Awesome Web Security

🐶 A curated list of Web Security materials and resources.

Last Update: Feb. 26, 2021, 6:08 a.m.

Thank you qazbnm456 & contributors
View Topic on GitHub:
qazbnm456/awesome-web-security

Digests

A list of useful payloads and bypass for Web Application Security and Pentest/CTF (stars 16.33K, forks 5.23K, last commit 5m, license MIT)

Field Guide by Trails of Bits.

A weekly distillation of the best security tools, blog posts, and conference talks, covering AppSec, cloud and container security, DevSecOps, and more.

Forums

Ezine written by and for hackers.

Security in a serious way.

The security podcast network.

Biting the hand that feeds IT.

Connecting The Information Security Community.

Dig high-quality web security articles for hackers.

XSS - Cross-Site Scripting

HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors (stars 2.49K, forks 382, last commit 1y 55d, license MPL-2.0)

Awesome XSS stuff (stars 3.32K, forks 559, last commit 45d, license MIT)

A XSS mind map ;) (stars 23, forks 136, last commit 5y 43d, license n/a)

🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List (stars 1.72K, forks 577, last commit 16d, license MIT)

A list of useful payloads and bypass for Web Application Security and Pentest/CTF (stars 16.33K, forks 5.23K, last commit 5m, license MIT)

Prototype Pollution

CSV Injection

SQL Injection

🎯 SQL Injection Payload List (stars 683, forks 237, last commit 1y 50d, license MIT)

A list of useful payloads and bypass for Web Application Security and Pentest/CTF (stars 16.33K, forks 5.23K, last commit 5m, license MIT)

Command Injection

The Ruby Programming Language [mirror] (stars 17.25K, forks 4.59K, last commit 5m, license n/a)

🎯 Command Injection Payload List (stars 639, forks 188, last commit 1y 56d, license MIT)

A list of useful payloads and bypass for Web Application Security and Pentest/CTF (stars 16.33K, forks 5.23K, last commit 5m, license MIT)

ORM Injection

FTP Injection

XXE - XML eXternal Entity

🎯 XML External Entity (XXE) Injection Payload List (stars 282, forks 106, last commit 1y 52d, license MIT)

A list of useful payloads and bypass for Web Application Security and Pentest/CTF (stars 16.33K, forks 5.23K, last commit 5m, license MIT)

CSRF - Cross-Site Request Forgery

A list of useful payloads and bypass for Web Application Security and Pentest/CTF (stars 16.33K, forks 5.23K, last commit 5m, license MIT)

Clickjacking

SSRF - Server-Side Request Forgery

A list of useful payloads and bypass for Web Application Security and Pentest/CTF (stars 16.33K, forks 5.23K, last commit 5m, license MIT)

Web Cache Poisoning

A list of useful payloads and bypass for Web Application Security and Pentest/CTF (stars 16.33K, forks 5.23K, last commit 5m, license MIT)

Relative Path Overwrite

Open Redirect

🎯 Open Redirect Payload List (stars 204, forks 87, last commit 1y 48d, license MIT)

A list of useful payloads and bypass for Web Application Security and Pentest/CTF (stars 16.33K, forks 5.23K, last commit 5m, license MIT)

Security Assertion Markup Language (SAML)

Upload

A list of useful payloads and bypass for Web Application Security and Pentest/CTF (stars 16.33K, forks 5.23K, last commit 5m, license MIT)

Rails

AngularJS

ReactJS

SSL/TLS

🔐 Tutorial on setting up security for your API with one-way authentication (TLS/SSL) and mutual authentication for a Java based web server and client, both with Spring Boot. Different clients are provided, such as Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient Jetty and Netty, the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, vertx, Scala client Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala, Http4s Blaze, Kotlin client Fuel, http4k, Kohttp and ktor. Other server examples are also available, such as Jersey with Grizzly. (stars 157, forks 56, last commit 14d, license Apache-2.0)

Webmail

NFS

AWS

Azure

Sub Domain Enumeration

Crypto

Web Shell

OSINT

DNS Rebinding

Deserialization

OAuth

JWT

XXE

CSP

WAF

JSMVC

Authentication

CSRF

Clickjacking

Remote Code Execution

XSS

SQL Injection

NoSQL Injection

FTP Injection

XXE

SSRF

Web Cache Poisoning

Header Injection

URL

Deserialization

OAuth

Others

Frontend (SOP bypass, URL spoofing, and similar issues)

Backend (the core of the browser implementation, usually its C or C++ code)

Database

A collection of JavaScript engine CVEs with PoCs (stars 1.94K, forks 387, last commit 1y 5m, license n/a)

✍️ A curated list of CVE PoCs. (stars 2.57K, forks 629, last commit 17d, license n/a)

A collection of PoCs and exploits for various vulnerabilities, gathered or written by the authors (stars 1.36K, forks 798, last commit 24d, license n/a)

🔪 Browser logic vulnerabilities (stars 546, forks 87, last commit 34d, license MIT)

Exploits & Tools Search Engine by @i_bo0om.

Cheatsheets

Auditing

Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls listed in https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf and more than 100 additional checks that help with GDPR, HIPAA and other security requirements. (stars 3.08K, forks 581, last commit 21d, license n/a)

Auto Scanning to SSL Vulnerability (stars 518, forks 155, last commit 92d, license MIT)

Command Injection

Automated All-in-One OS command injection and exploitation tool. (stars 2.54K, forks 591, last commit 7d, license n/a)

OSINT - Open-Source Intelligence

Incredibly fast crawler designed for OSINT. (stars 7.62K, forks 1.07K, last commit 1y 83d, license GPL-3.0)

Tool to find metadata and hidden information in documents. (stars 1.43K, forks 364, last commit 10m, license GPL-3.0)

XRay is a tool for recon, mapping and OSINT gathering from public networks. (stars 1.54K, forks 242, last commit 2y 4m, license GPL-3.0)

Reconnaissance tool for GitHub organizations (stars 5.02K, forks 725, last commit 2y 7m, license MIT)

GitHub Sensitive Information Leakage (monitoring of sensitive information leaked on GitHub) (stars 1.62K, forks 424, last commit 1y 9m, license GPL-3.0)

raven is a LinkedIn information gathering tool that pentesters can use to gather information about an organization's employees via LinkedIn. (stars 727, forks 162, last commit 9m, license n/a)

Reconnaissance Swiss Army Knife (stars 1.05K, forks 274, last commit 1y 9m, license Apache-2.0)

The most complete open-source tool for Twitter intelligence analysis (stars 1.45K, forks 222, last commit 2y 10m, license CC-BY-SA-4.0)

A high performance offensive security tool for reconnaissance and vulnerability scanning (stars 2.01K, forks 304, last commit 2y 95d, license MIT)

A Social Media Enumeration & Correlation Tool by Jacob Wilkin (Greenwolf) (stars 3.04K, forks 712, last commit 73d, license GPL-3.0)
(stars 33, forks 3, last commit 2y 6m, license n/a)

Shodan is the world's first search engine for Internet-connected devices by @shodanhq.

Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.

Free URL Scanner & domain information.

Cyberspace Search Engine by @zoomeye_team.

Cyberspace Search Engine by BAIMAOHUI.

THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.

Open source footprinting and intelligence-gathering tool by @binarypool.

Various databases which you can use for your OSINT research by @technisette.

the easy way to find people on Facebook by postkassen.

Sub Domain Enumeration

Fast subdomains enumeration tool for penetration testers (stars 5.69K, forks 1.44K, last commit 7m, license GPL-2.0)

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. (stars 2.86K, forks 614, last commit 21d, license GPL-3.0)

A fast sub domain brute tool for pentesters (stars 2.3K, forks 883, last commit 4m, license n/a)

A Tool for Domain Flyovers (stars 3.95K, forks 713, last commit 1y 9m, license MIT)

Analyze the security of any domain by finding all the information possible. Made in Python. (stars 1.61K, forks 230, last commit 3y 5m, license n/a)

Auditing for TLS certificates. (stars 771, forks 303, last commit 1y 7m, license Apache-2.0)

A domain searcher named GoogleSSLdomainFinder - a subdomain lookup tool based on Google's SSL Certificate Transparency logs (stars 154, forks 55, last commit 3y 26d, license Apache-2.0)

Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by @crtsh.

Code Generating

Vulnerable Web applications Generator (stars 75, forks 17, last commit 3y 79d, license n/a)

Fuzzing

Web application fuzzer (stars 3.52K, forks 885, last commit 90d, license GPL-2.0)

A script that inspects multi-byte character sets looking for characters with specific user-defined properties (stars 23, forks 8, last commit 4y 8m, license n/a)

A simple tool to convert an IP address to a DWORD IP (stars 101, forks 37, last commit 4y 10m, license n/a)

DOM fuzzer (stars 1.29K, forks 248, last commit 49d, license Apache-2.0)

Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery. (stars 5.44K, forks 1.62K, last commit 1y 1d, license n/a)

Find web directories without bruteforce (stars 970, forks 168, last commit 74d, license MIT)

Potentially dangerous files (stars 1.37K, forks 255, last commit 65d, license n/a)

Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.

Scanning

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. (stars 5.56K, forks 987, last commit 10d, license n/a)

A free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan. (stars 142, forks 59, last commit 5m, license GPL-3.0)

WAScan - Web Application Scanner (stars 1.9K, forks 490, last commit 1y 35d, license GPL-3.0)

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use. (stars 1.43K, forks 209, last commit 4m, license MIT)

Penetration Testing

The Offensive Manual Web Application Penetration Testing Framework. (stars 1.28K, forks 333, last commit 14d, license GPL-3.0)

Automated Security Testing For REST APIs (stars 1.72K, forks 273, last commit 1y 10m, license Apache-2.0)

A collection of AWS penetration testing junk (stars 883, forks 142, last commit 3y 4m, license n/a)

Burp Suite is an integrated platform for performing security testing of web applications by portswigger.

XSS - Cross-Site Scripting

The Browser Exploitation Framework Project (stars 5.52K, forks 1.33K, last commit 15d, license n/a)

JShell - Get a JavaScript shell with XSS. (stars 384, forks 118, last commit 1y 9m, license n/a)

Most advanced XSS scanner. (stars 8.92K, forks 1.31K, last commit 1y 70d, license GPL-3.0)

XSS'OR - Hack with JavaScript. (stars 1.89K, forks 360, last commit 6m, license BSD-2-Clause)

A tool for evaluating content-security-policies by Csper.

SQL Injection

Automatic SQL injection and database takeover tool (stars 19.42K, forks 4.19K, last commit 5d, license n/a)

Template Injection

Server-Side Template Injection and Code Injection Detection and Exploitation Tool (stars 2.12K, forks 469, last commit 40d, license GPL-3.0)

XXE

List DTDs and generate XXE payloads using those local DTDs. (stars 344, forks 71, last commit 4m, license n/a)

Cross Site Request Forgery

The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit. (stars 521, forks 132, last commit 6m, license GPL-3.0)

Server-Side Request Forgery

Leaking

HTTPLeaks - All possible ways a website can leak HTTP requests (stars 1.34K, forks 164, last commit 7m, license BSD-2-Clause)

Rip web accessible (distributed) version control systems: SVN/GIT/HG... (stars 1.22K, forks 268, last commit 6m, license GPL-2.0)

Pillage web accessible GIT, HG and BZR repositories (stars 283, forks 61, last commit 4y 39d, license n/a)

Tool for advanced mining for content on GitHub (stars 1.8K, forks 415, last commit 1y 50d, license GPL-3.0)

Scan git repos (or files) for secrets using regex and entropy 🔑 (stars 7.19K, forks 624, last commit 7d, license MIT)

Chrome extension and Express server that exploits keylogging abilities of CSS. (stars 3K, forks 430, last commit 3y 7d, license n/a)

Git manager for pentesters (stars 101, forks 22, last commit 4y 8m, license n/a)

Tool to scan for secret files on HTTP servers (stars 1.77K, forks 203, last commit 113d, license CC0-1.0)

A Python script that finds endpoints in JavaScript files (stars 1.82K, forks 384, last commit 52d, license MIT)

Detecting

Scanner detecting the use of JavaScript libraries with known vulnerabilities (stars 2.68K, forks 325, last commit 26d, license n/a)

Sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. Written for Node.js (stars 347, forks 91, last commit 1y 6m, license MIT)

Scan your code for security misconfiguration, search for passwords and secrets. (stars 469, forks 81, last commit 10d, license MIT)

bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting. (stars 329, forks 57, last commit 31d, license MIT)

🔥 Open source RASP solution (stars 1.71K, forks 419, last commit 7d, license Apache-2.0)

SQL injection detection engine by chaitin.

XSS detection engine by chaitin.

Preventing

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo: (stars 6.66K, forks 435, last commit 10d, license n/a)

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a whitelist (stars 3.91K, forks 524, last commit 4m, license n/a)

Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injection prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL. (stars 719, forks 82, last commit 15d, license Apache-2.0)

A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.

Proxy

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers. (stars 21.55K, forks 2.77K, last commit 7d, license MIT)

HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

Webshell

Nano is a family of PHP web shells which are code golfed for stealth. (stars 387, forks 89, last commit 1y 9m, license n/a)

This is a webshell open source project (stars 6.56K, forks 4.62K, last commit 7d, license GPL-3.0)

Weaponized web shell (stars 2.19K, forks 511, last commit 5m, license GPL-3.0)

Manage your website via terminal (stars 359, forks 106, last commit 1y 10m, license GPL-3.0)

A multiple reverse shell session/client manager via terminal (stars 170, forks 57, last commit 5m, license n/a)

Reverse Shell as a Service (stars 1.25K, forks 170, last commit 4m, license MIT)

Full-featured C2 framework which silently persists on webserver via evil PHP oneliner (stars 981, forks 302, last commit 5m, license GPL-3.0)

Disassembler

Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax. (stars 2.91K, forks 302, last commit 1y 12m, license GPL-3.0)

UNIX-like reverse engineering framework and command-line toolset (stars 13.97K, forks 2.41K, last commit 7d, license LGPL-3.0)

This project has been moved to: (stars 1.52K, forks 131, last commit 3y 5m, license GPL-3.0)

Decompiler

CFR

Another java decompiler by @LeeAtBenf.

DNS Rebinding

A front-end JavaScript toolkit for creating DNS rebinding attacks. (stars 434, forks 83, last commit 2y 8m, license MIT)

DNS Rebinding Exploitation Framework (stars 423, forks 63, last commit 4m, license n/a)

A DNS rebinding attack framework. (stars 613, forks 97, last commit 9m, license MIT)

A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53) (stars 527, forks 88, last commit 2y 8m, license MIT)

Others

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis (stars 11.31K, forks 1.47K, last commit 9d, license Apache-2.0)

Parse NTLM challenge messages over HTTP and SMB (stars 106, forks 17, last commit 11m, license MIT)

Minimal code to connect to a CEF debugger. (stars 123, forks 18, last commit 8m, license Apache-2.0)

Interactive CTF Exploration Tool (stars 1.52K, forks 264, last commit 1y 6m, license Apache-2.0)

Social Engineering Database

Check if you have an account that has been compromised in a data breach by Troy Hunt.

Blogs

Taiwan's talented web penetrator.

China's talented web penetrator.

Fun with Browser Vulnerabilities.

Internet Security through Web Browsers by Dhiraj Mishra.

Vulnerability disclosures and rambles on application security.

n0tr00t Security Team.

Open Mind Security!

Write-ups for PHP vulnerabilities.

Awesome bug-bounty and challenges writeups.

Security Researching and Reverse Engineering.

Twitter Users

Initiative to showcase open source hacking tools for hackers and pentesters

Active penetrator often tweets and writes useful articles

Cure53 (https://cure53.de/) is a German cybersecurity firm.

The wonderland of JavaScript unexpected usages, and more.

Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.

Japanese javascript security researcher.

Web and Browsers Security Researcher.

Application

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application (stars 4.28K, forks 2.95K, last commit 15d, license MIT)

Vulnerable web application for training (stars 51, forks 4, last commit 2y 10m, license MIT)

Realistic web application hacking game - Written by @albinowax.

Learn SELinux by doing. Solve Puzzles, show skillz - Written by @selinuxgame.

AWS

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool (stars 1.07K, forks 208, last commit 107d, license BSD-3-Clause)

Amazon AWS CTF challenge - Written by @0xdabbad00.

XSS

Google XSS Challenge - Written by Google.

Series of XSS challenges - Written by @steike.

Series of XSS challenges - Written by yamagata21.

ModSecurity / OWASP ModSecurity Core Rule Set

Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by @ChrFolini.

Community

Miscellaneous

A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups. (stars 2.7K, forks 704, last commit 1y 12d, license CC0-1.0)

Inspired by https://github.com/djadmin/awesome-bug-bounty, a list of bug bounty write-ups categorized by the nature of the bug (stars 2.4K, forks 797, last commit 4m, license n/a)

Decrypted content of eqgrp-auction-file.tar.xz (stars 3.69K, forks 2.1K, last commit 3y 10m, license n/a)

Some public notes (stars 1.25K, forks 86, last commit 1y 7m, license n/a)

An Information Security Reference That Doesn't Suck (stars 3.6K, forks 877, last commit 15d, license MIT)

Penetration Testing and Exploit Dev CheatSheet.

Check if your internet-connected devices at home are public on Shodan by BullGuard.