Learn the foundations of web application assessments. Exploit common web vulnerabilities, learn how to exfiltrate sensitive data from target web applications, and earn your OffSec Web Assessor (OSWA) certification.

A database of cloud security incidents, campaigns, and techniques, Portswigger's labs on testing LLMs in web apps, using Azure logs for detection

A new script in the community-scripts repository enables the signing of outgoing requests with RSA keys, addressing the challenge of testing applications that require this functionality.

Stir Trek 2024 will take place at the AMC Easton Town Center 30 on Friday, May 3rd. We'll be at the same great location we have been for the past few ...

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.OWASP is completely v...

Useful secure defaults + SCPs for your AWS account, a chatbot LLM ReAct agent for prompt injection practice, vulnerable by design AWS Cloud Development Kit infrastructure

A review of application security happenings and industry news from Chris Romeo.

Trustwave Transfers ModSecurity Custodianship to OWASP on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.

How many programmers does it take to filter out 36 characters? You may think this is an opening to a joke, but it’s not.

It takes a special kind of person to name a company after their own body part. Fortunately the Microsoft Security Response Center doesn’t seem to have inherited that kind of mentality, because when I have reported not a bug but a feature as a vulnerability - they accepted it.

AI dev assistants can be convinced to spill secrets learned during training

It was the year of the Linux desktop 1978. Old yellowed computers were not yet old, nor yellowed. Digital Equipment Corporation released the first popular terminal to support a standardized in-band encoding for control functions, the VT100.

Website with the collection of all the cheat sheets of the project.

Aims to educate developers, designers, architects, managers, and organizations about the potential security risks when deploying and managing Large Language Models (LLMs)

A critical design flaw in the Google Cloud Build service discovered by cloud security firm Orca Security can let attackers escalate privileges, providing them with almost nearly-full and unauthorized access to Google Artifact Registry code repositories.

In this post we are going to show how you can (ab)use the new HTML popup functionality in Chrome to exploit XSS in meta tags and hidden inputs. It all started when I noticed the new popover behaviour

There's a fundamental tension in authorization. Is it business logic or authorization logic? Should it be in the app, or separate? Let’s talk about what makes a

Attackers could exploit a common AI experience — false recommendations — to spread malicious code via developers that use ChatGPT to create software.

C’mon, dev teams — it's about time to get serious about memory safety, XSS and SQLi.

GraphQL vulnerabilities generally arise due to implementation and design flaws. For example, the introspection feature may be left active, enabling ...

In this blog post, you can read just how much of a mess Java XML security is

In this talk, Louis covers 3 web cache related attacks: cache deception, edge side includes, and cache poisoning.

A brand-new Burp Suite extension for discovering DNS vulnerabilities in web applications.

You might have found HTML injection, but unfortunately identified that the site is protected with CSP. All is not lost, it might be possible to bypass CSP using DOM clobbering, which you can now detec

Pre-authenticated RCE in VMware vRealize Network Insight (CVE-2023-20887)