# awesome-web-hacking

Web Security Guide: a comprehensive resource for learning web application security.

A list of web application security resources.
## Books

| Link | Description |
|---|---|
| http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/8126533404/ | The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws |
| http://www.amazon.com/Hacking-Web-Apps-Preventing-Application/dp/159749951X/ | Hacking Web Apps: Detecting and Preventing Web Application Security Problems |
| http://www.amazon.com/Hacking-Exposed-Web-Applications-Third/dp/0071740643/ | Hacking Exposed Web Applications |
| http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633/ | SQL Injection Attacks and Defense |
| http://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886/ | The Tangled WEB: A Guide to Securing Modern Web Applications |
| http://www.amazon.com/Web-Application-Obfuscation-Evasion-Filters/dp/1597496049/ | Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' |
| http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ | XSS Attacks: Cross Site Scripting Exploits and Defense |
| http://www.amazon.com/Browser-Hackers-Handbook-Wade-Alcorn/dp/1118662091/ | The Browser Hacker’s Handbook |
| http://www.amazon.com/Basics-Web-Hacking-Techniques-Attack/dp/0124166008/ | The Basics of Web Hacking: Tools and Techniques to Attack the Web |
| http://www.amazon.com/Web-Penetration-Testing-Kali-Linux/dp/1782163166/ | Web Penetration Testing with Kali Linux |
| http://www.amazon.com/Web-Application-Security-Beginners-Guide/dp/0071776168/ | Web Application Security, A Beginner's Guide |
| https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ | Hacking: The Art of Exploitation |
| https://www.crypto101.io/ | Crypto 101 is an introductory course on cryptography |
| http://www.offensive-security.com/metasploit-unleashed/ | Metasploit Unleashed |
| http://www.cl.cam.ac.uk/~rja14/book.html | Security Engineering |
| https://www.feistyduck.com/library/openssl-cookbook/ | OpenSSL Cookbook |
| https://www.manning.com/books/real-world-cryptography | Learn and apply cryptographic techniques |
| https://www.manning.com/books/making-sense-of-cyber-security | A guide to the key concepts, terminology, and technologies of cybersecurity, perfect for anyone planning or implementing a security strategy |
| https://www.manning.com/books/cyber-security-career-guide | Kickstart a career in cyber security by learning how to adapt your existing technical and non-technical skills |
| https://www.manning.com/books/secret-key-cryptography | A book about cryptographic techniques and secret-key methods |
| https://www.manning.com/books/application-security-program-handbook | This practical book is a one-stop guide to implementing a robust application security program |
| https://www.manning.com/books/cyber-threat-hunting | Practical guide to cyber threat hunting |
| https://nostarch.com/bug-bounty-bootcamp | Bug Bounty Bootcamp |
| https://nostarch.com/hacking-apis | Hacking APIs |
| https://www.manning.com/books/grokking-web-application-security | A book about building web apps that are ready for and resilient to any attack |
## Documentation

| Link | Description |
|---|---|
| https://www.owasp.org/ | Open Web Application Security Project |
| http://www.pentest-standard.org/ | Penetration Testing Execution Standard |
| http://www.binary-auditing.com/ | Dr. Thorsten Schneider’s Binary Auditing |
| https://appsecwiki.com/ | Application Security Wiki is an initiative to provide all application security related resources to security researchers and developers in one place |
## Tools

| Link | Stars | Last commit | Description |
|---|---|---|---|
| https://www.deepinfo.com/ | | | Deepinfo Attack Surface Platform discovers all your digital assets, monitors them 24/7, detects any issues, and notifies you quickly so you can take immediate action |
| https://spyse.com/ | | | OSINT search engine that provides fresh data about the entire web, stores all data in its own DB, interconnects findings and has some cool features |
| http://www.metasploit.com/ | | | World's most used penetration testing software |
| https://findsubdomains.com | | | Online subdomain scanner service with lots of additional data; works using OSINT |
| https://github.com/bjeborn/basic-auth-pot | 47 | almost 10 years ago | HTTP Basic Authentication honeypot |
| http://www.arachni-scanner.com/ | | | Web Application Security Scanner Framework |
| https://github.com/sullo/nikto | 8,623 | 6 days ago | Nikto web server scanner |
| http://www.tenable.com/products/nessus-vulnerability-scanner | | | Nessus Vulnerability Scanner |
| http://www.portswigger.net/burp/intruder.html | | | Burp Intruder is a tool for automating customized attacks against web apps |
| http://www.openvas.org/ | | | The world's most advanced open source vulnerability scanner and manager |
| https://github.com/iSECPartners/Scout2 | 1,725 | almost 6 years ago | Security auditing tool for AWS environments |
| https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project | | | A multi-threaded Java application designed to brute force directory and file names on web/application servers |
| https://www.owasp.org/index.php/ZAP | | | The Zed Attack Proxy is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications |
| https://github.com/tecknicaltom/dsniff | 190 | over 14 years ago | dsniff is a collection of tools for network auditing and penetration testing |
| https://github.com/WangYihang/Webshell-Sniper | 420 | over 3 years ago | Manage your webshell via terminal |
| https://github.com/DanMcInerney/dnsspoof | 278 | over 7 years ago | DNS spoofer. Drops DNS responses from the router and replaces them with the spoofed DNS response |
| https://github.com/trustedsec/social-engineer-toolkit | 11,000 | about 1 month ago | The Social-Engineer Toolkit (SET) repository from TrustedSec |
| https://github.com/sqlmapproject/sqlmap | 32,576 | 6 days ago | Automatic SQL injection and database takeover tool |
| https://github.com/beefproject/beef | 9,854 | 6 days ago | The Browser Exploitation Framework Project |
| http://w3af.org/ | | | w3af is a Web Application Attack and Audit Framework |
| https://github.com/espreto/wpsploit | 215 | over 6 years ago | WPSploit, exploiting WordPress with Metasploit |
| https://github.com/WangYihang/Reverse-Shell-Manager | 238 | over 1 year ago | Reverse shell manager via terminal |
| https://github.com/RUB-NDS/WS-Attacker | 472 | about 2 months ago | WS-Attacker is a modular framework for web services penetration testing |
| https://github.com/wpscanteam/wpscan | 8,616 | 17 days ago | WPScan is a black box WordPress vulnerability scanner |
| http://sourceforge.net/projects/paros/ | | | Paros proxy |
| https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project | | | WebScarab proxy |
| https://code.google.com/p/skipfish/ | | | Skipfish, an active web application security reconnaissance tool |
| http://www.acunetix.com/vulnerability-scanner/ | | | Acunetix Web Vulnerability Scanner |
| https://cystack.net/ | | | CyStack Web Security Platform |
| http://www-03.ibm.com/software/products/en/appscan | | | IBM Security AppScan |
| https://www.netsparker.com/web-vulnerability-scanner/ | | | Netsparker web vulnerability scanner |
| http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/index.html | | | HP WebInspect |
| https://github.com/sensepost/wikto | 175 | over 7 years ago | Wikto - Nikto for Windows with some extra features |
| http://samurai.inguardians.com | | | Samurai Web Testing Framework |
| https://code.google.com/p/ratproxy/ | | | Ratproxy |
| http://www.websecurify.com | | | Websecurify |
| http://sourceforge.net/projects/grendel/ | | | Grendel-scan |
| https://tools.kali.org/web-applications/gobuster | | | Directory/file and DNS busting tool written in Go |
| http://www.edge-security.com/wfuzz.php | | | Wfuzz |
| http://wapiti.sourceforge.net | | | wapiti |
| https://github.com/neuroo/grabber | 147 | about 8 years ago | Grabber |
| https://subgraph.com/vega/ | | | Vega |
| http://websecuritytool.codeplex.com | | | Watcher passive web scanner |
| http://xss.codeplex.com | | | x5s XSS and Unicode transformations security testing assistant |
| http://www.beyondsecurity.com/avds | | | AVDS Vulnerability Assessment and Management |
| http://www.golismero.com | | | Golismero |
| http://www.ikare-monitoring.com | | | IKare |
| http://www.nstalker.com | | | N-Stalker X |
| https://www.rapid7.com/products/nexpose/index.jsp | | | Nexpose |
| http://www.rapid7.com/products/appspider/ | | | AppSpider |
| http://www.milescan.com | | | ParosPro |
| https://www.qualys.com/enterprises/qualysguard/web-application-scanning/ | | | Qualys Web Application Scanning |
| http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/ | | | Retina |
| https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework | | | Xenotix XSS Exploit Framework |
| https://github.com/future-architect/vuls | 10,994 | 9 days ago | Vulnerability scanner for Linux, agentless, written in Go |
| https://github.com/rastating/wordpress-exploit-framework | 1,018 | almost 5 years ago | A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems |
| http://www.xss-payloads.com/ | | | XSS payloads to leverage XSS vulnerabilities, build custom payloads, and practice penetration testing skills |
| https://github.com/joaomatosf/jexboss | 2,421 | almost 5 years ago | JBoss (and other Java deserialization vulnerabilities) verification and exploitation tool |
| https://github.com/commixproject/commix | 4,610 | 6 days ago | Automated all-in-one OS command injection and exploitation tool |
| https://github.com/pathetiq/BurpSmartBuster | 383 | about 4 years ago | A Burp Suite content discovery plugin that adds the smart into the Buster! |
| https://github.com/GoSecure/csp-auditor | 136 | over 4 years ago | Burp and ZAP plugin to analyze CSP headers |
| https://github.com/ffleming/timing_attack | 120 | about 5 years ago | Perform timing attacks against web applications |
| https://github.com/lalithr95/fuzzapi | 632 | over 3 years ago | Fuzzapi is a tool used for REST API pentesting |
| https://github.com/owtf/owtf | 1,821 | 24 days ago | Offensive Web Testing Framework (OWTF) |
| https://github.com/nccgroup/wssip | 445 | almost 2 years ago | Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa |
| https://github.com/PalindromeLabs/STEWS | 334 | almost 3 years ago | Tool suite for WebSocket discovery, fingerprinting, and vulnerability detection |
| https://github.com/tijme/angularjs-csti-scanner | 303 | about 3 years ago | Automated client-side template injection (sandbox escape/bypass) detection for AngularJS (ACSTIS) |
| https://reshift.softwaresecured.com | | | A source code analysis tool for detecting and managing Java security vulnerabilities |
| https://encoding.tools | | | Web app for transforming binary data and strings, including hashes and various encodings. GPLv3 offline version available |
| https://gchq.github.io/CyberChef/ | | | A "Cyber Swiss Army Knife" for carrying out various encodings and transformations of binary data and strings |
| https://github.com/urbanadventurer/WhatWeb | 5,554 | 4 months ago | WhatWeb - Next generation web scanner |
| https://www.shodan.io/ | | | Shodan - The search engine for finding vulnerable servers |
| https://github.com/nil0x42/phpsploit | 2,221 | 7 months ago | PhpSploit - Full-featured C2 framework which silently persists on a webserver via an evil PHP one-liner |
| https://webhint.io/ | | | webhint is a customizable linting tool that helps you improve your site's accessibility, speed, cross-browser compatibility, and more by checking your code for best practices and common errors |
| https://gtfobins.github.io/ | | | GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems |
| https://github.com/HightechSec/git-scanner | 339 | over 4 years ago | git-scanner - A tool for bug hunting or pentesting, targeting websites that have open repositories available in public |
| Web Application Exploitation @ Rawsec Inventory | | | Complete list of web pentesting tools |
| Cyclops is a novel browser that can detect vulnerability automatically | 113 | 5 months ago | Cyclops is a web browser with an XSS detection feature |
| https://caido.io/ | | | Web proxy |
| https://github.com/assetnote/kiterunner | 2,651 | 7 months ago | API discovery |
| https://github.com/owasp-amass/amass | 12,067 | 5 days ago | Domain recon |
| https://columbus.elmasy.com/ | | | Columbus Project is an advanced subdomain discovery service with a fast, powerful and easy to use API |
| BadUSB Script To Exfiltrate Passwords | 44 | 6 months ago | Extracts all saved passwords from Chrome, Firefox, and Edge to be saved onto a secondary USB for further analysis |
| https://github.com/flibustier/jwt-online-cracker | 5 | 23 days ago | Brute-force HS256, HS384 or HS512 JWT tokens from your browser (fully client-side) |
## Cheat Sheets

| Link | Description |
|---|---|
| http://n0p.net/penguicon/php_app_sec/mirror/xss.html | XSS cheatsheet |
| https://highon.coffee/blog/lfi-cheat-sheet/ | LFI Cheat Sheet |
| https://highon.coffee/blog/reverse-shell-cheat-sheet/ | Reverse Shell Cheat Sheet |
| https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/ | SQL Injection Cheat Sheet |
| https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/ | Path Traversal Cheat Sheet: Windows |
## Docker images for Penetration Testing

| Image | Stars | Last commit |
|---|---|---|
| official Kali Linux | | |
| official BlackArch Linux | | |
| official OWASP ZAP | 12,743 | 6 days ago |
| official WPScan | | |
| docker-metasploit | | |
| Damn Vulnerable Web Application (DVWA) | | |
| OWASP Juice Shop | | |
| Vulnerable WordPress Installation | | |
| Vulnerability as a service: Shellshock | | |
| Vulnerability as a service: Heartbleed | | |
| Security Ninjas | | |
| Arch Linux Penetration Tester | | |
| Docker Bench for Security | | |
| OWASP Security Shepherd | | |
| OWASP WebGoat Project docker image | | |
| OWASP WrongSecrets Project docker image | | |
| OWASP Mutillidae II Web Pen-Test Practice Application | | |
| Docker for pentest | 728 | over 2 years ago |
| The Modern Port Scanner | 14,669 | 9 days ago |
## Vulnerabilities

| Link | Description |
|---|---|
| http://cve.mitre.org/ | Common Vulnerabilities and Exposures. The standard for information security vulnerability names |
| https://www.exploit-db.com/ | The Exploit Database – ultimate archive of exploits, shellcode, and security papers |
| http://0day.today/ | Inj3ct0r is the ultimate database of exploits and vulnerabilities and a great resource for vulnerability researchers and security professionals |
| http://www.securityfocus.com/ | Since its inception in 1999, SecurityFocus has been a mainstay in the security community |
| http://packetstormsecurity.com/ | Global Security Resource |
| https://wpvulndb.com/ | WPScan Vulnerability Database |
| https://snyk.io/vuln/ | Vulnerability DB, detailed information and remediation guidance for known vulnerabilities |
| https://stellastra.com/cipher-suite | Database of hundreds of TLS cipher suites and their security status |
| https://vulncheck.com/xdb/ | An index of exploit proof-of-concept code in Git repositories |
## Courses

| Link | Description |
|---|---|
| https://www.offensive-security.com/information-security-training/advanced-web-attack-and-exploitation/ | Offensive Security Advanced Web Attacks and Exploitation (live) |
| https://www.sans.org/course/web-app-penetration-testing-ethical-hacking | SANS SEC542: Web App Penetration Testing and Ethical Hacking |
| https://www.sans.org/course/advanced-web-app-penetration-testing-ethical-hacking | SANS SEC642: Advanced Web App Penetration Testing and Ethical Hacking |
| http://opensecuritytraining.info/ | Open Security Training |
| http://securitytrainings.net/security-trainings/ | Security Exploded Training |
| http://www.securitytube.net/ | World’s largest Infosec and Hacking Portal |
| https://www.hacker101.com/ | Free class for web security by |
| https://www.darkrelay.com/courses/professional-penetration-tester | Zero-Hero style pentesting course by |
## Online Hacking Demonstration Sites

| Link | Description |
|---|---|
| http://testasp.vulnweb.com/ | Acunetix ASP test and demonstration site |
| http://testaspnet.vulnweb.com/ | Acunetix ASP.NET test and demonstration site |
| http://testphp.vulnweb.com/ | Acunetix PHP test and demonstration site |
| http://crackme.cenzic.com/kelev/view/home.php | Crack Me Bank |
| http://zero.webappsecurity.com/ | Zero Bank |
| http://demo.testfire.net/ | Altoro Mutual |
| https://public-firing-range.appspot.com/ | Firing Range is a test bed for automated web application security scanners |
| https://xss-game.appspot.com/ | XSS challenge |
| https://google-gruyere.appspot.com/ | Google Gruyere, web application exploits and defenses |
| https://ginandjuice.shop/catalog | Gin & Juice Shop, PortSwigger's deliberately vulnerable demonstration web application |
| https://pentest-ground.com/ | Pentest-Ground is a free playground with deliberately vulnerable web applications and network services |
| HackSimulator | A GPT created by in which ChatGPT 4 acts as a hacking CTF. This GPT will ask for your experience level and what you would like to improve on, before simulating a machine/application for you to hack into, using the chat box as the place to input terminal commands. Since this is done through AI, it changes and adjusts based on your experience level, and you can ask for help if you are stuck |
## Labs

| Link | Stars | Last commit | Description |
|---|---|---|---|
| https://portswigger.net/web-security | | | Web Security Academy: Free Online Training from PortSwigger |
| http://www.cis.syr.edu/~wedu/seed/all_labs.html | | | Developing Instructional Laboratories for Computer SEcurity EDucation (SEED) |
| https://www.vulnhub.com/ | | | Virtual machines for localhost penetration testing |
| https://pentesterlab.com/ | | | PentesterLab is an easy and great way to learn penetration testing |
| https://github.com/jerryhoff/WebGoat.NET | 223 | 11 months ago | This web application is a learning platform about common web security flaws |
| http://www.dvwa.co.uk/ | | | Damn Vulnerable Web Application (DVWA) |
| http://sourceforge.net/projects/lampsecurity/ | | | LAMPSecurity Training |
| https://github.com/Audi-1/sqli-labs | 5,268 | 12 months ago | SQLi labs to practice error-based, blind boolean-based and time-based SQL injection |
| https://github.com/paralax/lfi-labs | 319 | 8 months ago | Small set of PHP scripts to practice exploiting LFI, RFI and command injection vulnerabilities |
| https://hack.me/ | | | Build, host and share vulnerable web apps in a sandboxed environment for free |
| http://azcwr.org/az-cyber-warfare-ranges | | | Free live-fire Capture the Flag, blue team and red team Cyber Warfare Range for beginners through advanced users. Must use a cell phone to send a text message requesting access to the range |
| https://github.com/adamdoupe/WackoPicko | 328 | 6 months ago | WackoPicko is a vulnerable web application used to test web application vulnerability scanners |
| https://github.com/rapid7/hackazon | 969 | over 3 years ago | Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications |
| https://github.com/RhinoSecurityLabs/cloudgoat | 2,973 | 11 days ago | Rhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool |
| https://www.hackthebox.eu/ | | | Hack The Box is an online platform allowing you to test and advance your skills in cyber security |
| https://github.com/tegal1337/0l4bs | 296 | over 3 years ago | 0l4bs is a set of cross-site scripting labs for web application security enthusiasts |
| https://github.com/oliverwiegers/pentest_lab | 182 | over 1 year ago | Local pentest lab leveraging docker compose |
| https://ginandjuice.shop/catalog | | | Gin & Juice Shop, PortSwigger's deliberately vulnerable demonstration web application |
| https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application | 1,505 | 10 months ago | Damn Vulnerable GraphQL Application |
| https://labex.io/skilltrees/cybersecurity | | | LabEx is an online platform for enhancing your cyber security skills through hands-on labs |
## SSL

| Link | Description |
|---|---|
| https://www.ssllabs.com/ssltest/index.html | This service performs a deep analysis of the configuration of any SSL web server on the public Internet |
| http://certdb.com/ | SSL/TLS data provider service. Collects data about digital certificates (issuers, organisation, whois, expiration dates, etc.) and has handy filters for convenience |
| https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html | Strong SSL Security on nginx |
| https://weakdh.org/ | Weak Diffie-Hellman and the Logjam Attack |
| https://letsencrypt.org/ | Let’s Encrypt is a new Certificate Authority: it’s free, automated, and open |
| https://filippo.io/Heartbleed/ | A checker (site and tool) for CVE-2014-0160 (Heartbleed) |
| https://testssl.sh/ | A command line tool which checks a website's TLS/SSL ciphers, protocols and cryptographic flaws |
## Security Ruby on Rails

| Link | Stars | Last commit | Description |
|---|---|---|---|
| http://brakemanscanner.org/ | | | A static analysis security vulnerability scanner for Ruby on Rails applications |
| https://github.com/rubysec/ruby-advisory-db | 1,020 | 6 days ago | A database of vulnerable Ruby gems |
| https://github.com/rubysec/bundler-audit | 2,686 | 2 months ago | Patch-level verification for Bundler |
| https://github.com/hakirisec/hakiri_toolbelt | 273 | over 7 years ago | Hakiri Toolbelt is a command line interface for the Hakiri platform |
| https://hakiri.io/facets | | | Scan Gemfile.lock for vulnerabilities |
| http://rails-sqli.org/ | | | This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input |
| https://github.com/0xsauby/yasuo | 569 | almost 7 years ago | A Ruby script that scans for vulnerable and exploitable third-party web applications on a network |