Web Security

Written by hackerone.

Written by PortSwigger.

Written by Netsparker.

Written by Mark Robinson.

Written by @bitvijays.

Written by Trail of Bits.

Written by @swisskyrepo.

Weekly summary of top security tools, blog posts, and security research.

Ezine written by and for hackers.

Security in a serious way.

The security podcast network.

Biting the hand that feeds IT.

Connecting The Information Security Community.

Dig high-quality web security articles for hacker.

Written by Google.

Written by @cure53.

Written by @s0md3v.

Written by @jackmasa.

Written by @JakobKallin and Irene Lobo Valbuena.

Written by Paulos Yibelo.

Written by @payloadbox.

Written by @swisskyrepo.

Written by @HoLyVieR.

Written by @securitymb.

Written by @po6ix.

Written by Andy.

Written by George Mauer.

Written by @swisskyrepo.

Written by @netsparker.

Written by NETSPI.

Written by @LightOS.

Written by @payloadbox.

Written by @swisskyrepo.

Written by @drigg3r.

Written by @payloadbox.

Written by @swisskyrepo.

Written by @h3xstream.

Written by @_m0bius.

Written by Mikhail Egorov.

Written by Simone Onofri.

Written by Timothy Morgan.

Written by Alexander Klink.

Written by @phonexicum.

Written by portswigger.

Written by Timothy D. Morgan and Omar Al Ibrahim.

Written by @payloadbox

Written by various contributors.

Written by @jrozner.

Written by @swisskyrepo.

Written by Imperva.

Written by Mario Heiderich.

Written by Wallarm.

Written by @swisskyrepo.

Written by @albinowax.

Written by @swisskyrepo.

Written by The Morning Paper.

Written by Mitsui Bussan Secure Directions, Inc..

Written by s0cket7.

Written by @payloadbox.

Written by @swisskyrepo.

Written by epi.

Written by epi.

Written by epi.

Written by @swisskyrepo.

Written by Haboob Team.

Written by @swisskyrepo.

Written by @qazbnm456.

Written by @brunofacca.

Written by @presidentbeef.

Written by Rails team.

Written by Gareth Heyes.

Written by @garethheyes

Written by Daniel LeCheminant.

Written by APTIVE.

Written by @Hakky54.

Written by Robin Peraglie.

Written by PENETRATION ACADEMY.

Written by Dwight Hohnstein from Rhino Security Labs.

Written by VirtueSecurity.

Written by VirtueSecurity.

Written by Christian Demko

Written by @rhinobenjamin.

Written by @spengietz.

Written by Bharath.

Written by Patrik Hudak.

Written by The bettercrypto.org Team.

Written by J.M Porup.

Written by Jacob Baines.

Written by @_nullbind.

Written by @s3yfullah.

Written by Philippe Lin.

Presented by @kirbstr.

Written by Timur Daudpota.

Written by @brannondorsey

Written by @radekk

Written by @breenmachine.

Written by @pwntester.

Written by @noperator.

Written by CRISTIAN CORNEA.

Written by @synacktiv.

Written by @PhilippeDeRyck.

Written by @damianrusinek.

Written by @ermil0v.

Written by @SpiderSec.

Written by @shhnjk.

Written by Detectify Labs.

Written by Paulos Yibelo.

Written by Wallarm.

Written by portswigger.

Written by @ptoomey3.

Written by @ptoomey3.

Written by @secjuice.

Written by @secjuice.

Written by @Brett Buerhaus.

Written by @d0znpp.

Written by Mario Heiderich.

Written by @malerisch and @steventseeley.

Written by Twosecurity.

Written by @riyazwalikar.

Written by @dxa4481.

Written by @rramgattie.

Written by @GraphX.

Written by @raushanraj_65039.

Written by @yu5k3.

Written by Badcode@Knownsec 404 Team.

Written by @breenmachine.

Written by OpSecX.

Written by Ambionics Security.

Written by @capacitorset.

Written by @iblue.

Written by RIPS Technologies.

Written by Orange.

Written by Ezequiel Pereira.

Written by CODE WHITE.

Written by @blaklis_.

Written by Jorge Lajara.

Written by HAHWUL.

Written by @garethheyes.

Written by @terjanq.

Written by kenziy.

Written by Mario Heiderich.

Written by @marin_m.

Written by Sebastian Lekies, Krzysztof Kotowicz, and Eduardo Vela.

Written by zhchbin.

Written by StamOne_.

Written by Enguerran Gillier.

Written by Michał Bentkowski.

Written by Michał Bentkowski.

Written by @strukt93.

Written by @vinodsparrow.

Written by @osandamalith.

Written by Zombiehelp54.

Written by Orange.

Written by TomNomNom.

Written by Tarlogic.

Written by @denandz.

Written by Pete.

Written by @a66at and Alexey Osipov.

Written by Ivan Novikov.

Written by Arseniy Sharoglazov.

Written by Rose Jackcode.

Written by Timur Yunusov and Alexey Osipov.

Exfiltration using FTP protocol - Written by Ivan Novikov.

Written by skavans.

Written by Timothy D. Morgan.

Written by Renaud Dubourguais.

Written by Antti Rantasaari.

Written by Arseniy Sharoglazov.

Written by Philippe Arteau.

Written by Gwen.

A $25k bounty for SSRF leading to ROOT Access in all instances by 0xacb.

Written by @themiddleblue.

Written by aesteral.

Written by @Auxy233.

Written by Orange.

Written by xl7dev.

Written by opnsec.

Written by Alyssa Herrera.

Written by @albinowax.

Written by Wallarm.

Written by Timothy Morgan.

Written by Chris Palmer.

Written by Xudong Zheng.

Written by VRGSEC.

Written by Sergey Bobrov.

Written by @irsdl.

Written by @AmolBaikar.

Written by @alex.birsan.

Written by phithon.

Written by @epidemics-scepticism.

Written by @signalchaos.

Written by @shhnjk.

Written by @filedescriptor.

Written by @rafaybaloch.

Written by jameshfisher.

Written by portswigger.

Written by James Lee.

Written by Manuel.

Written by Bo0oM.

Written by aaj at google.com and mkwst at google.com.

Written by Michał Bentkowski.

Written by David Gilbertson.

Written by @kinugawamasato.

Written by @Abdulahhusam.

Written by Доктор Веб.

Written by phrack@saelo.net.

Written by @holynop.

Written by @halbecaf.

Written by SecuriTeam Secure Disclosure (SSD).

Written by @moritzj.

Written by @wanderingglitch.

Written by @PatrickBiernat, @gaasedelen and @itszn13.

Written by Diary of a reverse-engineer.

Written by @tjbecker_.

Collection of JavaScript engine CVEs with PoCs by @tunz.

Curated list of CVE PoCs by @qazbnm456.

各种漏洞poc、Exp的收集或编写 by @coffeehb.

Collection of UXSS CVEs with PoCs by @Metnew.

Exploits & Tools Search Engine by @i_bo0om.

ultimate archive of Exploits, Shellcode, and Security Papers by Offensive Security.

Written by @brutelogic.

Written by @uppusaikiran.

Tool for AWS security assessment, auditing and hardening by @Alfresco.

Evaluate the security of S3 buckets by @hehnope.

Auto Scanning to SSL Vulnerability by @hahwul.

Automated All-in-One OS command injection and exploitation tool by @commixproject.

Shodan is the world's first search engine for Internet-connected devices by @shodanhq.

Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.

Service which analyses websites and the resources they request by @heipei.

Cyberspace Search Engine by @zoomeye_team.

Cyberspace Search Engine by BAIMAOHUI.

THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.

Incredibly fast crawler designed for OSINT by @s0md3v.

FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by ElevenPaths.

Open source footprinting and intelligence-gathering tool by @binarypool.

XRay is a tool for recon, mapping and OSINT gathering from public networks by @evilsocket.

Reconnaissance tool for GitHub organizations by @michenriksen.

Github Sensitive Information Leakage（Github敏感信息泄露）by @FeeiCN.

raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin by @0x09AL.

Reconnaissance Swiss Army Knife by @s0md3v.

Various databases which you can use for your OSINT research by @technisette.

the easy way to find people on Facebook by [postkassen](mailto:postkassen@oejvind.dk?subject=peoplefindthor.dk comments).

The most complete open-source tool for Twitter intelligence analysis by @vaguileradiaz.

High performance offensive security tool for reconnaissance and vulnerability scanning by @evyatarmeged.

Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf) by @SpiderLabs.

Dockerfiles for various OSINT tools by @espi0n.

Sublist3r is a multi-threaded sub-domain enumeration tool for penetration testers by @aboul3la.

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible by @ChrisTruncer.

A simple and fast sub domain brute tool for pentesters by @lijiejie.

Tool for Domain Flyovers by @michenriksen.

Analyze the security of any domain by finding all the information possible by @eldraco.

Searching for domain information by VirusTotal.

Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system by @google.

Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by @crtsh.

Domain searcher named GoogleSSLdomainFinder by @We5ter.

Vulnerable Web applications Generator by @qazbnm456.

Web application bruteforcer by @xmendez.

Script that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.

Simple tool to convert the IP to a DWORD IP by @OsandaMalith.

DOM fuzzer by @google.

Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.

Web crawler optimized for searching and analyzing the directory structure of a site by @nekmo.

Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.

Potentially dangerous files by @Bo0oM.

WPScan is a black box WordPress vulnerability scanner by @wpscanteam.

Free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by @drego85.

Is an open source web application security scanner that uses "black-box" method, created by @m4ll0k.

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by @projectdiscovery.

Burp Suite is an integrated platform for performing security testing of web applications by portswigger.

A comprehensive web application audit framework to cover up everything from Reconnaissance and OSINT to Vulnerability Analysis by @_tID.

Automated Security Testing For REST API's by @flipkart-incubator.

A collection of AWS penetration testing junk by @dagrz.

Public buckets by grayhatwarfare.

The Browser Exploitation Framework Project by beefproject.

Get a JavaScript shell with XSS by @s0md3v.

XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by @s0md3v.

XSS'OR - Hack with JavaScript by @evilcos.

A tool for evaluating content-security-policies by Csper.

Automatic SQL injection and database takeover tool.

Code and Server-Side Template Injection Detection and Exploitation Tool by @epinna.

List DTDs and generate XXE payloads using those local DTDs by @GoSecure.

The Prime CSRF Audit & Exploitation Toolkit by @0xInfection.

Open redirect/SSRF payload generator by intigriti.

All possible ways, a website can leak HTTP requests by @cure53.

Rip web accessible (distributed) version control systems: SVN/GIT/HG... by @kost.

Pillage web accessible GIT, HG and BZR repositories by @evilpacket.

Tool for advanced mining for content on Github by @UnkL4b.

Searches full repo history for secrets and keys by @zricethezav.

Chrome extension and Express server that exploits keylogging abilities of CSS by @maxchehab.

Git manager for pentesters by @allyshka.

Tool to scan for secret files on HTTP servers by @hannob.

Python script that finds endpoints in JavaScript files by @GerbenJavado.

SQL injection detection engine by chaitin.

XSS detection engine by chaitin.

Scanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.

Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by @HynekPetrak.

Scan your code for security misconfiguration, search for passwords and secrets.

bXSS is a simple Blind XSS application adapted from cure53.de/m by @LewisArdern.

An open source RASP solution actively maintained by Baidu Inc. With context-aware detection algorithm the project achieved nearly no false positives. And less than 3% performance reduction is observed under heavy server load.

A GitHub App that provides security feedback in Pull Requests.

DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by Cure53.

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.

Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by @cossacklabs.

A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.

HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.

Family of code golfed PHP shells by @s0md3v.

This is a webshell open source project by @tennc.

Weaponized web shell by @epinna.

Manage your website via terminal by @WangYihang.

Reverse Shell Manager via Terminal @WangYihang.

Reverse Shell as a Service by @lukechilds.

Full-featured C2 framework which silently persists on webserver via evil PHP oneliner by @nil0x42.

Plasma is an interactive disassembler for x86/ARM/MIPS by @plasma-disassembler.

Unix-like reverse engineering framework and commandline tools by @radare.

Qt and C++ GUI for radare2 reverse engineering framework by @hteso.

Another java decompiler by @LeeAtBenf.

DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by @brannondorsey

DNS Rebinding Exploitation Framework. Dref does the heavy-lifting for DNS rebinding by @mwrlabs

It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine by @nccgroup

A malicious DNS server for executing DNS Rebinding attacks on the fly by @brannondorsey

DNS Logger by @iagox86.

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by @GCHQ.

Parse NTLM over HTTP challenge messages by @b17zr.

Minimal code to connect to a CEF debugger by @taviso.

Interactive CTF Exploration Tool by @taviso.

Check if you have an account that has been compromised in a data breach by Troy Hunt.

Taiwan's talented web penetrator.

China's talented web penetrator.

Head of Research at PortSwigger Web Security.

Fun with Browser Vulnerabilities.

Internet Security through Web Browsers by Dhiraj Mishra.

Vulnerability disclosures and rambles on application security.

~# n0tr00t Security Team.

Open Mind Security!

Write-ups for PHP vulnerabilities.

Awesome bug-bounty and challenges writeups.

Security Researching and Reverse Engineering.

Initiative to showcase open source hacking tools for hackers and pentesters

Active penetrator often tweets and writes useful articles

Cure53 is a German cybersecurity firm.

The wonderland of JavaScript unexpected usages, and more.

Japanese web penetrator.

Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.

English web penetrator.

Japanese javascript security researcher.

Web and Browsers Security Researcher.

Probably the most modern and sophisticated insecure web application - Written by @bkimminich and the @owasp_juiceshop team.

Vulnerable web application for training - Written by @SecureSkyTechnology.

Realistic web application hacking game - Written by @albinowax.

Learn SELinux by doing. Solve Puzzles, show skillz - Written by @selinuxgame.

Free trainings and labs - Written by PortSwigger.

Amazon AWS CTF challenge - Written by @0xdabbad00.

Rhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool - Written by @RhinoSecurityLabs.

Google XSS Challenge - Written by Google.

Complex 16-Level XSS Challenge held in summer 2014 (+4 Hidden Levels) - Written by @cure53.

Series of XSS challenges - Written by @steike.

Series of XSS challenges - Written by yamagata21.

Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by @ChrFolini.

Comprehensive curated list of available Bug Bounty & Disclosure Programs and write-ups by @djadmin.

List of bug bounty write-up that is categorized by the bug nature by @ngalongc.

Written by Daniel Stelter-Gliese.

Written by PwnDizzle.

Penetration Testing and Exploit Dev CheatSheet.

Written by JASON TROS.

Decrypted content of eqgrp-auction-file.tar.xz by @x0rz.

Some public notes by @ChALkeR.

Written by @gregose.

Written by Belfer Center for Science and International Affairs.

Information Security Reference That Doesn't Suck by @rmusser01.

Check if your internet-connected devices at home are public on Shodan by BullGuard.

Written by @jhaddix.

Written by Ezequiel Pereira.

Written by @fransrosen.

Written by voidsec.

Written by Chris Patten, Tom Steele.

Written by @umpox.

Written by sigpwn.

Written by Ruslan Habalov.

Written by @itsC0rg1, @jmkeads and @matir.

Written by Paul Dannewitz.

Written by @AntoGarand.

Written by @gergoturcsanyi.

Written by @0daywork.

Written by Jayson.

Written by David Scrobonia.

Written by @slashcrypto.

Written by Gwen.

Written by Mariem.

Written by Brian Wallace.

Written by @t0nk42.

Written by @sandrogauci.

Written by @clr2of8.

Written by @cj.fairhead.