Start demoing application security today!

A live demo always beats a slide-only presentation. With OWASP 1-Liner you can demo what application security is about, both in terms of attacks and countermeasures.

OWASP 1-Liner is a deliberately vulnerable Java and JavaScript-based chat application. You install and run 1-Liner locally and it runs in two versions simultaneously – vulnerable and securish. The vulnerable version is intended for attack demos and the securish version is intended for demoing countermeasures.

Demos currently supported include XSS (with BeEF), CSRF against RESTful services, clickjacking, double submit anti-CSRF bypass, and multi-step CSRF.

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. OWASP 1-Liner is released under the Creative Commons Attribution-ShareAlike 3.0 Unported license. If you use the OWASP 1-Liner you should attribute its original author John Wilander and the OWASP Foundation. Thank you! | @johnwilander | OWASP |


Choose Path

You've got to choose path. The application runs in two versions simultaneously – vulnerable and securish.

Vulnerable Version

The vulnerable part lets you demo various attacks such as XSS, CSRF and clickjacking.

Securish Version

The securish part lets you demo various countermeasures such as client-side encoding and double submit anti-CSRF cookies.


The demo page for clickjacking follows the mouse pointer with an invisible (or semi-transparent for demo purpose) iframe and steals the click to the chat application's "Shoot" button.

Cross-Site Scripting

The vulnerable version of the app is susceptible to cross-site scripting. To demo this you typically send a reflected XSS from one chat client to another, i.e. between two different browsers on the same machine.

How To Download and Install

Full instructions and source code is available on GitHub.

OWASP 1-Liner is a Gradle application written in Java and JavaScript. You download the source, build, and deploy on your own machine. The intention is to allow for live coding and patching. The suggested IDE is Jetbrains' IntelliJ.

Don't hesitate to send a pull request via GitHub if you have a patch or have added a new countermeasure or attack.

How To Use OWASP 1-Liner

You typically run demos by opening OWASP 1-Liner in two different browsers and set different users for them. That allows you to chat between the browsers, and of course attempt attacks between them.

OWASP 1-Liner is deployed on your own machine. This is the quickest way to get going:

Get Involved – Help Wanted!

Application security is evolving and OWASP 1-Liner needs constant attention to be fresh and relevant. Your help is most welcome!

Some of the things you can do for this project:

  • Debug the demo spec in OWASP_1-Liner_Demos.txt
    Does the demo documentation work? What needs to be clarified?
  • Debug the app in Internet Explorer 9 and 10
    1-Liner has been developed on a Mac and there seems to be problems running it in IE.
  • Build a proper login
    Right now login is faked via the admin page. But we'll need proper login to be able to demo all the important things around authentication (attacks and countermeasures).
  • Build proper session handling
    Right not session handling is faked. Both vulnerable and securish session handling is needed.
  • Add a DOM-based XSS attack demo
    Since 1-Liner is a frontend heavy app it's a perfect victim for DOM-based XSS. Feel free to add such vulnerabilities.
  • Integrate OWASP ESAPI
    It would be nice to have ESAPI in the securish version of the app.
  • Get unit testing back on track
    All the unit tests where thrown out under the influence of the Demo Gods. Stuff just broke too easily back when the app was built and deployed with Maven and Spring was used to drive the JUnit test cases. We should get something working with Gradle.
  • Build a .Net backend
    It should be fairly easy to build a .Net backend now that there's a Java app to use as specification.
  • Build jQuery UI and Dojo frontends
    The current frontend is built using Ext JS but we probably need jQuery and Dojo as alternatives to maximize the impact.

To get in contact just email the project's list or the project leader directly.

Contributors in alphabetical order

  • Paraskevi "Vicky" Simita
  • John Wilander (project leader)