appsec
Here are 79 public repositories matching this topic...
This should scan javascript files and javascript in HTML for dangerous JS functions.
See danielmiessler/SecLists#367 which already links to a PR for Angular ones.
Ideally the rule should include the relevant framework in the alert description.
I plan to look at this soonish, but if anyone else fancies a go at a relatively simple passive scan rule then just get in touch
- Updated Mar 8, 2020 - Python
Hi there,
Thanks for the awesome tool!
During the installation I encountered a problem with node as it kept on asking me to install retire via npm:
/usr/bin/env: 'node': No such file or directory
External programs used by w3af are not installed or were not found. Run these commands to install them on your system:
npm install -g retire@2.0.3
npm update -g retire
A script wit
- Updated Mar 9, 2020 - JavaScript
- Updated Mar 7, 2020 - Ruby
- Updated Mar 8, 2020 - Shell
- Updated Mar 3, 2020
What would you like added?
Add an article for Self DOM-Based Cross-Site Scripting Testing and ensure it meets the article standards.
Refer to: https://hackerone.com/reports/406587
There are several issues with this documentation.
- The documented solution and bug still use hash rocket syntax, which causes errors on Rails 5.1. I found a working solution with the following:
validates :password, presence: true,
confirmation: true,
length: {within: 6..40},
format: { with: /\A.*(?=.{10,})(?=
Describe the bug
I have configured a service principal in Azure and also the respective key vault with a secret named token. I'm using AD, so I'm trying to encrypt using the following flags:
kamus-cli encrypt \
--auth-tenant <tenant_uuid> \
--auth-resource <resource_uuid> \
--auth-application <application_uuid> \
--secret token \
--service-account kamus-admin \
https://docs.dependencytrack.org/integrations/badges/
Current Behavior:
You need to hardcode the version (or UUID - which changes by version (!)) in the URL for the badge - it would be more convenient to have a URL for the latest version.
Proposed Behavior:
Just point at the name and get the semver-latest version (or latest scanned version) - this way the URL can be stable in READMEs etc.
- Updated Mar 8, 2020 - Go
- Updated Mar 7, 2020 - HTML
During an application scan, we do check to see if there is a robots.txt file, though we don't parse this file, nor do we do anything else with it - other than letting the user know that it exists. What we should do is parse the file, and feed what we find into the URL list for the spider, so that we can make sure that we pick up any content that is included there, but not linked to from the port
Is your feature request related to a problem? Please describe.
Currently all the settings are rigidly defined at the project level (foo := defaultFoo in projectSettings). This means that the users can only override each of them at the project level - so Global/foo and ThisBuild/foo are ignored. This is inconvenient for multi-project builds, where it makes sense to provide project-wi
- Updated Feb 5, 2020 - PHP
- Updated Feb 12, 2020 - Python
- Updated Mar 5, 2020 - HTML
- Updated Mar 7, 2020 - Python
To show directly whether all dependencies are up to date, the code coverage of our tests, etc., we should add GitHub badges:
- Updated Mar 2, 2020
- Updated Mar 5, 2020 - Java
- Updated Feb 14, 2020 - Java
Create disclaimer
We need to add some text in the readme that says that the examples in this repo are not examples of good systems, but rather contain bad, insecure systems that are easy to model.
The same goes for the threat model examples: most of them will actually be OK, but the models should be used as examples and tailored to the particular needs of the viewer's context and reality.
(maybe put this as DISCLAIMER.
- Updated Feb 29, 2020 - Python
If we use Spring MVC there is also something we can add in the model if we use Spring WebFlow. According to the Spring documentation and this SO article, it is possible to specifically bind the model.
I think this