appsec
Here are 101 public repositories matching this topic...
The rule would raise info alerts for each script it found along with the integrity hash, as per
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
This could just work on URLs that are in scope - it would just be useful when you're trying to create a CSP for a specific site.
- Updated Jul 2, 2020 - Python
Maybe forging an event emission for a challenge that does not really exist but making the client pick it up nonetheless?
Hi there,
Thanks for the awesome tool!
During the installation I encountered a problem with node as it kept on asking me to install retire
via npm:
/usr/bin/env: 'node': No such file or directory
External programs used by w3af are not installed or were not found. Run these commands to install them on your system:
npm install -g retire@2.0.3
npm update -g retire
A script wit
- Updated Jun 9, 2020 - Ruby
- Updated Apr 6, 2019 - Shell
Merge /Testing_for_Vertical_Bypassing_Authorization_Schema_WSTG-AUTHZ-00X.md
into 4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation.md
- Updated Jun 11, 2019
The test responds with a URL that is missing. We either need to create the page, or change this to link back to the old tutorial if nothing changed from a functional standpoint between R4/R5.
rspec ./spec/vulnerabilities/mass_assignment_spec.rb:12 # mass assignment attack one
rspec ./spec/vulnerabilities/mass_assignment_spec.rb:26 # mass assignment attack two, Tutorial: https://github.com
Authentication via Azure/aad-pod-identity for keyvault access could be a good feature to avoid use of clientId/clientSecret in chart values. Don't you think?
https://docs.dependencytrack.org/integrations/badges/
Current Behavior:
You need to hardcode the version (or UUID - which changes by version (!)) in the URL for the badge - it would be more convenient to have a URL for the latest version.
Proposed Behavior:
Just point at the name and get the semver latest version (or latest scanned version) - this way the URL can be stable in READMEs etc.
- Updated Jul 2, 2020
- Updated Oct 16, 2019 - Go
- Updated Jun 27, 2020 - HTML
sim swapping
I read more and more articles about the dangers of sim swapping. It would be nice to have some guidelines on how to prevent such attacks.
Example article https://www.vice.com/en_us/article/pke9zk/paypal-and-venmo-are-letting-sim-swappers-hijack-accounts
During an application scan, we do check to see if there is a robots.txt
file, though we don't parse this file, nor do we do anything else with it - other than letting the user know that it exists. What we should do is parse the file, and feed what we find into the URL list for the spider, so that we can make sure that we pick up any content that is included there, but not linked to from the port
- Updated May 4, 2020
Is your feature request related to a problem? Please describe.
Currently all the settings are rigidly defined at the project level (foo := defaultFoo in projectSettings). This means that the users can only override each of them at the project level - so Global/foo and ThisBuild/foo are ignored. This is inconvenient for multi-project builds, where it makes sense to provide project-wi
- Updated Apr 14, 2020 - Dockerfile
- Updated Jun 11, 2019 - PHP
- Updated Jan 9, 2020
- Updated Jan 7, 2020 - HTML
- Updated Mar 24, 2019 - Python
- Updated Jun 5, 2020 - Python
- Updated Mar 16, 2020 - Java
Referring to issue #126 I open this minor issue:
Having long strings in the requirements view table is causing incorrect rendering of the table:
horizontal scrollbars should be visible but are not available.
Changing the zoom of the browser can be used as a workaround
Create disclaimer
We need to add some text in the readme that says that examples in this repo are not examples of good systems, but rather contains bad insecure systems that are easy to model.
The same goes for the threat model examples: most of them will actually be OK, but the models should be used as examples and tailored to the particular needs of the viewer's context and reality.
(maybe put this as DISCLAIMER.
If we use Spring MVC there is also something we can add in the model if we use Spring WebFlow. According to the Spring documentation and this SO article it is possible to specifically bind the model.
I think this