diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 76b88c5d..a9f28b5e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,8 +12,8 @@ updates: patterns: - "*" update-types: - - "minor" - "patch" + - "minor" security-update: applies-to: security-updates patterns: diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e26e6fd7..319258d4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -23,7 +23,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Link Checker - uses: lycheeverse/lychee-action@v2.7.0 + uses: lycheeverse/lychee-action@v2.8.0 with: args: >- --no-progress @@ -73,7 +73,7 @@ jobs: # rojopolis/spellcheck-github-actions does not support PT-BR, # only PT, and PT-BR is too different to pass a PT spellcheck - name: Set up Python for PT-BR - uses: actions/setup-python@v6.1.0 + uses: actions/setup-python@v6.2.0 with: python-version: '3.10' @@ -96,7 +96,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Install python - uses: actions/setup-python@v6.1.0 + uses: actions/setup-python@v6.2.0 with: python-version: 3.x @@ -130,7 +130,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Install python - uses: actions/setup-python@v6.1.0 + uses: actions/setup-python@v6.2.0 with: python-version: 3.x diff --git a/.github/workflows/housekeeping.yaml b/.github/workflows/housekeeping.yaml index 49f63a2e..cf75b1ea 100644 --- a/.github/workflows/housekeeping.yaml +++ b/.github/workflows/housekeeping.yaml @@ -25,7 +25,7 @@ jobs: keep_minimum_runs: 10 - name: Delete unused workflows - uses: otto-de/purge-deprecated-workflow-runs@v4.0.2 + uses: otto-de/purge-deprecated-workflow-runs@v4.0.3 with: token: ${{ github.token }} @@ -37,7 +37,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Link Checker - uses: lycheeverse/lychee-action@v2.7.0 + uses: lycheeverse/lychee-action@v2.8.0 with: # skip the jekyll files under '_includes' directory, check all other directories args: >- 
@@ -61,7 +61,7 @@ jobs: steps: - name: Tidy stale PRs and issues - uses: actions/stale@v10.1.1 + uses: actions/stale@v10.2.0 with: days-before-issue-stale: 183 days-before-issue-close: -1 diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index c2d72cd6..3e038d67 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -16,7 +16,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Link Checker - uses: lycheeverse/lychee-action@v2.7.0 + uses: lycheeverse/lychee-action@v2.8.0 with: args: >- --exclude 'github\.com/OWASP/DevGuide/blob/main/docs' @@ -81,7 +81,7 @@ jobs: # rojopolis/spellcheck-github-actions does not support PT-BR, # only PT, and PT-BR is too different to pass a PT spellcheck - name: Set up Python - uses: actions/setup-python@v6.1.0 + uses: actions/setup-python@v6.2.0 with: python-version: '3.10' @@ -104,7 +104,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Install python - uses: actions/setup-python@v6.1.0 + uses: actions/setup-python@v6.2.0 with: python-version: 3.x @@ -135,7 +135,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Install python - uses: actions/setup-python@v6.1.0 + uses: actions/setup-python@v6.2.0 with: python-version: 3.x diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 780ecf0c..94282fce 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -18,7 +18,7 @@ jobs: uses: actions/checkout@v6.0.2 - name: Install python - uses: actions/setup-python@v6.1.0 + uses: actions/setup-python@v6.2.0 with: python-version: 3.x diff --git a/.wordlist-en.txt b/.wordlist-en.txt index 5cf2fbc1..a02ef746 100644 --- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -162,6 +162,7 @@ LINNDUN LLM LSMs Laravel +LevelBlue Lezza LifeCycle Lifecycle diff --git a/.wordlist-es.txt b/.wordlist-es.txt index e2a44141..4a30c965 100644 --- a/.wordlist-es.txt +++ b/.wordlist-es.txt @@ -263,6 +263,7 @@ leaks learning left Left +LevelBlue LFD library LINDDUN 
diff --git a/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md b/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md index abba2362..dcec0d83 100644 --- a/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md +++ b/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md @@ -1,4 +1,4 @@ -The [Threat Model Project][tmproject] is an over-arching project provided by OWASP +The OWASP [Threat Modeling Project][tmproject] is an over-arching project that seeks to inform and guide on the very large domain that is [Threat Modeling][tmptm]. #### What is the Threat Model project? 
@@ -6,14 +6,15 @@ that seeks to inform and guide on the very large domain that is [Threat Modeling The Threat Model project is not intended to be a primary source on the threat modeling domain; there are already many excellent sources that describe and explain threat modeling that this project does not need to repeat. -Instead the Threat Model project seeks to provide information on [threat modeling techniques][tmpapp] +Instead the Threat Model project seeks to provide direction on [threat modeling techniques][tmpapp] for applications and systems of all types, with a focus on current and emerging techniques. +To provide this the project intends to collate threat modeling techniques, methodologies, tools and examples. -To do this project intends to gather techniques, methodologies, tools and examples. -There is also the intention to foster a threat modeling community and support it through initiatives and forums. +There is also the aim to foster a threat modeling community and support it through initiatives and forums. -Note that much of this is what the project intends to provide in the future. -As of January 2026 the project is going through a change process that will better provide this information and guidance. +Note that much of this are intentions for the future; +as of January 2026 the project is going through a change process that will better provide this information and guidance. +At present it is at OWASP Incubator status with promotion to Laboratory status expected later in 2026. #### Why refer to this project? 
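Review bot: The rewritten line `Note that much of this are intentions for the future;` has a number-agreement error in the new text. `Note that much of this is intended for the future;` keeps the meaning and reads correctly, and the clause starting `as of January 2026` still follows on after the semicolon as written.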
@@ -21,8 +22,8 @@ The [Threat Modeling][tmproject] project is an over-arching project for the othe It can be used as a landing page for all things threat modeling; the starting point for finding [resources and tools][tmpres] as well as the core concepts. -For example there is an introduction to Shostack's [Four Question Framework][4QFW], -that then references the primary source if the user needs to know more. +For example there is an introduction to Shostack's [Four Question Framework][4QFW] +that references the primary source if the user needs to know more. #### OWASP threat modeling projects diff --git a/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md b/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md new file mode 100644 index 00000000..b87aec24 --- /dev/null +++ b/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md 
@@ -0,0 +1,79 @@ +The OWASP [Java Encoder][java-encoder-project] and OWASP [Java HTML Sanitizer][html-sanitizer-project] projects +are security libraries for Java web applications that provide output encoding and HTML input sanitization. + +The OWASP [JSON Sanitizer][json-sanitizer] Java library is used to ensure both JSON input and output +are _reasonably_ safe for Java applications. + +#### What are they? + +Java Encoder package provides the Java application with contextual output encoding of HTML. +It provides individual methods for HTML, URLs, JavaScript and CSS. + +Java HTML Sanitizer is used to sanitize untrusted HTML so that it can be safely handled within a Java application. +The JAR file is included in a Java application and then a policy is defined for it. + +These are both established projects with a regular release history stretching back to 2013. + +The JSON Sanitizer is a Java component that will transform arbitrary JSON +to well-formed JSON as defined by [RFC 4627][rfc4627]. +This can be used to accept JSON input from an untrusted source and then safely output JSON to other processes. + +JSON Sanitizer is a widely used library provided by OWASP, +and it is a direct dependents for many 1000s of other libraries and in many more applications. +It is a project that was transferred to OWASP in 2021 by github user `mikesamuel` +and so this OWASP library is identified as `com.mikesamuel:json-sanitizer`. + +#### Why use the libraries? + +The use of both Java Encoder and Java HTML Sanitizer is part of a defense in depth approach +to preventing [cross site scripting][csxss] (XSS) and other attacks. +They are well established OWASP projects with 'Lab' status. + +The OWASP [JSON Sanitizer][json-sanitizer] Java library is widely used, +for example it is a direct dependency for literally [1000s of Java components][json-sanitizer-dependents], +and should be considered for JSON specific output normalization and input validation. 
+It is less well supported than the Java Encoder or Java HTML Sanitizer, version 1.2.2 was released in January 2021, +but it is still stable and (really) useful. + +#### How to use the libraries + +Include the Java Encoder package into a Java application [via Maven][java-encoder]. +The '[How to Use the OWASP Java Encoder][java-encoder-usage]' documentation explains how to use it in various contexts, +such as HTML, URLs, JavaScript and CSS. + +Follow the [examples][html-sanitizer-examples] provided by Java HTML Sanitizer +to include the utility and configure it with policy. + +The JSON Sanitizer JAR file can be fetched from Maven Central, follow the [Getting Started][json-sanitizer-usage] guide: + +```text +import com.google.json.JsonSanitizer; +String wellFormedJson = JsonSanitizer.sanitize(myJsonLikeString); +``` + +#### References + +* OWASP [Cross Site Scripting prevention][csxss] Cheatsheet +* OWASP [Java Encoder][java-encoder-github] +* OWASP [Java HTML Sanitizer][html-sanitizer] +* OWASP [JSON Sanitizer][json-sanitizer] + +---- + +The OWASP Developer Guide is a community effort; if there is something that needs changing +then [submit an issue][issue050304] or [edit on GitHub][edit050304]. 
+ +[csxss]: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet +[edit050304]: https://github.com/OWASP/DevGuide/blob/main/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md +[html-sanitizer]: https://github.com/OWASP/java-html-sanitizer/releases/latest/ +[html-sanitizer-examples]: https://github.com/OWASP/java-html-sanitizer/tree/main/owasp-java-html-sanitizer/src/main/java/org/owasp/html/examples +[html-sanitizer-project]: https://owasp.org/www-project-java-html-sanitizer/ +[issue050304]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/03-secure-libraries/04-java-secure-libs +[java-encoder]: http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22 +[java-encoder-github]: https://github.com/OWASP/owasp-java-encoder/releases/latest/ +[java-encoder-project]: https://owasp.org/www-project-java-encoder/ +[java-encoder-usage]: https://owasp.org/www-project-java-encoder/#div-use +[json-sanitizer]: https://github.com/OWASP/json-sanitizer/releases/latest/ +[json-sanitizer-dependents]: https://central.sonatype.com/artifact/com.mikesamuel/json-sanitizer/dependents +[json-sanitizer-usage]: https://github.com/OWASP/json-sanitizer/blob/master/docs/getting_started.md +[rfc4627]: https://www.ietf.org/rfc/rfc4627.txt diff --git a/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md b/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md index d4e615a7..7b4b7b2c 100644 --- a/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md +++ b/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md 
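Review bot: The `[java-encoder]` reference at the end of the new file sends readers to the Maven artifact lookup over plain `http://search.maven.org/...`; in a page recommending security libraries the link should be `https://search.maven.org/...`, or point at the `https://central.sonatype.com` artifact page already used by `[json-sanitizer-dependents]`, so the lookup is not made over an unencrypted connection. In the 'What are they?' section, `and it is a direct dependents for many 1000s of other libraries and in many more applications.` should read `and it is a direct dependency of many thousands of other libraries and many more applications.`, matching the phrasing used later under 'Why use the libraries?'. The `JsonSanitizer.sanitize` snippet is fenced as `text` although it is Java; tagging it `java` gives it syntax highlighting like the rest of the guide's code samples.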
@@ -65,7 +65,7 @@ then [submit an issue][issue080401] or [edit on GitHub][edit080401]. [defectdojo]: https://defectdojo.com/ [defectdojo-docs]: https://docs.defectdojo.com/ [defectdojo-docker]: https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md -[defectdojo-install]: https://docs.defectdojo.com/en/about_defectdojo/new_user_checklist/ +[defectdojo-install]: https://docs.defectdojo.com/get_started/about/ [defectdojo-project]: https://owasp.org/www-project-defectdojo/ [defectdojo-tools]: https://defectdojo.com/integrations [edit080401]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md diff --git a/docs/en/07-training-education/02-secure-coding-dojo.md b/docs/en/07-training-education/02-secure-coding-dojo.md index f72df1b9..a89aa664 100644 --- a/docs/en/07-training-education/02-secure-coding-dojo.md +++ b/docs/en/07-training-education/02-secure-coding-dojo.md @@ -46,7 +46,7 @@ to practice penetration testing. The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue0902] or [edit on GitHub][edit0902]. -[codedojo]: https://securecodingdojo.owasp.org/ +[codedojo]: https://securecodingdojo.owasp.org/public/index.html [codedojo-insecure]: https://github.com/OWASP/SecureCodingDojo/wiki/Running-Insecure.Inc [codedojo-install]: https://github.com/OWASP/SecureCodingDojo/wiki/Deploying-with-Docker [codedojo-project]: https://owasp.org/www-project-secure-coding-dojo/ diff --git a/docs/en/09-operations/03-modsecurity.md b/docs/en/09-operations/03-modsecurity.md index b7168271..e7af6248 100644 --- a/docs/en/09-operations/03-modsecurity.md +++ b/docs/en/09-operations/03-modsecurity.md 
@@ -6,7 +6,7 @@ In 2024 it became an OWASP Production project, supported by the existing leaders #### What is ModSecurity? In January 2024 the [ModSecurity][modsec] Web Application Firewall project was [adopted by OWASP][modsec-press], -previously [TrustWave][trustwave] had been the custodian of this project. +previously TrustWave (now [LevelBlue][levelblue]) had been the custodian of this project. ModSecurity itself has a long history as an open source project, the first release was in November 2002, and is widely used as a web application firewall for [cloud applications][cscloud] and on-premises web servers. @@ -39,7 +39,7 @@ then [submit an issue][issue1103] or [edit on GitHub][edit1103]. [cscloud]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet [edit1103]: https://github.com/OWASP/DevGuide/blob/main/docs/en/09-operations/03-modsecurity.md [issue1103]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2009-operations/03-modsecurity +[levelblue]: https://www.levelblue.com/ [modsec]: https://owasp.org/www-project-modsecurity/ [modsec-docs]: https://modsecurity.org/ [modsec-press]: https://owasp.org/blog/2024/01/09/ModSecurity.html -[trustwave]: https://www.trustwave.com/ diff --git a/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md b/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md index 1c2d055d..77382e86 100644 --- a/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md +++ b/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md 
@@ -70,7 +70,7 @@ La Guía para Desarrolladores de OWASP es un esfuerzo comunitario; si hay algo q [defectdojo]: https://defectdojo.com/ [defectdojo-docs]: https://docs.defectdojo.com/ [defectdojo-docker]: https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md -[defectdojo-install]: https://docs.defectdojo.com/en/about_defectdojo/new_user_checklist/ +[defectdojo-install]: https://docs.defectdojo.com/get_started/about/ [defectdojo-project]: https://owasp.org/www-project-defectdojo/ [defectdojo-tools]: https://defectdojo.com/integrations [edit080401]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md diff --git a/mkdocs-pdf-en.yaml b/mkdocs-pdf-en.yaml index 8f414b65..39deb7b3 100644 --- a/mkdocs-pdf-en.yaml +++ b/mkdocs-pdf-en.yaml @@ -91,6 +91,7 @@ nav: - ESAPI: en/05-implementation/03-secure-libraries/01-esapi.md - CSRFGuard: en/05-implementation/03-secure-libraries/02-csrf-guard.md - OSHP: en/05-implementation/03-secure-libraries/03-secure-headers.md + - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md - MASWE: en/05-implementation/04-maswe.md - Verification: - Overview: en/06-verification/index.md diff --git a/mkdocs-pdf-es.yaml b/mkdocs-pdf-es.yaml index d00378f0..ed75a3e6 100644 --- a/mkdocs-pdf-es.yaml +++ b/mkdocs-pdf-es.yaml @@ -96,6 +96,7 @@ nav: - ESAPI: es/05-implementation/03-secure-libraries/01-esapi.md - CSRFGuard: es/05-implementation/03-secure-libraries/02-csrf-guard.md - OSHP: es/05-implementation/03-secure-libraries/03-secure-headers.md + - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md - MASWE: es/05-implementation/04-maswe.md - Verificación: - Descripción: es/06-verification/index.md diff --git a/mkdocs-pdf-fa.yaml b/mkdocs-pdf-fa.yaml index de1514c0..96bd5f0c 100644 --- a/mkdocs-pdf-fa.yaml +++ b/mkdocs-pdf-fa.yaml 
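Review bot: In mkdocs-pdf-es.yaml the new `- Java:` nav entry points at `en/05-implementation/03-secure-libraries/04-java-secure-libs.md` while every sibling entry in the same hunk uses an `es/` path, so the Spanish PDF will embed the English page. If this is a deliberate fallback until a translation exists, make that visible on the line, e.g. `- Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md  # TODO: translate; falls back to the English page`; otherwise add the `es/` page. The fa and pt-br nav files in this commit use `en/` paths throughout, so those entries are consistent as written.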
@@ -91,6 +91,7 @@ nav: - ESAPI: en/05-implementation/03-secure-libraries/01-esapi.md - CSRFGuard: en/05-implementation/03-secure-libraries/02-csrf-guard.md - OSHP: en/05-implementation/03-secure-libraries/03-secure-headers.md + - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md - MASWE: en/05-implementation/04-maswe.md - Verification: - Overview: en/06-verification/index.md diff --git a/mkdocs-pdf-pt-br.yaml b/mkdocs-pdf-pt-br.yaml index 88e20e3a..0863bf38 100644 --- a/mkdocs-pdf-pt-br.yaml +++ b/mkdocs-pdf-pt-br.yaml @@ -94,6 +94,7 @@ nav: - ESAPI: en/05-implementation/03-secure-libraries/01-esapi.md - CSRFGuard: en/05-implementation/03-secure-libraries/02-csrf-guard.md - OSHP: en/05-implementation/03-secure-libraries/03-secure-headers.md + - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md - MASWE: en/05-implementation/04-maswe.md - Verification: - Overview: en/06-verification/index.md diff --git a/mkdocs.yaml b/mkdocs.yaml index 4d52201e..806700bc 100644 --- a/mkdocs.yaml +++ b/mkdocs.yaml @@ -111,6 +111,7 @@ nav: - ESAPI: en/05-implementation/03-secure-libraries/01-esapi.md - CSRFGuard: en/05-implementation/03-secure-libraries/02-csrf-guard.md - OSHP: en/05-implementation/03-secure-libraries/03-secure-headers.md + - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md - MASWE: en/05-implementation/04-maswe.md - Verification: - Overview: en/06-verification/index.md