Fixing broken URLs

Co-authored-by: kingthorin <[email protected]>

_data/tools.json

@@ -962,15 +962,6 @@
       "note": "Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.",
       "type": "SAST"
    },
-   {
-      "title": "Julia",
-      "url": "https://juliasoft.com/solutions",
-      "owner": "JuliaSoft",
-      "license": "Commercial",
-      "platforms": null,
-      "note": "SaaS Java static analysis",
-      "type": "SAST"
-   },
    {
       "title": "Klocwork",
       "url": "https://www.perforce.com/products/klocwork",
@@ -1261,7 +1252,7 @@
    },
    {
       "title": "VisualCodeGrepper",
-      "url": "https://www.splint.https://sourceforge.net/projects/visualcodegrepp/",
+      "url": "https://sourceforge.net/projects/visualcodegrepp/",
       "owner": null,
       "license": "Open Source or Free",
       "platforms": "Windows",

pages/Anti_CRSF_Tokens_ASP.NET.md

@@ -155,7 +155,7 @@ questions:
 
 # Related [Attacks](https://owasp.org/www-community/attacks/)
 
-[CSRF (Attack)](https://owasp.org/www-community/attacks/csrf/)
+[CSRF (Attack)](https://owasp.org/www-community/attacks/csrf)
 [CSRF (Full Wikipedia Article)](https://en.wikipedia.org/wiki/Cross-site_request_forgery)
 [XSS (Attack)](https://owasp.org/www-community/attacks/xss/)
 

pages/Fuzzing.md

@@ -184,7 +184,7 @@ appear these days; some examples:
 
 <!-- end list -->
 
-  - One may use tools like [Hachoir](http://hachoir.org/) as a generic
+  - One may use tools like [Hachoir](https://hachoir.readthedocs.io/) as a generic
     parser for file format fuzzer development.
 
 ## Fuzzers advantages
@@ -231,7 +231,7 @@ Recent fuzzing initiatives:
 <!-- end list -->
 
   - The [Month of Browser Bugs](http://browserfun.blogspot.com/)
-    ([review here](http://osvdb.org/blog/?p=127)); number of bugs found:
+    ; number of bugs found:
     MSIE: 25 Apple Safari: 2 Mozilla: 2 Opera: 1 Konqueror: 1; used
     DHTML, Css, DOM, ActiveX fuzzing tools
 
@@ -266,8 +266,7 @@ archive](https://web.archive.org/web/20090202043027/http://www.whitestar.linuxbo
 
 #### Mutational Fuzzers
 
-[american fuzzy
-lop](https://en.wikipedia.org/wiki/American_fuzzy_lop_\(fuzzer\))
+[american fuzzy lop](https://en.wikipedia.org/wiki/American_fuzzy_lop_%28fuzzer%29)
 
 [Radamsa - a flock of fuzzers](https://github.com/aoh/radamsa)
 

pages/OWASP_Application_Security_FAQ.md

@@ -75,7 +75,7 @@ We should first ask the user to supply some details like personal
 details or ask a hint question. Then we should send a mail to the users
 authorized mail id with a link which will take the user to a page for
 resetting the password. This link should be active for only a short
-time, and should be SSL- enabled. This way the actual password is never
+time, and should be SSL-enabled. This way the actual password is never
 seen. The security benefits of this method are: the password is not sent
 in the mail; since the link is active for a short time, there is no harm
 even if the mail remains in the mailbox for a long time.
@@ -95,9 +95,10 @@ intervention after a few failed attempts. A method used by a number of
 sites these days is to have the user read and enter a random word that
 appears in an image on the page. Since this cannot be done by a tool, we
 can thwart automated password guessing. The following are some tools
-that guess passwords of web applications: Brutus -
-<http://www.hoobie.net/brutus/> WebCracker
-<http://www.securityfocus.com/tools/706>
+that guess passwords of web applications:
+
+* Brutus
+* [http://www.securityfocus.com/tools/706](WebCracker)
 
 ## How can I protect against keystroke loggers on the client machine?
 
@@ -527,8 +528,8 @@ and compare the responses with the database. This is the technique used
 by tools like Fire & Water. This tool can be found at
 <http://www.ntobjectives.com/products/firewater/> There is a paper by
 Saumil Shah that discusses the tool httprint at
-<http://net-square.com/httprint/httprint_paper.html> httprint can be
-found at <http://net-square.com/httprint/>
+<http://net-square.com/httprint_paper.html> httprint can be
+found at <http://net-square.com/httprint.html>
 
 ## A friend told me it's safer to run my web server on a non-standard port. Is that right?
 
@@ -588,9 +589,10 @@ find](http://www.plynt.com/resources/learn/tools/what_cant_a_scanner_find_1/).
 
 In our tests using a slightly modified WebGoat the best Black-box
 scanning tool found less than 20% of the issues \! Some tools for
-automated scanning are: SpikeProxy, open source and freely available at
-<http://www.immunitysec.com/spikeproxy.html> WebInspect, can be found at
-<http://www.spidynamics.com/productline/WE_over.html>
+automated scanning are:
+
+* [http://manpages.ubuntu.com/manpages/trusty/man1/spikeproxy.1.html](SpikeProxy)
+* [https://www.microfocus.com/en-us/products/webinspect-dynamic-analysis-dast/overview](WebInspect)
 
 ## Where can I try out my testing skills? Is there a sample application I can practice with?
 
@@ -956,10 +958,8 @@ Michael Howard, David LeBlanc and John Viega
 
 Microsoft offers training programs on Developing Security-Enhanced Web
 Applications and Developing and Deploying Secure Microsoft .NET
-Framework Application. More information can be found at
-<http://www.microsoft.com/traincert/syllabi/2300AFinal.asp> and
-<http://www.microsoft.com/traincert/syllabi/2350BFinal.asp> Foundstone
-offers secure coding training through Global Knowledge Aspect Security
-offers a similar course.
+Framework Application. 
+Foundstone offers secure coding training through Global Knowledge Aspect
+Security offers a similar course.
 
 OWASP_FAQ_Ver3.doc

pages/Security_Headers.md

@@ -18,9 +18,9 @@ by default there are secure settings which should be enabled unless
 there are other overriding concerns.
 
   - X-Frame-Options: SAMEORIGIN
-    [1](https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options%7Cref)
+    [1](https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options)
   - X-XSS-Protection: 1; mode=block
-    [2](http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx%7Cref)
+    [2](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
   - X-Content-Type-Options: nosniff
   - Content-Type: text/html; charset=utf-8
 

pages/attacks/Blind_SQL_Injection.md

@@ -196,12 +196,12 @@ vulnerabilities.
 - Kevin Spett from SPI Dynamics:
   - http://www.net-security.org/dl/articles/Blind_SQLInjection.pdf
   - http://www.imperva.com/resources/whitepapers.asp?t=ADC
-  - [Advanced SQL Injection](https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt)
+  - [Advanced SQL Injection](https://wiki.owasp.org/images/7/74/Advanced_SQL_Injection.ppt)
 
 ### Tools
 
 - [SQL Power Injector](http://www.sqlpowerinjector.com/)
-- [Absinthe :: Automated Blind SQL Injection](http://www.0x90.org/releases/absinthe/) // ver1.3.1
+- [Absinthe :: Automated Blind SQL Injection](https://github.com/cameronhotchkies/Absinthe)
 - [SQLBrute - Multi Threaded Blind SQL Injection Bruteforcer](http://www.securiteam.com/tools/5IP0L20I0E.html) in Python
 - [SQLiX - SQL Injection Scanner](:Category:OWASP_SQLiX_Project "wikilink") in Perl
 - [sqlmap, automatic SQL injection tool](http://sqlmap.org/) in Python

pages/attacks/Buffer_overflow_attack.md

@@ -266,4 +266,4 @@ See the [OWASP Code Review Guide](https://owasp.org/www-project-code-review-guid
 
 ## References
 
-- [SmashStack](http://insecure.org/stf/smashstack.html>=)
+- [SmashStack](http://insecure.org/stf/smashstack.html)

pages/attacks/Credential_stuffing.md

@@ -91,7 +91,7 @@ credential stuffing.
     Attackers then used these stolen credentials to try to log in to
     sites across the internet, including Dropbox”.
       - Source: Dropbox.
-        [4](https://blog.dropbox.com/2014/10/dropbox-wasnt-hacked/)
+        [4](https://blog.dropbox.com/topics/company/dropbox-wasnt-hacked/)
 
 <!-- end list -->
 

pages/attacks/Cross-User_Defacement.md

@@ -89,7 +89,7 @@ This way it was possible to replace the web page, which was served to
 the specified user.
 
 More information can be found in one of the presentations under
-<http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt>
+<http://wiki.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt>
 
 ## Related [Threat Agents](Threat_Agents "wikilink")
 
@@ -118,4 +118,4 @@ More information can be found in one of the presentations under
 [Category:OWASP ASDR Project](Category:OWASP_ASDR_Project "wikilink")
 [Category:Abuse of
 Functionality](Category:Abuse_of_Functionality "wikilink")
-[Category:Attack](Category:Attack "wikilink")
+[Category:Attack](Category:Attack "wikilink")

pages/attacks/Cross_Site_History_Manipulation_(XSHM).md

@@ -113,7 +113,7 @@ redirect, then this application is vulnerable to **XSHM** and
 essentially it is a similar to a direct exposure to [Universal
 XSS](media:OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf "wikilink")
 – the application itself is
-[XSS](Cross-site_Scripting_\(XSS\) "wikilink")-safe, but running it from
+[XSS](https://owasp.org/www-community/attacks/xss)-safe, but running it from
 a different site inside an IFRAME makes it vulnerable.
 
 ## Related [Threat Agents](Threat_Agents "wikilink")
@@ -123,19 +123,9 @@ TBD
 ## Related [Attacks](https://owasp.org/www-community/attacks/)
 
   - [Cross-site Scripting
-    (XSS)](Cross-site_Scripting_\(XSS\) "wikilink")
+    (XSS)](https://owasp.org/www-community/attacks/xss)
   - [Cross-Site Request Forgery
-    (CSRF)](Cross-Site_Request_Forgery_\(CSRF\) "wikilink")
-
-## Related [Vulnerabilities](https://owasp.org/www-community/vulnerabilities/)
-
-  - [Cross Site Scripting Flaw](Cross_Site_Scripting_Flaw "wikilink")
-
-## Related [Controls](https://owasp.org/www-community/controls/)
-
-  - [Input Validation](Input_Validation "wikilink")
-  - [Output Validation](Output_Validation "wikilink")
-  - [Canonicalization](Canonicalization "wikilink")
+    (CSRF)](https://owasp.org/www-community/attacks/csrf)
 
 ## References
 
@@ -154,4 +144,4 @@ TBD
 ## Credit
 
 [Category:OWASP ASDR Project](Category:OWASP_ASDR_Project "wikilink")
-[Category:Attack](Category:Attack "wikilink")
+[Category:Attack](Category:Attack "wikilink")

pages/attacks/Cross_Site_Tracing.md

@@ -141,8 +141,8 @@ TBD
     <http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf>
   - [Testing for HTTP Methods and XST
     (OWASP-CM-008)](Testing_for_HTTP_Methods_and_XST_\(OWASP-CM-008\) "wikilink")
-  - [OSVDB 877](http://osvdb.org/show/osvdb/877)
-  - [CVE-2005-3398](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3398)
+  - [OSVDB 877](https://vulners.com/osvdb/OSVDB:877)
+  - [CVE-2005-3398](https://nvd.nist.gov/vuln/detail/CVE-2005-3398)
   - [XSS: Gaining access to HttpOnly Cookie
     in 2012](http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html)
   - [Mozilla
@@ -151,4 +151,4 @@ TBD
     Bug 381264](https://bugzilla.mozilla.org/show_bug.cgi?id=381264)
 
 [Category:OWASP ASDR Project](Category:OWASP_ASDR_Project "wikilink")
-[Category:Attack](Category:Attack "wikilink")
+[Category:Attack](Category:Attack "wikilink")

pages/attacks/DOM_Based_XSS.md

@@ -131,7 +131,7 @@ Applications from Universal PDF XSS: A discussion of how weird the web
 application security world has become" at the [2007 OWASP Europe AppSec
 Conference](OWASP_AppSec_Europe_2007_-_Italy "wikilink") in Milan. The
 presentation (\[5\]) can be downloaded
-[here](http://www.owasp.org/images/c/c2/OWASPAppSec2007Milan_ProtectingWebAppsfromUniversalPDFXSS.ppt).
+[here](https://wiki.owasp.org/images/c/c2/OWASPAppSec2007Milan_ProtectingWebAppsfromUniversalPDFXSS.ppt).
 
 ### Extensions
 
@@ -202,7 +202,7 @@ Giorgio Fedon, December 2006
 \[5\] "Protecting Web Applications from Universal PDF XSS" (2007 OWASP
 Europe AppSec presentation) Ivan Ristic, May 2007
 
-<http://www.owasp.org/images/c/c2/OWASPAppSec2007Milan_ProtectingWebAppsfromUniversalPDFXSS.ppt>
+<https://wiki.owasp.org/images/c/c2/OWASPAppSec2007Milan_ProtectingWebAppsfromUniversalPDFXSS.ppt>
 
 \[6\] OWASP Testing Guide
 

pages/attacks/Full_Path_Disclosure.md

@@ -44,7 +44,7 @@ configuration files.
     ?>
 
 An attacker crafts a URL like so:
-`http://site.com/index.php?page=../../../../../../../home/example/public_html/includes/config.php`
+`http://example.org/index.php?page=../../../../../../../home/example/public_html/includes/config.php`
 with the knowledge of the FPD in combination with [Relative Path
 Traversal](https://owasp.org/www-community/attacks/Path_Traversal).
 
@@ -88,12 +88,12 @@ launching exploits requiring working usernames.
 
 If we have a site that uses a method of requesting a page like this:
 
-    http://site.com/index.php?page=about
+    http://example.org/index.php?page=about
 
 We can use a method of opening and closing braces that causes the page
 to output an error. This method would look like this:
 
-    http://site.com/index.php?page[]=about
+    http://example.org/index.php?page[]=about
 
 This renders the page defunct thus spitting out an error:
 
@@ -158,7 +158,7 @@ directly requested. Sometimes, it's a clue to Local File Inclusion
 vulnerability.
 
 Concerning with Mambo CMS, if we access to a direct url,
-<http://site.com/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php>,
+<http://example.org/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php>,
 then we gets
 
     <br />

pages/attacks/Regular_expression_Denial_of_Service_-_ReDoS.md

@@ -166,9 +166,9 @@ will hang.
 - [ReDOS Attacks: From the Exploitation to the Prevention (in .NET)](https://dzone.com/articles/regular-expressions-denial)
 - [Tool for detecting ReDoS vulnerabilities.](http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml)
 - Examples of ReDoS in open source applications:
-    - [ReDoS in DataVault](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3277)
-    - [ReDoS in EntLib](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3275)
-    - [ReDoS in NASD CORE.NET Terelik](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3276)
+    - [ReDoS in DataVault](https://nvd.nist.gov/vuln/detail/CVE-2009-3277)
+    - [ReDoS in EntLib](https://nvd.nist.gov/vuln/detail/CVE-2009-3275)
+    - [ReDoS in NASD CORE.NET Terelik](https://nvd.nist.gov/vuln/detail/CVE-2009-3276)
     - [ReDoS in .NET Framework](http://blog.malerisch.net/2015/09/net-mvc-redos-denial-of-service-vulnerability-cve-2015-2526.html)
     - [ReDoS in Javascript minimatch](https://nodesecurity.io/advisories/118)
 

pages/attacks/SQL_Injection_Bypassing_WAF.md

@@ -120,9 +120,8 @@ can be used (e.g., \#\#\#\#\#, %00).*
 ` /?id=1;select+1&id=2,3+from+users+where+id=1--`
 
 *Successful conduction of an HPP attack bypassing WAF depends on the
-environment of the application being attacked.*
-*\[<http://www>..org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
-EU09 Luca Carettoni, Stefano diPaola\].*
+environment of the application being attacked.
+*[http://wiki.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf](EU09 Luca Carettoni, Stefano diPaola)*
 
 ![<File:Sqli-HPP.png>](Sqli-HPP.png "File:Sqli-HPP.png")
 

pages/controls/Bytecode_obfuscation.md

@@ -115,4 +115,4 @@ commands:
 - [Proguard](https://www.guardsquare.com/en/proguard)
 - [Javaguard](http://sourceforge.net/projects/javaguard/)
 - [Elements of Java Obfuscation](https://www.preemptive.com/obfuscation)
-- [Software Obfuscation](https://en.wikipedia.org/wiki/Obfuscation_\(software\))
+- [Software Obfuscation](https://en.wikipedia.org/wiki/Obfuscation_%28software%29)

pages/initiatives/code_sprint/cs2017.md

@@ -204,7 +204,7 @@ Simon Bennetts and the rest of the ZAP Core Team
 
 ### Bamboo Support
 
-ZAP already has an official plugin for Jenkins https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin. 
+ZAP already has an official plugin for Jenkins https://plugins.jenkins.io/zap/. 
 
 It would be great if we also had similar integration for Bamboo https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software)
 

pages/initiatives/code_sprint/wcs2014.md

@@ -22,7 +22,7 @@ You make excellent contacts and you participate in an international team
 
 Students who successfully(*) participate in the project will get:
 
-* An OWASP annual individual membership. More info [here](http://owasp.com/index.php/Individual_Member)
+* An OWASP annual individual membership. More info [here](https://owasp.org/membership/)
 * An OWASP Winter Code Sprint t-shirt.
 * An OWASP conference pass (no flight/accommodation - just an OWASP conference pass of choice)
 
@@ -936,4 +936,4 @@ Kevin W. Wall - OWASP ESAPI for Java Project Leader - [email protected]
 Here's a small and not complete list of professors who are accepting participants (If your professor wants to accept more than one team, and you want to help your classmates please add institute name and professor/course here)
 
 ## More info?
-Please get in touch with the OWASP Winter Code Sprint Lead: [email protected]
+Please get in touch with the OWASP Winter Code Sprint Lead: [email protected]

pages/initiatives/gsoc/gsoc2013ideas.md

@@ -507,7 +507,7 @@ The automated functionality of OWASP OWTF is currently limited to the non-authen
 2) Configuration files
 
 What we would like to do here is to leverage the [powerful mechanize python library](http://wwwsearch.sourceforge.net/mechanize/) and build at least support for the following authentication options:
-* Basic authentication - As requested here: [Issue 91](https://github.com/7a/owtf/issues/9 https://github.com/7a/owtf/issues/91).
+* Basic authentication - As requested here: [Issue 91](https://github.com/7a/owtf/issues/91).
 * Cookie based authentication
 * Form-based authentication
 
@@ -586,7 +586,7 @@ For background on OWASP OWTF please see: [OWASP_OWTF](https://www.owasp.org/inde
 #### Additional Information and Suggestions (based on student questions):
 
 * Play with the interactive reports to see where we are now (get the OWTF 0.15 one, <b>no need to install anything</b>): [demos](https://github.com/7a/owtf_demos)
-* Reports are created with [report framework](https://github.com/7a/owtf/tree/master/framework/report) and [includes](https://github.com/7a/owtf/tree/master/includes) producing interactive reports such as [demos](https://github.com/7a/owtf_demos https://github.com/7a/owtf_demos)
+* Reports are created with [report framework](https://github.com/7a/owtf/tree/master/framework/report) and [includes](https://github.com/7a/owtf/tree/master/includes) producing interactive reports such as [demos](https://github.com/7a/owtf_demos)
 * How it works at the moment: Each plugin creates its own small report which is loaded by the main report in an iframe, this will make more sense when you play with the interactive demos and look at the source.
 * How the report is meant to be used: I would suggest to watch the live demos in this talk to get the drift of this (Demos start after 1h approx.): [talk](http://www.rubcast.rub.de/index2.php?id=1009)
 * How the report is created now: Each plugin report is created right after each plugin finishes, then the master report is reassembled again: This approach is not very efficient so I am open to alternatives. Not all plugins run tools, some plugins run OWTF checks. But the report will be re-written each time a plugin finishes (using the current approach)

pages/initiatives/gsoc/gsoc2015ideas.md

@@ -692,7 +692,7 @@ Abraham Aranguren - OWASP OWTF Project Leader - Contact: Abraham.Aranguren@owasp
 
 #### Brief Explanation:
 
-This project is to implement what was suggested in the following [github issue](https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192)
+This project is to implement what was suggested in the following [github issue](https://github.com/owtf/owtf/issues/192)
 
 Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?
 Having a private server with:

pages/initiatives/gsoc/gsoc2017ideas.md

@@ -329,7 +329,7 @@ Simon Bennetts and the rest of the ZAP Core Team
 
 ### Bamboo Support
 
-ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). 
+ZAP already has an official plugin for Jenkins (https://plugins.jenkins.io/zap/). 
 
 It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))