owasp.org
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.
Topics (number of indexed resources): AuthN 4, AuthZ 4, XSS 4, API Sec 3, SSRF 3, Talks 3, Deser 2, Python 2, SQLi 2, Bug Bounty 1, CSRF 1, GraphQL 1, IDOR 1, JWT 1, Mobile 1, Recon 1, SSTI 1, Supply Chain 1
| Date Added | Resource | Topics | Excerpt |
|---|---|---|---|
| 2026-04-22 | OWASP Test for Subdomain Takeover | Recon | Library for testing subdomain takeover vulnerabilities, which occur when a subdomain's DNS record points to an external service that no longer exists or is inactive and the provider does not verify ownership of the name. An attacker can then claim the subdomain and use it for phishing or credential theft. The test covers A, CNAME and NS records and describes black-box and gray-box testing with tools such as `dig` and `dnsrecon`. |
| 2026-04-19 | OWASP Top 10 2025 — A01 Broken Access Control | AuthZ | Reference for OWASP Top 10:2025 A01 Broken Access Control, the category that ranks first in the 2025 data. It lists common weaknesses such as insecure direct object references, privilege escalation, JWT manipulation, CORS misconfiguration and forced browsing. Prevention guidance emphasizes server-side enforcement, deny by default, robust and centrally implemented access control mechanisms, and session management that invalidates or rotates credentials (short-lived JWTs with refresh tokens). The entry also lists related CWEs, among them CWE-200, CWE-201, CWE-918 (SSRF) and CWE-352 (CSRF), and gives example attack scenarios. |
| 2026-04-17 | Exploiting deserialization in recent Java versions (OWASP Stuttgart) | Deser | No excerpt is indexed for this entry; only its title is recorded. |
| 2026-04-17 | OWASP WSTG: Testing GraphQL | GraphQL | Library detailing the OWASP Web Security Testing Guide (WSTG) v4.2 procedure for testing GraphQL APIs. It covers introspection queries, authorization testing and generic API attacks such as SQL injection, using tools such as GraphQL Voyager, GraphiQL and GraphQL Playground to find misconfigurations and vulnerabilities, with the poc-graphql application as the test target. |
| 2026-04-16 | OWASP API Security Testing Framework | API Sec | Library for automated API security validation: the OWASP API Security Testing Framework (ASTF) identifies vulnerabilities mapped to the OWASP API Security Top 10. It supports REST, GraphQL and gRPC and offers a test suite, CI/CD integration, customizable rules and reporting with remediation guidance, drawing on real-world attack patterns. |
| 2026-04-10 | OWASP WSTG: Testing for Session Fixation | AuthN | Reference detailing the OWASP WSTG procedure for testing session fixation. It explains how to identify and exploit applications that keep the same session cookie across authentication, which lets an attacker who planted a known session ID before login impersonate the user afterwards. It covers the network-attacker case, the role of session cookie integrity, and remediation by issuing a fresh session token on login; it also recommends full HSTS adoption or the `__Host-`/`__Secure-` cookie prefixes. |
| 2026-04-10 | OWASP: Session Fixation Protection | AuthN | Reference outlining a session fixation countermeasure for classic ASP. A secondary cookie named `ASPFIXATION` stores a random value that is kept in sync with a session variable; when the two do not match, which indicates a possible attack, the user is redirected to the login page. The implementation uses a `RandomString` function to generate the value and `AntiFixationInit` and `AntiFixationVerify` subroutines to set and check the cookie and session values. |
| 2026-04-10 | OWASP: Session fixation attack | AuthN | Reference on session fixation, in which an attacker hijacks a user's session by getting the user to authenticate under a session ID the attacker already knows. The article covers delivery techniques such as session tokens in URLs and hidden form fields, cookies set through client-side script (for example via XSS) or `META` tags, and manipulated `Set-Cookie` response headers. It contrasts fixation with session hijacking: fixation takes place before the user logs in. |
| 2026-04-10 | OWASP Top 10 A07: Identification and Authentication Failures | AuthN | Reference on OWASP Top 10 A07: Identification and Authentication Failures, covering credential stuffing, brute force, weak passwords and improper session management. Prevention guidance emphasizes multi-factor authentication, no default credentials, password policies aligned with NIST 800-63b, hardening against account enumeration, and secure session handling. Example scenarios include session identifiers exposed in URLs and sessions not invalidated on logout. |
| 2026-04-10 | OWASP Testing for Server Side Template Injection | SSTI | Reference for testing Server-Side Template Injection (SSTI), which arises when user input is embedded unsafely in template engines such as Jinja2 and Twig and can lead to remote code execution. The guide covers finding injection points, fingerprinting the template engine, and building exploits, referencing tools such as Tplmap and Burp Suite extensions, and treats both plaintext and code contexts. |
| 2026-04-10 | OWASP WSTG: Testing JSON Web Tokens | JWT | Reference detailing the OWASP WSTG procedure for testing JSON Web Tokens (JWTs). It covers inspecting headers and payloads for sensitive data, tampering tests, and signature verification. Attack vectors discussed include the `none` algorithm, the ECDSA "psychic signatures" bug (CVE-2022-21449), cracking weak HMAC secrets with tools such as crackjwt.py and John the Ripper, and the HMAC/public-key algorithm confusion attack. |
| 2026-04-10 | BLA9:2025 Broken Access Control - OWASP | AuthZ | Reference for BLA9:2025 Broken Access Control, an entry in the OWASP Top 10 for Business Logic Abuse (not the main OWASP Top 10). It explains how missing role checks, logic that trusts client-supplied parameters, overly broad permissions, and identifier tampering (BOLA) let attackers perform unauthorized operations. Examples include a GitLab branch deletion flaw and privilege escalation in hay-kot/mealie v2.2.0, mapped to CWE-862 and CWE-863 and referencing CVE-2021-39931 and CVE-2023-3290. |
| 2026-04-10 | OWASP Global & Regional Events | Talks | Events hosted by OWASP give application security professionals opportunities to network and build career skills. They include the global OWASP Global AppSec EU and USA conferences and regional AppSec Days in locations such as Italy, Germany, France and Israel. Topics range across AI security and DevSecOps, and events often feature expos, Capture the Flag competitions and career fairs. OWASP also partners with other major conferences to provide member benefits. |
| 2026-04-10 | OWASP AppSec Days Developer Security Summit | Talks | The indexed page is an unfilled OWASP site template rather than summit content: its text is the placeholder guidance on setting front-matter fields such as `layout`, `title` and `tags` for a project or chapter page and on adding news, screenshots, features or supporter information. |
| 2026-04-10 | IDOR - OWASP Foundation | IDOR | Reference detailing Insecure Direct Object Reference (IDOR), a form of Broken Access Control (OWASP Top 10 A01:2025). IDOR occurs when an application exposes internal object references such as database keys or file names without checking that the requesting user is authorized for that object, so an attacker can reach other users' resources by changing the reference in a URL path parameter, query string or request body. Prevention includes server-side authorization checks, non-sequential identifiers, least privilege, and access validation at the data layer. |
| 2026-04-10 | CSRF - OWASP Foundation | CSRF | Reference on Cross-Site Request Forgery (CSRF), which forces an authenticated user to perform unwanted state-changing requests. It describes how victims are lured via social engineering, notes that a forged request from an administrative user can compromise the whole application, and covers login CSRF. The page lists prevention techniques that do not work, shows GET- and POST-based attack scenarios, and points to frameworks with built-in CSRF protection and to OWASP CSRFGuard. |
| 2026-04-10 | SQL Injection - OWASP | SQLi | Reference on SQL injection, in which attacker-controlled input is incorporated into SQL queries so that the attacker can read, modify or delete database data. It covers common vectors, the high severity of the flaw, and exploitation examples in PHP, ASP, J2EE and ASP.NET applications, and points to prevention guidance such as parameterized statements and the code review guide. |
| 2026-04-03 | SQL Injection Bypassing WAF \| OWASP | SQLi | Guide to bypassing Web Application Firewalls (WAFs) in SQL injection attacks, covering normalization weaknesses, HTTP Parameter Pollution (HPP), HTTP Parameter Fragmentation (HPF), and blind SQL injection. It lists bypass strings and payload variants for common database functions and operators, showing how signature-based detection is evaded and application logic flaws exploited. |
| 2026-04-03 | XML External Entity (XXE) Processing \| OWASP | XXE | Reference on XML External Entity (XXE) processing (CWE-611), where XML input is parsed by a weakly configured parser. Consequences include sensitive data disclosure, denial of service, server-side request forgery and, in some environments, code execution. The entry explains how external entities are declared and resolved, gives examples such as reading local files (`file:///etc/passwd`) and including remote resources (`http://www.attacker.com/text.txt`), and recommends disabling DTD processing as the primary mitigation. |
| 2026-04-03 | Insecure Deserialization \| OWASP | Deser | Reference on insecure deserialization, in which untrusted data fed to an application's deserialization routine lets an attacker execute code or manipulate objects, leading to remote code execution, denial of service or privilege escalation. Mitigations include not deserializing untrusted data at all, integrity checks on serialized data, strict type constraints, isolating deserialization code, logging exceptions, monitoring the process, and preferring data-only formats such as JSON. |
| 2026-04-03 | A03 Software Supply Chain Failures - OWASP Top 10:2025 | Supply Chain | Reference for OWASP Top 10:2025 A03 Software Supply Chain Failures, covering breakdowns in how software is built, distributed or updated that are caused by third-party code, tools or dependencies. It highlights unpatched components (for example CWE-1104, CWE-1395), untracked dependencies and vulnerable CI/CD pipelines, citing the SolarWinds compromise, the Bybit theft and the Shai-Hulud npm worm, and vulnerabilities such as CVE-2017-5638. Prevention involves SBOM management, continuous vulnerability monitoring (CVE, NVD, OSV), securing developer tooling, and strict change control and hardening for repositories and build servers. |
| 2026-04-03 | OWASP Mobile Top 10 | Mobile | Reference detailing the OWASP Mobile Top 10 for 2024, including Improper Credential Usage, Inadequate Supply Chain Security and Insecure Communication, and the data-driven methodology used to identify and rank the risks, with a comparison to the 2016 and 2014 lists. |
| 2026-04-03 | OWASP API Security Top 10 | API Sec | Project providing awareness of and mitigation strategies for common API security risks. It documents the Top 10 API Security Risks, offers best practices for secure API development, and encourages community collaboration as threats evolve. The material is licensed under Creative Commons. |
| 2026-04-03 | Testing for Privilege Escalation \| OWASP WSTG | AuthZ | Guide to privilege escalation testing in the OWASP Web Security Testing Guide. It describes how to find and exploit flaws that let a user reach resources or functionality beyond their authorization, including manipulation of user group, profile and condition values and of IP addresses, and bypassing the authorization schema by switching session identifiers, with examples of testing for both vertical and horizontal escalation. |
| 2026-04-03 | Testing for Insecure Direct Object References \| OWASP WSTG | AuthZ | Guide to testing for Insecure Direct Object References (IDOR), where access to an object is granted on the basis of user-supplied input. It shows how attackers bypass authorization by altering parameters used to fetch database records, perform operations, reach file system resources or invoke application functions. The guide recommends mapping every object reference point, assessing its access controls, and testing with several accounts that own different objects and hold different privileges. |
| 2026-04-03 | OWASP API Security Project \| OWASP Foundation | API Sec | Project page for OWASP's API security strategies and guidance. It presents the API Security Top 10 2023: Broken Object Level Authorization, Broken Authentication, Broken Object Property Level Authorization, Unrestricted Resource Consumption, Broken Function Level Authorization, Unrestricted Access to Sensitive Business Flows, Server Side Request Forgery, Security Misconfiguration, Improper Inventory Management, and Unsafe Consumption of APIs. The project is licensed under Creative Commons Attribution-ShareAlike 4.0 and maintained on GitHub. |
| 2026-03-01 | Server Side Request Forgery - OWASP Foundation | SSRF | Library detailing Server-Side Request Forgery (SSRF), in which an attacker abuses server-side URL fetching to reach resources the server can see but the attacker cannot. Common targets include the AWS instance metadata service at `http://169.254.169.254/`, internal NoSQL databases that expose HTTP interfaces, and local files via `file://` URIs. |
| 2025-08-14 | Cross Site Scripting (XSS) \| OWASP Foundation | XSS | Reference on Cross-Site Scripting (XSS), in which malicious script is injected into trusted websites through unvalidated user input. It distinguishes Reflected, Stored and DOM-Based XSS, lists consequences such as session hijacking and content manipulation, and points to the XSS Prevention Cheat Sheet and the OWASP ESAPI project for mitigation. It also mentions scanners such as Nessus and Nikto. |
| 2025-08-14 | XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP | XSS | Reference detailing XSS prevention and the need to combine defenses. It explains how frameworks such as React and Angular mitigate XSS through templating and auto-escaping, and where they can be undermined, for instance React's `dangerouslySetInnerHTML` or Angular's `bypassSecurityTrustAs*` functions. It stresses context-specific output encoding (HTML entity, attribute, JavaScript, CSS and URL) and names safe sinks such as `.textContent` and `.setAttribute`. |
| 2025-08-14 | A10 Server Side Request Forgery (SSRF) - OWASP Top 10:2021 | SSRF | Entry for A10:2021 Server Side Request Forgery, in which an attacker induces the server to make requests to destinations of the attacker's choosing, potentially exposing internal services and data. SSRF was a stand-alone category in the 2021 list; the 2025 edition folds it into A01 Broken Access Control, where CWE-918 now appears. |
| 2025-08-14 | WSTG - v4.2 \| OWASP Foundation | SSRF | Guide for testing Server-Side Request Forgery in web applications. It explains how SSRF can give attackers access to restricted actions, internal services or files and can escalate to remote code execution, and covers finding injection points, confirming exploitability, rating severity, and bypassing filters with decimal, octal and shortened IP representations and other URL obfuscation. It also discusses blind SSRF and recommends allow lists for remediation. |
| 2024-07-22 | DOM Based XSS \| OWASP Foundation | Bug Bounty, XSS | Reference on DOM-based XSS (Type-0 XSS), where client-side script executes attacker input because the DOM environment is modified, not because the HTTP response contains the payload. It gives examples including a `decodeURIComponent` sink and the fragment-identifier technique, which keeps the payload out of the request the server sees and so out of server-side detection, and mentions attacks against Adobe PDF plugins. It references testing aids such as DOM Snitch and the DOM XSS Wiki. |
| 2022-09-13 | OWASP Pygoat | Python | Library for developers and testers to learn secure coding and application testing. Written in Python on the Django web framework, Pygoat contains vulnerabilities drawn from the OWASP Top 10, MITRE CVE and the SANS Top 25, such as XSS and SQLi, and exposes the source code beside each so users can find and fix the insecure pattern. |
| 2022-09-13 | OWASP Pygoat \| OWASP Foundation | Python | Library for learning application security: Pygoat is a Python platform built on Django that includes traditional web vulnerabilities such as XSS and SQLi and lets users read the source to understand and fix each flaw. Vulnerabilities map to the OWASP Top Ten, MITRE CVE and the SANS Top 25, making it a practical resource for developers and testers. |
| 2021-12-07 | Owasp bucharest 2017 antukh | Talks | No excerpt is indexed for this entry; only its title is recorded. |
| 2018-05-07 | XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP | XSS | Reference for preventing XSS, detailing output encoding and HTML sanitization. It addresses framework-specific gaps in React, Angular and others and the escape hatches `dangerouslySetInnerHTML` and `bypassSecurityTrustAs*`, covers context-specific encoding for HTML, HTML attributes, JavaScript (`\xHH`), CSS (inside property values) and URLs (`%HH`), and recommends safe sinks such as `.textContent`, `.setAttribute` and `style.property = x`. |
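The three session-fixation entries above (the WSTG test, the classic ASP countermeasure, and the attack write-up) describe one control from different sides: a session identifier issued before login must not survive login. The following Python example is added here to show that control end to end; it is not code from OWASP or from the indexed pages. `SessionStore`, `fixation_scenario` and `session_cookie` are constructed for this example, and the store is an in-memory stand-in for a real session backend.

```python
import secrets


class SessionStore:
    """Minimal in-memory server session store (constructed for this example).
    Keys are opaque session IDs; values hold per-session state."""

    def __init__(self):
        self._sessions = {}

    def get_or_create(self, presented_id=None):
        """Per-request handling: reuse a presented ID if the server knows it,
        otherwise mint a new one. A fixation attack relies on exactly this:
        an ID the attacker obtained from the site and planted in the victim's
        browser is accepted as-is."""
        if presented_id is not None and presented_id in self._sessions:
            return presented_id
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = {}
        return new_id

    def login_keep_id(self, session_id, user):
        """VULNERABLE login: the pre-authentication ID survives authentication,
        so whoever planted it is now logged in as `user`."""
        self._sessions[session_id]["user"] = user
        return session_id

    def login_rotate_id(self, session_id, user):
        """FIXED login: rotate the identifier at the privilege boundary. State
        worth keeping is carried over, the old ID is dropped from the store,
        and the caller must send the new ID in the response cookie."""
        state = self._sessions.pop(session_id, {})
        state["user"] = user
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = state
        return new_id

    def user_for(self, session_id):
        return self._sessions.get(session_id, {}).get("user")


def session_cookie(session_id):
    """Set-Cookie value using the __Host- prefix the WSTG entry recommends:
    browsers only accept it over HTTPS, with Path=/ and no Domain attribute,
    so a cookie planted from a sibling subdomain cannot shadow it."""
    return f"__Host-session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_scenario(rotate_on_login):
    """Play the attack through and report (user behind the attacker's planted
    ID, user behind the victim's post-login ID)."""
    store = SessionStore()
    planted = store.get_or_create()             # attacker obtains a valid pre-auth ID
    victim_id = store.get_or_create(planted)    # victim's browser now presents that ID
    login = store.login_rotate_id if rotate_on_login else store.login_keep_id
    victim_id = login(victim_id, "victim")      # victim authenticates
    return store.user_for(planted), store.user_for(victim_id)


if __name__ == "__main__":
    print("ID kept across login:", fixation_scenario(rotate_on_login=False))   # ('victim', 'victim')
    print("ID rotated on login :", fixation_scenario(rotate_on_login=True))    # (None, 'victim')
    print(session_cookie("example-id"))
```

Without rotation the planted identifier resolves to the authenticated user, which is the hijack; with rotation it resolves to nothing. Rotation belongs at every privilege change (login, step-up authentication, password change), not only at first login, and the old identifier must actually be removed from the store rather than merely replaced in the cookie.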
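For the WSTG JWT entry above, the following Python example, added here and not taken from OWASP or the WSTG, contrasts a verifier that lets the token header choose the algorithm with one that pins it, and runs the offline weak-secret attack that crackjwt.py and John the Ripper automate. It uses only the standard library; `DEMO_KEY`, `WORDLIST`, the payloads and all function names are constructed for the example. The HMAC/public-key confusion case is not reproduced (it needs an RSA key pair), but the pinned verifier defeats it for the same reason it defeats `alg: none`: nothing in the token decides which algorithm or key is used.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def _hs256(signing_input, key):
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def hs256_token(payload, key):
    """What the legitimate issuer produces: header, payload, HMAC-SHA256 signature."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    return signing_input + "." + _b64url_encode(_hs256(signing_input, key))


def none_token(payload):
    """What an attacker forges: header claims alg=none, signature segment left empty."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def _split(token):
    """Return (header_segment, payload_segment, signature_segment, parsed_header)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    return parts[0], parts[1], parts[2], header


def verify_trusting_header(token, key):
    """VULNERABLE: the token's own header selects the algorithm, so a forged
    alg=none token is accepted without any signature check.
    Returns the payload on success, None on failure."""
    try:
        h, p, s, header = _split(token)
        alg = header.get("alg")
        if alg == "none":
            return json.loads(_b64url_decode(p))
        if alg == "HS256" and hmac.compare_digest(_hs256(f"{h}.{p}", key), _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    except ValueError:          # bad base64, bad JSON, wrong segment count
        pass
    return None


def verify_pinned(token, key):
    """HARDENED: the verifier fixes the algorithm (HS256 with this key); the
    header must merely agree and a signature is mandatory. 'none' can never be
    selected, and an RS256 token replayed as HS256 fails for the same reason."""
    try:
        h, p, s, header = _split(token)
        if header.get("alg") != "HS256" or not s:
            return None
        if not hmac.compare_digest(_hs256(f"{h}.{p}", key), _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except ValueError:
        return None


def crack_hs256(token, candidates):
    """Offline weak-secret attack: one valid token is all that is needed.
    Returns the first candidate secret that reproduces the signature."""
    try:
        h, p, s, header = _split(token)
        if header.get("alg") != "HS256":
            return None
        target = _b64url_decode(s)
    except ValueError:
        return None
    for candidate in candidates:
        if hmac.compare_digest(_hs256(f"{h}.{p}", candidate), target):
            return candidate
    return None


# Constructed demo values, not from any real deployment.
DEMO_KEY = b"secret"
WORDLIST = [b"password", b"changeme", b"secret", b"letmein"]

if __name__ == "__main__":
    good = hs256_token({"sub": "alice", "role": "user"}, DEMO_KEY)
    forged = none_token({"sub": "alice", "role": "admin"})
    print("header-trusting verifier, forged token:", verify_trusting_header(forged, DEMO_KEY))
    print("pinned verifier, forged token:", verify_pinned(forged, DEMO_KEY))
    print("pinned verifier, genuine token:", verify_pinned(good, DEMO_KEY))
    print("secret recovered from genuine token:", crack_hs256(good, WORDLIST))
```

The cracking routine is also the test a reviewer runs against a production token: if a wordlist recovers the HMAC secret, every token the service ever issued can be forged. Secrets for HS256 should be at least as long as the hash output (32 random bytes) and never a human-chosen string.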
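The two SSRF testing entries above (the OWASP SSRF page and the WSTG guide) list the filter-bypass forms a tester tries: decimal, octal, hex and shortened IPv4 literals, IPv4-mapped IPv6, non-HTTP schemes such as `file://`, credentials in the URL, and hostnames that resolve into internal space. The following Python check, added here and not code from OWASP, is the defensive counterpart: it canonicalizes the host the way `inet_aton()` does before deciding, so the obfuscated spellings of 127.0.0.1 and 169.254.169.254 all collapse to the address actually contacted. `check_fetch_target`, `parse_ipv4_literal`, `BLOCKED_NETWORKS` and the stub resolver used in the test are constructed for this example; the default resolver is `socket.getaddrinfo`.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Destinations a server-side fetcher must never reach. The ipaddress flags
# (is_private, is_loopback, ...) are consulted as well; the explicit list keeps
# the policy reviewable and covers the cloud metadata range 169.254.0.0/16.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

_IPV4_LITERAL_CHARS = re.compile(r"[0-9A-Fa-fxX.]+")


def parse_ipv4_literal(host):
    """Decode an IPv4 literal with inet_aton() semantics, so that 2130706433
    (decimal), 0177.0.0.1 (octal), 0x7f.0.0.1 (hex) and 127.1 (shortened) all
    yield 127.0.0.1, exactly as the fetching library's resolver would see them.
    Returns None when host is not such a literal (for example a DNS name)."""
    if not _IPV4_LITERAL_CHARS.fullmatch(host):
        return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        try:
            if part[:2].lower() == "0x":
                values.append(int(part[2:], 16))
            elif len(part) > 1 and part[0] == "0":
                values.append(int(part, 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    *head, last = values
    width = 8 * (4 - len(head))            # the last component fills the remaining bytes
    if any(not 0 <= v <= 0xFF for v in head) or not 0 <= last < (1 << width):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    return ipaddress.IPv4Address((number << width) | last)


def _dns_resolve(host):
    """Real lookup; tests pass a stub so the check runs offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_blocked(addr):
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                 # ::ffff:127.0.0.1 is still loopback
    return (any(addr in net for net in BLOCKED_NETWORKS)
            or addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_target(url, resolve=_dns_resolve):
    """Decide whether a user-supplied URL may be fetched server-side.
    Returns (allowed, reason, addresses). Connect to one of the returned
    addresses rather than re-resolving the name: a second lookup can return a
    different, blocked answer (the DNS rebinding variant of SSRF)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL", []
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed", []
    host = parts.hostname
    if not host:
        return False, "no host in URL", []
    literal = parse_ipv4_literal(host)          # obfuscated IPv4 forms are caught first
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(host)]    # IPv6 literal such as [::1]
        except ValueError:
            try:
                addrs = [ipaddress.ip_address(a) for a in resolve(host)]
            except (socket.gaierror, ValueError):
                return False, f"cannot resolve {host!r}", []
    if not addrs:
        return False, f"no addresses for {host!r}", []
    for addr in addrs:
        if _is_blocked(addr):
            return False, f"{host!r} maps to blocked address {addr}", []
    return True, "ok", [str(a) for a in addrs]


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/", "http://2130706433/",
                      "http://0177.0.0.1/", "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        print(candidate, "->", check_fetch_target(candidate)[:2])
```

Two caveats the check cannot cover on its own: HTTP redirects must be re-checked hop by hop, because an allowed public host can answer with a 302 to the metadata service; and an allow list of expected destinations, as the WSTG entry recommends, is stronger than this deny list wherever the set of legitimate targets is known.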