  • This repository has been archived on 20/Nov/2023
  • Stars: 142
  • Rank 258,495 (Top 6 %)
  • Language: Java
  • License: Apache License 2.0
  • Created over 14 years ago
  • Updated over 7 years ago

Repository Details

Owasp Orizon is a source code static analyzer tool designed to spot security issues in Java applications.

The Owasp Orizon project

The history

It was a dark and stormy night in Milan, Italy. It was 2006 and I felt the need for something to help me review other people's Java source code. So Owasp Orizon was born and grew up as a security tool that tried to parse Java source code, build an Abstract Syntax Tree and spot unsafe calls in the code.

In the very beginning Owasp Orizon was a sort of enhanced grep tool. In 2008 I started supporting the PHP programming language, but the initial boost disappeared. After falling in love with other programming languages and technologies, eight years later, in 2016, I kickstarted the project again from scratch.

The typo

The mission

Source code contains bugs and vulnerabilities. Owasp Orizon will help application security specialists as well as developers to spot vulnerabilities in their code and to create security patches.

The Owasp Orizon mission is to provide people with an open source tool that helps them review:

  • single Java classes
  • Java standalone tools packed in JAR files
  • web applications packed in EAR / WAR files
  • Android APK applications

An overall introduction

When you launch Owasp Orizon, it will start by unpacking the target file, unless the target is a standalone .class file.

The first security analysis stage is about vulnerabilities in third-party libraries. Owasp Orizon will try to work out the target package's dependencies and then look for known security issues in them.

As the knowledge base for third-party library vulnerabilities, Owasp Orizon will support:

  • the vFeed.io database. Please note that we don't redistribute the database. You must go to the vFeed website and purchase the license that best fits your tool usage
  • the CVE archive from NVD

After this stage, Owasp Orizon will perform a walkthrough of the Owasp TOP 10 security risks, using the Apache BCEL library to disassemble Java bytecode.
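As an added illustration of the bytecode walkthrough described above (example code written for this page, not Orizon's own source), the following uses the Apache BCEL classfile and generic APIs to walk every method of a compiled class and report call sites that hit a small, hypothetical list of sink methods an auditor would want to review:

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.bcel.classfile.ClassParser;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.Instruction;
import org.apache.bcel.generic.InstructionHandle;
import org.apache.bcel.generic.InstructionList;
import org.apache.bcel.generic.InvokeInstruction;
import org.apache.bcel.generic.MethodGen;

/** Added example: disassemble one .class with BCEL and flag calls into a review-worthy sink list. */
public class UnsafeCallFinder {
    // Hypothetical sink list ("class#method"); a real ruleset would be far larger and
    // would also cover interface subtypes such as java.sql.PreparedStatement.
    private static final String[] SINKS = {
        "java.lang.Runtime#exec",
        "java.sql.Statement#executeQuery",
        "java.sql.Statement#execute",
        "java.lang.Class#forName"
    };

    public static List<String> findUnsafeCalls(String classFile) throws IOException {
        List<String> findings = new ArrayList<>();
        JavaClass jc = new ClassParser(classFile).parse();          // parse the class file
        ConstantPoolGen cpg = new ConstantPoolGen(jc.getConstantPool());
        for (Method m : jc.getMethods()) {
            if (m.getCode() == null) continue;                       // abstract/native: no bytecode
            MethodGen mg = new MethodGen(m, jc.getClassName(), cpg);
            InstructionList il = mg.getInstructionList();
            for (InstructionHandle ih = il.getStart(); ih != null; ih = ih.getNext()) {
                Instruction ins = ih.getInstruction();
                if (!(ins instanceof InvokeInstruction)) continue;   // only invoke* opcodes matter
                InvokeInstruction inv = (InvokeInstruction) ins;
                String target = inv.getClassName(cpg) + "#" + inv.getMethodName(cpg);
                for (String sink : SINKS) {
                    if (sink.equals(target)) {
                        findings.add(jc.getClassName() + "." + m.getName() + " -> " + target);
                    }
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        for (String f : findUnsafeCalls(args[0])) System.out.println(f);
    }
}
```

Each finding names the calling method and the sink it reaches; whether a hit is exploitable still needs a human to trace where the arguments come from.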

Usage

More of a reminder than real documentation here:

java -Dlog4j.configurationFile=./log4j2.xml -jar target/owasp-orizon-1.0-SNAPSHOT.jar

The overall design

To be written
