<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
  <title>appsec.fyi — OWASP ZAP</title>
  <link>https://appsec.fyi/tools.html#owasp-zap</link>
  <description>Curated OWASP ZAP resources from appsec.fyi</description>
  <language>en-us</language>
  <atom:link href="https://appsec.fyi/feeds/tool/owasp-zap.xml" rel="self" type="application/rss+xml"/>
  <lastBuildDate>Sun, 07 Jun 2026 04:05:35 +0000</lastBuildDate>
  <managingEditor>carl@chs.us (Carl Sampson)</managingEditor>
  <item>
    <title>OWASP Top 10 for LLMs 2025: Key Risks and Mitigation Strategies</title>
    <link>https://www.invicti.com/blog/web-security/owasp-top-10-risks-llm-security-2025</link>
    <guid isPermaLink="true">https://www.invicti.com/blog/web-security/owasp-top-10-risks-llm-security-2025</guid>
    <description>Survey of the OWASP Top 10 for LLM Applications (2025), detailing evolving technical and socio-technical risks like prompt injection and excessive agency. This updated list guides enterprises in securing generative AI ecosystems, from training pipelines to plugins, addressing data disclosure and systemic vulnerabilities relevant to GDPR, HIPAA, CCPA, and the EU AI Act. Invicti&#x27;s proof-based scanning and LLM-specific checks are presented as tools to validate real risks and strengthen defenses.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Sat, 11 Apr 2026 16:40:09 +0000</pubDate>
  </item>
  <item>
    <title>OWASP WSTG: Testing JSON Web Tokens</title>
    <link>https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens</link>
    <guid isPermaLink="true">https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens</guid>
    <description>Reference detailing OWASP&#x27;s Web Security Testing Guide (WSTG) procedures for testing JSON Web Tokens (JWTs). It covers analyzing JWT headers and payloads for sensitive data, testing for tampering vulnerabilities, and verifying signature integrity. Specific attack vectors discussed include exploiting the &quot;none&quot; algorithm, the ECDSA &quot;psychic signatures&quot; vulnerability (CVE-2022-21449), weak HMAC key cracking using tools like crackjwt.py and John the Ripper, and HMAC vs. public key confusion attacks.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">intermediate</category>
    <pubDate>Fri, 10 Apr 2026 21:21:41 +0000</pubDate>
  </item>
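Added example for the WSTG JWT entry above (editor's code, not from the WSTG page): a minimal HS256 signer plus two verifiers written against Python's standard library. verify_vulnerable obeys whatever alg the token header declares, so a forged alg=none token with an empty signature is accepted; verify_hardened pins HS256 server-side and checks the header against that pin, which is also the mitigation for HMAC-vs-public-key confusion, since the server and not the token decides both algorithm and key type. crack_hs256 is a toy offline dictionary attack standing in for crackjwt.py or John the Ripper. The secret and wordlist are constructed for the demo; all function names are the example's own.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    """Re-add the padding JWS strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(secret: bytes, signing_input: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Legitimate issuer: header.payload signed with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = _hs256(secret, f"{header}.{payload}".encode())
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_none(claims: dict) -> str:
    """Attacker: any claims, alg set to 'none', empty signature segment."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Obeys the alg the token declares, so a forged alg=none token is accepted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    expected = _hs256(secret, f"{header_b64}.{payload_b64}".encode())
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """Pins the algorithm server-side. The header's alg is compared with the
    pinned value, never used to choose the verification routine, which closes
    both the alg=none path and HMAC/public-key confusion."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = _hs256(secret, f"{header_b64}.{payload_b64}".encode())
        if not hmac.compare_digest(expected, signature):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, bad UTF-8
        return None


def crack_hs256(token: str, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack on the HMAC secret: no requests to the target,
    one HMAC per candidate. crackjwt.py and John do the same at scale."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    target = b64url_decode(sig_b64)
    signing_input = f"{header_b64}.{payload_b64}".encode()
    for word in wordlist:
        if hmac.compare_digest(_hs256(word.encode(), signing_input), target):
            return word
    return None


if __name__ == "__main__":
    secret = b"secret123"  # constructed weak secret for the demo
    real = sign_hs256({"sub": "alice", "role": "user"}, secret)
    forged = forge_none({"sub": "alice", "role": "admin"})
    print("hardened accepts real token :", verify_hardened(real, secret))
    print("vulnerable accepts forged   :", verify_vulnerable(forged, secret))
    print("hardened accepts forged     :", verify_hardened(forged, secret))
    print("recovered secret            :", crack_hs256(real, ["password", "letmein", "secret123"]))
```

In a real test, feed crack_hs256 a captured token and a proper wordlist; if it returns a secret, you can mint tokens for any subject and role, which is the finding to report.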
  <item>
    <title>BLA9:2025 Broken Access Control - OWASP</title>
    <link>https://owasp.org/www-project-top-10-for-business-logic-abuse/docs/the-top-10/broken-access-control</link>
    <guid isPermaLink="true">https://owasp.org/www-project-top-10-for-business-logic-abuse/docs/the-top-10/broken-access-control</guid>
    <description>Reference detailing BLA9:2025 Broken Access Control, an entry in the OWASP Top 10 for Business Logic Abuse. It explains how missing role checks, logic that trusts client-supplied parameters, overly broad permissions, and identifier tampering (BOLA) let attackers perform unauthorized operations. Examples include a GitLab branch deletion flaw and privilege escalation in hay-kot mealie v2.2.0; the entry maps to CWE-862 and CWE-863 and references CVE-2021-39931 and CVE-2023-3290.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Fri, 10 Apr 2026 01:56:58 +0000</pubDate>
  </item>
  <item>
    <title>OWASP A01: Broken Access Control Risks and Prevention</title>
    <link>https://blog.securelayer7.net/understanding-broken-access-control/</link>
    <guid isPermaLink="true">https://blog.securelayer7.net/understanding-broken-access-control/</guid>
    <description>Library detailing OWASP A01: Broken Access Control risks and prevention. This resource clarifies the distinction between authentication and authorization, highlights the importance of the principle of least privilege (PoLP) and Role-Based Access Control (RBAC), and provides a Python Flask code snippet demonstrating secure RBAC implementation. It further explains how vulnerabilities manifest through techniques like URL manipulation and parameter tampering, and identifies common failure scenarios such as Insecure Direct Object References (IDOR) and missing function-level access control.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Fri, 10 Apr 2026 01:56:53 +0000</pubDate>
  </item>
  <item>
    <title>OWASP-TOP-10 A01:2025 Broken Access Control</title>
    <link>https://github.com/R-Galarza/OWASP-TOP-10---Web-Application-Security-Risks/blob/main/A01:2025%20Broken%20Access%20Control.md</link>
    <guid isPermaLink="true">https://github.com/R-Galarza/OWASP-TOP-10---Web-Application-Security-Risks/blob/main/A01:2025%20Broken%20Access%20Control.md</guid>
    <description>Library detailing Broken Access Control, a critical OWASP Top 10 risk where applications fail to enforce user restrictions. This resource highlights how attackers can exploit missing or client-side enforced authorization checks, using tools like Burp Suite to directly access backend administrative endpoints. It demonstrates the vulnerability through a case study of an application trusting client-side role validation, leading to unauthorized data access, privilege escalation, and account compromise, and emphasizes implementing server-side authorization and the principle of least privilege for mitigation.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Fri, 10 Apr 2026 01:56:53 +0000</pubDate>
  </item>
  <item>
    <title>IDOR - OWASP Foundation</title>
    <link>https://owasp.org/www-community/attacks/insecure_direct_object_reference</link>
    <guid isPermaLink="true">https://owasp.org/www-community/attacks/insecure_direct_object_reference</guid>
    <description>Reference detailing Insecure Direct Object Reference (IDOR) vulnerabilities, a class of Broken Access Control (OWASP Top 10 A01:2025). IDOR occurs when applications expose internal object references, like database keys or file names, without verifying user authorization, allowing attackers to access unauthorized resources by modifying these references in URL path parameters, query strings, or request bodies. Prevention strategies include enforcing server-side authorization, using non-sequential identifiers, applying the principle of least privilege, and validating access at the data layer.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Fri, 10 Apr 2026 01:55:39 +0000</pubDate>
  </item>
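Added example covering the three access-control entries above (the securelayer7 A01 write-up, the R-Galarza case study of client-side role validation, and the OWASP IDOR page); this is editor's code, not taken from any of those pages. It models two handlers: an invoice read with an IDOR, beside the same read with an object-level ownership check, and a delete whose function-level check trusts a client-supplied role parameter, beside one that takes the role from the server-side session. USERS, INVOICES, SESSIONS and the request dicts are constructed sample state; the function names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str


# Constructed sample state: three accounts, two invoices, three live sessions.
USERS: Dict[int, User] = {1: User(1, "user"), 2: User(2, "user"), 99: User(99, "admin")}
INVOICES: Dict[int, dict] = {
    1001: {"owner_id": 1, "total": 42},
    1002: {"owner_id": 2, "total": 1300},
}
SESSIONS: Dict[str, int] = {"sess-alice": 1, "sess-bob": 2, "sess-root": 99}


def current_user(request: dict) -> Optional[User]:
    """Authentication: map the session cookie to a server-side identity."""
    user_id = SESSIONS.get(request.get("session", ""))
    return USERS.get(user_id) if user_id is not None else None


def _invoice_id(request: dict) -> Optional[int]:
    """Parse the client-supplied id; anything non-numeric is treated as absent."""
    try:
        return int(request.get("params", {}).get("id", ""))
    except ValueError:
        return None


def get_invoice_vulnerable(request: dict) -> Optional[dict]:
    """IDOR: the caller is authenticated, but whichever id they name is returned."""
    if current_user(request) is None:
        return None
    invoice_id = _invoice_id(request)
    return INVOICES.get(invoice_id) if invoice_id is not None else None


def get_invoice_hardened(request: dict) -> Optional[dict]:
    """Object-level authorization: the caller must own the record or be admin.
    Denied and missing look identical, so ids cannot be enumerated by response."""
    user = current_user(request)
    invoice_id = _invoice_id(request)
    if user is None or invoice_id is None:
        return None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if user.role != "admin" and invoice["owner_id"] != user.user_id:
        return None
    return invoice


def authorize_delete_vulnerable(request: dict) -> bool:
    """Function-level check that trusts a role parameter sent by the client."""
    if current_user(request) is None:
        return False
    return request.get("params", {}).get("role") == "admin"


def authorize_delete_hardened(request: dict) -> bool:
    """Role comes from the server-side session record; the request body is ignored."""
    user = current_user(request)
    return user is not None and user.role == "admin"


if __name__ == "__main__":
    bob_reads_alice = {"session": "sess-bob", "params": {"id": "1001"}}
    escalate = {"session": "sess-bob", "params": {"id": "1001", "role": "admin"}}
    print("IDOR read (vulnerable):", get_invoice_vulnerable(bob_reads_alice))
    print("IDOR read (hardened):  ", get_invoice_hardened(bob_reads_alice))
    print("delete via role param (vulnerable):", authorize_delete_vulnerable(escalate))
    print("delete via role param (hardened):  ", authorize_delete_hardened(escalate))
```

When testing with ZAP, the same two checks translate to replaying a request with another user's session and a changed id, and to adding role-like parameters to privileged requests; a 200 with another user's data in either case is the finding.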
  <item>
    <title>Insecure Deserialization | OWASP</title>
    <link>https://owasp.org/www-community/vulnerabilities/Insecure_Deserialization</link>
    <guid isPermaLink="true">https://owasp.org/www-community/vulnerabilities/Insecure_Deserialization</guid>
    <description>Reference on Insecure Deserialization, a vulnerability that allows attackers to execute code or manipulate objects by abusing an application&#x27;s deserialization process with untrusted data. This vulnerability can lead to remote code execution, denial-of-service, and privilege escalation. Mitigations include avoiding deserialization of untrusted data, implementing integrity checks, enforcing strict type constraints, isolating deserialization code, logging exceptions, monitoring the process, and using alternative formats like JSON.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Fri, 03 Apr 2026 15:51:09 +0000</pubDate>
  </item>
  <item>
    <title>OWASP CRS Vulnerability Enables Charset Validation Bypass</title>
    <link>https://gbhackers.com/owasp-crs-vulnerability/</link>
    <guid isPermaLink="true">https://gbhackers.com/owasp-crs-vulnerability/</guid>
    <description>News item on CVE-2026-21876 in OWASP CRS, a critical flaw that lets attackers bypass WAF charset validation. Affecting CRS 3.3.x and 4.0.0 through 4.21.0 on ModSecurity, Coraza, and libmodsecurity, the rule validated only the last multipart part&#x27;s charset, so an earlier part could declare a different encoding and smuggle XSS and other encoding-based payloads past the WAF. The fix in CRS 4.22.0 and 3.3.8 validates every detected charset.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">news</category>
    <pubDate>Fri, 09 Jan 2026 17:56:42 +0000</pubDate>
  </item>
  <item>
    <title>OWASP CRS Vulnerability Allows Attackers to Bypass Charset Validation</title>
    <link>https://cyberpress.org/owasp-crs-vulnerability/</link>
    <guid isPermaLink="true">https://cyberpress.org/owasp-crs-vulnerability/</guid>
    <description>Writeup of CVE-2026-21876 in OWASP CRS, a critical vulnerability that lets attackers bypass charset validation by abusing how ModSecurity processes chained rules. Rule 922110 validated only the final multipart part of a request, leaving earlier parts uninspected, so a UTF-7 encoded XSS payload placed in an earlier part passed through. Patches in CRS 4.22.0 and CRS 3.3.8 close the bypass by validating all charset parameters.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">news</category>
    <pubDate>Fri, 09 Jan 2026 12:21:25 +0000</pubDate>
  </item>
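Added example for the two CVE-2026-21876 entries above (editor's code, a model of the flaw as those write-ups describe it, not the CRS rule 922110 logic itself): a tiny multipart parser that collects the charset parameter of every part, a check that validates only the last charset seen, and the corrected check that validates all of them. The request body is constructed, with the first part declaring utf-7 and carrying a UTF-7 encoded script tag while the last part declares utf-8; the allow-list is an assumption in the spirit of CRS's default, not copied from the rule set; the function names are the example's own.

```python
import re
from typing import List, Set, Tuple

BOUNDARY = "----zapdemo"
# Constructed request body: the FIRST part declares utf-7 and carries a UTF-7
# encoded script tag; the LAST part declares a harmless utf-8 charset.
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    "Content-Disposition: form-data; name=\"comment\"\r\n"
    "Content-Type: text/plain; charset=utf-7\r\n"
    "\r\n"
    "+ADw-script+AD4-alert(1)+ADw-/script+AD4-\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Disposition: form-data; name=\"note\"\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "looks harmless\r\n"
    f"--{BOUNDARY}--\r\n"
)
# Assumed allow-list; CRS ships its own default list.
ALLOWED_CHARSETS: Set[str] = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}

_CHARSET_RE = re.compile(r'charset="?([\w-]+)', re.IGNORECASE)


def split_parts(body: str, boundary: str) -> List[Tuple[str, str]]:
    """Return (headers, data) per part; the preamble and closing '--' are skipped."""
    parts = []
    for segment in body.split(f"--{boundary}"):
        segment = segment.strip("\r\n")
        if not segment or segment == "--":
            continue
        headers, _, data = segment.partition("\r\n\r\n")
        parts.append((headers, data))
    return parts


def declared_charsets(body: str, boundary: str) -> List[str]:
    """Charset parameter of each part's Content-Type, in order ('' when absent)."""
    result = []
    for headers, _ in split_parts(body, boundary):
        content_type = ""
        for line in headers.split("\r\n"):
            if line.lower().startswith("content-type:"):
                content_type = line
        match = _CHARSET_RE.search(content_type)
        result.append(match.group(1).lower() if match else "")
    return result


def check_vulnerable(body: str, boundary: str, allowed: Set[str]) -> bool:
    """Pre-fix behaviour: only the last charset seen is validated.
    Returns True when the request would be allowed through."""
    charsets = declared_charsets(body, boundary)
    last = charsets[-1] if charsets else ""
    return last == "" or last in allowed


def check_hardened(body: str, boundary: str, allowed: Set[str]) -> bool:
    """The fix: every declared charset must be on the allow-list."""
    return all(c == "" or c in allowed for c in declared_charsets(body, boundary))


def decoded_parts(body: str, boundary: str) -> List[str]:
    """What a backend honouring each part's own charset would actually see."""
    out = []
    for charset, (_, data) in zip(declared_charsets(body, boundary), split_parts(body, boundary)):
        out.append(data.encode("ascii").decode(charset or "utf-8"))
    return out


if __name__ == "__main__":
    print("charsets declared:", declared_charsets(SAMPLE_BODY, BOUNDARY))
    print("last-only check lets it through:", check_vulnerable(SAMPLE_BODY, BOUNDARY, ALLOWED_CHARSETS))
    print("all-parts check lets it through:", check_hardened(SAMPLE_BODY, BOUNDARY, ALLOWED_CHARSETS))
    print("backend sees:", decoded_parts(SAMPLE_BODY, BOUNDARY))
```

The decoded first part is what makes the bypass matter: a filter that only looks at the raw bytes sees no angle brackets, while a consumer that honours the per-part charset reconstructs the script tag.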
  <item>
    <title>OWASP Videos</title>
    <link>https://videos.owasp.org/</link>
    <guid isPermaLink="true">https://videos.owasp.org/</guid>
    <description>Landing page for the OWASP Foundation&#x27;s video library. OWASP is a non-profit organization focused on improving software security, and its videos cover web application security topics such as best practices, vulnerabilities, and tools for securing web applications.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Thu, 14 Aug 2025 04:31:18 +0000</pubDate>
  </item>
  <item>
    <title>XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP</title>
    <link>https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#A_Positive_XSS_Prevention_Model</link>
    <guid isPermaLink="true">https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#A_Positive_XSS_Prevention_Model</guid>
    <description>Reference detailing XSS prevention techniques, emphasizing the necessity of combining defensive measures. It highlights how modern frameworks like React and Angular mitigate XSS through templating and auto-escaping, yet points out potential vulnerabilities when these frameworks are used insecurely, such as with React&#x27;s `dangerouslySetInnerHTML` or Angular&#x27;s `bypassSecurityTrustAs*` functions. The guide stresses the importance of output encoding, including HTML entity, attribute, JavaScript, CSS, and URL encoding, with specific advice on safe sinks like `.textContent` and `.setAttribute`.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Thu, 14 Aug 2025 04:04:47 +0000</pubDate>
  </item>
  <item>
    <title>Sec_Mind_Maps/OWASP API TOP 10.pdf at main · h0tak88r/Sec_Mind_Maps</title>
    <link>https://github.com/h0tak88r/Sec_Mind_Maps/blob/main/OWASP%20API%20TOP%2010.pdf</link>
    <guid isPermaLink="true">https://github.com/h0tak88r/Sec_Mind_Maps/blob/main/OWASP%20API%20TOP%2010.pdf</guid>
    <description>OWASP API Top 10 mind map (PDF) from h0tak88r&#x27;s Sec_Mind_Maps, a collection of cyber security mind maps hosted on GitHub.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Mon, 23 Sep 2024 00:19:36 +0000</pubDate>
  </item>
  <item>
    <title>DOM Based XSS | OWASP Foundation</title>
    <link>https://owasp.org/www-community/attacks/DOM_Based_XSS</link>
    <guid isPermaLink="true">https://owasp.org/www-community/attacks/DOM_Based_XSS</guid>
    <description>Reference detailing DOM-based XSS (Type-0 XSS), a vulnerability where client-side scripts execute unexpectedly due to malicious modifications of the DOM environment, not the HTTP response itself. It provides examples, including a `decodeURIComponent` vulnerability and the fragment-based technique to bypass server-side detection, and mentions attacks against Adobe PDF plugins. The entry also references testing tools like DOM Snitch and the DOM XSS Wiki.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Mon, 22 Jul 2024 18:49:33 +0000</pubDate>
  </item>
  <item>
    <title>Favorite tweet by @ZAProxyCon</title>
    <link>https://twitter.com/ZAProxyCon/status/1493783651011612681</link>
    <guid isPermaLink="true">https://twitter.com/ZAProxyCon/status/1493783651011612681</guid>
    <description>Favorite tweet:

You&#x27;re invited to #ZAPCon 2022! ⚡️ Whether you are just getting started, or have a decade of experience with ZAP, ZAPCon will level-up your AppSec skills. 100% Virtual. 100% Free! 🎟️ ...</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Sun, 27 Feb 2022 22:12:49 +0000</pubDate>
  </item>
  <item>
    <title>OWASP Videos</title>
    <link>https://videos.owasp.org</link>
    <guid isPermaLink="true">https://videos.owasp.org</guid>
    <description>The OWASP Foundation hosts videos on its website to educate about software security. OWASP is a nonprofit organization dedicated to enhancing software security.</description>
    <category domain="tool">OWASP ZAP</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Fri, 31 Jan 2020 22:27:08 +0000</pubDate>
  </item>
</channel>
</rss>