Heroku ;-).

Docker on macOS with M1 and Colima (Experimental!)

NOTE: Colima support is experimental.

Using Colima (version 0.5.2 when written) you your macOS with Apple Silicon M1 to run Docker image jeroenwillemsen/wrongsecrets you try one of:

  • switch off Colima
  • change Docker context
  • run Colima with 1 CPU

Switch off Colima

colima stop

and run natively Docker image jeroenwillemsen/wrongsecrets on ARM.

Change Docker context

Running docker image on Colima container runtimes on macOS Ventura with M1 CPU can run very slowly or can hang at some point. Wrong Secrets provide arm64 Docker image and switching to desktop-linux context will use the native arm64 image. To do that in the terminal run:

docker context ls

you should see context default colima *:

NAME                TYPE                DESCRIPTION                               DOCKER ENDPOINT                                    KUBERNETES ENDPOINT                ORCHESTRATOR
colima *            moby                colima                                    unix:///Users/YOUR_USER_NAME/.colima/default/docker.sock
default             moby                Current DOCKER_HOST based configuration   unix:///var/run/docker.sock                        https://127.0.0.1:6443 (default)   swarm
desktop-linux       moby                                                          unix:///Users/YOUR_USER_NAME/.docker/run/docker.sock

Now run one of the above Docker commands together with --context switch e.g.:

docker --context desktop-linux run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault

Run Colima with 1 CPU

Colima is using QEMU behind and for QEMU on Apple Silicon M1 is recommended to use 1 CPU core:

colima start -m 8 -c 1 --arch x86_64

and run with AMD x64 emulation e.g.:

docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault

Further reading on secrets management

Want to learn more? Checkout the sources below:

More Repositories

1

CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Python
27,397
star
2

owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
Python
11,723
star
3

Amass

In-depth Attack Surface Mapping and Asset Discovery
Go
7,941
star
4

wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
Dockerfile
7,242
star
5

Go-SCP

Golang Secure Coding Practices guide
Go
4,841
star
6

Top10

Official OWASP Top 10 Document Repository
HTML
4,262
star
7

Nettacker

Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management
Python
3,374
star
8

ASVS

Application Security Verification Standard
HTML
2,720
star
9

API-Security

OWASP API Security Project
Dockerfile
2,050
star
10

owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
Python
2,045
star
11

DevGuide

The OWASP Guide
2,011
star
12

NodeGoat

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
HTML
1,857
star
13

QRLJacking

QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.
Python
1,346
star
14

SecurityShepherd

Web and mobile application security training platform
Java
1,338
star
15

crAPI

completely ridiculous API (crAPI)
Java
1,100
star
16

www-project-top-ten

OWASP Foundation Web Respository
HTML
1,098
star
17

www-community

OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.
HTML
1,078
star
18

joomscan

OWASP Joomla Vulnerability Scanner Project https://www.secologist.com/
Raku
1,062
star
19

threat-dragon

An open source threat modeling tool from OWASP
JavaScript
915
star
20

railsgoat

A vulnerable version of Rails that follows the OWASP Top 10
HTML
859
star
21

java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.
Java
788
star
22

OWASP-VWAD

The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
749
star
23

DevSecOpsGuideline

The OWASP DevSecOps Guideline can help us to embedding security as a part of the development pipeline.
Python
705
star
24

IoTGoat

IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.
C
689
star
25

ZSC

OWASP ZSC - Shellcode/Obfuscate Code Generator https://www.secologist.com/
Python
645
star
26

Docker-Security

Getting a handle on container security
Dockerfile
630
star
27

OWASP-WebScarab

OWASP WebScarab
Java
582
star
28

MASTG-Hacking-Playground

Java
574
star
29

www-project-kubernetes-top-ten

OWASP Foundation Web Respository
HTML
554
star
30

SecureCodingDojo

The Secure Coding Dojo is a platform for delivering secure coding knowledge.
PHP
536
star
31

DVSA

a Damn Vulnerable Serverless Application
JavaScript
532
star
32

glue

Application Security Automation
Ruby
522
star
33

www-project-top-10-for-large-language-model-applications

OWASP Foundation Web Respository
TeX
514
star
34

owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
Java
488
star
35

OFFAT

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
Python
457
star
36

Python-Honeypot

OWASP Honeypot, Automated Deception Framework.
Python
429
star
37

www-project-web-security-testing-guide

The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
HTML
429
star
38

rbac

PHP-RBAC is an authorization library for PHP. It provides developers with NIST Level 2 Standard Role Based Access Control and more, in the fastest implementation yet.
PHP
423
star
39

owasp.github.io

OWASP Foundation main site repository
HTML
423
star
40

iGoat-Swift

OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS
C
406
star
41

samm

SAMM stands for Software Assurance Maturity Model.
JavaScript
397
star
42

threat-model-cookbook

This project is about creating and publishing threat model examples.
Python
373
star
43

igoat

OWASP iGoat - A Learning Tool for iOS App Pentesting and Security by Swaroop Yermalkar
C
368
star
44

Vulnerable-Web-Application

OWASP Vulnerable Web Application Project https://github.com/hummingbirdscyber
PHP
345
star
45

O-Saft

O-Saft - OWASP SSL advanced forensic tool
Perl
344
star
46

vbscan

OWASP VBScan is a Black Box vBulletin Vulnerability Scanner
Perl
323
star
47

Serverless-Goat

OWASP ServerlessGoat: a serverless application demonstrating common serverless security flaws
Python
312
star
48

SecureTea-Project

The OWASP SecureTea Project provides a one-stop security solution for various devices (personal computers / servers / IoT devices)
JavaScript
285
star
49

RiskAssessmentFramework

The Secure Coding Framework
TypeScript
245
star
50

D4N155

OWASP D4N155 - Intelligent and dynamic wordlist using OSINT
Shell
223
star
51

Serverless-Top-10-Project

OWASP Serverless Top 10
210
star
52

pysap

pysap is an open source Python library that provides modules for crafting and sending packets using SAP's NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols.
Python
205
star
53

www-project-ai-security-and-privacy-guide

OWASP Foundation Web Respository
HTML
202
star
54

www-chapter-japan

OWASP Foundation Web Respository
HTML
198
star
55

phpsec

OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS
197
star
56

json-sanitizer

Given JSON-like content, The JSON Sanitizer converts it to valid JSON.
Java
190
star
57

Maturity-Models

Node application to help managing Maturity Models like the ones created by BSIMM and OpenSAMM
JavaScript
184
star
58

passfault

OWASP Passfault evaluates passwords and enforces password policy in a completely different way.
JavaScript
169
star
59

ASST

OWASP ASST (Automated Software Security Toolkit) | A Novel Open Source Web Security Scanner.
JavaScript
152
star
60

IoT-Security-Verification-Standard-ISVS

OWASP IoT Security Verification Standard (ISVS)
TeX
133
star
61

Software-Component-Verification-Standard

Software Component Verification Standard (SCVS)
Python
133
star
62

owasp-summit-2017

Content for OWASP Summit 2017 site
CSS
128
star
63

BLT

OWASP BLT is a bug logging tool to report issues and get points, companies are held accountable.
HTML
124
star
64

www-project-secure-headers

The OWASP Secure Headers Project
Python
122
star
65

www-project-proactive-controls

OWASP Foundation Web Respository
Shell
122
star
66

www-project-code-review-guide

OWASP Code Review Guide Web Repository
HTML
119
star
67

SEDATED

SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure)
Shell
109
star
68

sonarqube

OWASP SonarQube Project
Dockerfile
109
star
69

raider

OWASP Raider: a novel framework for manipulating the HTTP processes of persistent sessions
Python
103
star
70

OWASP-Testing-Guide

OWASP Testing Guide
103
star
71

OWASPWebGoatPHP

A deliberately vulnerable web application for learning web application security.
PHP
99
star
72

user-security-stories

Repo to hold mapping of user-security-stories
99
star
73

KubeLight

OWASP Kubernetes security and compliance tool [WIP]
Python
97
star
74

owasp-istg

The IoT Security Testing Guide (ISTG) provides a comprehensive methodology for penetration tests in the IoT field, offering flexibility to adapt innovations, and developments in the IoT market while still ensuring comparability of test results.
Python
89
star
75

www-project-mobile-top-10

HTML
83
star
76

www-project-webgoat

OWASP Foundation Web Respository
HTML
81
star
77

Honeypot-Project

Python
79
star
78

NINJA-PingU

Python
77
star
79

threat-dragon-desktop

Desktop variant of OWASP Threat Dragon
77
star
80

OpenCRE

Python
77
star
81

www-project-developer-guide

OWASP Project Developer Guide - Document and Project Web pages
HTML
77
star
82

www-project-csrfguard

The aim of this project is to protect Java applications against CSRF attacks with the use of Synchronizer Tokens
Java
77
star
83

www-project-machine-learning-security-top-10

OWASP Machine Learning Security Top 10 Project
HTML
73
star
84

www-project-zap

OWASP Zed Attack Proxy project landing page.
HTML
72
star
85

www-project-threat-dragon

OWASP Foundation Threat Dragon Project Web Repository
HTML
70
star
86

SSO_Project

OWASP Single Sign-On allows a secure-by-default self-hosted SSO experience, including phishing-proof two-factor authentication, using state-of-the-art security mechanisms.
JavaScript
68
star
87

www-project-application-security-verification-standard

OWASP Foundation Web Respository
HTML
67
star
88

PHP-ESAPI

Migrated from code.google.com to a more active public repository.
PHP
65
star
89

www-project-security-knowledge-framework

OWASP Foundation Web Respository
HTML
64
star
90

wpBullet

Python
63
star
91

www-project-secure-coding-practices-quick-reference-guide

OWASP Foundation Project Web Repository for Secure Coding Practices Quick-reference Guide
HTML
63
star
92

www-project-top-10-low-code-no-code-security-risks

OWASP Low-Code/No-Code Top 10
HTML
62
star
93

www-project-top-10-ci-cd-security-risks

OWASP Foundation Web Respository
HTML
58
star
94

Container-Security-Verification-Standard

Container Security Verification Standard
Python
57
star
95

www-project-devsecops-guideline

The OWASP DevSecOps Guideline explains how we can implement a secure pipeline and use best practices and introduce tools that we can use in this matter. Also, the project is trying to help us promote the shift-left security culture in our development process.
HTML
49
star
96

www-project-devsecops-maturity-model

OWASP Foundation Web Respository
HTML
48
star
97

www-project-juice-shop

OWASP Foundation Web Respository
HTML
48
star
98

packman

A documentation and tracking project with the goal of making package management systems more secure.
48
star
99

www-project-api-security

OWASP Foundation Web Repository
HTML
47
star
100

WebGoat

This is a defunct code base. The project is located at: https://github.com/WebGoat
HTML
47
star