Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-web-security
https://github.com/cyberheartmi9/awesome-web-security
Tools
Reconnaissance
- FOFA - Cyberspace asset search engine by [白帽汇](http://baimaohui.net/).
- ZoomEye - ZoomEye is a search engine for cyberspace by [@zoomeye_team](https://twitter.com/zoomeye_team).
- 傻蛋联网设备搜索 (Shadan connected-device search) - Monitors security threats to Internet infrastructure by [@傻蛋搜索](http://weibo.com/shadansou).
- Shodan - Shodan is the world's first search engine for Internet-connected devices by [@shodanhq](https://twitter.com/shodanhq).
- urlscan.io - Service which analyses websites and the resources they request by [@heipei](https://twitter.com/heipei).
- NSFOCUS - THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.
- Certificate Search - Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by [@crtsh](https://github.com/crtsh).
- Censys - Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by [University of Michigan](https://umich.edu/).
Others
- Dnslogger - DNS Logger by [@iagox86](https://github.com/iagox86).
Browser Exploitation
Backend (core of Browser implementation, and often refers to C or C++ part)
- Exploiting a V8 OOB write. - Written by [@halbecaf](https://twitter.com/halbecaf).
- FROM CRASH TO EXPLOIT: CVE-2015-6086 – OUT OF BOUND READ/ASLR BYPASS - Written by [payatu](http://payatu.com/).
- First Step to Browser Exploitation - Written by [Brian Pak](http://mashirogod.dothome.co.kr/).
- Attacking JavaScript Engines - A case study of JavaScriptCore and CVE-2016-4622.
- Three roads lead to Rome - Written by [Luke Viruswalker](http://blogs.360.cn/360safe/author/xsecure/).
Frontend (like CSP bypass, URL spoofing, and something like that)
- Browser Vulnerabilities and Their Impact (ブラウザの脆弱性とそのインパクト) - Written by [Muneaki Nishimura](https://speakerdeck.com/nishimunea) and [Masato Kinugawa](https://twitter.com/kinugawamasato).
- SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge) - Written by [Manuel](https://twitter.com/magicmac2000).
Tricks
Others
- Covert Attacks: Domain Fronting (隱匿的攻擊之-Domain Fronting) - Written by [Evi1cg](https://evi1cg.me/).
- Always Losing CTFs? You're Still Missing Some Tricks! (CTF比赛总是输?你还差点Tricks!) - Written by [PHITHON](https://www.leavesongs.com/).
- Some Tricks From My Secret Group - Written by [PHITHON](https://www.leavesongs.com/).
Remote Code Execution
- Bypassing eval Length Limits && New Features in PHP 5.6 (eval长度限制绕过 && PHP5.6新特性) - Written by [PHITHON](https://www.leavesongs.com/).
- Exploiting Node.js deserialization bug for Remote Code Execution - Written by [OpSecX](https://opsecx.com/index.php/author/ajinabraham/).
- DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE - Written by [Ambionics Security](https://www.ambionics.io/).
- How we exploited a remote code execution vulnerability in math.js - Written by [@capacitorset](https://github.com/capacitorset).
- GitHub Enterprise Remote Code Execution - Written by [@iblue](https://github.com/iblue).
- How i Hacked into a PayPal's Server - Unrestricted File Upload to Remote Code Execution - Written by [Vikas Anil Sharma](http://blog.pentestbegins.com/).
XSS
- - Written by [Marin Moulinier](https://medium.com/@marin_m).
- DON'T TRUST THE DOM: BYPASSING XSS MITIGATIONS VIA SCRIPT GADGETS - Written by [Sebastian Lekies](https://twitter.com/slekies), [Krzysztof Kotowicz](https://twitter.com/kkotowicz), and [Eduardo Vela](https://twitter.com/sirdarckcat).
- Uber XSS via Cookie - Written by [zhchbin](http://zhchbin.github.io/).
SQL Injection
- MySQL Injection Without Commas (屌智硬之mysql不用逗号注入) - Written by [jinglingshu](http://www.jinglingshu.org/?p=2220).
- MySQL Error Based SQL Injection Using EXP - Written by [@osandamalith](https://twitter.com/osandamalith).
- SQL injection in an UPDATE query - a bug bounty story! - Written by [Zombiehelp54](http://zombiehelp54.blogspot.jp/).
SSRF
- SSRF in https://imgur.com/vidgif/url - Written by [aesteral](https://hackerone.com/aesteral).
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Written by [Orange](http://blog.orange.tw/).
- SSRF Tips - Written by [xl7dev](http://blog.safebuff.com/).
Header Injection
- Java/Python FTP Injections Allow for Firewall Bypass - Written by [Timothy Morgan](https://plus.google.com/105917618099766831589).
URL
- URL Hacking - Front-End Dirty Tricks (前端猥琐流) - Written by [0x_Jin](http://xssec.lofter.com/).
- Phishing with Unicode Domains - Written by [Xudong Zheng](https://www.xudongz.com/).
- Unicode Domains are bad and you should feel bad for supporting them - Written by [VRGSEC](https://www.vgrsec.com/).
Resources
XSS
- H5SC - HTML5 Security Cheatsheet - Collection of HTML5 related XSS attack vectors by [@cure53](https://github.com/cure53).
- XSS.png - XSS mind map by [@jackmasa](https://github.com/jackmasa).
- C.XSS Guide - Comprehensive tutorial on cross-site scripting by [@JakobKallin](https://github.com/JakobKallin) and [Irene Lobo Valbuena](https://www.linkedin.com/in/irenelobovalbuena/).
Books
- Security Geek 2017 - Q2 - Written by [360网络攻防实验室](http://bobao.360.cn/).
- Security Geek 2017 - Q1 - Written by [360网络攻防实验室](http://bobao.360.cn/).
- Security Geek 2016 - Part. A - Written by [360网络攻防实验室](http://bobao.360.cn/).
- Security Geek 2016 - Part. B - Written by [360网络攻防实验室](http://bobao.360.cn/).
Tips
- Infosec Newbie - Written by [Mark Robinson](https://www.sneakymonkey.net/).
- Got Your PW - Written by [@s3131212](https://github.com/s3131212).
CSV Injection
- CSV Injection -> Meterpreter on Pornhub - Written by [Andy](https://blog.zsec.uk/).
- The Absurdly Underestimated Dangers of CSV Injection - Written by [George Mauer](http://georgemauer.net/).
ORM Injection
- HQL for pentesters - Written by [@h3xstream](https://twitter.com/h3xstream/).
- HQL : Hyperinsane Query Language (or how to access the whole SQL API within a HQL injection ?) - Written by [@_m0bius](https://twitter.com/_m0bius).
- ORM2Pwn: Exploiting injections in Hibernate ORM - Written by [Mikhail Egorov](https://0ang3el.blogspot.tw/).
- ORM Injection - Written by [Simone Onofri](https://onofri.org/).
XXE
- XXE - Written by [@phonexicum](https://twitter.com/phonexicum).
SSRF
- SSRF bible. Cheatsheet - Written by [@Wallarm](https://twitter.com/wallarm).
SSL/TLS
- SSL & TLS Penetration Testing - Written by [APTIVE](https://www.aptive.co.uk/).
AWS
- PENETRATION TESTING AWS STORAGE: KICKING THE S3 BUCKET - Written by Dwight Hohnstein from [Rhino Security Labs](https://rhinosecuritylabs.com/).
Crypto
- Applied Crypto Hardening - Written by [The bettercrypto.org Team](https://bettercrypto.org/).
CSRF
- Let's Talk About CSRF (讓我們來談談 CSRF) - Written by [TechBridge](http://blog.techbridge.cc/).
Blogs
Others
- LoRexxar - Growing with reverence for technology, never content to stay in one corner...
- Wfox - A tech geek, enthusiastic about all kinds of things.
- leavesongs - China's talented web penetrator.
- Broken Browser - Fun with Browser Vulnerabilities.
- Blog of Osanda - Security Researching and Reverse Engineering.
- BRETT BUERHAUS - Vulnerability disclosures and rambles on application security.
- n0tr00t - ~# n0tr00t Security Team.
- OpnSec - Open Mind Security!
Twitter Users
Others
- @kinugawamasato - Japanese web penetrator.
- @h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
- @garethheyes - English web penetrator.
- @hasegawayosuke - Japanese JavaScript security researcher.
- @filedescriptor - Active penetrator who often tweets and writes useful articles.
- @cure53berlin - [Cure53](https://cure53.de/) is a German cybersecurity firm.
- @XssPayloads - The wonderland of JavaScript unexpected usages, and more.
Practices
AWS
- FLAWS - Amazon AWS CTF challenge - Written by [@0xdabbad00](https://twitter.com/0xdabbad00).
XSS
- alert(1) to win - Series of XSS challenges - Written by [@steike](https://twitter.com/steike).
Community
Forums
- Drops (backup) - Drops was known as a famous knowledge base for hacking technology.
- Paper from Seebug - Knowledge base for hacking technology built by [Seebug](http://seebug.org/).
- 安全脉搏 (Security Pulse) - Blog for security things.
- HackDig - Dig high-quality web security articles for hacker.
- Freebuf - Freebuf is the most popular forum in China for exchanging and sharing hacking technology.
Evasions
WAF
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Written by [@Brett Buerhaus](https://twitter.com/bbuerhaus).
Authentication
- Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) - Written by [@malerisch](https://twitter.com/malerisch) and [@steventseeley](https://twitter.com/steventseeley).
Social Engineering Database
Others
- haveibeenpwned - Check if you have an account that has been compromised in a data breach by [Troy Hunt](https://www.troyhunt.com/).
- mysql-password - Database of MySQL hashes.
- 70 SECURITY TEAM Social Engineering Data - 70 SECURITY TEAM social engineering database by [70 Security Team](http://70sec.com/).
Miscellaneous
XSS
- Google VRP and Unicorns - Written by [Daniel Stelter-Gliese](https://www.linkedin.com/in/daniel-stelter-gliese-170a70a2/).
- Hunting for Web Shells - Written by [Jacob Baines](https://www.tenable.com/profile/jacob-baines).
- The Definitive Security Data Science and Machine Learning Guide - Written by JASON TROS.
- Browser Extension and Login-Leak Experiment.