a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS.

bluemonday takes untrusted user generated content as an input, and will return HTML that has been sanitised against an allowlist of approved HTML elements and attributes so that you can safely include the content in your web page.

Related contents:

• Episode 132 @ Linux Dev Time.

Antidote to VibeCoding. Offline-First, AI-Centric SAST & Code Intelligence Platform.

Unlike traditional SAST tools, TheAuditor is designed specifically for AI-assisted development workflows, providing ground truth that both developers and AI assistants can trust.

Related contents:

• TheAuditor - L'outil de sécurité qui rend vos assistants IA moins laxistes sur la sécurité de votre code @ Korben :fr:.

Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management.

OWASP Nettacker project was created to automate information gathering, vulnerability scanning and in general to aid penetration testing engagements. Nettacker is able to run various scans using a variety of methods and generate scan reports(in HTML/TXT/JSON/CSV format) for applications and networks, including discovering open ports, services, bugs, vulnerabilities, misconfigurations, default credentials, subdomains, etc. Nettacker can be run as a command-line utility (including running as a Docker container), API, Web GUI mode or as Maltego transforms.

• OWASP Nettacker @ GitHub.

Automated OWASP CRS and Bad Bot Detection for Caddy, Nginx, Apache, Traefik and HaProxy.

Automate the scraping of OWASP Core Rule Set (CRS) patterns and convert them into Apache, Nginx, Caddy, Traefik, and HAProxy WAF configurations. Additionally, Bad Bot/User-Agent detection is integrated to block malicious web crawlers and scrapers.

Software Bill of Materials (SBOM) Analysis.

• Dependency-Track @ GitHub.
• Démarrer avec Dependency Track @ Culture et Outils DevSecOps :fr:.

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

• Dependency-Check @ GitHub.

No more insecure software. Make sure your software delivery organization has the capabilities required to deliver secure products.

The OWASP Product Security Capability Framework (PSCF) is a comprehensive guide designed to frame and enhance the security of software products. By leveraging a structured approach to identify, implement, and manage security capabilities, the PSCF aims to improve product security and ensure compliance with regulatory and industry standards.

• OWASP PSCF @ GitHub.
• Reasonable 🔐AppSec #43 - The Symbiotic Relationship Between Attack Trees and Threat Modeling, Five Security Articles, and Podcast Corner @ Reasonable Application Security.

A basic tool to check security headers of a website

The OSTE meta scanner is a comprehensive web vulnerability scanner that combines multiple DAST scanners, including Nikto Scanner, OWASP ZAP, Nuclei, SkipFish, and Wapiti.

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration with ASPM/VM platforms and in CI environments.

SessionProbe is a multi-threaded tool designed for penetration testing and bug bounty hunting. It evaluates user privileges in web applications by taking a session token and checking access across a list of URLs, highlighting potential authorization issues.

• SessionProbe: Open-source multi-threaded pentesting tool @ Help Net Security.

Vulnerable REST API with OWASP top 10 vulnerabilities for security testing.

VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off to allow the API to be vulnerable or not while testing. This allows to cover better the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a bit more details about the vulnerabilities in erev0s.com.

the Open Source Foundation for Application Security.

• OWASP Top 10 : comment (vraiment) sécuriser son API ? @ AXOPEN podcast :fr:.

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

The OWASP Amass Project has developed a framework to help information security professionals perform network mapping of attack surfaces and external asset discovery using open source intelligence gathering and reconnaissance techniques.

OWASP Amass.

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics.

OWASP Cheat Sheet Series @ GitHub.

WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.

• OWASP WebGoat @ GitHub.

Related contents:

• WebGoat - Pour vous former au hacking éthique @ Korben :fr:.

The world's most widely used web app scanner. Free and open source. Actively maintained by a dedicated international team of volunteers.

• ZAP @ GitHub.
• Building a Scanner and a Community with Zed Attack Proxy - Simon Bennetts - ASW #254 @ YouTube.
• Strengthening Your Web Application Security: Integrating OWASP ZAP with GitHub Actions @ System Weakness.