== Project Information == The ORG (OWASP Report Generator) is a multi-purpose reporting tool designed to be extensible for various reporting needs. By using what is known as a provider model, report providers can be plugged in to ORG. OWASP Report Providers will include Penetration Testing and S...

Web applications face any number of threats; one of them is cross-site scripting and related injection attacks. 90% of all web applications contain cross-site scripting attacks because they are easy to introduce, and the proper tools are not always available to prevent them. There is no good singl...

There was a great article on MSDN a while back (years at this point) that showed the creation of a SOAP extension that would verify incoming requests against a schema, something .NET does not support out of the box (even in 2.0). Additionally there was quasi support for schematron via Assert attrib...

The next version of the OWASP Development Guide (which is hosted on this site's wiki and is currently under development) will be in effect the detailed design guide for the requirements of the OWASP Application Security Verification Standard (ASVS). For more information, [http://code.google.com/p...

Owasp Orizon is code review engine that can be used by security specialist to perform security code reviews. Owasp Orizon assesses source codes written in a lot of programming languages (Java, PHP, C, and counting) and it is completely parser based so, there is no need for a compiler in order to ...

The OWASP O2 Platform is an OWASP Project which is a collection of Open Source modules that help Web Application Security Professionals to maximize their efforts and quickly obtain high visibility into an application's security profile. The objective is to 'Automate Application Security Knowledge an...

Scrubbr is a BSD-licensed database scanning tool that checks numerous database technologies for the presence of possible stored cross-site scripting attacks.

This project is intended to test for access control flaws in web applications. As a theoretical part of this project the research was conveyed that was intended to answer the following questions: 1. Is there a reasonable classification of business logic vulnerabilities? 2. Is it possible to g...

The purpose of the ESAPI is to provide a simple interface that provides all the security functions a developer is likely to need in a clear, consistent, and easy to use way. The ESAPI architecture is very simple, just a collection of classes that encapsulate the key security operations most applicat...

*OWASP ESAPI for PHP: Strong, Simple Security Controls for PHP Developers* Don’t write your own security controls! Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes. The OWASP Enterprise Sec...