awesome-web-security
https://github.com/Muhammd/awesome-web-security
Forums
- Phrack Magazine - Ezine written by and for hackers.
- The Hacker News - Security in a serious way.
- HackDig - Dig high-quality web security articles for hackers.
Resources
Tips
- Hacker101 - Written by [hackerone](https://www.hackerone.com/start-hacking).
- The Daily Swig - Web security digest - Written by [PortSwigger](https://portswigger.net/).
- Infosec Newbie - Written by [Mark Robinson](https://www.sneakymonkey.net/).
- The Magic of Learning - Written by [@bitvijays](https://bitvijays.github.io/aboutme.html).
XSS - Cross-Site Scripting
- XSS.png - Written by [@jackmasa](https://github.com/jackmasa).
- C.XSS Guide - Written by [@JakobKallin](https://github.com/JakobKallin) and [Irene Lobo Valbuena](https://www.linkedin.com/in/irenelobovalbuena/).
- A talk about XSS thousand knocks - Written by [Yu Yagihashi](https://speakerdeck.com/yagihashoo).
- How Cross-Site Scripting Works and Seven Countermeasures to Avoid Attacks (クロスサイトスクリプティングの仕組みと攻撃を回避する7つの対策) - Written by [McAfee Blog](https://blogs.mcafee.jp/).
CSV Injection
- CSV Injection -> Meterpreter on Pornhub - Written by [Andy](https://blog.zsec.uk/).
- The Absurdly Underestimated Dangers of CSV Injection - Written by [George Mauer](http://georgemauer.net/).
SQL Injection
- SQL Injection Wiki - Written by [NETSPI](https://www.netspi.com/).
- SQL Injection Pocket Reference - Written by [@LightOS](https://twitter.com/LightOS).
Command Injection
- Potential command injection in resolv.rb - Written by [@drigg3r](https://github.com/drigg3r).
ORM Injection
- HQL for pentesters - Written by [@h3xstream](https://twitter.com/h3xstream/).
- HQL: Hyperinsane Query Language (or how to access the whole SQL API within an HQL injection?) - Written by [@_m0bius](https://twitter.com/_m0bius).
- ORM2Pwn: Exploiting injections in Hibernate ORM - Written by [Mikhail Egorov](https://0ang3el.blogspot.tw/).
- ORM Injection - Written by [Simone Onofri](https://onofri.org/).
FTP Injection
- SMTP over XXE - how to send emails using Java's XML parser - Written by [Alexander Klink](https://shiftordie.de/).
XXE - XML eXternal Entity
- XXE - Written by [@phonexicum](https://twitter.com/phonexicum).
CSRF - Cross-Site Request Forgery
- Wiping Out CSRF - Written by [@jrozner](https://medium.com/@jrozner).
SSRF - Server-Side Request Forgery
- SSRF bible. Cheatsheet - Written by [Wallarm](https://wallarm.com/).
ReactJS
- XSS via a spoofed React element - Written by [Daniel LeCheminant](http://danlec.com/).
SSL/TLS
- SSL & TLS Penetration Testing - Written by [APTIVE](https://www.aptive.co.uk/).
AWS
- PENETRATION TESTING AWS STORAGE: KICKING THE S3 BUCKET - Written by Dwight Hohnstein from [Rhino Security Labs](https://rhinosecuritylabs.com/).
Crypto
- Applied Crypto Hardening - Written by [The bettercrypto.org Team](https://bettercrypto.org/).
Web Shell
- Hunting for Web Shells - Written by [Jacob Baines](https://www.tenable.com/profile/jacob-baines).
OSINT
- OSINT x UCCU Workshop on Open Source Intelligence - Written by [Philippe Lin](https://www.slideshare.net/miaoski).
- 102 Deep Dive in the Dark Web OSINT Style Kirby Plessas - Presented by [@kirbstr](https://twitter.com/kirbstr).
Books
- XSS Cheat Sheet - 2018 Edition - Written by [@brutelogic](https://twitter.com/brutelogic).
Tools
Reconnaissance
- ZoomEye - Cyberspace Search Engine by [@zoomeye_team](https://twitter.com/zoomeye_team).
- FOFA - Cyberspace Search Engine by [BAIMAOHUI](http://baimaohui.net/).
- NSFOCUS - THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.
- Censys - Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by [University of Michigan](https://umich.edu/).
- Shodan - Shodan is the world's first search engine for Internet-connected devices by [@shodanhq](https://twitter.com/shodanhq).
- urlscan.io - Service which analyses websites and the resources they request by [@heipei](https://twitter.com/heipei).
- OSINT TOOLKIT - OSINT TOOLKIT by [the OSINT Toolkit Admin Team](https://osinttoolkit.github.io/).
- Certificate Search - Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by [@crtsh](https://github.com/crtsh).
- Databases - start.me - Various databases which you can use for your OSINT research by [@technisette](https://twitter.com/technisette).
- peoplefindThor - the easy way to find people on Facebook by [postkassen](mailto:[email protected]?subject=peoplefindthor.dk comments).
- EyeWitness - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible by [@ChrisTruncer](https://github.com/ChrisTruncer).
- gitrob - Reconnaissance tool for GitHub organizations by [@michenriksen](https://github.com/michenriksen).
Penetration Testing
- grayhatwarfare - Public buckets by [grayhatwarfare](http://www.grayhatwarfare.com/).
- Astra - Automated security testing for REST APIs by [@flipkart-incubator](https://github.com/flipkart-incubator).
Detecting
Proxy
- Charles - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
Decompiler
- CFR - Another java decompiler by [@LeeAtBenf](https://twitter.com/LeeAtBenf).
Others
- Dnslogger - DNS Logger by [@iagox86](https://github.com/iagox86).
Tricks
CSRF
- Exploiting CSRF on JSON endpoints with Flash and redirects - Written by [@riyazwalikar](https://blog.appsecco.com/@riyazwalikar).
- Neat tricks to bypass CSRF-protection - Written by [Twosecurity](https://twosecurity.io/).
Remote Code Execution
- Exploiting Node.js deserialization bug for Remote Code Execution - Written by [OpSecX](https://opsecx.com/index.php/author/ajinabraham/).
- DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE - Written by [Ambionics Security](https://www.ambionics.io/).
- How we exploited a remote code execution vulnerability in math.js - Written by [@capacitorset](https://github.com/capacitorset).
- GitHub Enterprise Remote Code Execution - Written by [@iblue](https://github.com/iblue).
- $36k Google App Engine RCE - Written by [Ezequiel Pereira](https://sites.google.com/site/testsitehacking/).
- Poor RichFaces - Written by [CODE WHITE](https://www.code-white.com/).
- How i Hacked into a PayPal's Server - Unrestricted File Upload to Remote Code Execution - Written by [Vikas Anil Sharma](http://blog.pentestbegins.com/).
XSS
- Query parameter reordering causes redirect page to render unsafe URL - Written by [kenziy](https://hackerone.com/kenziy).
- How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) - Written by [@marin_m](https://medium.com/@marin_m).
- DON'T TRUST THE DOM: BYPASSING XSS MITIGATIONS VIA SCRIPT GADGETS - Written by [Sebastian Lekies](https://twitter.com/slekies), [Krzysztof Kotowicz](https://twitter.com/kkotowicz), and [Eduardo Vela](https://twitter.com/sirdarckcat).
- Uber XSS via Cookie - Written by [zhchbin](http://zhchbin.github.io/).
- Stored XSS on Facebook - Written by [Enguerran Gillier](https://opnsec.com/).
- DOM XSS – auth.uber.com - Written by [StamOne_](http://stamone-bug-bounty.blogspot.tw/).
- JavaScript in Five Characters (5文字で書くJavaScript) - Shibuya.XSS techtalk #10 by [Masato Kinugawa](https://twitter.com/kinugawamasato).
SQL Injection
- MySQL Error Based SQL Injection Using EXP - Written by [@osandamalith](https://twitter.com/osandamalith).
- SQL injection in an UPDATE query - a bug bounty story! - Written by [Zombiehelp54](http://zombiehelp54.blogspot.jp/).
FTP Injection
- XML Out-Of-Band Data Retrieval - Written by [@a66at](https://twitter.com/a66at) and Alexey Osipov.
XXE
- Evil XML with two encodings - Written by [Arseniy Sharoglazov](https://mohemiv.com/).
SSRF
- SSRF to ROOT Access - A $25k bounty for SSRF leading to ROOT Access in all instances by [0xacb](https://hackerone.com/0xacb).
- PHP SSRF Techniques - Written by [@themiddleblue](https://medium.com/@themiddleblue).
- SSRF in https://imgur.com/vidgif/url - Written by [aesteral](https://hackerone.com/aesteral).
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Written by [Orange](http://blog.orange.tw/).
- SSRF Tips - Written by [xl7dev](http://blog.safebuff.com/).
URL
- Some Problems Of URLs - Written by [Chris Palmer](https://noncombatant.org/about/).
- Phishing with Unicode Domains - Written by [Xudong Zheng](https://www.xudongz.com/).
- Unicode Domains are bad and you should feel bad for supporting them - Written by [VRGSEC](https://www.vgrsec.com/).
Others
- Some Tricks From My Secret Group - Written by [PHITHON](https://www.leavesongs.com/).
- Inducing DNS Leaks in Onion Web Services - Written by [@epidemics-scepticism](https://github.com/epidemics-scepticism).
- Stored XSS, and SSRF in Google using the Dataset Publishing Language - Written by [@signalchaos](https://twitter.com/signalchaos).
Header Injection
- Java/Python FTP Injections Allow for Firewall Bypass - Written by [Timothy Morgan](https://plus.google.com/105917618099766831589).
Browser Exploitation
Backend (core of Browser implementation, and often refers to C or C++ part)
- Exploiting a V8 OOB write. - Written by [@halbecaf](https://twitter.com/halbecaf).
- Attacking JavaScript Engines - A case study of JavaScriptCore and CVE-2016-4622 - Written by [[email protected]]([email protected]).
- Three roads lead to Rome - Written by [Luke Viruswalker](http://blogs.360.cn/360safe/author/xsecure/).
- Look Mom, I don't use Shellcode - Browser Exploitation Case Study for Internet Explorer 11 - Written by [@moritzj](http://twitter.com/moritzj).
- PUSHING WEBKIT'S BUTTONS WITH A MOBILE PWN2OWN EXPLOIT - Written by [@wanderingglitch](https://twitter.com/wanderingglitch).
- FROM CRASH TO EXPLOIT: CVE-2015-6086 – OUT OF BOUND READ/ASLR BYPASS - Written by [payatu](http://payatu.com/).
Frontend (like CSP bypass, URL spoofing, and something like that)
- SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge) - Written by [Manuel](https://twitter.com/magicmac2000).
- Browser Vulnerabilities and Their Impact (ブラウザの脆弱性とそのインパクト) - Written by [Muneaki Nishimura](https://speakerdeck.com/nishimunea) and [Masato Kinugawa](https://twitter.com/kinugawamasato).
- Safari Peculiarities in Client-Side Attacks (Особенности Safari в client-side атаках) - Written by [Bo0oM](https://bo0om.ru/author/admin).
Evasions
WAF
- Web Application Firewall (WAF) Evasion Techniques - Written by [@secjuice](https://twitter.com/secjuice).
- Web Application Firewall (WAF) Evasion Techniques #2 - Written by [@secjuice](https://twitter.com/secjuice).
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Written by [@Brett Buerhaus](https://twitter.com/bbuerhaus).
Authentication
- Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) - Written by [@malerisch](https://twitter.com/malerisch) and [@steventseeley](https://twitter.com/steventseeley).
Social Engineering Database
Others
- haveibeenpwned - Check if you have an account that has been compromised in a data breach by [Troy Hunt](https://www.troyhunt.com/).
- mysql-password - Database of MySQL hashes.
- databases.today - The biggest free-to-download collection of publicly available website databases for security researchers and journalists by [@publicdbhost](https://twitter.com/publicdbhost).
Practices
Application
- SELinux Game - Learn SELinux by doing. Solve Puzzles, show skillz - Written by [@selinuxgame](https://twitter.com/selinuxgame).
AWS
- FLAWS - Amazon AWS CTF challenge - Written by [@0xdabbad00](https://twitter.com/0xdabbad00).
XSS
- XSS Thousand Knocks - Written by [@yagihashoo](https://twitter.com/yagihashoo).
- XSS game - Google XSS Challenge - Written by Google.
- alert(1) to win - Series of XSS challenges - Written by [@steike](https://twitter.com/steike).
- XSS Challenges - Series of XSS challenges - Written by yamagata21.
ModSecurity / OWASP ModSecurity Core Rule Set
- ModSecurity / OWASP ModSecurity Core Rule Set - Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by [@ChrFolini](https://twitter.com/ChrFolini).
Blogs
Others
- leavesongs - China's talented web penetrator.
- Broken Browser - Fun with Browser Vulnerabilities.
- Blog of Osanda - Security Researching and Reverse Engineering.
- BRETT BUERHAUS - Vulnerability disclosures and rambles on application security.
- n0tr00t - ~# n0tr00t Security Team.
- OpnSec - Open Mind Security!
- Wfox - Tech geek, enthusiastic about all kinds of things.
- LoRexxar - Growing with a reverence for technology, never content to stay in one corner...
Twitter Users
Others
- @HackwithGitHub - Initiative to showcase open source hacking tools for hackers and pentesters
- @filedescriptor - Active penetrator often tweets and writes useful articles
- @cure53berlin - [Cure53](https://cure53.de/) is a German cybersecurity firm.
- @XssPayloads - The wonderland of JavaScript unexpected usages, and more.
- @kinugawamasato - Japanese web penetrator.
- @h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
- @garethheyes - English web penetrator.
- @hasegawayosuke - Japanese javascript security researcher.
Community
ModSecurity / OWASP ModSecurity Core Rule Set
Miscellaneous
ModSecurity / OWASP ModSecurity Core Rule Set
- Google VRP and Unicorns - Written by [Daniel Stelter-Gliese](https://www.linkedin.com/in/daniel-stelter-gliese-170a70a2/).
- The Definitive Security Data Science and Machine Learning Guide - Written by JASON TROS.
- Browser Extension and Login-Leak Experiment.
- A glimpse into GitHub's Bug Bounty workflow - Written by [@gregose](https://github.com/gregose).
- Internet of Things Scanner - Check if your internet-connected devices at home are public on Shodan by [BullGuard](https://www.bullguard.com/).
- The Bug Hunters Methodology v2.1 - Written by [@jhaddix](https://twitter.com/jhaddix).
- $7.5k Google services mix-up - Written by [Ezequiel Pereira](https://sites.google.com/site/testsitehacking/).
- Be careful what you copy: Invisibly inserting usernames into text with Zero-Width Characters - Written by [@umpox](https://medium.com/@umpox).
- Domato Fuzzer's Generation Engine Internals - Written by [sigpwn](https://www.sigpwn.io/).
- CSS Is So Overpowered It Can Deanonymize Facebook Users - Written by [Ruslan Habalov](https://www.evonide.com/).
- TL;DR: VPNs leak users' IPs via WebRTC. I've tested seventy VPN providers and 16 of them (23%) leak users' IPs via WebRTC - Written by [voidsec](https://voidsec.com/).
- notes - Some public notes by [@ChALkeR](https://github.com/ChALkeR).
PoCs
JavaScript
- Some-PoC-oR-ExP - Collected or self-written PoCs and exploits for various vulnerabilities by [@coffeehb](https://github.com/coffeehb).