

Awesome Web Security

🐶 A curated list of Web Security materials and resources.


Last Update: Dec. 4, 2021, 3:06 p.m.

Thank you qazbnm456 & contributors
View Topic on GitHub:
qazbnm456/awesome-web-security


Digests

Forums

XSS - Cross-Site Scripting

HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors
Stars: 2.57K | Forks: 403 | Last commit: 1y 5m | License: MPL-2.0

Awesome XSS stuff
Stars: 3.62K | Forks: 625 | Last commit: 10m | License: MIT

An XSS mind map ;)
Stars: 24 | Forks: 138 | Last commit: 5y 10m | License: n/a

🎯 Cross Site Scripting (XSS) Vulnerability Payload List
Stars: 2.48K | Forks: 833 | Last commit: 63d | License: MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Stars: 31.72K | Forks: 8.67K | Last commit: 32d | License: MIT

Prototype Pollution

CSV Injection

SQL Injection

Command Injection

The Ruby Programming Language [mirror]
Stars: 18.58K | Forks: 4.92K | Last commit: 30d | License: n/a

🎯 Command Injection Payload List
Stars: 911 | Forks: 249 | Last commit: 7m | License: MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Stars: 31.72K | Forks: 8.67K | Last commit: 32d | License: MIT

ORM Injection

FTP Injection

XXE - XML eXternal Entity

CSRF - Cross-Site Request Forgery

A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Stars: 31.72K | Forks: 8.67K | Last commit: 32d | License: MIT

Clickjacking

SSRF - Server-Side Request Forgery

A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Stars: 31.72K | Forks: 8.67K | Last commit: 32d | License: MIT

Web Cache Poisoning

A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Stars: 31.72K | Forks: 8.67K | Last commit: 32d | License: MIT

Relative Path Overwrite

Open Redirect

🎯 Open Redirect Payload List
Stars: 281 | Forks: 119 | Last commit: 1y 10m | License: MIT

A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Stars: 31.72K | Forks: 8.67K | Last commit: 32d | License: MIT

Security Assertion Markup Language (SAML)

Upload

A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Stars: 31.72K | Forks: 8.67K | Last commit: 32d | License: MIT

Rails

AngularJS

ReactJS

SSL/TLS

🔐 Tutorial on setting up security for your API with one-way authentication (TLS/SSL) and mutual authentication, for a Java-based web server and client, both built on Spring Boot. Different clients are provided, such as Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient (Jetty and Netty), the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, Vert.x, the Scala clients Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala and Http4s Blaze, and the Kotlin clients Fuel, http4k, Kohttp and ktor. Other server examples are also available, such as Jersey with Grizzly. gRPC, WebSocket and ElasticSearch examples are included as well.
Stars: 232 | Forks: 76 | Last commit: 31d | License: Apache-2.0

Webmail

NFS

AWS

Azure

Sub Domain Enumeration

Crypto

Web Shell

OSINT

DNS Rebinding

Deserialization

OAuth

JWT

XXE

CSP

WAF

JSMVC

Authentication

CSRF

Clickjacking

Remote Code Execution

XSS

SQL Injection

NoSQL Injection

FTP Injection

XXE

SSRF

Web Cache Poisoning

Header Injection

URL

Deserialization

OAuth

Others

Frontend (like SOP bypass, URL spoofing, and something like that)

Backend (core of Browser implementation, and often refers to C or C++ part)

Database

A collection of JavaScript engine CVEs with PoCs
Stars: 2.06K | Forks: 408 | Last commit: 2y 93d | License: n/a

✍️ A curated list of CVE PoCs.
Stars: 2.78K | Forks: 681 | Last commit: 9m | License: n/a

Collection or authoring of PoCs and exploits for various vulnerabilities
Stars: 1.63K | Forks: 882 | Last commit: 33d | License: n/a

🔪 Browser logic vulnerabilities
Stars: 600 | Forks: 91 | Last commit: 10m | License: MIT

Cheatsheets

Auditing

Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls and many more additional checks that help with GDPR, HIPAA and other security frameworks.
Stars: 4.16K | Forks: 773 | Last commit: 31d | License: n/a

Automatic scanning for SSL vulnerabilities
Stars: 544 | Forks: 163 | Last commit: 11m | License: MIT

Command Injection

Automated All-in-One OS Command Injection Exploitation Tool.
Stars: 2.96K | Forks: 655 | Last commit: 30d | License: n/a

OSINT - Open-Source Intelligence

Incredibly fast crawler designed for OSINT.
Stars: 8.26K | Forks: 1.21K | Last commit: 7m | License: GPL-3.0

Tool to find metadata and hidden information in documents.
Stars: 1.73K | Forks: 421 | Last commit: 59d | License: GPL-3.0

XRay is a tool for recon, mapping and OSINT gathering from public networks.
Stars: 1.65K | Forks: 260 | Last commit: 40d | License: GPL-3.0

Reconnaissance tool for GitHub organizations
Stars: 5.22K | Forks: 781 | Last commit: 4m | License: MIT

GitHub Sensitive Information Leakage (GitHub sensitive information leak monitoring)
Stars: 1.74K | Forks: 452 | Last commit: 47d | License: GPL-3.0

raven is a LinkedIn information gathering tool that can be used by pentesters to gather information about an organization's employees using LinkedIn.
Stars: 742 | Forks: 171 | Last commit: 1y 6m | License: n/a

Reconnaissance Swiss Army Knife
Stars: 1.23K | Forks: 294 | Last commit: 10m | License: Apache-2.0

The most complete open-source tool for Twitter intelligence analysis
Stars: 1.57K | Forks: 249 | Last commit: 2y 10m | License: CC-BY-SA-4.0

A high-performance offensive security tool for reconnaissance and vulnerability scanning
Stars: 2.26K | Forks: 342 | Last commit: 63d | License: MIT

A Social Media Enumeration & Correlation Tool by Jacob Wilkin (Greenwolf)
Stars: 3.21K | Forks: 757 | Last commit: 30d | License: GPL-3.0

Stars: 34 | Forks: 3 | Last commit: 3y 102d | License: n/a

Sub Domain Enumeration

Fast subdomains enumeration tool for penetration testers
Stars: 6.45K | Forks: 1.65K | Last commit: 77d | License: GPL-2.0

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
Stars: 3.25K | Forks: 657 | Last commit: 31d | License: GPL-3.0

A fast subdomain brute-force tool for pentesters
Stars: 2.54K | Forks: 922 | Last commit: 6m | License: n/a

A Tool for Domain Flyovers
Stars: 4.35K | Forks: 765 | Last commit: 7m | License: MIT

Analyze the security of any domain by finding all the information possible. Made in Python.
Stars: 1.66K | Forks: 241 | Last commit: 4y 23d | License: n/a

Auditing for TLS certificates.
Stars: 797 | Forks: 311 | Last commit: 1y 5m | License: Apache-2.0

A domain searcher named GoogleSSLdomainFinder - a subdomain lookup tool based on Google's SSL certificate transparency logs
Stars: 160 | Forks: 54 | Last commit: 3y 10m | License: Apache-2.0

Code Generating

Vulnerable Web applications Generator
Stars: 76 | Forks: 18 | Last commit: 3y 12m | License: n/a

Fuzzing

Web application fuzzer
Stars: 4.04K | Forks: 1.05K | Last commit: 36d | License: GPL-2.0

A script that inspects multi-byte character sets looking for characters with specific user-defined properties
Stars: 26 | Forks: 8 | Last commit: 5y 5m | License: n/a

A simple tool to convert the IP to a DWORD IP
Stars: 104 | Forks: 40 | Last commit: 5y 4m | License: n/a

DOM fuzzer
Stars: 1.38K | Forks: 261 | Last commit: 65d | License: Apache-2.0

Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
Stars: 6.18K | Forks: 1.85K | Last commit: 89d | License: n/a

Find web directories without brute force
Stars: 1.11K | Forks: 177 | Last commit: 8m | License: MIT

Potentially dangerous files
Stars: 1.49K | Forks: 299 | Last commit: 4m | License: n/a

Scanning

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.
Stars: 6.13K | Forks: 1.06K | Last commit: 31d | License: n/a

A free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan.
Stars: 150 | Forks: 63 | Last commit: 1y 81d | License: GPL-3.0

Fast and customizable vulnerability scanner based on a simple YAML-based DSL.
Stars: 5.69K | Forks: 760 | Last commit: 30d | License: MIT

Penetration Testing

The Offensive Manual Web Application Penetration Testing Framework.
Stars: 1.44K | Forks: 360 | Last commit: 9m | License: GPL-3.0

Automated Security Testing For REST APIs
Stars: 1.86K | Forks: 310 | Last commit: 104d | License: Apache-2.0

A collection of AWS penetration testing junk
Stars: 961 | Forks: 162 | Last commit: 2y 8m | License: n/a

XSS - Cross-Site Scripting

The Browser Exploitation Framework Project
Stars: 6.09K | Forks: 1.46K | Last commit: 37d | License: n/a

JShell - Get a JavaScript shell with XSS.
Stars: 419 | Forks: 127 | Last commit: 2y 7m | License: n/a

Most advanced XSS scanner.
Stars: 9.71K | Forks: 1.46K | Last commit: 46d | License: GPL-3.0

XSS'OR - Hack with JavaScript.
Stars: 1.96K | Forks: 381 | Last commit: 1y 107d | License: BSD-2-Clause

SQL Injection

Automatic SQL injection and database takeover tool
Stars: 21.8K | Forks: 4.6K | Last commit: 1d | License: n/a

Template Injection

Server-Side Template Injection and Code Injection Detection and Exploitation Tool
Stars: 2.59K | Forks: 543 | Last commit: 31d | License: GPL-3.0

XXE

List DTDs and generate XXE payloads using those local DTDs.
Stars: 431 | Forks: 83 | Last commit: 73d | License: n/a

Cross Site Request Forgery

The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.
Stars: 655 | Forks: 156 | Last commit: 111d | License: GPL-3.0

Server-Side Request Forgery

Leaking

HTTPLeaks - All possible ways a website can leak HTTP requests
Stars: 1.52K | Forks: 182 | Last commit: 56d | License: BSD-2-Clause

Rip web accessible (distributed) version control systems: SVN/GIT/HG...
Stars: 1.35K | Forks: 287 | Last commit: 6m | License: GPL-2.0

Pillage web accessible GIT, HG and BZR repositories
Stars: 289 | Forks: 61 | Last commit: 4y 10m | License: n/a

Tool for advanced mining for content on GitHub
Stars: 1.86K | Forks: 426 | Last commit: 1y 97d | License: GPL-3.0

Scan git repos (or files) for secrets using regex and entropy 🔑
Stars: 8.56K | Forks: 772 | Last commit: 30d | License: MIT

Chrome extension and Express server that exploits keylogging abilities of CSS.
Stars: 3.04K | Forks: 437 | Last commit: 3y 9m | License: n/a

Git manager for pentesters
Stars: 104 | Forks: 22 | Last commit: 5y 6m | License: n/a

Tool to scan for secret files on HTTP servers
Stars: 1.87K | Forks: 215 | Last commit: 48d | License: CC0-1.0

A Python script that finds endpoints in JavaScript files
Stars: 2.21K | Forks: 451 | Last commit: 11m | License: MIT

Detecting

Scanner detecting the use of JavaScript libraries with known vulnerabilities
Stars: 2.86K | Forks: 361 | Last commit: 54d | License: n/a

Sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction. Written for Node.js
Stars: 382 | Forks: 99 | Last commit: 2y 119d | License: MIT

Scan your code for security misconfiguration, search for passwords and secrets.
Stars: 531 | Forks: 88 | Last commit: 114d | License: MIT

bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
Stars: 347 | Forks: 60 | Last commit: 31d | License: MIT

🔥 Open source RASP solution
Stars: 1.97K | Forks: 477 | Last commit: 36d | License: Apache-2.0

Preventing

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
Stars: 8.11K | Forks: 523 | Last commit: 7d | License: n/a

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a whitelist
Stars: 4.33K | Forks: 574 | Last commit: 57d | License: n/a

Database security suite. Database proxy with field-level encryption, search through encrypted data, SQL injection prevention, intrusion detection, honeypots. Supports client-side and proxy-side ("transparent") encryption. SQL, NoSQL.
Stars: 830 | Forks: 94 | Last commit: 10d | License: Apache-2.0

Proxy

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
Stars: 25.07K | Forks: 3.11K | Last commit: 31d | License: MIT

Webshell

Nano is a family of PHP web shells which are code golfed for stealth.
Stars: 398 | Forks: 96 | Last commit: 1y 9m | License: n/a

This is a webshell open source project
Stars: 7.42K | Forks: 5.03K | Last commit: 30d | License: MIT

Weaponized web shell
Stars: 2.38K | Forks: 530 | Last commit: 1y 87d | License: GPL-3.0

Manage your website via terminal
Stars: 379 | Forks: 113 | Last commit: 6m | License: GPL-3.0

A multiple reverse shell session/client manager via terminal
Stars: 193 | Forks: 59 | Last commit: 1y 67d | License: n/a

Reverse Shell as a Service
Stars: 1.4K | Forks: 205 | Last commit: 1y 45d | License: MIT

Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoor
Stars: 1.48K | Forks: 373 | Last commit: 33d | License: GPL-3.0

Disassembler

Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax.
Stars: 2.95K | Forks: 305 | Last commit: 95d | License: GPL-3.0

UNIX-like reverse engineering framework and command-line toolset
Stars: 15.2K | Forks: 2.56K | Last commit: 30d | License: LGPL-3.0

This project has been moved to:
Stars: 1.52K | Forks: 132 | Last commit: 8m | License: GPL-3.0

Decompiler

DNS Rebinding

A front-end JavaScript toolkit for creating DNS rebinding attacks.
Stars: 448 | Forks: 86 | Last commit: 63d | License: MIT

DNS Rebinding Exploitation Framework
Stars: 436 | Forks: 71 | Last commit: 7m | License: n/a

A DNS rebinding attack framework.
Stars: 698 | Forks: 104 | Last commit: 7m | License: MIT

A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)
Stars: 548 | Forks: 93 | Last commit: 3y 5m | License: MIT

Others

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
Stars: 13.29K | Forks: 1.75K | Last commit: 36d | License: Apache-2.0

Parse NTLM challenge messages over HTTP and SMB
Stars: 116 | Forks: 20 | Last commit: 1y 8m | License: MIT

Minimal code to connect to a CEF debugger.
Stars: 134 | Forks: 19 | Last commit: 1y 5m | License: Apache-2.0

Interactive CTF Exploration Tool
Stars: 1.55K | Forks: 273 | Last commit: 78d | License: Apache-2.0

Social Engineering Database

Blogs

Twitter Users

Application

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
Stars: 6.15K | Forks: 3.84K | Last commit: 32d | License: MIT

Vulnerable web application for training
Stars: 53 | Forks: 5 | Last commit: 3y 7m | License: MIT

AWS

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
Stars: 1.32K | Forks: 281 | Last commit: 39d | License: BSD-3-Clause

XSS

ModSecurity / OWASP ModSecurity Core Rule Set

Community

Miscellaneous

A comprehensive curated list of available Bug Bounty & Disclosure Programs and Write-ups.
Stars: 3.05K | Forks: 794 | Last commit: 34d | License: CC0-1.0

Inspired by https://github.com/djadmin/awesome-bug-bounty, a list of bug bounty write-ups categorized by the nature of the bug
Stars: 2.65K | Forks: 856 | Last commit: 63d | License: n/a

Decrypted content of eqgrp-auction-file.tar.xz
Stars: 3.74K | Forks: 2.1K | Last commit: 4y 6m | License: n/a

Some public notes
Stars: 1.26K | Forks: 85 | Last commit: 2y 4m | License: n/a

An Information Security Reference That Doesn't Suck; https://rmusser.net/git/admin-2/Infosec_Reference for non-MS Git hosted version.
Stars: 4.09K | Forks: 1.01K | Last commit: 31d | License: MIT