Curated list of awesome lists
Awesome Web Security
🐶 Curated list of Web Security materials and resources.
Needless to say, most websites suffer from various types of bugs which may eventually lead to vulnerabilities. Why would this happen so often? There can be many factors involved including misconfiguration, shortage of engineers' security skills, etc. To combat this, here is a curated list of Web Security materials and resources for learning cutting edge penetration techniques, and I highly encourage you to read this article "So you want to be a web security researcher?" first.
Please read the contribution guidelines before contributing.
If you enjoy this awesome list and would like to support it, check out my Patreon page :)Also, don't forget to check out my repos 🐾 or say hi on my Twitter!
XSS - Cross-Site Scripting
XXE - XML eXternal Entity
CSRF - Cross-Site Request Forgery
SSRF - Server-Side Request Forgery
Sub Domain Enumeration
Remote Code Execution
Frontend (like SOP bypass, URL spoofing, and something like that)
Backend (core of Browser implementation, and often refers to C or C++ part)
prowler - Tool for AWS security assessment, auditing and hardening by @Alfresco.
A2SV - Auto Scanning to SSL Vulnerability by @hahwul.
dirhunt - Web crawler optimized for searching and analyzing the directory structure of a site by @nekmo.
OSINT - Open-Source Intelligence
Shodan - Shodan is the world's first search engine for Internet-connected devices by @shodanhq.
Censys - Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.
urlscan.io - Service which analyses websites and the resources they request by @heipei.
ZoomEye - Cyberspace Search Engine by @zoomeye_team.
FOFA - Cyberspace Search Engine by BAIMAOHUI.
NSFOCUS - THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.
FOCA - FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by ElevenPaths.
SpiderFoot - Open source footprinting and intelligence-gathering tool by @binarypool.
xray - XRay is a tool for recon, mapping and OSINT gathering from public networks by @evilsocket.
gitrob - Reconnaissance tool for GitHub organizations by @michenriksen.
GSIL - Github Sensitive Information Leakage（Github敏感信息泄露）by @FeeiCN.
raven - raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin by @0x09AL.
ReconDog - Recon Dog is an all in one tool for all your basic information gathering needs by @UltimateHackers.
Databases - start.me - Various databases which you can use for your OSINT research by @technisette.
peoplefindThor - the easy way to find people on Facebook by [postkassen](mailto:[email protected]?subject=peoplefindthor.dk comments).
tinfoleak - The most complete open-source tool for Twitter intelligence analysis by @vaguileradiaz.
OSINT TOOLKIT - OSINT TOOLKIT by the OSINT Toolkit Admin Team.
Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning
Sub Domain Enumeration
XSS - Cross-Site Scripting
XSStrike - XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by @s0md3v.
sqlmap - Automatic SQL injection and database takeover tool.
tplmap - Code and Server-Side Template Injection Detection and Exploitation Tool by @epinna.
sqlchop - SQL injection detection engine by chaitin.
xsschop - XSS detection engine by chaitin.
repo-supervisor - Scan your code for security misconfiguration, search for passwords and secrets.
bXSS - bXSS is a simple Blind XSS application adapted from cure53.de/m by @LewisArdern.
OpenRASP - An open source RASP solution actively maintained by Baidu Inc. With context-aware detection algorithm the project achieved nearly no false positives. And less than 3% performance reduction is observed under heavy server load.
DOMPurify - DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by Cure53.
js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.
Acra - Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by @cossacklabs.
Charles - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
mitmproxy - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.
Social Engineering Database
use at your own risk
@HackwithGitHub - Initiative to showcase open source hacking tools for hackers and pentesters
@filedescriptor - Active penetrator often tweets and writes useful articles
@cure53berlin - Cure53 is a German cybersecurity firm.
@kinugawamasato - Japanese web penetrator.
@h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
@garethheyes - English web penetrator.
ModSecurity / OWASP ModSecurity Core Rule Set
Code of Conduct
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
To the extent possible under law, @qazbnm456 has waived all copyright and related or neighboring rights to this work.