Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

WebHackersWeapons

⚔️ Web Hacker's Weapons / A collection of cool tools used by Web hackers. Happy hacking , Happy bug-hunting
https://github.com/hahwul/WebHackersWeapons

Last synced: 5 days ago
JSON representation

  • Family project

  • Weapons

    • Tools

      • BurpSuite - audit`](/categorize/tags/live-audit.md) [`crawl`](/categorize/tags/crawl.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • Caido
      • Echo Mirage
      • Shodan - connected devices||[`osint`](/categorize/tags/osint.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)|
      • Phoenix
      • axiom
      • jaeles - project/jaeles?label=%20)|[`live-audit`](/categorize/tags/live-audit.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • Metasploit - framework?label=%20)|[`pentest`](/categorize/tags/pentest.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Ruby](/images/ruby.png)](/categorize/langs/Ruby.md)|
      • ZAP - audit`](/categorize/tags/live-audit.md) [`crawl`](/categorize/tags/crawl.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![zap](/images/zap.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • proxify
      • hetty
      • Glorp - based HTTP intercept and replay proxy|![](https://img.shields.io/github/stars/denandz/glorp?label=%20)|[`mitmproxy`](/categorize/tags/mitmproxy.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • mitmproxy - capable intercepting HTTP proxy for penetration testers and software developers.|![](https://img.shields.io/github/stars/mitmproxy/mitmproxy?label=%20)|[`mitmproxy`](/categorize/tags/mitmproxy.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • EvilProxy - proxy?label=%20)|[`mitmproxy`](/categorize/tags/mitmproxy.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Ruby](/images/ruby.png)](/categorize/langs/Ruby.md)|
      • knock
      • meg - without killing the hosts |![](https://img.shields.io/github/stars/tomnomnom/meg?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • xnLinkFinder - h4ck3r/xnLinkFinder?label=%20)|[`js-analysis`](/categorize/tags/js-analysis.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • dnsprobe
      • noir - cr/noir?label=%20)|[`endpoint`](/categorize/tags/endpoint.md) [`url`](/categorize/tags/url.md) [`attack-surface`](/categorize/tags/attack-surface.md)|![linux](/images/linux.png)![macos](/images/apple.png)[![Crystal](/images/crystal.png)](/categorize/langs/Crystal.md)|
      • gowitness - a golang, web screenshot utility using Chrome Headless |![](https://img.shields.io/github/stars/sensepost/gowitness?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • recon_profile
      • hakrawler
      • htcat
      • subfinder
      • Silver
      • Smap - in replacement for Nmap powered by shodan.io|![](https://img.shields.io/github/stars/s0md3v/smap/?label=%20)|[`port`](/categorize/tags/port.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • graphw00f
      • JSFScan.sh - analysis`](/categorize/tags/js-analysis.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Shell](/images/shell.png)](/categorize/langs/Shell.md)|
      • gau
      • ParamSpider
      • subgen - to pipe into your favourite resolver!|![](https://img.shields.io/github/stars/pry0cc/subgen?label=%20)|[`subdomains`](/categorize/tags/subdomains.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • Sub404 - pr0xy/sub404?label=%20)|[`subdomains`](/categorize/tags/subdomains.md) [`takeover`](/categorize/tags/takeover.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • gobuster
      • fhc
      • aquatone
      • shosubgo
      • haktrails
      • intrigue-core - core?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Ruby](/images/ruby.png)](/categorize/langs/Ruby.md)|
      • github-endpoints - endpoints?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • goverview - Get an overview of the list of URLs|![](https://img.shields.io/github/stars/j3ssie/goverview?label=%20)|[`url`](/categorize/tags/url.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • assetfinder
      • waybackurls
      • findomain - platform subdomain enumerator, do not waste your time. |![](https://img.shields.io/github/stars/Edu4rdSHL/findomain?label=%20)|[`subdomains`](/categorize/tags/subdomains.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Rust](/images/rust.png)](/categorize/langs/Rust.md)|
      • cc.py
      • shuffledns - output support. |![](https://img.shields.io/github/stars/projectdiscovery/shuffledns?label=%20)|[`dns`](/categorize/tags/dns.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • getJS - analysis`](/categorize/tags/js-analysis.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • subs_all
      • csprecon
      • puredns
      • jsluice - analysis`](/categorize/tags/js-analysis.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • cariddi
      • subjack
      • Photon
      • dirsearch
      • bbot
      • parameth - /parameth?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • spiderfoot
      • zdns
      • SubOver
      • lazyrecon
      • katana - generation crawling and spidering framework.|![](https://img.shields.io/github/stars/projectdiscovery/katana?label=%20)|[`crawl`](/categorize/tags/crawl.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • dnsx - purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.|![](https://img.shields.io/github/stars/projectdiscovery/dnsx?label=%20)|[`dns`](/categorize/tags/dns.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • gauplus
      • BLUTO
      • HostHunter
      • BugBountyScanner
      • gitrob
      • rengine
      • HydraRecon
      • rusolver
      • apkleaks
      • longtongue
      • reconftw
      • masscan
      • chaos-client - client?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • megplus
      • Hunt3r
      • subjs
      • dnsvalidator
      • github-subdomains - subdomains?label=%20)|[`subdomains`](/categorize/tags/subdomains.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • crawlergo
      • favirecon
      • GitMiner
      • hakrevdns
      • LinkFinder - analysis`](/categorize/tags/js-analysis.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • Osmedeus
      • FavFreak
      • STEWS
      • naabu
      • dmut
      • OneForAll
      • x8
      • urlhunter
      • sn0int - automatic OSINT framework and package manager|![](https://img.shields.io/github/stars/kpcyrd/sn0int?label=%20)|[`osint`](/categorize/tags/osint.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Rust](/images/rust.png)](/categorize/langs/Rust.md)|
      • CT_subdomains
      • scilla
      • 3klCon
      • uncover
      • Lepus
      • Arjun
      • go-dork - dork?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • subzy
      • pagodo - Automate Google Hacking Database scraping and searching|![](https://img.shields.io/github/stars/opsdisk/pagodo?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • Sudomy
      • gospider - Fast web spider written in Go |![](https://img.shields.io/github/stars/jaeles-project/gospider?label=%20)|[`crawl`](/categorize/tags/crawl.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • httpx - purpose HTTP toolkit allow to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads. |![](https://img.shields.io/github/stars/projectdiscovery/httpx?label=%20)|[`url`](/categorize/tags/url.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • SecretFinder - A python script for find sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript files |![](https://img.shields.io/github/stars/m4ll0k/SecretFinder?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • altdns - au/altdns?label=%20)|[`dns`](/categorize/tags/dns.md) [`subdomains`](/categorize/tags/subdomains.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • Parth
      • uro
      • feroxbuster
      • BatchQL
      • jwt-cracker - cracker?label=%20)|[`jwt`](/categorize/tags/jwt.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • GraphQLmap
      • CrackQL - force and fuzzing utility.|![](https://img.shields.io/github/stars/nicholasaleks/CrackQL?label=%20)|[`graphql`](/categorize/tags/graphql.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • medusa
      • crlfuzz
      • c-jwt-cracker - rius/c-jwt-cracker?label=%20)|[`jwt`](/categorize/tags/jwt.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![C](/images/c.png)](/categorize/langs/C.md)|
      • jwt-hack - hack is tool for hacking / security testing to JWT. Supported for En/decoding JWT, Generate payload for JWT attack and very fast cracking(dict/brutefoce)|![](https://img.shields.io/github/stars/hahwul/jwt-hack?label=%20)|[`jwt`](/categorize/tags/jwt.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • ffuf
      • BruteX
      • SmuggleFuzz
      • SSRFire
      • fuzzparam
      • headerpwn
      • ParamPamPam - vuln`](/categorize/tags/cache-vuln.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • dotdotpwn - The Directory Traversal Fuzzer |![](https://img.shields.io/github/stars/wireghoul/dotdotpwn?label=%20)|[`path-traversal`](/categorize/tags/path-traversal.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Perl](/images/perl.png)](/categorize/langs/Perl.md)|
      • kiterunner
      • thc-hydra - thc/thc-hydra?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![C](/images/c.png)](/categorize/langs/C.md)|
      • SSRFmap
      • wfuzz
      • Clairvoyance
      • SSTImap
      • LFISuite
      • xsscrapy
      • hinject
      • DSSS
      • httprobe
      • rapidscan - Tool Web Vulnerability Scanner. |![](https://img.shields.io/github/stars/skavngr/rapidscan?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • XSStrike
      • confused - prodsec/confused?label=%20)|[`dependency-confusion`](/categorize/tags/dependency-confusion.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • sqliv - robot/sqliv?label=%20)|[`sqli`](/categorize/tags/sqli.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • Chromium-based-XSS-Taint-Tracking - based xss detection that used to find the flows from a source to a sink.|![](https://img.shields.io/github/stars/v8blink/Chromium-based-XSS-Taint-Tracking?label=%20)|[`xss`](/categorize/tags/xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)|
      • NoSQLMap
      • FockCache - vuln`](/categorize/tags/cache-vuln.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • autopoisoner - vuln`](/categorize/tags/cache-vuln.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • dalfox - source XSS scanner and utility focused on automation.|![](https://img.shields.io/github/stars/hahwul/dalfox?label=%20)|[`xss`](/categorize/tags/xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • plution - pollution`](/categorize/tags/prototype-pollution.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • nikto
      • PPScan - pollution`](/categorize/tags/prototype-pollution.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • xsser - framework- to detect, exploit and report XSS vulnerabilities in web-based applications. |![](https://img.shields.io/github/stars/epsylon/xsser?label=%20)|[`xss`](/categorize/tags/xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • SQLiDetector
      • web_cache_poison - Top 1 web hacking technique of 2019|![](https://img.shields.io/github/stars/fngoo/web_cache_poison?label=%20)|[`cache-vuln`](/categorize/tags/cache-vuln.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Shell](/images/shell.png)](/categorize/langs/Shell.md)|
      • nuclei
      • xsinator.com - Leak Browser Test Suite|![](https://img.shields.io/github/stars/RUB-NDS/xsinator.com?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • XSpear
      • domdig
      • h2csmuggler
      • dontgo403
      • http-request-smuggling - request-smuggling?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • smuggler - An HTTP Request Smuggling / Desync testing tool written in Python 3 |![](https://img.shields.io/github/stars/defparam/smuggler?label=%20)|[`smuggle`](/categorize/tags/smuggle.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • VHostScan - all scenarios, work around wildcards, aliases and dynamic default pages. |![](https://img.shields.io/github/stars/codingo/VHostScan?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • pphack - Side Prototype Pollution Scanner|![](https://img.shields.io/github/stars/edoardottt/pphack?label=%20)|[`prototypepollution`](/categorize/tags/prototypepollution.md) [`prototype-pollution`](/categorize/tags/prototype-pollution.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • Striker
      • CorsMe
      • Corsy
      • Oralyzer
      • ditto
      • Web-Cache-Vulnerability-Scanner - based CLI tool for testing for web cache poisoning. It is developed by Hackmanit GmbH (http://hackmanit.de/).|![](https://img.shields.io/github/stars/Hackmanit/Web-Cache-Vulnerability-Scanner?label=%20)|[`cache-vuln`](/categorize/tags/cache-vuln.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • github-search - search?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:|![](https://img.shields.io/github/stars/cure53/DOMPurify?label=%20)|[`xss`](/categorize/tags/xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • V3n0M-Scanner - Scanner/V3n0M-Scanner?label=%20)|[`sqli`](/categorize/tags/sqli.md) [`xss`](/categorize/tags/xss.md) [`lfi`](/categorize/tags/lfi.md) [`rfi`](/categorize/tags/rfi.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • nmap - the Network Mapper. Github mirror of official SVN repository. |![](https://img.shields.io/github/stars/nmap/nmap?label=%20)|[`portscan`](/categorize/tags/portscan.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![C](/images/c.png)](/categorize/langs/C.md)|
      • a2sv
      • testssl.sh
      • jsprime - analysis`](/categorize/tags/js-analysis.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • headi
      • sqlmap
      • AWSBucketDump
      • http2smugl - > HTTP/1.1 conversion by the frontend server.|![](https://img.shields.io/github/stars/neex/http2smugl?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • DeepViolet
      • gitGraber
      • deadlinks - link`](/categorize/tags/broken-link.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • commix - in-One OS Command Injection Exploitation Tool.|![](https://img.shields.io/github/stars/commixproject/commix?label=%20)|[`exploit`](/categorize/tags/exploit.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • findom-xss - xss?label=%20)|[`xss`](/categorize/tags/xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Shell](/images/shell.png)](/categorize/langs/Shell.md)|
      • HRS - Labs/HRS?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Perl](/images/perl.png)](/categorize/langs/Perl.md)|
      • websocket-connection-smuggler - connection-smuggler|![](https://img.shields.io/github/stars/hahwul/websocket-connection-smuggler?label=%20)|[`smuggle`](/categorize/tags/smuggle.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • corsair_scan - Origin Resource Sharing (CORS).|![](https://img.shields.io/github/stars/Santandersecurityresearch/corsair_scan?label=%20)|[`cors`](/categorize/tags/cors.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • tplmap - Side Template Injection and Code Injection Detection and Exploitation Tool|![](https://img.shields.io/github/stars/epinna/tplmap?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • DeadFinder - links (broken links)|![](https://img.shields.io/github/stars/hahwul/deadfinder?label=%20)|[`broken-link`](/categorize/tags/broken-link.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Ruby](/images/ruby.png)](/categorize/langs/Ruby.md)|
      • ppmap - side Prototype Pollution to XSS by exploiting known gadgets.|![](https://img.shields.io/github/stars/kleiton0x00/ppmap?label=%20)|[`prototypepollution`](/categorize/tags/prototypepollution.md) [`prototype-pollution`](/categorize/tags/prototype-pollution.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • OpenRedireX
      • S3cret Scanner
      • ws-smuggler - smuggler?label=%20)|[`smuggle`](/categorize/tags/smuggle.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • ssrf-sheriff - testing sheriff written in Go |![](https://img.shields.io/github/stars/teknogeek/ssrf-sheriff?label=%20)|[`ssrf`](/categorize/tags/ssrf.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • zap-cli - cli?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![zap](/images/zap.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • DirDar - Forbidden) directories to break it and get dir listing on it|![](https://img.shields.io/github/stars/M4DM0e/DirDar?label=%20)|[`403`](/categorize/tags/403.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • Taipan
      • wpscan - commercial use, black box WordPress Vulnerability Scanner written for security professionals and blog maintainers to test the security of their WordPress websites. |![](https://img.shields.io/github/stars/wpscanteam/wpscan?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Ruby](/images/ruby.png)](/categorize/langs/Ruby.md)|
      • S3Scanner
      • arachni
      • ghauri - platform tool that automates the process of detecting and exploiting SQL injection security flaws|![](https://img.shields.io/github/stars/r0oth3x49/ghauri?label=%20)|[`sqli`](/categorize/tags/sqli.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • SQLNinja
      • of-CORS - CORS?label=%20)|[`cors`](/categorize/tags/cors.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • beef
      • Gopherus
      • Sn1per
      • BaRMIe
      • XXEinjector
      • toxssin - line interface and payload generator.|![](https://img.shields.io/github/stars/t3l3machus/toxssin?label=%20)|[`xss`](/categorize/tags/xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • xxeserv
      • Liffy
      • ropr - Lichtman/ropr?label=%20)|[`rop`](/categorize/tags/rop.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Rust](/images/rust.png)](/categorize/langs/Rust.md)|
      • XXExploiter
      • singularity
      • XSRFProbe
      • weaponised-XSS-payloads - XSS-payloads?label=%20)|[`xss`](/categorize/tags/xss.md) [`documents`](/categorize/tags/documents.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • hurl - OpenSource/hurl?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Rust](/images/rust.png)](/categorize/langs/Rust.md)|
      • pentest-tools - tools?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • dnsobserver - of-band DNS interactions and sends lookup notifications via Slack. |![](https://img.shields.io/github/stars/allyomalley/dnsobserver?label=%20)|[`oast`](/categorize/tags/oast.md) [`dns`](/categorize/tags/dns.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • missing-cve-nuclei-templates - cve-nuclei-templates?label=%20)|[`nuclei-templates`](/categorize/tags/nuclei-templates.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Txt](/images/txt.png)](/categorize/langs/Txt.md)|
      • curl
      • xss-cheatsheet-data - cheatsheet-data?label=%20)|[`xss`](/categorize/tags/xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)|
      • cent - templates`](/categorize/tags/nuclei-templates.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • grc
      • interactsh
      • CyberChef - a web app for encryption, encoding, compression and data analysis |![](https://img.shields.io/github/stars/gchq/CyberChef?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • grex - line tool and library for generating regular expressions from user-provided test cases|![](https://img.shields.io/github/stars/pemistahl/grex?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Rust](/images/rust.png)](/categorize/langs/Rust.md)|
      • gitls
      • jsfuck
      • github-regexp - regexp?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • bat
      • XSS-Catcher - Catcher?label=%20)|[`xss`](/categorize/tags/xss.md) [`blind-xss`](/categorize/tags/blind-xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • ysoserial.net
      • ZipBomb
      • wuzz
      • IntruderPayloads
      • unfurl
      • wssip
      • gotestwaf - source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses|![](https://img.shields.io/github/stars/wallarm/gotestwaf?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • gron
      • gotator
      • ezXSS - xss`](/categorize/tags/blind-xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![PHP](/images/php.png)](/categorize/langs/PHP.md)|
      • Atlas
      • fzf - line fuzzy finder|![](https://img.shields.io/github/stars/junegunn/fzf?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • blistener - XSS listener with payloads|![](https://img.shields.io/github/stars/fyxme/blistener?label=%20)|[`xss`](/categorize/tags/xss.md) [`blind-xss`](/categorize/tags/blind-xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • TukTuk
      • hacks - off scripts |![](https://img.shields.io/github/stars/tomnomnom/hacks?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • oxml_xxe
      • template-generator - generator?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • Findsploit
      • hbxss - xss`](/categorize/tags/blind-xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Ruby](/images/ruby.png)](/categorize/langs/Ruby.md)|
      • reverse-shell-generator - - (Great for CTFs)|![](https://img.shields.io/github/stars/0dayCTF/reverse-shell-generator?label=%20)|[`payload`](/categorize/tags/payload.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • security-research-pocs - of-concept codes created as part of security research done by Google Security Team.|![](https://img.shields.io/github/stars/google/security-research-pocs?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![C++](/images/c++.png)](/categorize/langs/C++.md)|
      • httptoolkit - source tool for debugging, testing and building with HTTP(S) on Windows, Linux & Mac|![](https://img.shields.io/github/stars/httptoolkit/httptoolkit?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)|
      • gee
      • PayloadsAllTheThings
      • Redcloud
      • GadgetProbe
      • ysoserial - of-concept tool for generating payloads that exploit unsafe Java object deserialization. |![](https://img.shields.io/github/stars/frohoff/ysoserial?label=%20)|[`deserialize`](/categorize/tags/deserialize.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • Gf-Patterns - Patterns?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)|
      • eoyc
      • SecLists
      • gxss - xss`](/categorize/tags/blind-xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • mubeng
      • bountyplz
      • Assetnote Wordlists
      • Clipboard
      • dsieve
      • GQLSpection
      • gf
      • cf-check - check?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • docem
      • hoppscotch
      • Emissary
      • pet - line snippet manager, written in Go.|![](https://img.shields.io/github/stars/knqyf263/pet?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • s3reverse
      • PoC-in-GitHub - sec/PoC-in-GitHub?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)|
      • hakcheckurl
      • bruteforce-lists - robbie/bruteforce-lists?label=%20)|[`wordlist`](/categorize/tags/wordlist.md) [`documents`](/categorize/tags/documents.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Txt](/images/txt.png)](/categorize/langs/Txt.md)|
      • can-i-take-over-xyz - i-take-over-xyz?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)|
      • qsreplace - supplied value |![](https://img.shields.io/github/stars/tomnomnom/qsreplace?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • slackcat
      • REcollapse - box regex fuzzing to bypass validations and discover normalizations in web applications|![](https://img.shields.io/github/stars/0xacb/recollapse?label=%20)|[`fuzz`](/categorize/tags/fuzz.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • fff
      • nuclei-templates - templates?label=%20)|[`nuclei-templates`](/categorize/tags/nuclei-templates.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • Blacklist3r - blacklist3r |![](https://img.shields.io/github/stars/NotSoSecure/Blacklist3r?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![C#](/images/c%23.png)](/categorize/langs/C%23.md)|
      • SerializationDumper
      • xless - xss`](/categorize/tags/blind-xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • security-crawl-maze - crawl-maze?label=%20)|[`crawl`](/categorize/tags/crawl.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![HTML](/images/html.png)](/categorize/langs/HTML.md)|
      • anew
      • urlprobe
      • difftastic
      • autochrome
      • quickjack - and-click tool for intuitively producing advanced clickjacking and frame slicing attacks.|![](https://img.shields.io/github/stars/samyk/quickjack?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • nuclei-wordfence-cve - wordfence-cve?label=%20)|[`nuclei-templates`](/categorize/tags/nuclei-templates.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • boast
      • xssor2 - Hack with JavaScript.|![](https://img.shields.io/github/stars/evilcos/xssor2?label=%20)|[`xss`](/categorize/tags/xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • ob_hacky_slack - a bash script that sends beautiful messages to Slack|![](https://img.shields.io/github/stars/openbridge/ob_hacky_slack?label=%20)|[`notify`](/categorize/tags/notify.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Shell](/images/shell.png)](/categorize/langs/Shell.md)|
      • pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and its fully scriptable with Python (PSE) |![](https://img.shields.io/github/stars/cytopia/pwncat?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Shell](/images/shell.png)](/categorize/langs/Shell.md)|
      • tiscripts
      • 230-OOB - of-Band XXE server for retrieving file contents over FTP.|![](https://img.shields.io/github/stars/lc/230-OOB?label=%20)|[`xxe`](/categorize/tags/xxe.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • urlgrab
      • burl - URL Checker |![](https://img.shields.io/github/stars/tomnomnom/burl?label=%20)|[`url`](/categorize/tags/url.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • godeclutter
      • zip-bomb - bomb?label=%20)|[`zipbomb`](/categorize/tags/zipbomb.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • Crimson
      • pentest-env - env?label=%20)|[`pentest`](/categorize/tags/pentest.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Ruby](/images/ruby.png)](/categorize/langs/Ruby.md)|
      • Glue
      • ConfusedDotnet - prodsec/ConfusedDotnet?label=%20)|[`dependency-confusion`](/categorize/tags/dependency-confusion.md)|![windows](/images/windows.png)[![C#](/images/c%23.png)](/categorize/langs/C%23.md)|
      • nosqli - belmer/nosqli?label=%20)|[`nosqli`](/categorize/tags/nosqli.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • wprecon
      • depenfusion - mauss/depenfusion?label=%20)|[`dependency-confusion`](/categorize/tags/dependency-confusion.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • dependency-confusion-scanner - git/dependency-confusion-scanner?label=%20)|[`dependency-confusion`](/categorize/tags/dependency-confusion.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • Sublist3r
      • subzy
      • scan4all
      • SecurityTrails
      • ppfuzz - side prototype pollution vulnerability written in Rust. 🦀|![](https://img.shields.io/github/stars/dwisiswant0/ppfuzz?label=%20)|[`prototypepollution`](/categorize/tags/prototypepollution.md) [`prototype-pollution`](/categorize/tags/prototype-pollution.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Rust](/images/rust.png)](/categorize/langs/Rust.md)|
      • PwnXSS
      • NoXss - xss and dom-xss|![](https://img.shields.io/github/stars/lwzSoviet/?label=%20)|[`xss`](/categorize/tags/xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • XssPy
      • xsssniper
      • ParamWizard - based tool designed for extracting and identifying URLs with parameters from a specified website.|![](https://img.shields.io/github/stars/iamunixtz/ParamWizard?label=%20)|[`param`](/categorize/tags/param.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • dontgo403
      • Deadsniper - link checker|![](https://img.shields.io/github/stars/port19x/deadsniper?label=%20)|[`broken-link`](/categorize/tags/broken-link.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Go](/images/go.png)](/categorize/langs/Go.md)|
      • DNSDumpster
      • gitleaks
      • httpie - friendly command-line HTTP client for the API era|![](https://img.shields.io/github/stars/httpie/httpie?label=%20)|[`http`](/categorize/tags/http.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • graphql-voyager - guru/graphql-voyager?label=%20)|[`graphql`](/categorize/tags/graphql.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![TypeScript](/images/typescript.png)](/categorize/langs/TypeScript.md)|
    • Browser Addons

      • Wayback Machine
      • MM3 ProxySwitch
      • Dark Reader for Safari
      • User-Agent Switcher - agents.|||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![firefox](/images/firefox.png)|
      • DotGit
      • DOMLogger++ - mizu/domloggerpp?label=%20)|[`dom`](/categorize/tags/dom.md) [`xss`](/categorize/tags/xss.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![firefox](/images/firefox.png)![chrome](/images/chrome.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • cookie-quick-manager - quick-manager?label=%20)|[`cookie`](/categorize/tags/cookie.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![firefox](/images/firefox.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • firefox-container-proxy - container-proxy?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![firefox](/images/firefox.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • ZAP Browser Extension - extension/?label=%20)|[`browser-record`](/categorize/tags/browser-record.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![firefox](/images/firefox.png)![chrome](/images/chrome.png)![zap](/images/zap.png)[![TypeScript](/images/typescript.png)](/categorize/langs/TypeScript.md)|
      • postMessage-tracker - icon|![](https://img.shields.io/github/stars/fransr/postMessage-tracker?label=%20)|[`js-analysis`](/categorize/tags/js-analysis.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![chrome](/images/chrome.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • Edit-This-Cookie - This-Cookie?label=%20)|[`cookie`](/categorize/tags/cookie.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![chrome](/images/chrome.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • clear-cache - on to clear browser cache with a single click or via the F9 key.|![](https://img.shields.io/github/stars/TenSoja/clear-cache?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![firefox](/images/firefox.png)![chrome](/images/chrome.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • eval_villain
      • Dark Reader
      • PwnFox
      • jsonwebtoken.github.io
      • Firefox Multi-Account Containers - Account Containers lets you keep parts of your online life separated into color-coded tabs|![](https://img.shields.io/github/stars/mozilla/multi-account-containers?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![firefox](/images/firefox.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • Hack-Tools - in-one Red Team extension for Web Pentester 🛠|![](https://img.shields.io/github/stars/LasCC/Hack-Tools?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![firefox](/images/firefox.png)![chrome](/images/chrome.png)![safari](/images/safari.png)[![TypeScript](/images/typescript.png)](/categorize/langs/TypeScript.md)|
    • Burpsuite, Caido and ZAP Addons

      • Dr. Watson - Watson?label=%20)|[`param`](/categorize/tags/param.md) [`subdomains`](/categorize/tags/subdomains.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • HUNT
      • attack-surface-detector-burp - surface-detector-burp?label=%20)|[`endpoint`](/categorize/tags/endpoint.md) [`url`](/categorize/tags/url.md) [`attack-surface`](/categorize/tags/attack-surface.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • BurpJSLinkFinder - analysis`](/categorize/tags/js-analysis.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • reflected-parameters - parameters?label=%20)|[`param`](/categorize/tags/param.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • attack-surface-detector-zap - surface-detector-zap?label=%20)|[`endpoint`](/categorize/tags/endpoint.md) [`url`](/categorize/tags/url.md) [`attack-surface`](/categorize/tags/attack-surface.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![zap](/images/zap.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • burp-retire-js - retire-js?label=%20)|[`js-analysis`](/categorize/tags/js-analysis.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • param-miner - miner?label=%20)|[`param`](/categorize/tags/param.md) [`cache-vuln`](/categorize/tags/cache-vuln.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • GAP - h4ck3r/GAP-Burp-Extension?label=%20)|[`param`](/categorize/tags/param.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • AuthMatrix
      • Autorize
      • http-request-smuggler - request-smuggler?label=%20)|[`smuggle`](/categorize/tags/smuggle.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • collaborator-everywhere - everywhere?label=%20)|[`oast`](/categorize/tags/oast.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • BurpSuiteHTTPSmuggler
      • csp-auditor - auditor?label=%20)|[`csp`](/categorize/tags/csp.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![zap](/images/zap.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • argumentinjectionhammer
      • taborator
      • zap-hud - hud?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![zap](/images/zap.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • blackboxprotobuf
      • Map Local - on which allows mapping of responses to content of a chosen local file.|![](https://img.shields.io/github/stars/Keindel/owasp-zap-maplocal-addon?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![zap](/images/zap.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • EvenBetter
      • notebook - community/notebook?label=%20)|[`note`](/categorize/tags/note.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![caido](/images/caido.png)[![TypeScript](/images/typescript.png)](/categorize/langs/TypeScript.md)|
      • safecopy
      • Decoder-Improved - Improved?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • CaidoReflector
      • burp-send-to - send-to?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • BurpCustomizer
      • HTTPSignatures - ietf-httpbis-message-signatures-01 draft.|![](https://img.shields.io/github/stars/nccgroup/HTTPSignatures?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • reflect
      • EvenBetterExtensions
      • caidope - caido plugin|![](https://img.shields.io/github/stars/skitttles-berry/caidope?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![caido](/images/caido.png)[![TypeScript](/images/typescript.png)](/categorize/langs/TypeScript.md)|
      • burp-piper - piper?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Kotlin](/images/kotlin.png)](/categorize/langs/Kotlin.md)|
      • Berserko
      • community-scripts - scripts?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![zap](/images/zap.png)[![JavaScript](/images/javascript.png)](/categorize/langs/JavaScript.md)|
      • turbo-intruder - intruder?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Kotlin](/images/kotlin.png)](/categorize/langs/Kotlin.md)|
      • gRPC-Web Pentest Suite - Pentest-Suite is set of tools for pentesting / hacking gRPC Web (gRPC-Web) applications.|![](https://img.shields.io/github/stars/nxenon/grpc-pentest-suite?label=%20)|[`gRPC-Web`](/categorize/tags/gRPC-Web.md)|![burp](/images/burp.png)![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • burp-exporter - exporter?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • Stepper
      • AWSSigner
      • Web3 Decoder - decoder?label=%20)|[`web3`](/categorize/tags/web3.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • pcap-burp - burp?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • inql
      • knife
      • femida - i-was/femida?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)[![Python](/images/python.png)](/categorize/langs/Python.md)|
      • http-script-generator - script-generator?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![zap](/images/zap.png)![burp](/images/burp.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • Neonmarker
      • BurpBounty
      • owasp-zap-jwt-addon - zap-jwt-addon?label=%20)|[`jwt`](/categorize/tags/jwt.md)|![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![zap](/images/zap.png)[![Java](/images/java.png)](/categorize/langs/Java.md)|
      • BurpSuite-Secret_Finder - Secret_Finder?label=%20)||![linux](/images/linux.png)![macos](/images/apple.png)![windows](/images/windows.png)![burp](/images/burp.png)|
      • BurpSuiteLoggerPlusPlus