Awesome Web Security

🐶 A curated list of Web Security materials and resources.

Last Update: Oct. 20, 2021, 12:04 p.m.

Thank you qazbnm456 & contributors
View Topic on GitHub:
qazbnm456/awesome-web-security

Digests

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
1y 48d
MIT

Field Guide by Trail of Bits.

A weekly distillation of the best security tools, blog posts, and conference talks, covering AppSec, cloud and container security, DevSecOps, and more.

Forums

Ezine written by and for hackers.

Security in a serious way.

The security podcast network.

Biting the hand that feeds IT.

Connecting The Information Security Community.

Digs up high-quality web security articles for hackers.

XSS - Cross-Site Scripting

HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors

2.49K
382
1y 9m
MPL-2.0

Awesome XSS stuff

3.32K
559
9m
MIT

An XSS mind map.

23
136
5y 9m
n/a

🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List

1.72K
577
8m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
1y 48d
MIT

Prototype Pollution

CSV Injection

SQL Injection

🎯 SQL Injection Payload List

683
237
1y 9m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
1y 48d
MIT

Command Injection

The Ruby Programming Language [mirror]

17.25K
4.59K
1y 47d
n/a

🎯 Command Injection Payload List

639
188
1y 9m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
1y 48d
MIT

ORM Injection

FTP Injection

XXE - XML eXternal Entity

🎯 XML External Entity (XXE) Injection Payload List

282
106
1y 9m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
1y 48d
MIT

CSRF - Cross-Site Request Forgery

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
1y 48d
MIT

Clickjacking

SSRF - Server-Side Request Forgery

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
1y 48d
MIT

Web Cache Poisoning

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
1y 48d
MIT

Relative Path Overwrite

Open Redirect

🎯 Open Redirect Payload List

204
87
1y 9m
MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
1y 48d
MIT
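The payload lists above collect the bypasses an open-redirect filter has to survive (protocol-relative `//evil.com`, backslash variants such as `/\evil.com`, userinfo tricks such as `https://trusted@evil.com`, `javascript:` URLs). The following is an added example, not code from the original page or from any project listed here, of a redirect validator that resolves the supplied value against the site origin and only accepts an exact host match; the site origin, the allowlist and the function name are assumptions for illustration.

```javascript
// Added example (not from any listed project): validate a user-supplied
// "next"/"returnTo" value before issuing a 3xx redirect.
// Assumed site origin and host allowlist; substitute your own.
const SITE_ORIGIN = 'https://app.example.com/';
const ALLOWED_HOSTS = new Set(['app.example.com', 'sso.example.com']);

function safeRedirectTarget(raw, base = SITE_ORIGIN) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;

  // Browsers treat backslashes as slashes in special schemes, so "/\evil.com"
  // is really "//evil.com"; normalise before parsing, not after.
  const candidate = raw.replace(/\\/g, '/');

  const baseUrl = new URL(base);
  let url;
  try {
    // Resolving against the base makes relative paths absolute and turns a
    // protocol-relative "//evil.com" into "https://evil.com", which the host
    // check below then rejects.
    url = new URL(candidate, baseUrl);
  } catch {
    return null; // unparsable input is never a valid destination
  }

  // Same scheme as the site: blocks javascript:, data: and an http: downgrade.
  if (url.protocol !== baseUrl.protocol) return null;
  // Reject userinfo outright: "https://app.example.com@evil.com" has host evil.com.
  if (url.username !== '' || url.password !== '') return null;
  // Exact host match, so "app.example.com.evil.com" and odd ports both fail.
  if (!ALLOWED_HOSTS.has(url.host)) return null;
  return url.href;
}

console.log(safeRedirectTarget('/account?tab=1')); // https://app.example.com/account?tab=1
console.log(safeRedirectTarget('//evil.com/'));    // null
```

Returning the normalised `url.href` rather than the raw input means the `Location` header is built from the parsed, allowlisted URL and never echoes the original string.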

Security Assertion Markup Language (SAML)

Upload

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

16.33K
5.23K
1y 48d
MIT

Rails

AngularJS

ReactJS

SSL/TLS

🔐 Tutorial on securing your API with one-way authentication over TLS/SSL and with mutual authentication, for a Java-based web server and client, both built with Spring Boot. Different clients are provided, such as Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient (Jetty and Netty), the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, vertx, the Scala clients Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala and Http4s Blaze, and the Kotlin clients Fuel, http4k, Kohttp and ktor. Other server examples are also available, such as Jersey with Grizzly.

157
56
8m
Apache-2.0

Webmail

NFS

AWS

Azure

Sub Domain Enumeration

Crypto

Web Shell

OSINT

DNS Rebinding

Deserialization

OAuth

JWT

XXE

CSP

WAF

JSMVC

Authentication

CSRF

Clickjacking

Remote Code Execution

XSS

SQL Injection

NoSQL Injection

FTP Injection

XXE

SSRF

Web Cache Poisoning

Header Injection

URL

Deserialization

OAuth

Others

Frontend (for example SOP bypass and URL spoofing)

Backend (the core of the browser implementation, usually the C or C++ parts)

Database

A collection of JavaScript engine CVEs with PoCs

1.94K
387
2y 48d
n/a

✍️ A curated list of CVE PoCs.

2.57K
629
8m
n/a

Collected and self-written PoCs and exploits for various vulnerabilities

1.36K
798
8m
n/a

🔪Browser logic vulnerabilities

546
87
9m
MIT

Exploits & Tools Search Engine by @i_bo0om.

Cheatsheets

Auditing

Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls listed here https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf and more than 100 additional checks that help with GDPR, HIPAA and other security requirements.

3.08K
581
8m
n/a

Auto Scanning to SSL Vulnerability

518
155
10m
MIT

Command Injection

Automated All-in-One OS command injection and exploitation tool.

2.54K
591
8m
n/a

OSINT - Open-Source Intelligence

Incredibly fast crawler designed for OSINT.

7.62K
1.07K
1y 10m
GPL-3.0

Tool to find metadata and hidden information in documents.

1.43K
364
1y 6m
GPL-3.0

XRay is a tool for recon, mapping and OSINT gathering from public networks.

1.54K
242
2y 11m
GPL-3.0

Reconnaissance tool for GitHub organizations

5.02K
725
3y 108d
MIT

GitHub Sensitive Information Leakage (monitoring for sensitive information leaked on GitHub)

1.62K
424
2y 5m
GPL-3.0

raven is a LinkedIn information gathering tool that pentesters can use to gather information about an organization's employees via LinkedIn.

727
162
1y 5m
n/a

Reconnaissance Swiss Army Knife

1.05K
274
2y 5m
Apache-2.0

The most complete open-source tool for Twitter intelligence analysis

1.45K
222
3y 6m
CC-BY-SA-4.0

A high performance offensive security tool for reconnaissance and vulnerability scanning

2.01K
304
2y 11m
MIT

A Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf)

3.04K
712
10m
GPL-3.0
33
3
3y 57d
n/a

Shodan is the world's first search engine for Internet-connected devices by @shodanhq.

Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet, by the University of Michigan.

Free URL Scanner & domain information.

Cyberspace Search Engine by @zoomeye_team.

Cyberspace Search Engine by BAIMAOHUI.

THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.

Open source footprinting and intelligence-gathering tool by @binarypool.

Various databases which you can use for your OSINT research by @technisette.

The easy way to find people on Facebook, by postkassen.

Sub Domain Enumeration

Fast subdomains enumeration tool for penetration testers

5.69K
1.44K
1y 83d
GPL-2.0

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

2.86K
614
8m
GPL-3.0

A fast subdomain brute-force tool for pentesters

2.3K
883
11m
n/a

A Tool for Domain Flyovers

3.95K
713
2y 5m
MIT

Analyze the security of any domain by finding all the information possible. Made in python.

1.61K
230
4y 43d
n/a

Auditing for TLS certificates.

771
303
2y 101d
Apache-2.0

A domain searcher named GoogleSSLdomainFinder - a subdomain lookup tool based on Google's SSL Certificate Transparency logs

154
55
3y 8m
Apache-2.0

Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by @crtsh.

Code Generating

Vulnerable Web applications Generator

75
17
3y 10m
n/a

Fuzzing

Web application fuzzer

3.52K
885
10m
GPL-2.0

A script that inspects multi-byte character sets looking for characters with specific user-defined properties

23
8
5y 4m
n/a

A simple tool to convert an IP address to its DWORD form

101
37
5y 5m
n/a

DOM fuzzer

1.29K
248
9m
Apache-2.0

Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.

5.44K
1.62K
1y 7m
n/a

Find web directories without bruteforce

970
168
10m
MIT

Potentially dangerous files

1.37K
255
10m
n/a

Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.

Scanning

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

5.56K
987
8m
n/a

Free software that finds the components installed in a Joomla CMS, built out of the ashes of Joomscan.

142
59
1y 36d
GPL-3.0

WAScan - Web Application Scanner

1.9K
490
1y 9m
GPL-3.0

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.

1.43K
209
1y 15d
MIT

Penetration Testing

The Offensive Manual Web Application Penetration Testing Framework.

1.28K
333
8m
GPL-3.0

Automated Security Testing For REST APIs

1.72K
273
2y 6m
Apache-2.0

A collection of AWS penetration testing junk

883
142
4y 7d
n/a

Burp Suite is an integrated platform for performing security testing of web applications by portswigger.

XSS - Cross-Site Scripting

The Browser Exploitation Framework Project

5.52K
1.33K
8m
n/a

JShell - Get a JavaScript shell with XSS.

384
118
2y 5m
n/a

Most advanced XSS scanner.

8.92K
1.31K
1y 10m
GPL-3.0

XSS'OR - Hack with JavaScript.

1.89K
360
1y 62d
BSD-2-Clause

A tool for evaluating content-security-policies by Csper.

SQL Injection

Automatic SQL injection and database takeover tool

19.42K
4.19K
8m
n/a

Template Injection

Server-Side Template Injection and Code Injection Detection and Exploitation Tool

2.12K
469
9m
GPL-3.0

XXE

List DTDs and generate XXE payloads using those local DTDs.

344
71
1y 4d
n/a

Cross Site Request Forgery

The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.

521
132
1y 72d
GPL-3.0

Server-Side Request Forgery

Leaking

HTTPLeaks - All possible ways a website can leak HTTP requests

1.34K
164
1y 103d
BSD-2-Clause

Rip web accessible (distributed) version control systems: SVN/GIT/HG...

1.22K
268
1y 64d
GPL-2.0

Pillage web accessible GIT, HG and BZR repositories

283
61
4y 9m
n/a

Tool for advanced mining for content on GitHub

1.8K
415
1y 9m
GPL-3.0

Scan git repos (or files) for secrets using regex and entropy 🔑

7.19K
624
8m
MIT
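The entry above names the two detection strategies secret scanners combine: regexes for credential formats with a fixed shape, and Shannon entropy for anything that merely looks random. As an added example, not the scanner's own code, here are both strategies run over constructed sample lines. The patterns, the 20-character token length, the 4.0 bits-per-character cutoff and the sample lines are assumptions; none of the values are real credentials (AKIAIOSFODNN7EXAMPLE is the placeholder AWS documents).

```javascript
// Added example (not the scanner's own code): regex plus entropy detection
// over constructed input. Patterns and the threshold are assumptions to tune.
const PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub token', re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/ },
  { name: 'private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];
const TOKEN_RE = /[A-Za-z0-9+/=_-]{20,}/g; // base64/hex-looking runs worth measuring
const ENTROPY_THRESHOLD = 4.0;             // bits per character; assumed cutoff

// Shannon entropy in bits per character: 32 distinct characters score
// log2(32) = 5, a run of one repeated character scores 0.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function scanLines(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    for (const { name, re } of PATTERNS) {
      const m = re.exec(line);
      if (m) findings.push({ line: idx + 1, kind: name, match: m[0] });
    }
    for (const m of line.matchAll(TOKEN_RE)) {
      const token = m[0];
      // A token a pattern already explains is reported once, not twice.
      if (PATTERNS.some((p) => p.re.test(token))) continue;
      const h = shannonEntropy(token);
      if (h >= ENTROPY_THRESHOLD) {
        findings.push({ line: idx + 1, kind: 'high entropy', match: token, entropy: Number(h.toFixed(2)) });
      }
    }
  });
  return findings;
}

// Constructed sample input (not taken from any real repository).
const SAMPLE_LINES = [
  'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
  'github_token: ghp_0123456789abcdef0123456789abcdef0123',
  'secret_token = "xK9vQ2mZ8pL4wR7tN1yB3cF6hJ0sD5gA"',
  'padding = "0000000000000000000000000000"',
];

console.log(scanLines(SAMPLE_LINES)); // three findings: AWS key, GitHub token, high entropy
```

The fourth sample line shows why entropy is measured rather than length alone: a 28-character run of zeros is long enough to match the token regex but scores 0 bits and is not reported, while the 32-character random-looking value on line 3 scores 5 bits and is.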

Chrome extension and Express server that exploits keylogging abilities of CSS.

3K
430
3y 8m
n/a

Git manager for pentesters

101
22
5y 4m
n/a

Tool to scan for secret files on HTTP servers

1.77K
203
11m
CC0-1.0

A python script that finds endpoints in JavaScript files

1.82K
384
9m
MIT

Detecting

Scanner detecting the use of JavaScript libraries with known vulnerabilities

2.68K
325
8m
n/a

Sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. Written for Node.js

347
91
2y 74d
MIT

Scan your code for security misconfiguration, search for passwords and secrets.

469
81
8m
MIT

bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.

329
57
8m
MIT

🔥Open source RASP solution

1.71K
419
8m
Apache-2.0

SQL injection detection engine by chaitin.

XSS detection engine by chaitin.

Preventing

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

6.69K
437
8m
n/a

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist

3.91K
524
11m
n/a

Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injections prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.

719
82
8m
Apache-2.0

A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.
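Both CSP entries on this page (the evaluator under XSS and the policy toolkit above) are about judging whether a policy actually stops script injection. The following is an added example, not Csper's code, of the checks such an evaluation starts with: it parses the header as browsers do (first occurrence of a directive wins, names are case-insensitive) and reports the weaknesses that make a policy ineffective. The function names and the two sample policies are assumptions for illustration.

```javascript
// Added example (not Csper's code): a minimal CSP weakness evaluator.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first wins
  }
  return directives;
}

function evaluateCsp(header) {
  const d = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const script = d.get('script-src') || d.get('default-src');
  if (!script) {
    findings.push('no script-src and no default-src: script execution is unrestricted');
  } else {
    const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const strictDynamic = script.includes("'strict-dynamic'");
    // A nonce or hash makes browsers ignore 'unsafe-inline' (it stays only as a
    // fallback for old browsers), so it is a finding only without one.
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    }
    if (script.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    // Likewise 'strict-dynamic' makes host and scheme sources ignored.
    for (const s of script) {
      if (['*', 'https:', 'http:', 'data:'].includes(s) && !strictDynamic) {
        findings.push(`script-src allows the broad source ${s}`);
      }
    }
  }
  // object-src does not fall back to script-src, and plugins can run script.
  const def = d.get('default-src') || [];
  if (!d.has('object-src') && !def.includes("'none'")) {
    findings.push("object-src not restricted: set object-src 'none'");
  }
  // An injected <base> tag retargets every relative script URL on the page.
  if (!d.has('base-uri')) findings.push("base-uri missing: set base-uri 'none' or 'self'");
  return findings;
}

// Constructed sample policies: the weak one beside its corrected form.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRONG_POLICY = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; base-uri 'none'";
console.log(evaluateCsp(WEAK_POLICY));   // four findings
console.log(evaluateCsp(STRONG_POLICY)); // []
```

The strong policy keeps `'unsafe-inline'` and `https:` on purpose: in browsers that understand nonces and `'strict-dynamic'` both are ignored, and in older ones they keep the site working, which is why the evaluator does not flag them in that combination.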

Proxy

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

21.55K
2.77K
8m
MIT

HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

Webshell

Nano is a family of PHP web shells which are code golfed for stealth.

387
89
2y 5m
n/a

An open source webshell project

6.56K
4.62K
8m
GPL-3.0

Weaponized web shell

2.19K
511
1y 45d
GPL-3.0

Manage your website via terminal

359
106
2y 6m
GPL-3.0

A multiple reverse shell session/client manager via terminal

170
57
1y 22d
n/a

Reverse Shell as a Service

1.25K
170
1y 0d
MIT

Full-featured C2 framework which silently persists on webserver via evil PHP oneliner

981
302
1y 49d
GPL-3.0

Disassembler

Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax.

2.91K
302
2y 7m
GPL-3.0

UNIX-like reverse engineering framework and command-line toolset

13.97K
2.41K
8m
LGPL-3.0

This project has been moved to:

1.52K
131
4y 26d
GPL-3.0

Decompiler

CFR

Another Java decompiler by @LeeAtBenf.

DNS Rebinding

A front-end JavaScript toolkit for creating DNS rebinding attacks.

434
83
3y 4m
MIT

DNS Rebinding Exploitation Framework

423
63
1y 19d
n/a

A DNS rebinding attack framework.

613
97
1y 5m
MIT

A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)

527
88
3y 4m
MIT
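Every framework in this section works the same way: the attacker's page is served from a name such as attacker.example, and after the page has loaded the DNS answer for that name is switched to an internal address, so the browser's same-origin policy lets the page read a service it was never meant to reach. The browser still sends `Host: attacker.example` with those requests, which is what the standard server-side mitigation keys on. The following is an added example, not code from any of the tools listed here, of that Host check; the trusted-name set and the function names are assumptions, and a real deployment would also bind to loopback and require authentication.

```javascript
// Added example (not from any listed framework): reject requests whose Host
// header is not a name this service is meant to be reached by.
// Assumed trusted names; use those your service is actually served on.
const TRUSTED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]', 'admin.internal.example']);

// Normalise a Host header for comparison: lower-case, port removed, trailing
// dot removed, IPv6 literal kept in brackets. Returns null when malformed.
function hostFromHeader(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const h = hostHeader.trim().toLowerCase();
  if (h.length === 0 || h.length > 255) return null;
  if (h.startsWith('[')) {
    const end = h.indexOf(']');
    if (end === -1) return null;
    const rest = h.slice(end + 1);
    if (rest !== '' && !/^:\d{1,5}$/.test(rest)) return null;
    return h.slice(0, end + 1);
  }
  const m = /^([a-z0-9.-]+)(?::\d{1,5})?$/.exec(h);
  return m ? m[1].replace(/\.$/, '') : null;
}

// Decide before any route handler runs. 421 Misdirected Request is the status
// defined for "this server is not authoritative for that Host".
function checkHost(headers) {
  const host = hostFromHeader(headers.host);
  if (host === null) return { ok: false, status: 400, reason: 'malformed Host header' };
  if (!TRUSTED_HOSTS.has(host)) return { ok: false, status: 421, reason: `unexpected Host ${host}` };
  return { ok: true, status: 200 };
}

console.log(checkHost({ host: 'localhost:8080' }));   // { ok: true, status: 200 }
console.log(checkHost({ host: 'attacker.example' })); // { ok: false, status: 421, reason: ... }
```

Wire `checkHost(req.headers)` in as the first middleware and answer with the returned status when `ok` is false; the rebinding page's request then fails before any application logic, and the browser's subsequent requests fail the same way no matter what address the name now resolves to.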

Others

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

11.31K
1.47K
8m
Apache-2.0

Parse NTLM challenge messages over HTTP and SMB

106
17
1y 7m
MIT
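An NTLM challenge (the type 2 message returned in `WWW-Authenticate: NTLM <base64>` or inside an SMB session setup) discloses the server's NetBIOS and DNS names, its domain and its OS version before any credential is sent, which is why the tool above exists. The following is an added example, not that tool's code, of a parser for the MS-NLMP CHALLENGE_MESSAGE layout; the function names are assumptions, and `buildSampleChallenge()` constructs a test message with invented names so the parser can run offline.

```javascript
// Added example (not the listed tool's code): decode an NTLM CHALLENGE
// (type 2) message following the MS-NLMP layout. Offsets: signature 0-7,
// type 8-11, TargetName fields 12-19, flags 20-23, ServerChallenge 24-31,
// reserved 32-39, TargetInfo fields 40-47, optional Version 48-55, payload.
const NEGOTIATE_UNICODE = 0x00000001;
const NEGOTIATE_TARGET_INFO = 0x00800000;
const NEGOTIATE_VERSION = 0x02000000;
const AV_NAMES = { 1: 'netbiosComputer', 2: 'netbiosDomain', 3: 'dnsComputer', 4: 'dnsDomain', 5: 'dnsTree' };

function parseNtlmChallenge(headerValue) {
  const buf = Buffer.from(headerValue.replace(/^NTLM\s+/i, ''), 'base64');
  if (buf.length < 48 || buf.toString('latin1', 0, 8) !== 'NTLMSSP\0') throw new Error('not an NTLMSSP message');
  if (buf.readUInt32LE(8) !== 2) throw new Error('not a CHALLENGE (type 2) message');
  const flags = buf.readUInt32LE(20);
  const decode = (b) => b.toString(flags & NEGOTIATE_UNICODE ? 'utf16le' : 'latin1');
  // Each "security buffer" is (Len, MaxLen, Offset) pointing into the payload;
  // bounds-check it, since a hostile server controls every offset.
  const field = (off) => {
    const len = buf.readUInt16LE(off), offset = buf.readUInt32LE(off + 4);
    if (offset + len > buf.length) throw new Error('field points outside the message');
    return buf.subarray(offset, offset + len);
  };
  const result = {
    targetName: decode(field(12)),
    serverChallenge: buf.subarray(24, 32).toString('hex'),
    flags: '0x' + flags.toString(16).padStart(8, '0'),
    targetInfo: {},
  };
  if ((flags & NEGOTIATE_VERSION) && buf.length >= 56) {
    result.osVersion = `${buf[48]}.${buf[49]} build ${buf.readUInt16LE(50)}`;
  }
  if (flags & NEGOTIATE_TARGET_INFO) {
    const info = field(40);
    let pos = 0;
    while (pos + 4 <= info.length) {
      const id = info.readUInt16LE(pos), len = info.readUInt16LE(pos + 2);
      if (id === 0) break; // MsvAvEOL terminates the list
      if (pos + 4 + len > info.length) throw new Error('truncated AV_PAIR');
      const value = info.subarray(pos + 4, pos + 4 + len);
      if (id === 7 && len === 8) {
        // MsvAvTimestamp is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
        const ms = Number(value.readBigUInt64LE(0) / 10000n) - 11644473600000;
        result.targetInfo.timestamp = new Date(ms).toISOString();
      } else if (AV_NAMES[id]) {
        result.targetInfo[AV_NAMES[id]] = decode(value);
      }
      pos += 4 + len;
    }
  }
  return result;
}

// Constructed sample (invented names): what a domain controller DC01 in CORP
// might return. The zero timestamp decodes to the FILETIME epoch, 1601-01-01.
function buildSampleChallenge() {
  const utf16 = (s) => Buffer.from(s, 'utf16le');
  const avPair = (id, value) => {
    const h = Buffer.alloc(4);
    h.writeUInt16LE(id, 0);
    h.writeUInt16LE(value.length, 2);
    return Buffer.concat([h, value]);
  };
  const targetName = utf16('CORP');
  const targetInfo = Buffer.concat([
    avPair(2, utf16('CORP')), avPair(1, utf16('DC01')),
    avPair(4, utf16('corp.example')), avPair(3, utf16('dc01.corp.example')),
    avPair(7, Buffer.alloc(8)), avPair(0, Buffer.alloc(0)),
  ]);
  const hdr = Buffer.alloc(56);
  hdr.write('NTLMSSP\0', 0, 'latin1');
  hdr.writeUInt32LE(2, 8);
  hdr.writeUInt16LE(targetName.length, 12); hdr.writeUInt16LE(targetName.length, 14); hdr.writeUInt32LE(56, 16);
  hdr.writeUInt32LE(NEGOTIATE_UNICODE | 0x00000004 | 0x00000200 | 0x00010000 | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION, 20);
  Buffer.from('0123456789abcdef', 'hex').copy(hdr, 24);
  hdr.writeUInt16LE(targetInfo.length, 40); hdr.writeUInt16LE(targetInfo.length, 42); hdr.writeUInt32LE(56 + targetName.length, 44);
  hdr[48] = 10; hdr[49] = 0; hdr.writeUInt16LE(17763, 50); hdr[55] = 0x0f; // Version: 10.0 build 17763, NTLMSSP_REVISION_W2K3
  return 'NTLM ' + Buffer.concat([hdr, targetName, targetInfo]).toString('base64');
}

console.log(parseNtlmChallenge(buildSampleChallenge()));
```

To use it against a live endpoint, send a type 1 message (`Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=` is the common minimal negotiate) and pass the `WWW-Authenticate` header from the 401 response to `parseNtlmChallenge`; no credentials are involved at that stage.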

Minimal code to connect to a CEF debugger.

123
18
1y 4m
Apache-2.0

Interactive CTF Exploration Tool

1.52K
264
2y 68d
Apache-2.0

Social Engineering Database

Check if you have an account that has been compromised in a data breach by Troy Hunt.

Blogs

Taiwan's talented web penetrator.

China's talented web penetrator.

Fun with Browser Vulnerabilities.

Internet Security through Web Browsers by Dhiraj Mishra.

Vulnerability disclosures and rambles on application security.

n0tr00t Security Team.

Open Mind Security!

Write-ups for PHP vulnerabilities.

Awesome bug-bounty and challenges writeups.

Security Researching and Reverse Engineering.

Twitter Users

Initiative to showcase open source hacking tools for hackers and pentesters

Active penetrator who often tweets and writes useful articles.

Cure53 (https://cure53.de/) is a German cybersecurity firm.

The wonderland of JavaScript unexpected usages, and more.

Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.

Japanese javascript security researcher.

Web and Browsers Security Researcher.

Application

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

4.28K
2.95K
8m
MIT

Vulnerable web application for training

51
4
3y 5m
MIT

Realistic web application hacking game - Written by @albinowax.

Learn SELinux by doing. Solve Puzzles, show skillz - Written by @selinuxgame.

AWS

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool

1.07K
208
11m
BSD-3-Clause

Amazon AWS CTF challenge - Written by @0xdabbad00.

XSS

Google XSS Challenge - Written by Google.

Series of XSS challenges - Written by @steike.

Series of XSS challenges - Written by yamagata21.

ModSecurity / OWASP ModSecurity Core Rule Set

Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by @ChrFolini.

Community

Miscellaneous

A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.

2.7K
704
1y 8m
CC0-1.0

Inspired by https://github.com/djadmin/awesome-bug-bounty, a list of bug bounty write-ups categorized by the nature of the bug

2.4K
797
12m
n/a

Decrypted content of eqgrp-auction-file.tar.xz

3.69K
2.1K
4y 6m
n/a

Some public notes

1.25K
86
2y 100d
n/a

An Information Security Reference That Doesn't Suck

3.6K
877
8m
MIT

Penetration Testing and Exploit Dev CheatSheet.

Check if your internet-connected devices at home are public on Shodan by BullGuard.