Top 71 appsec open source projects

Git All the Payloads! A collection of web attack payloads.

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

🎯 RFI/LFI Payload List

The OWASP ZAP Heads Up Display (HUD)

SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). 🌈

Version 0.2 - Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB).

YAWAST ...where a pentest starts. Security Toolkit for Web-based Applications

This project is about creating and publishing threat model examples.

Oversecured Vulnerable Android App

Methodology for high-quality web application security testing - https://github.com/tprynn/web-methodology/wiki

A simple Java command-line utility to mirror the CVE JSON data from NIST.

Kurukshetra - A framework for teaching secure coding by means of interactive problem solving.

njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.

A Bind9 server for pentesters to use for Out-of-Band vulnerabilities

Python Interactive Deepweb-oriented Rapid Intelligent Link Analyzer

OWASP SecurityRAT (version 1.x) - Tool for handling security requirements in development

HTML5 WebSocket message fuzzer

An application to assist in the organization and prioritization of software security activities.

An organizational asset and vulnerability management tool, with Jira integration, designed for generating application security reports.

All-in-one tool for managing vulnerability reports from AppSec pipelines

The OWASP ZAP core project

Reapsaw is a continuous security devsecops tool, which helps in enabling security into CI/CD Pipeline. It supports coverage for multiple programming languages.

Some of my security stuff and vulnerabilities. Nothing advanced. More to come.

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

A vulnerable version of Rails that follows the OWASP Top 10

An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications

Web path scanner

The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.

OWASP ZAP Add-ons

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.

Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.

w3af: web application attack and audit framework, the open source web vulnerability scanner.

Integrates Dependency-Check reports into SonarQube

A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review.

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

Next generation web scanner

Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer

Workshop on Template Injection (6 exercises) covering Twig, Jinja2, Tornado, Velocity and Freemaker engines.

Application Security Awareness Training

Detects the algorithm of input JWT Token and provide options to generate the new JWT token based on the user selected algorithm.

GitHub Action to set up Fortify ScanCentral Client

A Tool for Domain Flyovers

Vendor-Neutral Security Tool Automation Controller (over REST)

Web Browser Hooking Framework. Manage, execute and assess web browser vulnerabilities

A simple PHP application to learn SQL Injection detection and exploitation techniques.

Nmap and NSE command line wrapper in the style of Metasploit

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.

Jenkins plugin for OWASP Dependency-Check. Inspects project components for known vulnerabilities (e.g. CVEs).

A Java library for parsing and programmatically using threat models

The OWASP Vulnerable Web Applications Directory (VWAD) Project - OWASP Web Site

Full Nuclei automation script with logic explanation.

Application-embedded connectivity and zero-trust components

Documentation for Essential Node.js Security

Presentations, training modules, and other education materials from Duo Security's Application Security team.

Embedded AppSec Best Practices

Some good resources for getting started with application security

A curated list of policy-as-code resources like blogs, videos, and tools to practice on for learning Policy-as-Code.

OWASP Zed Attack Proxy project landing page.