awesome-web-security

Web Security Guide

A curated list of Web Security resources and materials to help developers learn about web vulnerabilities and security techniques.

đŸ¶ A curated list of Web Security materials and resources.

GitHub
12k stars
382 watching
2k forks
last commit: 10 months ago
Linked from 8 awesome lists

awesomeawesome-listlistpenetration-testingsecuritywebwebsecurity

Screenshot of qazbnm456/awesome-web-security website

awesomelists.top/#/repos/qazbnm456/awesome-web-security

Awesome Web Security / Digests
Hacker101 Written by
The Daily Swig - Web security digest Written by
Web Application Security Zone by Netsparker Written by
Infosec Newbie Written by
The Magic of Learning Written by
CTF Field Guide Written by
PayloadsAllTheThings 61,616 4 days ago Written by
tl;dr sec Weekly summary of top security tools, blog posts, and security research

Awesome Web Security / Forums
Phrack Magazine Ezine written by and for hackers
The Hacker News Security in a serious way
Security Weekly The security podcast network
The Register Biting the hand that feeds IT
Dark Reading Connecting The Information Security Community
HackDig Dig high-quality web security articles for hacker

Awesome Web Security / Introduction / XSS - Cross-Site Scripting
Cross-Site Scripting – Application Security – Google Written by
H5SC 2,858 almost 3 years ago Written by
AwesomeXSS 4,794 about 1 month ago Written by
XSS.png 56 almost 9 years ago Written by @jackmasa
C.XSS Guide Written by and
THE BIG BAD WOLF - XSS AND MAINTAINING ACCESS Written by
payloadbox/xss-payload-list 6,437 5 months ago Written by
PayloadsAllTheThings - XSS Injection 61,616 4 days ago Written by

Awesome Web Security / Introduction / Prototype Pollution
Prototype pollution attack in NodeJS application 515 6 months ago Written by
Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) Written by
Real-world JS - 1 Written by

Awesome Web Security / Introduction / CSV Injection
CSV Injection -> Meterpreter on Pornhub Written by
The Absurdly Underestimated Dangers of CSV Injection Written by
PayloadsAllTheThings - CSV Injection 61,616 4 days ago Written by

Awesome Web Security / Introduction / SQL Injection
SQL Injection Cheat Sheet Written by
SQL Injection Wiki Written by
SQL Injection Pocket Reference Written by
payloadbox/sql-injection-payload-list 5,022 5 months ago Written by
PayloadsAllTheThings - SQL Injection 61,616 4 days ago Written by

Awesome Web Security / Introduction / Command Injection
Potential command injection in resolv.rb 22,189 about 24 hours ago Written by
payloadbox/command-injection-payload-list 3,019 5 months ago Written by
PayloadsAllTheThings - Command Injection 61,616 4 days ago Written by

Awesome Web Security / Introduction / ORM Injection
HQL for pentesters Written by
HQL : Hyperinsane Query Language (or how to access the whole SQL API within a HQL injection ?) Written by
ORM2Pwn: Exploiting injections in Hibernate ORM Written by
ORM Injection Written by

Awesome Web Security / Introduction / FTP Injection
Advisory: Java/Python FTP Injections Allow for Firewall Bypass Written by
SMTP over XXE − how to send emails using Java's XML parser Written by

Awesome Web Security / Introduction / XXE - XML eXternal Entity
XXE Written by
XML external entity (XXE) injection Written by
XML Schema, DTD, and Entity Attacks Written by and Omar Al Ibrahim
payloadbox/xxe-injection-payload-list 1,097 5 months ago Written by
PayloadsAllTheThings - XXE Injection 61,616 4 days ago Written by various contributors

Awesome Web Security / Introduction / CSRF - Cross-Site Request Forgery
Wiping Out CSRF Written by
PayloadsAllTheThings - CSRF Injection 61,616 4 days ago Written by

Awesome Web Security / Introduction / Clickjacking
Clickjacking Written by
X-Frame-Options: All about Clickjacking? 73 over 2 years ago Written by

Awesome Web Security / Introduction / SSRF - Server-Side Request Forgery
SSRF bible. Cheatsheet Written by
PayloadsAllTheThings - Server-Side Request Forgery 61,616 4 days ago Written by

Awesome Web Security / Introduction / Web Cache Poisoning
Practical Web Cache Poisoning Written by
PayloadsAllTheThings - Web Cache Deception 61,616 4 days ago Written by

Awesome Web Security / Introduction / Relative Path Overwrite
Large-scale analysis of style injection by relative path overwrite Written by
MBSD Technical Whitepaper - A few RPO exploitation techniques Written by

Awesome Web Security / Introduction / Open Redirect
Open Redirect Vulnerability Written by
payloadbox/open-redirect-payload-list 534 5 months ago Written by
PayloadsAllTheThings - Open Redirect 61,616 4 days ago Written by

Awesome Web Security / Introduction / Security Assertion Markup Language (SAML)
How to Hunt Bugs in SAML; a Methodology - Part I Written by
How to Hunt Bugs in SAML; a Methodology - Part II Written by
How to Hunt Bugs in SAML; a Methodology - Part III Written by
PayloadsAllTheThings - SAML Injection 61,616 4 days ago Written by

Awesome Web Security / Introduction / Upload
File Upload Restrictions Bypass Written by
PayloadsAllTheThings - Upload Insecure Files 61,616 4 days ago Written by

Awesome Web Security / Introduction / Rails
Rails Security - First part Written by
Zen Rails Security Checklist 1,817 over 4 years ago Written by
Rails SQL Injection Written by
Official Rails Security Guide Written by

Awesome Web Security / Introduction / AngularJS
XSS without HTML: Client-Side Template Injection with AngularJS Written by
DOM based Angular sandbox escapes Written by

Awesome Web Security / Introduction / ReactJS
XSS via a spoofed React element Written by

Awesome Web Security / Introduction / SSL/TLS
SSL & TLS Penetration Testing Written by
Practical introduction to SSL/TLS 573 4 days ago Written by

Awesome Web Security / Introduction / Webmail
Why mail() is dangerous in PHP Written by

Awesome Web Security / Introduction / NFS
NFS | PENETRATION TESTING ACADEMY Written by

Awesome Web Security / Introduction / AWS
PENETRATION TESTING AWS STORAGE: KICKING THE S3 BUCKET Written by Dwight Hohnstein from
AWS PENETRATION TESTING PART 1. S3 BUCKETS Written by
AWS PENETRATION TESTING PART 2. S3, IAM, EC2 Written by
Misadventures in AWS Written by Christian Demko

Awesome Web Security / Introduction / Azure
Common Azure Security Vulnerabilities and Misconfigurations Written by
Cloud Security Risks (Part 1): Azure CSV Injection Vulnerability Written by

Awesome Web Security / Introduction / Sub Domain Enumeration
A penetration tester’s guide to sub-domain enumeration Written by
The Art of Subdomain Enumeration Written by

Awesome Web Security / Introduction / Crypto
Applied Crypto Hardening Written by
What is a Side-Channel Attack ? Written by

Awesome Web Security / Introduction / Web Shell
Hunting for Web Shells Written by
Hacking with JSP Shells Written by

Awesome Web Security / Introduction / OSINT
Hacking Cryptocurrency Miners with OSINT Techniques Written by
OSINT x UCCU Workshop on Open Source Intelligence Written by
102 Deep Dive in the Dark Web OSINT Style Kirby Plessas Presented by
The most complete guide to finding anyone’s email Written by

Awesome Web Security / Introduction / DNS Rebinding
Attacking Private Networks from the Internet with DNS Rebinding Written by
Hacking home routers from the Internet Written by

Awesome Web Security / Introduction / Deserialization
What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. Written by
Attacking .NET deserialization Written by
.NET Roulette: Exploiting Insecure Deserialization in Telerik UI Written by
How to exploit the DotNetNuke Cookie Deserialization Written by
HOW TO EXPLOIT LIFERAY CVE-2020-7961 : QUICK JOURNEY TO POC Written by

Awesome Web Security / Introduction / OAuth
Introduction to OAuth 2.0 and OpenID Connect Written by
What is going on with OAuth 2.0? And why you should not use it for authentication. Written by

Awesome Web Security / Introduction / JWT
Hardcoded secrets, unverified tokens, and other common JWT mistakes Written by

Awesome Web Security / Evasions / XXE
Bypass Fix of OOB XXE Using Different encoding Written by

Awesome Web Security / Evasions / CSP
Any protection against dynamic module import? 210 8 days ago Written by
CSP: bypassing form-action with reflected XSS Written by
TWITTER XSS + CSP BYPASS Written by
Neatly bypassing CSP Written by
Evading CSP with DOM-based dangling markup Written by
GitHub's CSP journey Written by
GitHub's post-CSP journey Written by

Awesome Web Security / Evasions / WAF
Web Application Firewall (WAF) Evasion Techniques Written by
Web Application Firewall (WAF) Evasion Techniques #2 Written by
Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities Written by
How to bypass libinjection in many WAF/NGWAF Written by

Awesome Web Security / Evasions / JSMVC
JavaScript MVC and Templating Frameworks Written by

Awesome Web Security / Evasions / Authentication
Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) Written by and

Awesome Web Security / Tricks / CSRF
Neat tricks to bypass CSRF-protection Written by
Exploiting CSRF on JSON endpoints with Flash and redirects Written by
Stealing CSRF tokens with CSS injection (without iFrames) 318 almost 7 years ago Written by
Cracking Java’s RNG for CSRF - Javax Faces and Why CSRF Token Randomness Matters Written by
If HttpOnly You Could Still CSRF
 Of CORS you can! Written by

Awesome Web Security / Tricks / Clickjacking
Clickjackings in Google worth 14981.7$ Written by

Awesome Web Security / Tricks / Remote Code Execution
CVE-2019-1306: ARE YOU MY INDEX? Written by
WebLogic RCE (CVE-2019-2725) Debug Diary Written by Badcode@Knownsec 404 Team
What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. Written by
Exploiting Node.js deserialization bug for Remote Code Execution Written by
DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE Written by
How we exploited a remote code execution vulnerability in math.js Written by
GitHub Enterprise Remote Code Execution Written by
Evil Teacher: Code Injection in Moodle Written by
How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Written by
$36k Google App Engine RCE Written by
Poor RichFaces Written by
Remote Code Execution on a Facebook server Written by

Awesome Web Security / Tricks / XSS
Exploiting XSS with 20 characters limitation Written by
Upgrade self XSS to Exploitable XSS an 3 Ways Technic Written by
XSS without parentheses and semi-colons Written by
XSS-Auditor — the protector of unprotected and the deceiver of protected. Written by
Query parameter reordering causes redirect page to render unsafe URL Written by
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else Written by
How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) Written by
DON'T TRUST THE DOM: BYPASSING XSS MITIGATIONS VIA SCRIPT GADGETS Written by , , and
Uber XSS via Cookie Written by
DOM XSS – auth.uber.com Written by
Stored XSS on Facebook Written by
XSS in Google Colaboratory + CSP bypass Written by
Another XSS in Google Colaboratory Written by
is filtered ? Written by
$20000 Facebook DOM XSS Written by

Awesome Web Security / Tricks / SQL Injection
MySQL Error Based SQL Injection Using EXP Written by
SQL injection in an UPDATE query - a bug bounty story! Written by
GitHub Enterprise SQL Injection Written by
Making a Blind SQL Injection a little less blind Written by
Red Team Tales 0x01: From MSSQL to RCE Written by
SQL INJECTION AND POSTGRES - AN ADVENTURE TO EVENTUAL RCE Written by

Awesome Web Security / Tricks / NoSQL Injection
GraphQL NoSQL Injection Through JSON Types Written by

Awesome Web Security / Tricks / FTP Injection
XML Out-Of-Band Data Retrieval Written by and Alexey Osipov
XXE OOB exploitation at Java 1.7+ Written by

Awesome Web Security / Tricks / XXE
Evil XML with two encodings Written by
XXE in WeChat Pay Sdk ( WeChat leave a backdoor on merchant websites) Written by
XML Out-Of-Band Data Retrieval Written by Timur Yunusov and Alexey Osipov
XXE OOB exploitation at Java 1.7+ (2014) : Exfiltration using FTP protocol - Written by
XXE OOB extracting via HTTP+FTP using single opened port Written by
What You Didn't Know About XML External Entities Attacks Written by
Pre-authentication XXE vulnerability in the Services Drupal module Written by
Forcing XXE Reflection through Server Error Messages Written by
Exploiting XXE with local DTD files Written by
Automating local DTD discovery for XXE exploitation Written by

Awesome Web Security / Tricks / SSRF
AWS takeover through SSRF in JavaScript Written by
SSRF in Exchange leads to ROOT access in all instances Written by
SSRF to ROOT Access A $25k bounty for SSRF leading to ROOT Access in all instances by
PHP SSRF Techniques Written by
SSRF in https://imgur.com/vidgif/url Written by
All you need to know about SSRF and how may we write tools to do auto-detect Written by
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! Written by
SSRF Tips Written by
Into the Borg – SSRF inside Google production network Written by
Piercing the Veil: Server Side Request Forgery to NIPRNet access Written by

Awesome Web Security / Tricks / Web Cache Poisoning
Bypassing Web Cache Poisoning Countermeasures Written by
Cache poisoning and other dirty tricks Written by

Awesome Web Security / Tricks / Header Injection
Java/Python FTP Injections Allow for Firewall Bypass Written by

Awesome Web Security / Tricks / URL
Some Problems Of URLs Written by
Phishing with Unicode Domains Written by
Unicode Domains are bad and you should feel bad for supporting them Written by
[dev.twitter.com] XSS Written by

Awesome Web Security / Tricks / Deserialization
ASP.NET resource files (.RESX) and deserialisation issues Written by

Awesome Web Security / Tricks / OAuth
Facebook OAuth Framework Vulnerability Written by

Awesome Web Security / Tricks / Others
How I hacked Google’s bug tracking system itself for $15,600 in bounties Written by
Some Tricks From My Secret Group Written by
Inducing DNS Leaks in Onion Web Services 41 over 6 years ago Written by
Stored XSS, and SSRF in Google using the Dataset Publishing Language Written by

Awesome Web Security / Browser Exploitation / Frontend (like SOP bypass, URL spoofing, and something like that)
The world of Site Isolation and compromised renderer Written by
The Cookie Monster in Your Browsers Written by
Bypassing Mobile Browser Security For Fun And Profit Written by
The inception bar: a new phishing method Written by
JSON hijacking for the modern web Written by
IE11 Information disclosure - local file detection Written by James Lee
SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge) Written by
ĐžŃĐŸĐ±Đ”ĐœĐœĐŸŃŃ‚Đž Safari ĐČ client-side атаĐșах Written by
How do we Stop Spilling the Beans Across Origins? Written by and
Setting arbitrary request headers in Chromium via CRLF injection Written by
I’m harvesting credit card numbers and passwords from your site. Here’s how. Written by
Sending arbitrary IPC messages via overriding Function.prototype.apply Written by
Take Advantage of Out-of-Scope Domains in Bug Bounty Programs Written by

Awesome Web Security / Browser Exploitation / Backend (core of Browser implementation, and often refers to C or C++ part)
Breaking UC Browser Written by
Attacking JavaScript Engines - A case study of JavaScriptCore and CVE-2016-4622 Written by
Three roads lead to Rome Written by
Exploiting a V8 OOB write. Written by
SSD Advisory – Chrome Turbofan Remote Code Execution Written by
Look Mom, I don't use Shellcode - Browser Exploitation Case Study for Internet Explorer 11 Written by
PUSHING WEBKIT'S BUTTONS WITH A MOBILE PWN2OWN EXPLOIT Written by
A Methodical Approach to Browser Exploitation Written by
CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime. Written by
CLEANLY ESCAPING THE CHROME SANDBOX Written by
A Methodical Approach to Browser Exploitation Written by , and

Awesome Web Security / PoCs / Database
js-vuln-db 2,291 about 5 years ago Collection of JavaScript engine CVEs with PoCs by
awesome-cve-poc 3,331 almost 3 years ago Curated list of CVE PoCs by
Some-PoC-oR-ExP 2,397 10 months ago ć„ç§æŒæŽžpoc、Expçš„æ”¶é›†æˆ–çŒ–ć†™ by
uxss-db 686 almost 4 years ago Collection of UXSS CVEs with PoCs by
SPLOITUS Exploits & Tools Search Engine by
Exploit Database ultimate archive of Exploits, Shellcode, and Security Papers by

Awesome Web Security / Cheetsheets
XSS Cheat Sheet - 2018 Edition Written by
Capture the Flag CheatSheet 52 6 months ago Written by

Awesome Web Security / Tools / Auditing
prowler 10,888 4 days ago Tool for AWS security assessment, auditing and hardening by
slurp 2 over 2 years ago Evaluate the security of S3 buckets by
A2SV 627 almost 4 years ago Auto Scanning to SSL Vulnerability by

Awesome Web Security / Tools / Command Injection
commix 4,629 5 days ago Automated All-in-One OS command injection and exploitation tool by

Awesome Web Security / Tools / Reconnaissance
Shodan Shodan is the world's first search engine for Internet-connected devices by
Censys Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by
urlscan.io Service which analyses websites and the resources they request by
ZoomEye Cyberspace Search Engine by
FOFA Cyberspace Search Engine by
NSFOCUS THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL
Photon 11,101 4 months ago Incredibly fast crawler designed for OSINT by
FOCA 2,996 almost 2 years ago FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by
SpiderFoot Open source footprinting and intelligence-gathering tool by
xray 2,208 5 months ago XRay is a tool for recon, mapping and OSINT gathering from public networks by
gitrob 5,951 about 2 years ago Reconnaissance tool for GitHub organizations by
GSIL 2,127 about 1 year ago Github Sensitive Information LeakageGithubæ•æ„ŸäżĄæŻæł„éœČby
raven 778 over 4 years ago raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin by
ReconDog 1,819 almost 4 years ago Reconnaissance Swiss Army Knife by
Databases - start.me Various databases which you can use for your OSINT research by
peoplefindThor the easy way to find people on Facebook by [postkassen](mailto: ?subject=peoplefindthor.dk comments)
tinfoleak 1,934 almost 6 years ago The most complete open-source tool for Twitter intelligence analysis by
Raccoon 3,094 6 months ago High performance offensive security tool for reconnaissance and vulnerability scanning by
Social Mapper 3,811 almost 3 years ago Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf) by
espi0n/Dockerfiles 39 over 6 years ago Dockerfiles for various OSINT tools by
Sublist3r 9,900 4 months ago Sublist3r is a multi-threaded sub-domain enumeration tool for penetration testers by
EyeWitness 18 6 months ago EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible by
subDomainsBrute 3,494 about 2 years ago A simple and fast sub domain brute tool for pentesters by
AQUATONE 5,655 over 2 years ago Tool for Domain Flyovers by
domain_analyzer 1,846 almost 2 years ago Analyze the security of any domain by finding all the information possible by
VirusTotal domain information Searching for domain information by
Certificate Transparency 868 over 1 year ago Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system by
Certificate Search Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by
GSDF 176 almost 7 years ago Domain searcher named GoogleSSLdomainFinder by

Awesome Web Security / Tools / Code Generating
VWGen 84 almost 7 years ago Vulnerable Web applications Generator by

Awesome Web Security / Tools / Fuzzing
wfuzz 5,974 4 months ago Web application bruteforcer by
charsetinspect 26 over 8 years ago Script that inspects multi-byte character sets looking for characters with specific user-defined properties by
IPObfuscator 138 over 2 years ago Simple tool to convert the IP to a DWORD IP by
domato 1,695 7 days ago DOM fuzzer by
FuzzDB 8,265 about 1 year ago Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery
dirhunt 1,775 about 1 year ago Web crawler optimized for searching and analyzing the directory structure of a site by
ssltest Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by
fuzz.txt 2,917 7 days ago Potentially dangerous files by

Awesome Web Security / Tools / Scanning
wpscan 8,642 1 day ago WPScan is a black box WordPress vulnerability scanner by
JoomlaScan 215 over 1 year ago Free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by
WAScan Is an open source web application security scanner that uses "black-box" method, created by
Nuclei 20,882 1 day ago Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by

Awesome Web Security / Tools / Penetration Testing
Burp Suite Burp Suite is an integrated platform for performing security testing of web applications by
TIDoS-Framework 1,781 over 1 year ago A comprehensive web application audit framework to cover up everything from Reconnaissance and OSINT to Vulnerability Analysis by
Astra 2,520 6 months ago Automated Security Testing For REST API's by
aws_pwn 1,172 over 1 year ago A collection of AWS penetration testing junk by
grayhatwarfare Public buckets by

Awesome Web Security / Tools / Offensive
beef 9,890 4 days ago The Browser Exploitation Framework Project by
JShell 511 over 5 years ago Get a JavaScript shell with XSS by
XSStrike 13,398 4 months ago XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by
xssor2 2,138 almost 3 years ago XSS'OR - Hack with JavaScript by
csp evaluator A tool for evaluating content-security-policies by
sqlmap 32,715 14 days ago Automatic SQL injection and database takeover tool
tplmap 3,807 8 months ago Code and Server-Side Template Injection Detection and Exploitation Tool by
dtd-finder 614 10 months ago List DTDs and generate XXE payloads using those local DTDs by
XSRFProbe 1,110 about 1 month ago The Prime CSRF Audit & Exploitation Toolkit by
Open redirect/SSRF payload generator Open redirect/SSRF payload generator by

Awesome Web Security / Tools / Leaking
HTTPLeaks 1,986 about 1 month ago All possible ways, a website can leak HTTP requests by
dvcs-ripper 1,709 5 months ago Rip web accessible (distributed) version control systems: SVN/GIT/HG... by
DVCS-Pillage 314 almost 8 years ago Pillage web accessible GIT, HG and BZR repositories by
GitMiner 2,092 over 4 years ago Tool for advanced mining for content on Github by
gitleaks 18,073 1 day ago Searches full repo history for secrets and keys by
CSS-Keylogging 3,215 almost 7 years ago Chrome extension and Express server that exploits keylogging abilities of CSS by
pwngitmanager 107 over 8 years ago Git manager for pentesters by
snallygaster 2,076 about 19 hours ago Tool to scan for secret files on HTTP servers by
LinkFinder 3,742 8 months ago Python script that finds endpoints in JavaScript files by

Awesome Web Security / Tools / Detecting
sqlchop SQL injection detection engine by
xsschop XSS detection engine by
retire.js 3,698 11 days ago Scanner detecting the use of JavaScript libraries with known vulnerabilities by
malware-jail 462 over 1 year ago Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by
repo-supervisor 640 over 1 year ago Scan your code for security misconfiguration, search for passwords and secrets
bXSS 519 over 1 year ago bXSS is a simple Blind XSS application adapted from by
OpenRASP 2,803 6 months ago An open source RASP solution actively maintained by Baidu Inc. With context-aware detection algorithm the project achieved nearly no false positives. And less than 3% performance reduction is observed under heavy server load
GuardRails A GitHub App that provides security feedback in Pull Requests

Awesome Web Security / Tools / Preventing
DOMPurify 14,146 4 days ago DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by
js-xss 5,229 9 months ago Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by
Acra 1,366 3 months ago Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by
Csper A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by

Awesome Web Security / Tools / Proxy
Charles HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet
mitmproxy 36,986 5 days ago Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by

Awesome Web Security / Tools / Webshell
nano 435 almost 5 years ago Family of code golfed PHP shells by
webshell 10,135 8 months ago This is a webshell open source project by
Weevely 3,208 about 2 months ago Weaponized web shell by
Webshell-Sniper 420 over 3 years ago Manage your website via terminal by
Reverse-Shell-Manager 240 over 1 year ago Reverse Shell Manager via Terminal 
reverse-shell 1,851 11 months ago Reverse Shell as a Service by
PhpSploit 2,228 7 months ago Full-featured C2 framework which silently persists on webserver via evil PHP oneliner by

Awesome Web Security / Tools / Disassembler
plasma 3,049 over 3 years ago Plasma is an interactive disassembler for x86/ARM/MIPS by
radare2 20,791 4 days ago Unix-like reverse engineering framework and commandline tools by
Iaitƍ 1,463 over 3 years ago Qt and C++ GUI for radare2 reverse engineering framework by

Awesome Web Security / Tools / Decompiler
CFR Another java decompiler by

Awesome Web Security / Tools / DNS Rebinding
DNS Rebind Toolkit 486 about 3 years ago DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by
dref 482 over 3 years ago DNS Rebinding Exploitation Framework. Dref does the heavy-lifting for DNS rebinding by
Singularity of Origin 1,037 6 months ago It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine by
Whonow DNS Server 628 almost 3 years ago A malicious DNS server for executing DNS Rebinding attacks on the fly by

Awesome Web Security / Tools / Others
Dnslogger DNS Logger by
CyberChef 29,430 about 1 month ago The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by
ntlm_challenger 143 about 2 years ago Parse NTLM over HTTP challenge messages by
cefdebug 197 over 4 years ago Minimal code to connect to a CEF debugger by
ctftool 1,642 about 3 years ago Interactive CTF Exploration Tool by

Awesome Web Security / Social Engineering Database
haveibeenpwned Check if you have an account that has been compromised in a data breach by

Awesome Web Security / Blogs
Orange Taiwan's talented web penetrator
leavesongs China's talented web penetrator
James Kettle Head of Research at
Broken Browser Fun with Browser Vulnerabilities
Scrutiny Internet Security through Web Browsers by Dhiraj Mishra
BRETT BUERHAUS Vulnerability disclosures and rambles on application security
n0tr00t ~# n0tr00t Security Team
OpnSec Open Mind Security!
RIPS Technologies Write-ups for PHP vulnerabilities
0Day Labs Awesome bug-bounty and challenges writeups
Blog of Osanda Security Researching and Reverse Engineering

Awesome Web Security / Twitter Users
@HackwithGitHub Initiative to showcase open source hacking tools for hackers and pentesters
@filedescriptor Active penetrator often tweets and writes useful articles
@cure53berlin is a German cybersecurity firm
@XssPayloads The wonderland of JavaScript unexpected usages, and more
@kinugawamasato Japanese web penetrator
@h3xstream Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero
@garethheyes English web penetrator
@hasegawayosuke Japanese javascript security researcher
@shhnjk Web and Browsers Security Researcher

Awesome Web Security / Practices / Application
OWASP Juice Shop 10,530 6 days ago Probably the most modern and sophisticated insecure web application - Written by and the team
BadLibrary 58 11 months ago Vulnerable web application for training - Written by
Hackxor Realistic web application hacking game - Written by
SELinux Game Learn SELinux by doing. Solve Puzzles, show skillz - Written by
Portswigger Web Security Academy Free trainings and labs - Written by

Awesome Web Security / Practices / AWS
FLAWS Amazon AWS CTF challenge - Written by
CloudGoat 2,982 13 days ago Rhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool - Written by

Awesome Web Security / Practices / XSS
XSS game Google XSS Challenge - Written by Google
prompt(1) to win Complex 16-Level XSS Challenge held in summer 2014 (+4 Hidden Levels) - Written by
alert(1) to win Series of XSS challenges - Written by
XSS Challenges Series of XSS challenges - Written by yamagata21

Awesome Web Security / Practices / ModSecurity / OWASP ModSecurity Core Rule Set
ModSecurity / OWASP ModSecurity Core Rule Set Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by

Awesome Web Security / Community
Reddit
Stack Overflow

Awesome Web Security / Miscellaneous
awesome-bug-bounty 4,691 11 months ago Comprehensive curated list of available Bug Bounty & Disclosure Programs and write-ups by
bug-bounty-reference 3,766 4 months ago List of bug bounty write-up that is categorized by the bug nature by
Google VRP and Unicorns Written by
Brute Forcing Your Facebook Email and Phone Number Written by
Pentest + Exploit dev Cheatsheet wallpaper Penetration Testing and Exploit Dev CheatSheet
The Definitive Security Data Science and Machine Learning Guide Written by JASON TROS
EQGRP 4,099 over 7 years ago Decrypted content of eqgrp-auction-file.tar.xz by
notes 1,268 over 5 years ago Some public notes by
A glimpse into GitHub's Bug Bounty workflow Written by
Cybersecurity Campaign Playbook Written by
Infosec_Reference 5,589 6 months ago Information Security Reference That Doesn't Suck by
Internet of Things Scanner Check if your internet-connected devices at home are public on Shodan by
The Bug Hunters Methodology v2.1 Written by
$7.5k Google services mix-up Written by
How I exploited ACME TLS-SNI-01 issuing Let's Encrypt SSL-certs for any domain using shared hosting Written by
TL:DR: VPN leaks users’ IPs via WebRTC. I’ve tested seventy VPN providers and 16 of them leaks users’ IPs via WebRTC (23%) Written by
Escape and Evasion Egressing Restricted Networks Written by
Be careful what you copy: Invisibly inserting usernames into text with Zero-Width Characters Written by
Domato Fuzzer's Generation Engine Internals Written by
CSS Is So Overpowered It Can Deanonymize Facebook Users Written by
Introduction to Web Application Security Written by , and
Finding The Real Origin IPs Hiding Behind CloudFlare or TOR Written by
Why Facebook's api starts with a for loop Written by
How I could have stolen your photos from Google - my first 3 bug bounty writeups Written by
An example why NAT is NOT security Written by
WEB APPLICATION PENETRATION TESTING NOTES Written by
Hacking with a Heads Up Display Written by
Alexa Top 1 Million Security - Hacking the Big Ones Written by
The bug bounty program that changed my life Written by
List of bug bounty writeups Written by
Implications of Loading .NET Assemblies Written by
WCTF2019: Gyotaku The Flag Written by
How we abused Slack's TURN servers to gain access to internal services Written by
DOS File Path Magic Tricks Written by
How I got my first big bounty payout with Tesla Written by

Backlinks from these awesome lists:

More related projects: