https://github.com/d1nfinite/awesome-web-security-

# Awesome-web-security-
Some useful resources.

### Paper

- CDN
  - [How CDN (content delivery network) technology works](http://www.it.com.cn/f/server/076/21/433995.htm)
  - [Ideas behind CDN traffic amplification attacks](http://www.freebuf.com/articles/network/14348.html)
  - [Finding a site's real IP behind a CDN](http://xiaix.me/rao-guo-cdncha-zhao-wang-zhan-zhen-shi-ip/)

- XSS
  - [XSSer's road to levelling up](http://xuelinf.github.io/2016/05/14/-level-5-%E8%A2%AB%E5%BF%BD%E7%95%A5%E7%9A%84%E5%8F%8D%E6%96%9C%E6%9D%A0-XSS%E5%8D%87%E7%BA%A7%E4%B9%8B%E8%B7%AF/)
  - [Flash XSS Security](http://www.joychou.org/index.php/web/flash-xss.html)
  - [XSSI](http://www.mbsd.jp/Whitepaper/xssi.pdf) (most of the techniques no longer work against current browsers, but the ideas are worth studying)
  - [A brief discussion of XSS: character encoding and how browsers parse](https://security.yirendai.com/news/share/26)
  - [Reflected XSS in QQ Mail](http://pirogue.org/2017/08/25/qqmailxss/)
  - [XSS cheat sheet](http://momomoxiaoxi.com/2017/10/10/XSS/)

- JSONP
  - [JSONP](https://tonghuashuo.github.io/blog/jsonp.html)
  - [Security issues caused by JSONP](http://blog.knownsec.com/2015/03/jsonp_security_technic/)

- Network
  - [Port forwarding in practice](https://www.ibm.com/developerworks/cn/linux/l-cn-sshforward/index.html)
  - [A Red Teamer's guide to pivoting](https://artkond.com/2017/03/23/pivoting-guide/)

- Protocol
  - [What is a digital signature?](http://www.ruanyifeng.com/blog/2011/08/what_is_a_digital_signature.html)

- RCE
  - [A brief discussion of RCE bypasses](http://pupiles.com/shellcode.html)
  - [Command execution tips](http://www.cnblogs.com/iamstudy/articles/some_exec_command_tip.html)

- NoSQL injection
  - [NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb)

- Architecture security
  - [Security issues in web architecture](https://github.com/bit4woo/sharexmind/blob/master/Web%E6%9E%B6%E6%9E%84%E4%B8%AD%E7%9A%84%E5%AE%89%E5%85%A8%E9%97%AE%E9%A2%98.xmind)
  - [Amazon S3](https://blog.rapid7.com/2013/03/27/open-s3-buckets/)

- PHP tricks
  - [Write-up of the web challenges from the first Pwnhub offline salon competition](https://xianzhi.aliyun.com/forum/read/1983.html)
  - [File inclusion vulnerabilities](https://thief.one/2017/04/10/2/)
  - [PHP format string issues](https://paper.seebug.org/386/)
  - [PHP format string issues, part 2](https://mp.weixin.qq.com/s/8qtFAVdnYCbsST09xTDHIg)
  - [Overloading the intermediate engine to detect PHP webshells](https://security.tencent.com/index.php/blog/msg/19)
  - [PHP session serialization and deserialization handlers](http://wps2015.org/drops/drops/PHP%20Session%20%E5%BA%8F%E5%88%97%E5%8C%96%E5%8F%8A%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%A4%84%E7%90%86%E5%99%A8%E8%AE%BE%E7%BD%AE%E4%BD%BF%E7%94%A8%E4%B8%8D%E5%BD%93%E5%B8%A6%E6%9D%A5%E7%9A%84%E5%AE%89%E5%85%A8%E9%9A%90%E6%82%A3.html)

- HTTP headers
  - [OWASP Secure Headers Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project)
  - [HTTP Referer](http://blog.csdn.net/u011250882/article/details/49679535)
  - [The state of CSP adoption](https://segmentfault.com/a/1190000007193840)

- Servers
  - [How Nginx processes a request](http://tengine.taobao.org/nginx_docs/cn/docs/http/request_processing.html)
  - [Nginx server installation and configuration file explained](http://www.cnblogs.com/bluestorm/p/4574688.html)

- CRLF injection
  - [CRLF injection on Twitter or why blacklists fail](https://blog.innerht.ml/twitter-crlf-injection/)

- Linux
  - [Using the bash shell](http://cn.linux.vbird.org/linux_basic/0320bash.php)
  - [Thoughts prompted by an SSH backdoor command](https://xianzhi.aliyun.com/forum/mobile/read/790.html)
  - [Linux incident response techniques: "Guanyin seated on the lotus"](http://vinc.top/2017/09/20/linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94%E5%A7%BF%E5%8A%BF%E4%B9%8B%E8%A7%82%E9%9F%B3%E5%9D%90%E8%8E%B2/)
  - [Log auditing with auditd](https://linux.cn/article-4907-1.html)

- Java
  - [Bypassing JSP backdoor detection with Java reflection and class loading](https://xz.aliyun.com/t/2342#toc-8)

- Crypto
  - [Hash length extension attacks](http://www.freebuf.com/articles/web/69264.html)

- DDoS
  - [Slow HTTP attacks](http://blog.nsfocus.net/cc-attack-defense/)

- Other
  - [The art of finding vulnerabilities](http://jackson.thuraisamy.me/finding-vulnerabilities.html)

- Kerberos
  - [Kerberos illustrated](http://www.cnblogs.com/wukenaihe/p/3732141.html)

### Tools

- HTTP headers
  - [CSP Evaluator](https://csp-evaluator.withgoogle.com/)

- XSS
  - [XSS'OR](http://xssor.io/)
  - [HTML5SEC](https://html5sec.org/) (bypass cheat sheet)

- Information gathering
  - [spiderfoot](http://www.spiderfoot.net/download/)

- Regular expressions
  - [regex101](https://regex101.com/)