OWASP Questions

3

Solved

I have some user input. Within my code, I ensure that the following symbols are escaped: & -> &amp;, < -> &lt;, > -> &gt;. OWASP states that there are more chars to...
Garlaand asked 18/1, 2012 at 11:50

5

Solved

I'm trying to understand the whole issue with CSRF and appropriate ways to prevent it. (Resources I've read, understand, and agree with: OWASP CSRF Prevention Cheat Sheet, Questions about CSRF) As ...
Peppergrass asked 10/12, 2013 at 20:45

8

Solved

How to add certificate pinning to an NSURLSession in Swift? The OWASP website contains only an example for Objective-C and NSURLConnection.
Unhandsome asked 11/12, 2015 at 12:12

4

Solved

I have a build in CI failing on the OWASP dependency check. For example [HIGH] CVE-2021-37136 - io.netty:netty-codec-4.1.66.Final. I understand I can add a suppression in owaspDependencyCheckSupp...
Chili asked 1/10, 2021 at 10:54

1

While implementing the Azure OAuth flow I have used the state parameter. The Azure docs say about the state param: A value included in the request that is also returned in the token response. It can be a string ...
Gymnastics asked 26/12, 2022 at 4:53

7

When I try to start OWASP ZAP after installing, the following message appears: "This application requires a Java Runtime Environment 1.8.0". I have installed OpenJDK 11 properly, update...
Juggins asked 14/6, 2021 at 10:41

5

Solved

I am using the OWASP Html Sanitizer to prevent XSS attacks on my web app. For many fields that should be plain text the Sanitizer is doing more than I expect. For example: HtmlPolicyBuilder htm...
Stamford asked 24/9, 2012 at 3:26
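
An added example, not code from the question or from the OWASP project, of the point behind that behaviour: the sanitizer's output is HTML meant for embedding in a page, with text re-encoded, so a plain-text field that goes through it comes back with `&` as `&amp;` and every tag removed. The two policies below assume the owasp-java-html-sanitizer library on the classpath; the sample inputs are constructed.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public final class SanitizerPolicies {
    // Allow no elements: every tag is dropped (script/style bodies go with the
    // tag) and the surviving text is returned HTML-encoded, not as plain text.
    static final PolicyFactory STRIP_ALL = new HtmlPolicyBuilder().toFactory();

    // A rich-text field: a few formatting tags, links only over http/https,
    // rel="nofollow" forced onto every link.
    static final PolicyFactory BASIC_RICH_TEXT = new HtmlPolicyBuilder()
            .allowElements("b", "i", "em", "strong", "p", "br", "a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https")
            .requireRelNofollowOnLinks()
            .toFactory();

    /** Rich-text field: untrusted HTML in, HTML that is safe to embed out. */
    public static String cleanRichText(String untrustedHtml) {
        return BASIC_RICH_TEXT.sanitize(untrustedHtml);
    }

    /**
     * Plain-text field: do NOT sanitize. Keep the raw text, validate it as
     * text (length, character set), and HTML-encode it at render time.
     * Sanitizing would store "Tom &amp; Jerry", and a later encode-on-output
     * turns that into "Tom &amp;amp; Jerry" on screen.
     */
    public static String acceptPlainText(String untrustedText, int maxLen) {
        if (untrustedText == null) return "";
        String t = untrustedText.strip();
        if (t.length() > maxLen) throw new IllegalArgumentException("too long");
        return t;   // stored as-is, encoded when rendered into HTML
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String name = "Tom & Jerry <b>Ltd</b>";
        String post = "Hi <b>all</b> <script>alert(1)</script>"
                    + "<a href=\"javascript:alert(2)\">here</a>"
                    + "<a href=\"https://example.org/\">there</a>";

        // Tags gone, ampersand encoded: this is HTML, not the user's text.
        System.out.println(STRIP_ALL.sanitize(name));
        // The text itself, with "<b>" kept as literal characters.
        System.out.println(acceptPlainText(name, 80));
        // script and its body removed, the javascript: href dropped, the https
        // link kept with rel="nofollow" added.
        System.out.println(cleanRichText(post));
    }
}
```

The rule of thumb: sanitize only fields that are allowed to contain HTML, and encode everything else at the point where it is written into a page.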

2

Solved

Our customer requires us to run the OWASP ZAP tool against our web application (ASP.NET 4.5.2, Webforms) and we cannot have any high priority findings in the report. We've done the analysis, and O...
Nadeau asked 20/11, 2016 at 13:23

2

Solved

There is a dependency-check-maven plugin which checks if 3rd-party dependencies in my Java project have known vulnerabilities. The issue is that this plugin has a lot of false positives (and quite likely...
Intaglio asked 15/7, 2018 at 9:01

1

On a Maven project, I am running both the OWASP dependency-check-maven plugin as also the OWASP command line tool in order to generate a report with dependencies having vulnerabilities. What I cann...

2

Solved

I am working on a php project that uses composer but some of the dependencies are very old, including the php version. We are trying to convince the client to upgrade the version of php and consequ...
Manymanya asked 23/8, 2016 at 0:54

2

Mission: To prevent open redirection in an ASP.NET MVC 5 application. The story: The user is on some webpage of website /, say the overview page /Home/Overview, and clicks login. After login, the server ...
Crucifixion asked 11/1, 2016 at 5:34
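
ASP.NET MVC ships `Url.IsLocalUrl()` for exactly this check on a post-login return URL. The Java version below is an added example, not from the question, of the same rule for any stack that accepts a `returnUrl` from the query string; class and method names are illustrative and the candidate URLs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class ReturnUrl {
    /**
     * True only for a path on this site. Rejects absolute URLs, protocol-relative
     * "//host" forms, backslash variants that browsers normalise to "//host", and
     * whitespace/control characters (browsers strip leading whitespace, so
     * " //host" would become "//host" after a naive prefix check).
     */
    public static boolean isLocalUrl(String url) {
        if (url == null || url.isEmpty()) return false;
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c <= 0x20 || c == 0x7f || c == '\\') return false;
        }
        if (!url.startsWith("/") || url.startsWith("//")) return false;
        try {
            URI u = new URI(url);
            // A parsed scheme or authority means the string is not a bare path.
            return u.getScheme() == null && u.getRawAuthority() == null
                    && u.getRawPath() != null && u.getRawPath().startsWith("/");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Redirect target after login: the requested page if local, otherwise home. */
    public static String afterLogin(String requestedReturnUrl) {
        return isLocalUrl(requestedReturnUrl) ? requestedReturnUrl : "/";
    }

    public static void main(String[] args) {
        // Constructed candidates: the first two are legitimate, the rest are
        // the usual open-redirect shapes and must be refused.
        String[] samples = {
            "/Home/Overview", "/Account/Settings?tab=2#top",
            "https://evil.example/", "//evil.example", "/\\evil.example",
            "\t//evil.example", "javascript:alert(1)"
        };
        for (String s : samples) {
            System.out.println(isLocalUrl(s) + "  " + s);
        }
    }
}
```

Keep the fallback a fixed path rather than anything derived from the request, and apply the check at the redirect, not only when the link is generated.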

1

So I implemented a CSP filter for tomcat. I am trying to show an iframe which is running locally on my tomcat server. public class CSPFilter implements Filter { public static final String POLICY ...
Hedi asked 9/6, 2022 at 14:48

2

I am willing to use "OWASP ESAPI for Java" to sanitize users' inputs when they submit forms in a Tomcat webapp. I used to use org.apache.commons.lang.StringEscapeUtils like this: public static St...
Westernmost asked 22/6, 2014 at 17:21
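
The first question on this page (which characters beyond &, <, > need escaping) and this one are answered by the same routine. As an added example, not code from either poster or from ESAPI: the encoder below covers the characters OWASP's XSS Prevention Cheat Sheet lists for the HTML body and quoted-attribute contexts (&, <, >, ", ' and, in older revisions of the sheet, /), and `main` shows the attribute breakout that the three-character version misses. The payload is constructed.

```java
public final class HtmlEncode {
    /** The three characters the first question already escapes: enough for a
     *  text node, not enough for an attribute value. */
    public static String escapeThree(CharSequence s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;");  break;
                case '>': out.append("&gt;");  break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    /** OWASP HTML entity encoding: also closes the quote and slash vectors. */
    public static String forHtml(CharSequence s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break; // &apos; is not HTML 4
                case '/':  out.append("&#x2F;"); break; // blunts "</script>"-style closers
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed payload aimed at a double-quoted attribute value.
        String payload = "\" onmouseover=\"alert(1)";
        String weak   = "<input value=\"" + escapeThree(payload) + "\">";
        String strong = "<input value=\"" + forHtml(payload) + "\">";
        // With only &<> escaped the quote ends the attribute and the event
        // handler is live; with the fuller set it remains inert text.
        System.out.println(weak);
        System.out.println(strong);
    }
}
```

`Encode.forHtml` from the OWASP Java Encoder and `ESAPI.encoder().encodeForHTML` implement this set, and ESAPI adds context-specific siblings such as `encodeForHTMLAttribute` and `encodeForJavaScript`; `StringEscapeUtils.escapeHtml` in commons-lang 2 leaves the single quote alone. Whichever you use, it is an output encoding: apply it where the value is written into HTML, not when the form is received.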

2

Solved

I've been implementing ASP ARF tokens in my MVC3 web application and read into the workings of the CSRF exploit and how ARF tokens defend against it. Now I was wondering if 'hackers' couldn't bypas...
Virgiliovirgin asked 24/9, 2014 at 9:26
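
An added example, not code from any of the posters above: the synchronizer token pattern from the OWASP CSRF cheat sheet in plain Java, so the mechanics are visible. ASP.NET's anti-forgery token and the OAuth `state` value asked about earlier on this page are the same pattern: a random secret bound to the session, compared in constant time. The session store is an in-memory map standing in for the real session; session ids and form values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public final class CsrfToken {
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for server-side session state, keyed by session id.
    private final Map<String, String> tokenBySession = new ConcurrentHashMap<>();

    /** Mint 256 bits of randomness, bind it to the session, return it for the form or redirect. */
    public String issue(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenBySession.put(sessionId, token);
        return token;
    }

    /**
     * Check a submitted token against the one bound to THIS session, in constant
     * time. consume=true makes it single-use (what an OAuth "state" should be);
     * consume=false keeps it valid for the session (typical for form tokens).
     */
    public boolean verify(String sessionId, String submitted, boolean consume) {
        String expected = tokenBySession.get(sessionId);
        if (expected == null || submitted == null) return false;
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        if (ok && consume) tokenBySession.remove(sessionId);
        return ok;
    }

    public static void main(String[] args) {
        CsrfToken tokens = new CsrfToken();
        String victim = "sess-victim";      // constructed session ids
        String attacker = "sess-attacker";

        // 1. Victim loads the form; the page embeds the token as a hidden field.
        String victimToken = tokens.issue(victim);
        // 2. Attacker loads the same form in their own session and copies their
        //    own token into a forged auto-submitting form on another site.
        String attackerToken = tokens.issue(attacker);

        // The victim's browser submits the forged form with the victim's cookie,
        // but the token inside the form is the attacker's, or absent.
        System.out.println("forged, attacker's token: " + tokens.verify(victim, attackerToken, false));
        System.out.println("forged, no token:         " + tokens.verify(victim, null, false));
        // Genuine submission from the victim's own page.
        System.out.println("genuine:                  " + tokens.verify(victim, victimToken, false));

        // OAuth state: issued before the redirect, consumed once at the callback.
        String state = tokens.issue(victim);
        System.out.println("callback, first use:      " + tokens.verify(victim, state, true));
        System.out.println("callback, replayed:       " + tokens.verify(victim, state, true));
    }
}
```

The attacker's page cannot read the victim's token because the same-origin policy keeps it from reading the victim's page or session, and a token that is merely "valid somewhere" does not pass because the comparison is against the token bound to the submitting session. A `SameSite` attribute on the session cookie is a useful second layer, not a replacement.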

1

Regarding the OWASP A5:2017-Broken Access Control, what does the quote in the title mean? Emphasis on the "Unique application business limit" part.
Economist asked 24/6, 2021 at 6:31

3

Solved

I am developing a salesforce app which is rendered inside an iframe in a salesforce page. Using a node express server to render this page. As part of the security review, I want to render only in salesforc...

6

Solved

Is there such a thing as automated security testing in Java? If so, how is it implemented? Is it just JUnit tests written to try and exploit known server vulnerabilities, or are there security-cent...
Anzac asked 21/9, 2011 at 15:03

3

Solved

I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP. My understanding is that this needs to be done in two places: JSON data (in Request) received from Client or Other Syst...
Hatfield asked 22/4, 2015 at 8:20

2

Good day, I'm running an Apache2 server in front of a Tomcat and I need to implement a DDoS protection mechanism on the Apache2 layer. I have two candidates: mod_evasive and mod_security2 with the...
Pathetic asked 28/10, 2013 at 10:10

8

Solved

I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff' This ch...
Sacker asked 20/8, 2013 at 14:27
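
Three questions on this page come down to response headers: the Tomcat CSP filter for a framed page, the Salesforce app that should render only inside one framing origin, and ZAP's `X-Content-Type-Options` finding here. The servlet filter below is an added example, not the code from any of those posts, that sets both headers. It assumes the `javax.servlet` API (Tomcat 9 and earlier; Tomcat 10+ uses `jakarta.servlet`) and an init-param named `frameAncestors`, which is an illustrative name.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds to every response:
 *   Content-Security-Policy: frame-ancestors ...   (who may frame this page)
 *   X-Content-Type-Options: nosniff                (the ZAP finding)
 * Headers are set BEFORE the chain runs, while the response is uncommitted.
 */
public class SecurityHeadersFilter implements Filter {
    private String frameAncestors = "'self'";

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Illustrative init-param, e.g. "'self' https://partner.example" in web.xml.
        String configured = cfg.getInitParameter("frameAncestors");
        if (configured != null && !configured.isBlank()) {
            frameAncestors = normaliseSources(configured);
        }
    }

    /** Accept only 'self', 'none', or an https:// host (optionally wildcarded or
     *  with a port); a bare host would also match http:// framing. */
    static String normaliseSources(String list) {
        StringBuilder out = new StringBuilder();
        for (String src : list.trim().split("\\s+")) {
            boolean ok = src.equals("'self'") || src.equals("'none'")
                    || src.matches("https://[A-Za-z0-9.*-]+(:[0-9]+)?");
            if (!ok) throw new IllegalArgumentException("bad frame-ancestors source: " + src);
            if (out.length() > 0) out.append(' ');
            out.append(src);
        }
        return out.length() == 0 ? "'none'" : out.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        resp.setHeader("Content-Security-Policy", "frame-ancestors " + frameAncestors);
        resp.setHeader("X-Content-Type-Options", "nosniff");
        // X-Frame-Options is the legacy fallback; it cannot name a third-party
        // origin, so send it only when the policy is self-only or none.
        if (frameAncestors.equals("'self'")) resp.setHeader("X-Frame-Options", "SAMEORIGIN");
        else if (frameAncestors.equals("'none'")) resp.setHeader("X-Frame-Options", "DENY");
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` so the framed resources themselves carry the header; `frame-ancestors` on the parent page does nothing for a child document. For the Salesforce case the init-param holds the origin(s) Salesforce serves the parent page from. After turning on `nosniff`, check the MIME mappings for static content: a script served as `text/plain` will be refused rather than guessed.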

4

I ran my Java code against SonarQube and I got 'Disable XML external entity (XXE) processing' as a vulnerability. I spent some time on Google to resolve the issue. I have been trying a lot of approach...
Telescope asked 26/6, 2019 at 16:25

1

My company's Sonatype scan shows Spring-Web is vulnerable even for the latest version (currently 5.2.3.RELEASE). It reads: "Found security vulnerability CVE-2016-1000027 with severity 9.8"...
Mushro asked 12/2, 2020 at 17:18

2

Solved

I am using javax.xml.validation.Validator to validate my xml as below - Validator validator = myschema.newValidator(); validator.validate(new StreamSource(new StringReader(xmlString))); I wou...
Agathy asked 2/8, 2016 at 12:53
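
The SonarQube XXE finding above and the `javax.xml.validation.Validator` question here need the same hardening, so one added example (not code from either poster) covers both, following the settings in OWASP's XXE Prevention Cheat Sheet. The validator gets its own switches because it parses with its own internal parser, independent of any `DocumentBuilderFactory` you configured elsewhere. The XXE payload and the one-element schema are constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class SafeXml {
    /** DOM parser that rejects DOCTYPE outright (no DTD, no entity declarations),
     *  plus the entity switches for parsers that must still accept DTDs. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Schema validator with external DTD and schema access switched off on
     *  both the factory and the validator it produces. */
    public static Validator hardenedValidator(StreamSource xsd) throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(xsd);
        Validator v = schema.newValidator();
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return v;
    }

    public static void main(String[] args) throws Exception {
        // Constructed XXE payload: an external entity that would read a local file.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
                + "<foo>&xxe;</foo>";
        // Constructed minimal schema declaring <foo>.
        String xsd = "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
                + "<xs:element name=\"foo\" type=\"xs:string\"/></xs:schema>";

        try {
            Document d = hardenedBuilder().parse(new InputSource(new StringReader(xxe)));
            System.out.println("parsed: " + d.getDocumentElement().getTextContent());
        } catch (SAXException e) {
            System.out.println("DOM parse rejected: " + e.getMessage());
        }
        try {
            hardenedValidator(new StreamSource(new StringReader(xsd)))
                    .validate(new StreamSource(new StringReader(xxe)));
            System.out.println("validated");
        } catch (SAXException e) {
            System.out.println("validation rejected: " + e.getMessage());
        }
    }
}
```

Both paths refuse the payload: the DOM parser on the DOCTYPE itself, the validator when it is denied access to the external entity. If a legitimate input needs a DTD, drop only the `disallow-doctype-decl` line and keep the rest; the external-entity features and the access properties are what stop file reads and SSRF.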

3

Open Web Application Security Project Promotes secure software development Oriented to the delivery of web oriented services Focused primarily on the “back-end” than web-design issues An open...
Oeuvre asked 22/8, 2010 at 7:58

© 2022 - 2025 — McMap. All rights reserved.