OWASP Community Pages
Community Content • Contributing
Community Content
Click the triangle (or other control/character) to the left of the following headings to access an expanded list of community content pages.
Controls
- Blocking Brute Force Attacks by Esheridan
- Bytecode Obfuscation by Pierre Parrend
- Certificate and Public Key Pinning by Mark Gamache, Kevin Wall
- Changing A User's Registered Email Address by Philip H. Schlesinger
- Content Security Policy by Dominique RIGHETTO
- Cross-Origin Resource Policy (CORP) by Vaibhav Malik
- Detect Profiling Phase by Dominique RIGHETTO
- Intrusion Detection
- SIM Swapping Prevention Guidelines by Prakhar-Shankar
- Secure Cookie Attribute by MichaelCoates
- Session Fixation Protection by RoganDawes
- Source Code for Rendering UML for Diagrams
- Static Code Analysis by Ryan Dewhurst
- Subresource Integrity (SRI) by Vaibhav Malik
- Web Application Deception Technology by Vaibhav Malik
Attacks
- Binary Planting
- Blind SQL Injection
- Blind XPath Injection
- Brute Force Attack
- Buffer Overflow Attack
- Buffer Overflow via Environment Variables
- CORS OriginHeaderScrutiny
- CORS RequestPreflightScrutiny by Dominique RIGHETTO
- CSV Injection by Timo Goosen, Albinowax
- Cache Poisoning by Weilin Zhong, Rezos
- Cash Overflow by psiinon
- Clickjacking by Gustav Rydstedt
- Code Injection by Weilin Zhong, Rezos
- Command Injection by Weilin Zhong
- Comment Injection Attack by Weilin Zhong, Rezos
- Content Spoofing by Andrew Smith
- Credential stuffing by Neal Mueller
- Cross Frame Scripting by Rezos, Justin Ludwig
- Cross Site History Manipulation (XSHM) by Adar Weidman
- Cross Site Request Forgery (CSRF) by KirstenS
- Cross Site Scripting (XSS) by KirstenS
- Cross Site Tracing
- Cross-User Defacement
- Cryptanalysis
- Custom Special Character Injection by Rezos
- DOM Based XSS
- Denial of Service by Nsrav
- Direct Dynamic Code Evaluation - Eval Injection
- Embedding Null Code by Nsrav
- Execution After Redirect (EAR) by Robert Gilbert (amroot)
- Forced browsing
- Form action hijacking by Robert Gilbert (amroot)
- Format string attack
- Full Path Disclosure
- Function Injection
- HTTP Response Splitting
- IP Spoofing via HTTP Headers by Ahmadreza Parsizadeh
- LDAP Injection
- Log Injection
- Man-in-the-browser attack
- Manipulator-in-the-middle attack
- Mobile code invoking untrusted mobile code
- Mobile code non-final public field
- Mobile code object hijack
- Parameter Delimiter
- Password Spraying Attack by Rishu Ranjan
- Path Traversal
- Qrljacking
- Reflected DOM Injection
- Regular expression Denial of Service - ReDoS by Adar Weidman
- Repudiation Attack
- Resource Injection
- Reverse Tabnabbing
- SQL Injection
- SQL Injection Bypassing WAF
- Server Side Request Forgery by Eoftedal
- Server-Side Includes (SSI) Injection by Weilin Zhong, Nsrav
- Session Prediction
- Session fixation by mwood
- Session hijacking attack
- Setting Manipulation
- Special Element Injection
- Spyware
- Traffic flood
- Trojan Horse
- Unicode Encoding
- Web Parameter Tampering
- Web Service Amplification Attack by Thomas Vissers
- Windows ::DATA Alternate Data Stream
- XPATH Injection
- XSRF
- XSS in Converting File Content to Text by Mohammad Reza Omrani
- XSS in subtitle by Mohammad MortazaviZade
Vulnerabilities
- Allowing Domains or Accounts to Expire
- Buffer Overflow
- Business logic vulnerability
- CRLF Injection
- Catch NullPointerException
- Covert storage channel
- Deserialization of untrusted data
- Directory Restriction Error
- Doubly freeing memory
- Empty String Password
- Expression Language Injection
- Full Trust CLR Verification issue Exploiting Passing Reference Types by Reference
- Heartbleed Bug
- Improper Data Validation
- Improper pointer subtraction
- Information exposure through query strings in url by Robert Gilbert (amroot)
- Injection problem
- Insecure Compiler Optimization
- Insecure Deserialization by Vaibhav Malik
- Insecure Randomness
- Insecure Temporary File
- Insecure Third Party Domain Access
- Insecure Transport
- Insufficient Entropy
- Insufficient Session ID Length by Jake Karnes
- Least Privilege Violation
- Memory leak
- Missing Error Handling
- Missing XML Validation
- Multiple admin levels
- Null Dereference
- OWASP .NET Vulnerability Research
- Overly Permissive Regular Expression
- PHP File Inclusion
- PHP Object Injection by Egidio Romano
- PRNG Seed Error
- Password Management Hardcoded Password
- Password Plaintext Storage
- Poor Logging Practice by Weilin Zhong
- Portability Flaw
- Privacy Violation
- Process Control
- Return Inside Finally Block
- Session Variable Overloading
- String Termination Error
- The Follina Vulnerability - A Critical Threat to Microsoft Office by Tholkappiar
- Unchecked Error Condition
- Unchecked Return Value Missing Check against Null
- Undefined Behavior
- Unreleased Resource
- Unrestricted File Upload
- Unsafe JNI
- Unsafe Mobile Code
- Unsafe function call from a signal handler
- Unsafe use of Reflection
- Use of Obsolete Methods
- Use of hard-coded password
- Using a broken or risky cryptographic algorithm
- Using freed memory
- Vulnerability template
- XML External Entity (XXE) Processing
Other
- API Security Tools by Matt Tesauro
- ASP.NET Request Validation
- Access Control
- Anti CSRF Tokens ASP.NET
- Automated Audit using WAPITI
- Broken Access Control
- Code Sprint 2017
- Component Analysis by Steve Springett
- Double Encoding
- Fail Securely
- Free for Open Source Application Security Tools by Dave Wichers
- Fuzzing
- GSoC 2012 Ideas
- GSoC 2013 - ZAP SAML Support Status Updates
- GSoC 2013 Ideas
- GSoC 2014 Ideas
- GSoC 2015 Ideas
- GSoC 2016 Ideas
- GSoC 2017 Ideas
- GSoC 2018 Ideas
- GSoC 2019
- GSoC 2019
- GSoC 2019 Ideas
- GSoC 2020
- GSoC 2020 Ideas
- GSoC 2021
- GSoC 2021 Ideas
- GSoC 2022
- GSoC 2022 Ideas
- GSoC 2023
- GSoC 2023 Ideas
- GSoC 2024
- GSoC 2024 Ideas
- GSoC SAT
- Google Season of Docs 2019
- Google Season of Docs 2020
- Google Season of Docs 2021
- Hibernate
- How to Write Insecure Code
- HttpOnly
- Improper Error Handling
- Injection Flaws
- Injection Theory by Jeff Williams
- OWASP Application Security FAQ by Weilin Zhong
- OWASP Bug Bounty
- OWASP Community Meetings
- OWASP Favicon Database by Vlatko Kosturjak
- OWASP Risk Rating Methodology by Jeff Williams
- OWASP Risk Rating Methodology - Debate (Historic) by kingthorin
- OWASP Validation Regex Repository by Weilin Zhong, Achim
- Password Special Characters by Pawel Krawczyk
- Proactive Security: Catching Vulnerabilities Early in SLDC by Caleb Abhulimhen
- SameSite by Riramar, Pawel Krawczyk
- Secure Software Contract Annex by Jeff Williams
- Security Headers
- Session Timeout
- Slow Down Online Guessing Attacks with Device Cookies by Anton Dedov
- Source Code Analysis Tools
- Threat Modeling by Victoria Drake
- Threat Modeling Process by Larry Conklin
- Types of XSS
- Using the Java Cryptographic Extensions
- Virtual Patching Best Practices
- Vulnerability Scanning Tools
- Web Application Firewall
- Winter Code Sprint 2014
- XSS Filter Evasion Cheat Sheet - Redirect
Contributing
OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.
To contribute, go to the repository for this site.
Go into the pages folder and create a new file. Save and commit the file.
Include the following front matter and include in your file (for example, see: pages/password-special-characters.md in this repository):
---
layout: col-sidebar
title: [title of page]
author: [author name]
contributors: [contributors]
permalink: [direct link to page, removes /pages] (this is optional and requires some care)
tags: [attack, XSS, etc]
---
{% include writers.html %}
Please ensure your content contribution is based on original work/thought and not plagiarised. Also, please ensure that contributions are vendor/product neutral.
OWASP Initiatives
Google Summer of Code
Information related to OWASP’s participation in Google Summer of Code (GSoC) since 2012 can be found here.
Google Season of Docs
Information related to OWASP’s participation in Google Season of Docs (GSoD) since 2019 can be found here.
Code Sprints
At various points in OWASP’s history the organization has run Code Sprints similar to GSoC in order to give students and the community “real-life” development experience, and as a mechanism by which code projects can grow and be enhanced.
Information related to OWASP Code Sprints can be found here.
OWASP Bug Bounty
Information related to OWASP’s BugCrowd programs can be found here.