
Awesome Web Security

🐶 A curated list of Web Security materials and resources.


Thank you qazbnm456 & contributors
View Topic on GitHub:
qazbnm456/awesome-web-security


Digests

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
8m
MIT

Field Guide by Trails of Bits.

A weekly distillation of the best security tools, blog posts, and conference talks, covering AppSec, cloud and container security, DevSecOps, and more.

Forums

Ezine written by and for hackers.

Security in a serious way.

The security podcast network.

Biting the hand that feeds IT.

Connecting The Information Security Community.

Dig high-quality web security articles for hackers.

XSS - Cross-Site Scripting

HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors

2.49K
382
1y 4m
MPL-2.0

Awesome XSS stuff

3.32K
559
116d
MIT

An XSS mind map ;)

23
136
5y 114d
n/a

🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List

1.72K
577
87d
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
8m
MIT

Prototype Pollution

CSV Injection

SQL Injection

🎯 SQL Injection Payload List

683
237
1y 4m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
8m
MIT

Command Injection

The Ruby Programming Language [mirror]

17.25K
4.59K
8m
n/a

🎯 Command Injection Payload List

639
188
1y 4m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
8m
MIT

ORM Injection

FTP Injection

XXE - XML eXternal Entity

🎯 XML External Entity (XXE) Injection Payload List

282
106
1y 4m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
8m
MIT

CSRF - Cross-Site Request Forgery

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
8m
MIT

Clickjacking

SSRF - Server-Side Request Forgery

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
8m
MIT

Web Cache Poisoning

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
8m
MIT

Relative Path Overwrite

Open Redirect

🎯 Open Redirect Payload List

204
87
1y 119d
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
8m
MIT

Security Assertion Markup Language (SAML)

Upload

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
8m
MIT

Rails

AngularJS

ReactJS

SSL/TLS

🔐 Tutorial on setting up security for your API with one-way authentication (TLS/SSL) and mutual authentication for a Java-based web server and client, both built with Spring Boot. Different clients are provided, such as Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient (Jetty and Netty), the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, vertx, the Scala clients Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala and Http4s Blaze, and the Kotlin clients Fuel, http4k, Kohttp and ktor. Other server examples are also available, such as Jersey with Grizzly.

157
56
85d
Apache-2.0

Webmail

NFS

AWS

Azure

Sub Domain Enumeration

Crypto

Web Shell

OSINT

DNS Rebinding

Deserialization

OAuth

JWT

XXE

CSP

WAF

JSMVC

Authentication

CSRF

Clickjacking

Remote Code Execution

XSS

SQL Injection

NoSQL Injection

FTP Injection

XXE

SSRF

Web Cache Poisoning

Header Injection

URL

Deserialization

OAuth

Others

Frontend (like SOP bypass, URL spoofing, and something like that)

Backend (core of Browser implementation, and often refers to C or C++ part)

Database

A collection of JavaScript engine CVEs with PoCs

1.94K
387
1y 8m
n/a

✍️ A curated list of CVE PoCs.

2.57K
629
88d
n/a

Collection or authoring of PoCs and exploits for various vulnerabilities

1.36K
798
95d
n/a

🔪Browser logic vulnerabilities

546
87
105d
MIT

Exploits & Tools Search Engine by @i_bo0om.

Cheatsheets

Auditing

Prowler is a security tool to perform AWS security best-practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls listed here https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf and more than 100 additional checks that help with GDPR, HIPAA and other security requirements.

3.08K
581
92d
n/a

Auto Scanning to SSL Vulnerability

518
155
5m
MIT

Command Injection

Automated All-in-One OS command injection and exploitation tool.

2.54K
591
78d
n/a

OSINT - Open-Source Intelligence

Incredibly fast crawler designed for OSINT.

7.62K
1.07K
1y 5m
GPL-3.0

Tool to find metadata and hidden information in the documents.

1.43K
364
1y 23d
GPL-3.0

XRay is a tool for recon, mapping and OSINT gathering from public networks.

1.54K
242
2y 6m
GPL-3.0

Reconnaissance tool for GitHub organizations

5.02K
725
2y 10m
MIT

GitHub Sensitive Information Leakage (GitHub sensitive information leak monitoring)

1.62K
424
1y 12m
GPL-3.0

raven is a LinkedIn information gathering tool that can be used by pentesters to gather information about an organization's employees using LinkedIn.

727
162
11m
n/a

Reconnaissance Swiss Army Knife

1.05K
274
2y 4d
Apache-2.0

The most complete open-source tool for Twitter intelligence analysis

1.45K
222
3y 29d
CC-BY-SA-4.0

A high performance offensive security tool for reconnaissance and vulnerability scanning

2.01K
304
2y 5m
MIT

A Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf)

3.04K
712
4m
GPL-3.0
33
3
2y 8m
n/a

Shodan is the world's first search engine for Internet-connected devices by @shodanhq.

Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.

Free URL Scanner & domain information.

Cyberspace Search Engine by @zoomeye_team.

Cyberspace Search Engine by BAIMAOHUI.

THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.

Open source footprinting and intelligence-gathering tool by @binarypool.

Various databases which you can use for your OSINT research by @technisette.

The easy way to find people on Facebook by postkassen.

Sub Domain Enumeration

Fast subdomains enumeration tool for penetration testers

5.69K
1.44K
9m
GPL-2.0

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

2.86K
614
92d
GPL-3.0

A fast subdomain brute-force tool for pentesters

2.3K
883
6m
n/a

A Tool for Domain Flyovers

3.95K
713
1y 11m
MIT

Analyze the security of any domain by finding all the information possible. Made in Python.

1.61K
230
3y 8m
n/a

Auditing for TLS certificates.

771
303
1y 10m
Apache-2.0

A domain searcher named GoogleSSLdomainFinder - a subdomain lookup tool based on Google's SSL certificate transparency logs

154
55
3y 97d
Apache-2.0

Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by @crtsh.

Code Generating

Vulnerable Web applications Generator

75
17
3y 5m
n/a

Fuzzing

Web application fuzzer

3.52K
885
5m
GPL-2.0

A script that inspects multi-byte character sets looking for characters with specific user-defined properties

23
8
4y 10m
n/a

A simple tool to convert the IP to a DWORD IP

101
37
5y 6d
n/a

DOM fuzzer

1.29K
248
4m
Apache-2.0

Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.

5.44K
1.62K
1y 72d
n/a

Find web directories without brute force

970
168
4m
MIT

Potentially dangerous files

1.37K
255
4m
n/a

Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.

Scanning

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

5.56K
987
81d
n/a

A free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan.

142
59
7m
GPL-3.0

WAScan - Web Application Scanner

1.9K
490
1y 106d
GPL-3.0

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.

1.43K
209
7m
MIT

Penetration Testing

The Offensive Manual Web Application Penetration Testing Framework.

1.28K
333
85d
GPL-3.0

Automated security testing for REST APIs

1.72K
273
2y 34d
Apache-2.0

A collection of AWS penetration testing junk

883
142
3y 6m
n/a

Burp Suite is an integrated platform for performing security testing of web applications by portswigger.

XSS - Cross-Site Scripting

The Browser Exploitation Framework Project

5.52K
1.33K
86d
n/a

JShell - Get a JavaScript shell with XSS.

384
118
2y 4d
n/a

Most advanced XSS scanner.

8.92K
1.31K
1y 4m
GPL-3.0

XSS'OR - Hack with JavaScript.

1.89K
360
8m
BSD-2-Clause

A tool for evaluating content-security-policies by Csper.

SQL Injection

Automatic SQL injection and database takeover tool

19.42K
4.19K
76d
n/a

Template Injection

Server-Side Template Injection and Code Injection Detection and Exploitation Tool

2.12K
469
111d
GPL-3.0

XXE

List DTDs and generate XXE payloads using those local DTDs.

344
71
6m
n/a

Cross Site Request Forgery

The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.

521
132
9m
GPL-3.0

Server-Side Request Forgery

Leaking

HTTPLeaks - All possible ways a website can leak HTTP requests

1.34K
164
10m
BSD-2-Clause

Rip web accessible (distributed) version control systems: SVN/GIT/HG...

1.22K
268
8m
GPL-2.0

Pillage web accessible GIT, HG and BZR repositories

283
61
4y 110d
n/a

Tool for advanced mining for content on Github

1.8K
415
1y 4m
GPL-3.0

Scan git repos (or files) for secrets using regex and entropy 🔑

7.19K
624
78d
MIT

Chrome extension and Express server that exploits keylogging abilities of CSS.

3K
430
3y 78d
n/a

Git manager for pentesters

101
22
4y 11m
n/a

Tool to scan for secret files on HTTP servers

1.77K
203
6m
CC0-1.0

A python script that finds endpoints in JavaScript files

1.82K
384
4m
MIT

Detecting

scanner detecting the use of JavaScript libraries with known vulnerabilities

2.68K
325
97d
n/a

Sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. Written for Node.js.

347
91
1y 9m
MIT

Scan your code for security misconfiguration, search for passwords and secrets.

469
81
81d
MIT

bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.

329
57
102d
MIT

🔥Open source RASP solution

1.71K
419
78d
Apache-2.0

SQL injection detection engine by chaitin.

XSS detection engine by chaitin.

Preventing

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

6.69K
437
81d
n/a

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a whitelist

3.91K
524
6m
n/a

Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.

719
82
86d
Apache-2.0

A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.

Proxy

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

21.55K
2.77K
78d
MIT

HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

Webshell

Nano is a family of PHP web shells which are code golfed for stealth.

387
89
2y 4d
n/a

This is a webshell open source project

6.56K
4.62K
78d
GPL-3.0

Weaponized web shell

2.19K
511
8m
GPL-3.0

Manage your website via terminal

359
106
2y 30d
GPL-3.0

A multiple reverse shell session/client manager via terminal

170
57
7m
n/a

Reverse Shell as a Service

1.25K
170
6m
MIT

Full-featured C2 framework which silently persists on webserver via evil PHP oneliner

981
302
8m
GPL-3.0

Disassembler

Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax.

2.91K
302
2y 66d
GPL-3.0

UNIX-like reverse engineering framework and command-line toolset

13.97K
2.41K
78d
LGPL-3.0

This project has been moved to:

1.52K
131
3y 7m
GPL-3.0

Decompiler

CFR

Another Java decompiler by @LeeAtBenf.

DNS Rebinding

A front-end JavaScript toolkit for creating DNS rebinding attacks.

434
83
2y 11m
MIT

DNS Rebinding Exploitation Framework

423
63
7m
n/a

A DNS rebinding attack framework.

613
97
12m
MIT

A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)

527
88
2y 11m
MIT

Others

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

11.31K
1.47K
80d
Apache-2.0

Parse NTLM challenge messages over HTTP and SMB

106
17
1y 49d
MIT

Minimal code to connect to a CEF debugger.

123
18
11m
Apache-2.0

Interactive CTF Exploration Tool

1.52K
264
1y 8m
Apache-2.0

Social Engineering Database

Check if you have an account that has been compromised in a data breach by Troy Hunt.

Blogs

Taiwan's talented web penetrator.

China's talented web penetrator.

Fun with Browser Vulnerabilities.

Internet Security through Web Browsers by Dhiraj Mishra.

Vulnerability disclosures and rambles on application security.

n0tr00t Security Team.

Open Mind Security!

Write-ups for PHP vulnerabilities.

Awesome bug-bounty and challenges writeups.

Security Researching and Reverse Engineering.

Twitter Users

Initiative to showcase open source hacking tools for hackers and pentesters

Active penetrator often tweets and writes useful articles

Cure53 (https://cure53.de/) is a German cybersecurity firm.

The wonderland of JavaScript unexpected usages, and more.

Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.

Japanese JavaScript security researcher.

Web and Browsers Security Researcher.

Application

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

4.28K
2.95K
86d
MIT

Vulnerable web application for training

51
4
3y 12d
MIT

Realistic web application hacking game - Written by @albinowax.

Learn SELinux by doing. Solve Puzzles, show skillz - Written by @selinuxgame.

AWS

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool

1.07K
208
5m
BSD-3-Clause

Amazon AWS CTF challenge - Written by @0xdabbad00.

XSS

Google XSS Challenge - Written by Google.

Series of XSS challenges - Written by @steike.

Series of XSS challenges - Written by yamagata21.

ModSecurity / OWASP ModSecurity Core Rule Set

Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by @ChrFolini.

Community

Miscellaneous

A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.

2.7K
704
1y 83d
CC0-1.0

Inspired by https://github.com/djadmin/awesome-bug-bounty, a list of bug bounty write-ups categorized by the nature of the bug

2.4K
797
6m
n/a

Decrypted content of eqgrp-auction-file.tar.xz

3.69K
2.1K
4y 27d
n/a

Some public notes

1.25K
86
1y 10m
n/a

An Information Security Reference That Doesn't Suck

3.6K
877
86d
MIT

Penetration Testing and Exploit Dev CheatSheet.

Check if your internet-connected devices at home are public on Shodan by BullGuard.