awesome-web-security

đŸ¶ A curated list of Web Security materials and resources.

GitHub

11k stars
380 watching
2k forks
last commit: 8 months ago
Linked from 8 awesome lists

awesomeawesome-listlistpenetration-testingsecuritywebwebsecurity

Awesome Web Security / Digests

Hacker101 Written by
The Daily Swig - Web security digest Written by
Web Application Security Zone by Netsparker Written by
Infosec Newbie Written by
The Magic of Learning Written by
CTF Field Guide Written by
PayloadsAllTheThings 60,304 20 days ago Written by
tl;dr sec Weekly summary of top security tools, blog posts, and security research

Awesome Web Security / Forums

Phrack Magazine Ezine written by and for hackers
The Hacker News Security in a serious way
Security Weekly The security podcast network
The Register Biting the hand that feeds IT
Dark Reading Connecting The Information Security Community
HackDig Dig high-quality web security articles for hacker

Awesome Web Security / Introduction / XSS - Cross-Site Scripting

Cross-Site Scripting – Application Security – Google Written by
H5SC 2,844 over 2 years ago Written by
AwesomeXSS 4,758 6 months ago Written by
XSS.png 56 over 8 years ago Written by @jackmasa
C.XSS Guide Written by and
THE BIG BAD WOLF - XSS AND MAINTAINING ACCESS Written by
payloadbox/xss-payload-list 6,193 3 months ago Written by
PayloadsAllTheThings - XSS Injection 60,304 20 days ago Written by

Awesome Web Security / Introduction / Prototype Pollution

Prototype pollution attack in NodeJS application 513 4 months ago Written by
Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) Written by
Real-world JS - 1 Written by

Awesome Web Security / Introduction / CSV Injection

CSV Injection -> Meterpreter on Pornhub Written by
The Absurdly Underestimated Dangers of CSV Injection Written by
PayloadsAllTheThings - CSV Injection 60,304 20 days ago Written by

Awesome Web Security / Introduction / SQL Injection

SQL Injection Cheat Sheet Written by
SQL Injection Wiki Written by
SQL Injection Pocket Reference Written by
payloadbox/sql-injection-payload-list 4,834 3 months ago Written by
PayloadsAllTheThings - SQL Injection 60,304 20 days ago Written by

Awesome Web Security / Introduction / Command Injection

Potential command injection in resolv.rb 21,953 12 days ago Written by
payloadbox/command-injection-payload-list 2,907 3 months ago Written by
PayloadsAllTheThings - Command Injection 60,304 20 days ago Written by

Awesome Web Security / Introduction / ORM Injection

HQL for pentesters Written by
HQL : Hyperinsane Query Language (or how to access the whole SQL API within a HQL injection ?) Written by
ORM2Pwn: Exploiting injections in Hibernate ORM Written by
ORM Injection Written by

Awesome Web Security / Introduction / FTP Injection

Advisory: Java/Python FTP Injections Allow for Firewall Bypass Written by
SMTP over XXE − how to send emails using Java's XML parser Written by

Awesome Web Security / Introduction / XXE - XML eXternal Entity

XXE Written by
XML external entity (XXE) injection Written by
XML Schema, DTD, and Entity Attacks Written by and Omar Al Ibrahim
payloadbox/xxe-injection-payload-list 1,069 3 months ago Written by
PayloadsAllTheThings - XXE Injection 60,304 20 days ago Written by various contributors

Awesome Web Security / Introduction / CSRF - Cross-Site Request Forgery

Wiping Out CSRF Written by
PayloadsAllTheThings - CSRF Injection 60,304 20 days ago Written by

Awesome Web Security / Introduction / Clickjacking

Clickjacking Written by
X-Frame-Options: All about Clickjacking? 67 about 2 years ago Written by

Awesome Web Security / Introduction / SSRF - Server-Side Request Forgery

SSRF bible. Cheatsheet Written by
PayloadsAllTheThings - Server-Side Request Forgery 60,304 20 days ago Written by

Awesome Web Security / Introduction / Web Cache Poisoning

Practical Web Cache Poisoning Written by
PayloadsAllTheThings - Web Cache Deception 60,304 20 days ago Written by

Awesome Web Security / Introduction / Relative Path Overwrite

Large-scale analysis of style injection by relative path overwrite Written by
MBSD Technical Whitepaper - A few RPO exploitation techniques Written by

Awesome Web Security / Introduction / Open Redirect

Open Redirect Vulnerability Written by
payloadbox/open-redirect-payload-list 512 3 months ago Written by
PayloadsAllTheThings - Open Redirect 60,304 20 days ago Written by

Awesome Web Security / Introduction / Security Assertion Markup Language (SAML)

How to Hunt Bugs in SAML; a Methodology - Part I Written by
How to Hunt Bugs in SAML; a Methodology - Part II Written by
How to Hunt Bugs in SAML; a Methodology - Part III Written by
PayloadsAllTheThings - SAML Injection 60,304 20 days ago Written by

Awesome Web Security / Introduction / Upload

File Upload Restrictions Bypass Written by
PayloadsAllTheThings - Upload Insecure Files 60,304 20 days ago Written by

Awesome Web Security / Introduction / Rails

Rails Security - First part Written by
Zen Rails Security Checklist 1,810 over 4 years ago Written by
Rails SQL Injection Written by
Official Rails Security Guide Written by

Awesome Web Security / Introduction / AngularJS

XSS without HTML: Client-Side Template Injection with AngularJS Written by
DOM based Angular sandbox escapes Written by

Awesome Web Security / Introduction / ReactJS

XSS via a spoofed React element Written by

Awesome Web Security / Introduction / SSL/TLS

SSL & TLS Penetration Testing Written by
Practical introduction to SSL/TLS 564 about 1 month ago Written by

Awesome Web Security / Introduction / Webmail

Why mail() is dangerous in PHP Written by

Awesome Web Security / Introduction / NFS

NFS | PENETRATION TESTING ACADEMY Written by

Awesome Web Security / Introduction / AWS

PENETRATION TESTING AWS STORAGE: KICKING THE S3 BUCKET Written by Dwight Hohnstein from
AWS PENETRATION TESTING PART 1. S3 BUCKETS Written by
AWS PENETRATION TESTING PART 2. S3, IAM, EC2 Written by
Misadventures in AWS Written by Christian Demko

Awesome Web Security / Introduction / Azure

Common Azure Security Vulnerabilities and Misconfigurations Written by
Cloud Security Risks (Part 1): Azure CSV Injection Vulnerability Written by

Awesome Web Security / Introduction / Sub Domain Enumeration

A penetration tester’s guide to sub-domain enumeration Written by
The Art of Subdomain Enumeration Written by

Awesome Web Security / Introduction / Crypto

Applied Crypto Hardening Written by
What is a Side-Channel Attack ? Written by

Awesome Web Security / Introduction / Web Shell

Hunting for Web Shells Written by
Hacking with JSP Shells Written by

Awesome Web Security / Introduction / OSINT

Hacking Cryptocurrency Miners with OSINT Techniques Written by
OSINT x UCCU Workshop on Open Source Intelligence Written by
102 Deep Dive in the Dark Web OSINT Style Kirby Plessas Presented by
The most complete guide to finding anyone’s email Written by

Awesome Web Security / Introduction / DNS Rebinding

Attacking Private Networks from the Internet with DNS Rebinding Written by
Hacking home routers from the Internet Written by

Awesome Web Security / Introduction / Deserialization

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. Written by
Attacking .NET deserialization Written by
.NET Roulette: Exploiting Insecure Deserialization in Telerik UI Written by
How to exploit the DotNetNuke Cookie Deserialization Written by
HOW TO EXPLOIT LIFERAY CVE-2020-7961 : QUICK JOURNEY TO POC Written by

Awesome Web Security / Introduction / OAuth

Introduction to OAuth 2.0 and OpenID Connect Written by
What is going on with OAuth 2.0? And why you should not use it for authentication. Written by

Awesome Web Security / Introduction / JWT

Hardcoded secrets, unverified tokens, and other common JWT mistakes Written by

Awesome Web Security / Evasions / XXE

Bypass Fix of OOB XXE Using Different encoding Written by

Awesome Web Security / Evasions / CSP

Any protection against dynamic module import? 207 27 days ago Written by
CSP: bypassing form-action with reflected XSS Written by
TWITTER XSS + CSP BYPASS Written by
Neatly bypassing CSP Written by
Evading CSP with DOM-based dangling markup Written by
GitHub's CSP journey Written by
GitHub's post-CSP journey Written by

Awesome Web Security / Evasions / WAF

Web Application Firewall (WAF) Evasion Techniques Written by
Web Application Firewall (WAF) Evasion Techniques #2 Written by
Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities Written by
How to bypass libinjection in many WAF/NGWAF Written by

Awesome Web Security / Evasions / JSMVC

JavaScript MVC and Templating Frameworks Written by

Awesome Web Security / Evasions / Authentication

Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) Written by and

Awesome Web Security / Tricks / CSRF

Neat tricks to bypass CSRF-protection Written by
Exploiting CSRF on JSON endpoints with Flash and redirects Written by
Stealing CSRF tokens with CSS injection (without iFrames) 315 over 6 years ago Written by
Cracking Java’s RNG for CSRF - Javax Faces and Why CSRF Token Randomness Matters Written by
If HttpOnly You Could Still CSRF
 Of CORS you can! Written by

Awesome Web Security / Tricks / Clickjacking

Clickjackings in Google worth 14981.7$ Written by

Awesome Web Security / Tricks / Remote Code Execution

CVE-2019-1306: ARE YOU MY INDEX? Written by
WebLogic RCE (CVE-2019-2725) Debug Diary Written by Badcode@Knownsec 404 Team
What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. Written by
Exploiting Node.js deserialization bug for Remote Code Execution Written by
DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE Written by
How we exploited a remote code execution vulnerability in math.js Written by
GitHub Enterprise Remote Code Execution Written by
Evil Teacher: Code Injection in Moodle Written by
How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Written by
$36k Google App Engine RCE Written by
Poor RichFaces Written by
Remote Code Execution on a Facebook server Written by

Awesome Web Security / Tricks / XSS

Exploiting XSS with 20 characters limitation Written by
Upgrade self XSS to Exploitable XSS an 3 Ways Technic Written by
XSS without parentheses and semi-colons Written by
XSS-Auditor — the protector of unprotected and the deceiver of protected. Written by
Query parameter reordering causes redirect page to render unsafe URL Written by
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else Written by
How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) Written by
DON'T TRUST THE DOM: BYPASSING XSS MITIGATIONS VIA SCRIPT GADGETS Written by , , and
Uber XSS via Cookie Written by
DOM XSS – auth.uber.com Written by
Stored XSS on Facebook Written by
XSS in Google Colaboratory + CSP bypass Written by
Another XSS in Google Colaboratory Written by
is filtered ? Written by
$20000 Facebook DOM XSS Written by

Awesome Web Security / Tricks / SQL Injection

MySQL Error Based SQL Injection Using EXP Written by
SQL injection in an UPDATE query - a bug bounty story! Written by
GitHub Enterprise SQL Injection Written by
Making a Blind SQL Injection a little less blind Written by
Red Team Tales 0x01: From MSSQL to RCE Written by
SQL INJECTION AND POSTGRES - AN ADVENTURE TO EVENTUAL RCE Written by

Awesome Web Security / Tricks / NoSQL Injection

GraphQL NoSQL Injection Through JSON Types Written by

Awesome Web Security / Tricks / FTP Injection

XML Out-Of-Band Data Retrieval Written by and Alexey Osipov
XXE OOB exploitation at Java 1.7+ Written by

Awesome Web Security / Tricks / XXE

Evil XML with two encodings Written by
XXE in WeChat Pay Sdk ( WeChat leave a backdoor on merchant websites) Written by
XML Out-Of-Band Data Retrieval Written by Timur Yunusov and Alexey Osipov
XXE OOB exploitation at Java 1.7+ (2014) : Exfiltration using FTP protocol - Written by
XXE OOB extracting via HTTP+FTP using single opened port Written by
What You Didn't Know About XML External Entities Attacks Written by
Pre-authentication XXE vulnerability in the Services Drupal module Written by
Forcing XXE Reflection through Server Error Messages Written by
Exploiting XXE with local DTD files Written by
Automating local DTD discovery for XXE exploitation Written by

Awesome Web Security / Tricks / SSRF

AWS takeover through SSRF in JavaScript Written by
SSRF in Exchange leads to ROOT access in all instances Written by
SSRF to ROOT Access A $25k bounty for SSRF leading to ROOT Access in all instances by
PHP SSRF Techniques Written by
SSRF in https://imgur.com/vidgif/url Written by
All you need to know about SSRF and how may we write tools to do auto-detect Written by
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! Written by
SSRF Tips Written by
Into the Borg – SSRF inside Google production network Written by
Piercing the Veil: Server Side Request Forgery to NIPRNet access Written by

Awesome Web Security / Tricks / Web Cache Poisoning

Bypassing Web Cache Poisoning Countermeasures Written by
Cache poisoning and other dirty tricks Written by

Awesome Web Security / Tricks / Header Injection

Java/Python FTP Injections Allow for Firewall Bypass Written by

Awesome Web Security / Tricks / URL

Some Problems Of URLs Written by
Phishing with Unicode Domains Written by
Unicode Domains are bad and you should feel bad for supporting them Written by
[dev.twitter.com] XSS Written by

Awesome Web Security / Tricks / Deserialization

ASP.NET resource files (.RESX) and deserialisation issues Written by

Awesome Web Security / Tricks / OAuth

Facebook OAuth Framework Vulnerability Written by

Awesome Web Security / Tricks / Others

How I hacked Google’s bug tracking system itself for $15,600 in bounties Written by
Some Tricks From My Secret Group Written by
Inducing DNS Leaks in Onion Web Services 42 about 6 years ago Written by
Stored XSS, and SSRF in Google using the Dataset Publishing Language Written by

Awesome Web Security / Browser Exploitation / Frontend (like SOP bypass, URL spoofing, and something like that)

The world of Site Isolation and compromised renderer Written by
The Cookie Monster in Your Browsers Written by
Bypassing Mobile Browser Security For Fun And Profit Written by
The inception bar: a new phishing method Written by
JSON hijacking for the modern web Written by
IE11 Information disclosure - local file detection Written by James Lee
SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge) Written by
ĐžŃĐŸĐ±Đ”ĐœĐœĐŸŃŃ‚Đž Safari ĐČ client-side атаĐșах Written by
How do we Stop Spilling the Beans Across Origins? Written by and
Setting arbitrary request headers in Chromium via CRLF injection Written by
I’m harvesting credit card numbers and passwords from your site. Here’s how. Written by
Sending arbitrary IPC messages via overriding Function.prototype.apply Written by
Take Advantage of Out-of-Scope Domains in Bug Bounty Programs Written by

Awesome Web Security / Browser Exploitation / Backend (core of Browser implementation, and often refers to C or C++ part)

Breaking UC Browser Written by
Attacking JavaScript Engines - A case study of JavaScriptCore and CVE-2016-4622 Written by
Three roads lead to Rome Written by
Exploiting a V8 OOB write. Written by
SSD Advisory – Chrome Turbofan Remote Code Execution Written by
Look Mom, I don't use Shellcode - Browser Exploitation Case Study for Internet Explorer 11 Written by
PUSHING WEBKIT'S BUTTONS WITH A MOBILE PWN2OWN EXPLOIT Written by
A Methodical Approach to Browser Exploitation Written by
CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime. Written by
CLEANLY ESCAPING THE CHROME SANDBOX Written by
A Methodical Approach to Browser Exploitation Written by , and

Awesome Web Security / PoCs / Database

js-vuln-db 2,276 about 5 years ago Collection of JavaScript engine CVEs with PoCs by
awesome-cve-poc 3,301 almost 3 years ago Curated list of CVE PoCs by
Some-PoC-oR-ExP 2,371 8 months ago ć„ç§æŒæŽžpoc、Expçš„æ”¶é›†æˆ–çŒ–ć†™ by
uxss-db 684 over 3 years ago Collection of UXSS CVEs with PoCs by
SPLOITUS Exploits & Tools Search Engine by
Exploit Database ultimate archive of Exploits, Shellcode, and Security Papers by

Awesome Web Security / Cheetsheets

XSS Cheat Sheet - 2018 Edition Written by
Capture the Flag CheatSheet 42 4 months ago Written by

Awesome Web Security / Tools / Auditing

prowler 10,641 5 days ago Tool for AWS security assessment, auditing and hardening by
slurp 2 about 2 years ago Evaluate the security of S3 buckets by
A2SV 618 almost 4 years ago Auto Scanning to SSL Vulnerability by

Awesome Web Security / Tools / Command Injection

commix 4,531 4 days ago Automated All-in-One OS command injection and exploitation tool by

Awesome Web Security / Tools / Reconnaissance

Shodan Shodan is the world's first search engine for Internet-connected devices by
Censys Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by
urlscan.io Service which analyses websites and the resources they request by
ZoomEye Cyberspace Search Engine by
FOFA Cyberspace Search Engine by
NSFOCUS THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL
Photon 10,931 about 2 months ago Incredibly fast crawler designed for OSINT by
FOCA 2,916 almost 2 years ago FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by
SpiderFoot Open source footprinting and intelligence-gathering tool by
xray 2,190 3 months ago XRay is a tool for recon, mapping and OSINT gathering from public networks by
gitrob 5,902 about 2 years ago Reconnaissance tool for GitHub organizations by
GSIL 2,119 10 months ago Github Sensitive Information LeakageGithubæ•æ„ŸäżĄæŻæł„éœČby
raven 773 over 4 years ago raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin by
ReconDog 1,793 over 3 years ago Reconnaissance Swiss Army Knife by
Databases - start.me Various databases which you can use for your OSINT research by
peoplefindThor the easy way to find people on Facebook by [postkassen](mailto: ?subject=peoplefindthor.dk comments)
tinfoleak 1,919 over 5 years ago The most complete open-source tool for Twitter intelligence analysis by
Raccoon 3,075 4 months ago High performance offensive security tool for reconnaissance and vulnerability scanning by
Social Mapper 3,772 over 2 years ago Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf) by
espi0n/Dockerfiles 38 about 6 years ago Dockerfiles for various OSINT tools by
Sublist3r 9,713 2 months ago Sublist3r is a multi-threaded sub-domain enumeration tool for penetration testers by
EyeWitness 11 4 months ago EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible by
subDomainsBrute 3,460 about 2 years ago A simple and fast sub domain brute tool for pentesters by
AQUATONE 5,605 over 2 years ago Tool for Domain Flyovers by
domain_analyzer 1,842 almost 2 years ago Analyze the security of any domain by finding all the information possible by
VirusTotal domain information Searching for domain information by
Certificate Transparency 869 about 1 year ago Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system by
Certificate Search Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by
GSDF 175 over 6 years ago Domain searcher named GoogleSSLdomainFinder by

Awesome Web Security / Tools / Code Generating

VWGen 83 almost 7 years ago Vulnerable Web applications Generator by

Awesome Web Security / Tools / Fuzzing

wfuzz 5,879 about 2 months ago Web application bruteforcer by
charsetinspect 25 over 8 years ago Script that inspects multi-byte character sets looking for characters with specific user-defined properties by
IPObfuscator 137 about 2 years ago Simple tool to convert the IP to a DWORD IP by
domato 1,673 about 1 month ago DOM fuzzer by
FuzzDB 8,160 11 months ago Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery
dirhunt 1,750 11 months ago Web crawler optimized for searching and analyzing the directory structure of a site by
ssltest Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by
fuzz.txt 2,853 about 2 months ago Potentially dangerous files by

Awesome Web Security / Tools / Scanning

wpscan 8,520 27 days ago WPScan is a black box WordPress vulnerability scanner by
JoomlaScan 210 about 1 year ago Free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by
WAScan Is an open source web application security scanner that uses "black-box" method, created by
Nuclei 20,069 9 days ago Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by

Awesome Web Security / Tools / Penetration Testing

Burp Suite Burp Suite is an integrated platform for performing security testing of web applications by
TIDoS-Framework 1,768 over 1 year ago A comprehensive web application audit framework to cover up everything from Reconnaissance and OSINT to Vulnerability Analysis by
Astra 2,486 4 months ago Automated Security Testing For REST API's by
aws_pwn 1,165 about 1 year ago A collection of AWS penetration testing junk by
grayhatwarfare Public buckets by

Awesome Web Security / Tools / Offensive

beef 9,717 21 days ago The Browser Exploitation Framework Project by
JShell 508 over 5 years ago Get a JavaScript shell with XSS by
XSStrike 13,203 2 months ago XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by
xssor2 2,122 almost 3 years ago XSS'OR - Hack with JavaScript by
csp evaluator A tool for evaluating content-security-policies by
sqlmap 32,113 11 days ago Automatic SQL injection and database takeover tool
tplmap 3,746 6 months ago Code and Server-Side Template Injection Detection and Exploitation Tool by
dtd-finder 601 8 months ago List DTDs and generate XXE payloads using those local DTDs by
XSRFProbe 1,100 5 months ago The Prime CSRF Audit & Exploitation Toolkit by
Open redirect/SSRF payload generator Open redirect/SSRF payload generator by

Awesome Web Security / Tools / Leaking

HTTPLeaks 1,966 17 days ago All possible ways, a website can leak HTTP requests by
dvcs-ripper 1,694 3 months ago Rip web accessible (distributed) version control systems: SVN/GIT/HG... by
DVCS-Pillage 312 over 7 years ago Pillage web accessible GIT, HG and BZR repositories by
GitMiner 2,086 about 4 years ago Tool for advanced mining for content on Github by
gitleaks 17,494 10 days ago Searches full repo history for secrets and keys by
CSS-Keylogging 3,211 over 6 years ago Chrome extension and Express server that exploits keylogging abilities of CSS by
pwngitmanager 106 over 8 years ago Git manager for pentesters by
snallygaster 2,053 2 months ago Tool to scan for secret files on HTTP servers by
LinkFinder 3,647 6 months ago Python script that finds endpoints in JavaScript files by

Awesome Web Security / Tools / Detecting

sqlchop SQL injection detection engine by
xsschop XSS detection engine by
retire.js 3,663 10 days ago Scanner detecting the use of JavaScript libraries with known vulnerabilities by
malware-jail 458 over 1 year ago Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by
repo-supervisor 633 over 1 year ago Scan your code for security misconfiguration, search for passwords and secrets
bXSS 501 over 1 year ago bXSS is a simple Blind XSS application adapted from by
OpenRASP 2,771 4 months ago An open source RASP solution actively maintained by Baidu Inc. With context-aware detection algorithm the project achieved nearly no false positives. And less than 3% performance reduction is observed under heavy server load
GuardRails A GitHub App that provides security feedback in Pull Requests

Awesome Web Security / Tools / Preventing

DOMPurify 13,749 10 days ago DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by
js-xss 5,206 7 months ago Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by
Acra 1,350 19 days ago Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by
Csper A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by

Awesome Web Security / Tools / Proxy

Charles HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet
mitmproxy 36,030 14 days ago Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by

Awesome Web Security / Tools / Webshell

nano 432 over 4 years ago Family of code golfed PHP shells by
webshell 10,038 6 months ago This is a webshell open source project by
Weevely 3,167 5 months ago Weaponized web shell by
Webshell-Sniper 419 over 3 years ago Manage your website via terminal by
Reverse-Shell-Manager 237 over 1 year ago Reverse Shell Manager via Terminal 
reverse-shell 1,842 9 months ago Reverse Shell as a Service by
PhpSploit 2,195 5 months ago Full-featured C2 framework which silently persists on webserver via evil PHP oneliner by

Awesome Web Security / Tools / Disassembler

plasma 3,050 about 3 years ago Plasma is an interactive disassembler for x86/ARM/MIPS by
radare2 20,462 3 days ago Unix-like reverse engineering framework and commandline tools by
Iaitƍ 1,465 over 3 years ago Qt and C++ GUI for radare2 reverse engineering framework by

Awesome Web Security / Tools / Decompiler

CFR Another java decompiler by

Awesome Web Security / Tools / DNS Rebinding

DNS Rebind Toolkit 482 about 3 years ago DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by
dref 479 over 3 years ago DNS Rebinding Exploitation Framework. Dref does the heavy-lifting for DNS rebinding by
Singularity of Origin 1,025 4 months ago It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine by
Whonow DNS Server 620 almost 3 years ago A malicious DNS server for executing DNS Rebinding attacks on the fly by

Awesome Web Security / Tools / Others

Dnslogger DNS Logger by
CyberChef 28,680 about 2 months ago The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by
ntlm_challenger 140 almost 2 years ago Parse NTLM over HTTP challenge messages by
cefdebug 194 over 4 years ago Minimal code to connect to a CEF debugger by
ctftool 1,640 about 3 years ago Interactive CTF Exploration Tool by

Awesome Web Security / Social Engineering Database

haveibeenpwned Check if you have an account that has been compromised in a data breach by

Awesome Web Security / Blogs

Orange Taiwan's talented web penetrator
leavesongs China's talented web penetrator
James Kettle Head of Research at
Broken Browser Fun with Browser Vulnerabilities
Scrutiny Internet Security through Web Browsers by Dhiraj Mishra
BRETT BUERHAUS Vulnerability disclosures and rambles on application security
n0tr00t ~# n0tr00t Security Team
OpnSec Open Mind Security!
RIPS Technologies Write-ups for PHP vulnerabilities
0Day Labs Awesome bug-bounty and challenges writeups
Blog of Osanda Security Researching and Reverse Engineering

Awesome Web Security / Twitter Users

@HackwithGitHub Initiative to showcase open source hacking tools for hackers and pentesters
@filedescriptor Active penetrator often tweets and writes useful articles
@cure53berlin is a German cybersecurity firm
@XssPayloads The wonderland of JavaScript unexpected usages, and more
@kinugawamasato Japanese web penetrator
@h3xstream Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero
@garethheyes English web penetrator
@hasegawayosuke Japanese javascript security researcher
@shhnjk Web and Browsers Security Researcher

Awesome Web Security / Practices / Application

OWASP Juice Shop 10,213 14 days ago Probably the most modern and sophisticated insecure web application - Written by and the team
BadLibrary 57 9 months ago Vulnerable web application for training - Written by
Hackxor Realistic web application hacking game - Written by
SELinux Game Learn SELinux by doing. Solve Puzzles, show skillz - Written by
Portswigger Web Security Academy Free trainings and labs - Written by

Awesome Web Security / Practices / AWS

FLAWS Amazon AWS CTF challenge - Written by
CloudGoat 2,910 10 days ago Rhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool - Written by

Awesome Web Security / Practices / XSS

XSS game Google XSS Challenge - Written by Google
prompt(1) to win Complex 16-Level XSS Challenge held in summer 2014 (+4 Hidden Levels) - Written by
alert(1) to win Series of XSS challenges - Written by
XSS Challenges Series of XSS challenges - Written by yamagata21

Awesome Web Security / Practices / ModSecurity / OWASP ModSecurity Core Rule Set

ModSecurity / OWASP ModSecurity Core Rule Set Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by

Awesome Web Security / Community

Reddit
Stack Overflow

Awesome Web Security / Miscellaneous

awesome-bug-bounty 4,579 9 months ago Comprehensive curated list of available Bug Bounty & Disclosure Programs and write-ups by
bug-bounty-reference 3,710 2 months ago List of bug bounty write-up that is categorized by the bug nature by
Google VRP and Unicorns Written by
Brute Forcing Your Facebook Email and Phone Number Written by
Pentest + Exploit dev Cheatsheet wallpaper Penetration Testing and Exploit Dev CheatSheet
The Definitive Security Data Science and Machine Learning Guide Written by JASON TROS
EQGRP 4,093 over 7 years ago Decrypted content of eqgrp-auction-file.tar.xz by
notes 1,265 about 5 years ago Some public notes by
A glimpse into GitHub's Bug Bounty workflow Written by
Cybersecurity Campaign Playbook Written by
Infosec_Reference 5,535 4 months ago Information Security Reference That Doesn't Suck by
Internet of Things Scanner Check if your internet-connected devices at home are public on Shodan by
The Bug Hunters Methodology v2.1 Written by
$7.5k Google services mix-up Written by
How I exploited ACME TLS-SNI-01 issuing Let's Encrypt SSL-certs for any domain using shared hosting Written by
TL:DR: VPN leaks users’ IPs via WebRTC. I’ve tested seventy VPN providers and 16 of them leaks users’ IPs via WebRTC (23%) Written by
Escape and Evasion Egressing Restricted Networks Written by
Be careful what you copy: Invisibly inserting usernames into text with Zero-Width Characters Written by
Domato Fuzzer's Generation Engine Internals Written by
CSS Is So Overpowered It Can Deanonymize Facebook Users Written by
Introduction to Web Application Security Written by , and
Finding The Real Origin IPs Hiding Behind CloudFlare or TOR Written by
Why Facebook's api starts with a for loop Written by
How I could have stolen your photos from Google - my first 3 bug bounty writeups Written by
An example why NAT is NOT security Written by
WEB APPLICATION PENETRATION TESTING NOTES Written by
Hacking with a Heads Up Display Written by
Alexa Top 1 Million Security - Hacking the Big Ones Written by
The bug bounty program that changed my life Written by
List of bug bounty writeups Written by
Implications of Loading .NET Assemblies Written by
WCTF2019: Gyotaku The Flag Written by
How we abused Slack's TURN servers to gain access to internal services Written by
DOS File Path Magic Tricks Written by
How I got my first big bounty payout with Tesla Written by

Backlinks from these awesome lists: