Awesome Web Security
š¶ Curated list of Web Security materials and resources.
Needless to say, most websites suffer from various types of bugs which may eventually lead to vulnerabilities. Why would this happen so often? There can be many factors involved including misconfiguration, shortage of engineersā security skills, etc. To combat this, here is a curated list of Web Security materials and resources for learning cutting edge penetration techniques, and I highly encourage you to read this article āSo you want to be a web security researcher?ā first.
Please read the contribution guidelines before contributing.
š Want to strengthen your penetration skills?
I would recommend playing some awesome-ctfs.
If you enjoy this awesome list and would like to support it, check out my Patreon page :)
Also, donāt forget to check out my repos š¾ or say hi on my Twitter!
Contents
Digests
Forums
Introduction
XSS - Cross-Site Scripting
Prototype Pollution
CSV Injection
SQL Injection
Command Injection
ORM Injection
FTP Injection
XXE - XML eXternal Entity
CSRF - Cross-Site Request Forgery
Clickjacking
SSRF - Server-Side Request Forgery
Web Cache Poisoning
Relative Path Overwrite
Open Redirect
Security Assertion Markup Language (SAML)
Upload
Rails
AngularJS
ReactJS
SSL/TLS
Webmail
NFS
-
[NFS |
PENETRATION TESTING ACADEMY](https://pentestacademy.wordpress.com/2017/09/20/nfs/?t=1&cn=ZmxleGlibGVfcmVjc18y&refsrc=email&iid=b34422ce15164e99a193fea0ccc7a02f&uid=1959680352&nid=244+289476616) - Written by PENETRATION ACADEMY. |
AWS
Azure
Fingerprint
Sub Domain Enumeration
Crypto
Web Shell
OSINT
DNS Rebinding
Deserialization
OAuth
JWT
Evasions
XXE
CSP
WAF
JSMVC
Authentication
Tricks
CSRF
Clickjacking
Remote Code Execution
XSS
SQL Injection
NoSQL Injection
FTP Injection
XXE
SSRF
Web Cache Poisoning
URL
Deserialization
OAuth
Others
Browser Exploitation
Frontend (like SOP bypass, URL spoofing, and something like that)
Backend (core of Browser implementation, and often refers to C or C++ part)
PoCs
Database
Cheetsheets
Auditing
Command Injection
Reconnaissance
OSINT - Open-Source Intelligence
-
Shodan - Shodan is the worldās first search engine for Internet-connected devices by @shodanhq.
-
Censys - Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.
-
urlscan.io - Service which analyses websites and the resources they request by @heipei.
-
ZoomEye - Cyberspace Search Engine by @zoomeye_team.
-
FOFA - Cyberspace Search Engine by BAIMAOHUI.
-
NSFOCUS - THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.
-
Photon - Incredibly fast crawler designed for OSINT by @s0md3v.
-
FOCA - FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by ElevenPaths.
-
SpiderFoot - Open source footprinting and intelligence-gathering tool by @binarypool.
-
xray - XRay is a tool for recon, mapping and OSINT gathering from public networks by @evilsocket.
-
gitrob - Reconnaissance tool for GitHub organizations by @michenriksen.
-
GSIL - Github Sensitive Information Leakageļ¼Githubęęäæ”ęÆę³é²ļ¼by @FeeiCN.
-
raven - raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin by @0x09AL.
-
ReconDog - Reconnaissance Swiss Army Knife by @s0md3v.
-
Databases - start.me - Various databases which you can use for your OSINT research by @technisette.
-
peoplefindThor - the easy way to find people on Facebook by postkassen.
-
tinfoleak - The most complete open-source tool for Twitter intelligence analysis by @vaguileradiaz.
-
Raccoon - High performance offensive security tool for reconnaissance and vulnerability scanning by @evyatarmeged.
-
Social Mapper - Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf) by @SpiderLabs.
-
espi0n/Dockerfiles - Dockerfiles for various OSINT tools by @espi0n.
Sub Domain Enumeration
Code Generating
Fuzzing
-
wfuzz - Web application bruteforcer by @xmendez.
-
charsetinspect - Script that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.
-
IPObfuscator - Simple tool to convert the IP to a DWORD IP by @OsandaMalith.
-
domato - DOM fuzzer by @google.
-
FuzzDB - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
-
dirhunt - Web crawler optimized for searching and analyzing the directory structure of a site by @nekmo.
-
ssltest - Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.
-
fuzz.txt - Potentially dangerous files by @Bo0oM.
Scanning
-
wpscan - WPScan is a black box WordPress vulnerability scanner by @wpscanteam.
-
JoomlaScan - Free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by @drego85.
-
WAScan - Is an open source web application security scanner that uses āblack-boxā method, created by @m4ll0k.
-
Nuclei - Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by @projectdiscovery.
Penetration Testing
Offensive
XSS - Cross-Site Scripting
-
beef - The Browser Exploitation Framework Project by beefproject.
-
JShell - Get a JavaScript shell with XSS by @s0md3v.
-
XSStrike - XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by @s0md3v.
-
xssor2 - XSSāOR - Hack with JavaScript by @evilcos.
-
csp evaluator - A tool for evaluating content-security-policies by Csper.
SQL Injection
-
sqlmap - Automatic SQL injection and database takeover tool.
Template Injection
-
tplmap - Code and Server-Side Template Injection Detection and Exploitation Tool by @epinna.
XXE
Cross Site Request Forgery
Server-Side Request Forgery
Leaking
Detecting
-
sqlchop - SQL injection detection engine by chaitin.
-
xsschop - XSS detection engine by chaitin.
-
retire.js - Scanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.
-
malware-jail - Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by @HynekPetrak.
-
repo-supervisor - Scan your code for security misconfiguration, search for passwords and secrets.
-
bXSS - bXSS is a simple Blind XSS application adapted from cure53.de/m by @LewisArdern.
-
OpenRASP - An open source RASP solution actively maintained by Baidu Inc. With context-aware detection algorithm the project achieved nearly no false positives. And less than 3% performance reduction is observed under heavy server load.
-
GuardRails - A GitHub App that provides security feedback in Pull Requests.
Preventing
-
DOMPurify - DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by Cure53.
-
js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.
-
Acra - Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by @cossacklabs.
-
Csper - A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.
Proxy
-
Charles - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
-
mitmproxy - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.
Webshell
Disassembler
Decompiler
DNS Rebinding
-
DNS Rebind Toolkit - DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by @brannondorsey
-
dref - DNS Rebinding Exploitation Framework. Dref does the heavy-lifting for DNS rebinding by @mwrlabs
-
Singularity of Origin - It includes the necessary components to rebind the IP address of the attack server DNS name to the target machineās IP address and to serve attack payloads to exploit vulnerable software on the target machine by @nccgroup
-
Whonow DNS Server - A malicious DNS server for executing DNS Rebinding attacks on the fly by @brannondorsey
Others
Social Engineering Database
Blogs
-
@HackwithGitHub - Initiative to showcase open source hacking tools for hackers and pentesters
-
@filedescriptor - Active penetrator often tweets and writes useful articles
-
@cure53berlin - Cure53 is a German cybersecurity firm.
-
@XssPayloads - The wonderland of JavaScript unexpected usages, and more.
-
@kinugawamasato - Japanese web penetrator.
-
@h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
-
@garethheyes - English web penetrator.
-
@hasegawayosuke - Japanese javascript security researcher.
-
@shhnjk - Web and Browsers Security Researcher.
Practices
Application
AWS
XSS
ModSecurity / OWASP ModSecurity Core Rule Set
Miscellaneous
Code of Conduct
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
License
To the extent possible under law, @qazbnm456 has waived all copyright and related or neighboring rights to this work.