
Awesome Web Security

🐶 A curated list of Web Security materials and resources.


Last Update: Dec. 4, 2020, 6:06 a.m.

Thank you qazbnm456 & contributors
View Topic on GitHub:
qazbnm456/awesome-web-security


Digests

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
93d
MIT

Field Guide by Trails of Bits.

A weekly distillation of the best security tools, blog posts, and conference talks, covering AppSec, cloud and container security, DevSecOps, and more.

Forums

Ezine written by and for hackers.

Security in a serious way.

The security podcast network.

Biting the hand that feeds IT.

Connecting The Information Security Community.

Dig high-quality web security articles for hackers.

XSS - Cross-Site Scripting

HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors

2.46K
375
11m
MPL-2.0

Awesome XSS stuff

3.22K
535
9m
MIT

An XSS mind map ;)

22
134
4y 10m
n/a

🎯 Cross Site Scripting (XSS) Vulnerability Payload List

1.45K
500
5m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
93d
MIT

Prototype Pollution

CSV Injection

SQL Injection

🎯 SQL Injection Payload List

468
179
11m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
93d
MIT

Command Injection

The Ruby Programming Language [mirror]

17.25K
4.59K
92d
n/a

🎯 Command Injection Payload List

581
169
11m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
93d
MIT

ORM Injection

FTP Injection

XXE - XML eXternal Entity

🎯 XML External Entity (XXE) Injection Payload List

245
92
11m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
93d
MIT

CSRF - Cross-Site Request Forgery

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
93d
MIT

Clickjacking

SSRF - Server-Side Request Forgery

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
93d
MIT

Web Cache Poisoning

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
93d
MIT

Relative Path Overwrite

Open Redirect

🎯 Open Redirect Payload List

184
74
10m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
93d
MIT

Security Assertion Markup Language (SAML)

Upload

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
93d
MIT

Rails

AngularJS

ReactJS

SSL/TLS

Tutorial on setting up security for your API with one-way authentication over TLS/SSL and mutual authentication for a Java-based web server and a client, both built with Spring Boot. Different clients are provided, such as Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient (Jetty and Netty), the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, the Scala clients Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala and Http4s Blaze, and the Kotlin clients Fuel, Kohttp and ktor. Other server examples are also available, such as Jersey with Grizzly.

119
44
12d
Apache-2.0

Webmail

NFS

AWS

Azure

Sub Domain Enumeration

Crypto

Web Shell

OSINT

DNS Rebinding

Deserialization

OAuth

JWT

XXE

CSP

WAF

JSMVC

Authentication

CSRF

Clickjacking

Remote Code Execution

XSS

SQL Injection

NoSQL Injection

FTP Injection

XXE

SSRF

Web Cache Poisoning

Header Injection

URL

Deserialization

OAuth

Others

Frontend (like SOP bypass, URL spoofing, and something like that)

Backend (core of Browser implementation, and often refers to C or C++ part)

Database

A collection of JavaScript engine CVEs with PoCs

1.91K
383
1y 93d
n/a

✍️ A curated list of CVE PoCs.

2.5K
614
4m
n/a

Collection or authoring of PoCs and exploits for various vulnerabilities

1.33K
788
31d
n/a

🔪Browser logic vulnerabilities

535
84
2y 56d
MIT

Exploits & Tools Search Engine by @i_bo0om.

Cheatsheets

Auditing

Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls listed here https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf and more than 100 additional checks that help with GDPR, HIPAA and other security requirements.

2.84K
534
3d
n/a

Auto Scanning to SSL Vulnerability

496
146
8d
MIT

Command Injection

Automated All-in-One OS command injection and exploitation tool.

2.45K
572
7d
n/a

OSINT - Open-Source Intelligence

Incredibly fast crawler designed for OSINT.

7.33K
1.01K
12m
GPL-3.0

Tool to find metadata and hidden information in the documents.

1.34K
343
7m
GPL-3.0

XRay is a tool for recon, mapping and OSINT gathering from public networks.

1.49K
236
2y 36d
GPL-3.0

Reconnaissance tool for GitHub organizations

4.89K
703
2y 5m
MIT

GitHub Sensitive Information Leakage (GitHub sensitive information leakage monitoring)

1.58K
413
1y 6m
GPL-3.0

raven is a LinkedIn information gathering tool that can be used by pentesters to gather information about an organization's employees using LinkedIn.

721
163
6m
n/a

Reconnaissance Swiss Army Knife

999
260
1y 7m
Apache-2.0

The most complete open-source tool for Twitter intelligence analysis

1.42K
213
2y 7m
CC-BY-SA-4.0

A high performance offensive security tool for reconnaissance and vulnerability scanning

1.94K
295
2y 11d
MIT

A Social Media Enumeration & Correlation Tool by Jacob Wilkin (Greenwolf)

2.97K
696
80d
GPL-3.0

Shodan is the world's first search engine for Internet-connected devices by @shodanhq.

Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.

Free URL Scanner & domain information.

Cyberspace Search Engine by @zoomeye_team.

Cyberspace Search Engine by BAIMAOHUI.

THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.

Open source footprinting and intelligence-gathering tool by @binarypool.

Various databases which you can use for your OSINT research by @technisette.

The easy way to find people on Facebook by postkassen.

Sub Domain Enumeration

Fast subdomains enumeration tool for penetration testers

5.4K
1.37K
4m
GPL-2.0

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

2.74K
605
44d
GPL-3.0

A fast subdomain brute-force tool for pentesters

2.22K
864
36d
n/a

A Tool for Domain Flyovers

3.8K
681
1y 6m
MIT

Analyze the security of any domain by finding all the information possible. Made in python.

1.6K
227
3y 88d
n/a

Auditing for TLS certificates.

756
299
1y 4m
Apache-2.0

A domain searcher named GoogleSSLdomainFinder - a subdomain lookup tool based on Google's SSL certificate transparency logs

153
54
2y 10m
Apache-2.0

Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by @crtsh.

Code Generating

Vulnerable Web applications Generator

72
15
2y 12m
n/a

Fuzzing

Web application fuzzer

3.28K
833
6d
GPL-2.0

A script that inspects multi-byte character sets looking for characters with specific user-defined properties

22
8
4y 5m
n/a

A simple tool to convert the IP to a DWORD IP

101
37
4y 7m
n/a

DOM fuzzer

1.27K
246
57d
Apache-2.0

Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.

5.2K
1.55K
9m
n/a

Find web directories without bruteforce

932
165
16d
MIT

Potentially dangerous files

1.31K
242
22d
n/a

Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.

Scanning

WPScan is a free, for non-commercial use, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites.

5.33K
952
4d
n/a

A free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan.

132
53
81d
GPL-3.0

WAScan - Web Application Scanner

1.85K
474
10m
GPL-3.0

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.

1.43K
209
60d
MIT

Penetration Testing

The Offensive Manual Web Application Penetration Testing Framework.

1.21K
314
30d
GPL-3.0

Automated Security Testing For REST APIs

1.67K
264
1y 8m
Apache-2.0

A collection of AWS penetration testing junk

861
141
3y 52d
n/a

Burp Suite is an integrated platform for performing security testing of web applications by portswigger.

XSS - Cross-Site Scripting

The Browser Exploitation Framework Project

5.37K
1.29K
40d
n/a

JShell - Get a JavaScript shell with XSS.

373
113
1y 7m
n/a

Most advanced XSS scanner.

8.68K
1.25K
11m
GPL-3.0

XSS'OR - Hack with JavaScript.

1.85K
361
107d
BSD-2-Clause

A tool for evaluating content-security-policies by Csper.

SQL Injection

Automatic SQL injection and database takeover tool

18.79K
4.07K
2d
n/a

Template Injection

Server-Side Template Injection and Code Injection Detection and Exploitation Tool

2K
450
37d
GPL-3.0

XXE

List DTDs and generate XXE payloads using those local DTDs.

320
63
49d
n/a

Cross Site Request Forgery

The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.

418
113
117d
GPL-3.0

Server-Side Request Forgery

Leaking

HTTPLeaks - All possible ways a website can leak HTTP requests

1.3K
160
4m
BSD-2-Clause

Rip web accessible (distributed) version control systems: SVN/GIT/HG...

1.18K
265
109d
GPL-2.0

Pillage web accessible GIT, HG and BZR repositories

278
61
3y 10m
n/a

Tool for advanced mining for content on Github

1.77K
408
11m
GPL-3.0

Scan git repos for secrets using regex and entropy 🔑

6.77K
570
13d
MIT

Chrome extension and Express server that exploits keylogging abilities of CSS.

2.98K
429
2y 9m
n/a

Git manager for pentesters

101
23
4y 6m
n/a

Tool to scan for secret files on HTTP servers

1.74K
200
29d
CC0-1.0

A python script that finds endpoints in JavaScript files

1.69K
356
5m
MIT

Detecting

Scanner detecting the use of JavaScript libraries with known vulnerabilities

2.6K
314
38d
n/a

Sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. Written for Node.js

345
91
1y 119d
MIT

Scan your code for security misconfiguration, search for passwords and secrets.

459
79
43d
MIT

bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.

315
58
10m
MIT

🔥Open source RASP solution

1.64K
403
3d
Apache-2.0

SQL injection detection engine by chaitin.

XSS detection engine by chaitin.

Preventing

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

6.22K
407
8d
n/a

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist

3.77K
509
39d
n/a

Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.

662
77
31d
Apache-2.0

A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.

Proxy

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

20.78K
2.67K
5d
MIT

HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

Webshell

Nano is a family of PHP web shells which are code golfed for stealth.

384
88
1y 7m
n/a

This is a webshell open source project

6.29K
4.51K
16d
GPL-3.0

Weaponized web shell

2.12K
495
90d
GPL-3.0

Manage your website via terminal

351
104
1y 8m
GPL-3.0

A multiple reverse shell session/client manager via terminal

165
55
67d
n/a

Reverse Shell as a Service

1.2K
156
45d
MIT

Full-featured C2 framework which silently persists on webserver via evil PHP oneliner

981
302
94d
GPL-3.0

Disassembler

Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax.

2.89K
302
1y 9m
GPL-3.0

UNIX-like reverse engineering framework and command-line toolset

13.49K
2.35K
5d
LGPL-3.0

This project has been moved to:

1.52K
133
3y 71d
GPL-3.0

Decompiler

CFR

Another Java decompiler by @LeeAtBenf.

DNS Rebinding

A front-end JavaScript toolkit for creating DNS rebinding attacks.

427
80
2y 5m
MIT

DNS Rebinding Exploitation Framework

414
61
64d
n/a

A DNS rebinding attack framework.

584
94
6m
MIT

A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)

507
82
2y 5m
MIT

Others

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

10.65K
1.4K
5m
Apache-2.0

Parse NTLM challenge messages over HTTP and SMB

104
16
8m
MIT

Minimal code to connect to a CEF debugger.

119
18
5m
Apache-2.0

Interactive CTF Exploration Tool

1.5K
261
1y 113d
Apache-2.0

Social Engineering Database

Check if you have an account that has been compromised in a data breach by Troy Hunt.

Blogs

Taiwan's talented web penetrator.

China's talented web penetrator.

Fun with Browser Vulnerabilities.

Internet Security through Web Browsers by Dhiraj Mishra.

Vulnerability disclosures and rambles on application security.

n0tr00t Security Team.

Open Mind Security!

Write-ups for PHP vulnerabilities.

Awesome bug-bounty and challenges writeups.

Security Researching and Reverse Engineering.

Twitter Users

Initiative to showcase open source hacking tools for hackers and pentesters

Active penetrator often tweets and writes useful articles

Cure53 (https://cure53.de/) is a German cybersecurity firm.

The wonderland of JavaScript unexpected usages, and more.

Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.

Japanese JavaScript security researcher.

Web and Browsers Security Researcher.

Application

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

4.03K
2.71K
12d
MIT

Vulnerable web application for training

51
4
2y 7m
MIT

Realistic web application hacking game - Written by @albinowax.

Learn SELinux by doing. Solve Puzzles, show skillz - Written by @selinuxgame.

AWS

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool

1.01K
201
23d
BSD-3-Clause

Amazon AWS CTF challenge - Written by @0xdabbad00.

XSS

Google XSS Challenge - Written by Google.

Series of XSS challenges - Written by @steike.

Series of XSS challenges - Written by yamagata21.

ModSecurity / OWASP ModSecurity Core Rule Set

Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by @ChrFolini.

Community

Miscellaneous

A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.

2.56K
666
9m
CC0-1.0

Inspired by https://github.com/djadmin/awesome-bug-bounty, a list of bug bounty write-ups categorized by the nature of the bug

2.3K
782
40d
n/a

Decrypted content of eqgrp-auction-file.tar.xz

3.67K
2.11K
3y 7m
n/a

Some public notes

1.24K
86
1y 4m
n/a

An Information Security Reference That Doesn't Suck

3.4K
813
26d
MIT

Penetration Testing and Exploit Dev CheatSheet.

Check if your internet-connected devices at home are public on Shodan by BullGuard.