Track Awesome Web Security Updates Daily

🐶 A curated list of Web Security materials and resources.

🏠 Home · 🔍 Search · 🔥 Feed · 📮 Subscribe · ❤️ Sponsor · 😺 qazbnm456/awesome-web-security · ⭐ 13K · 🏷️ Security

[ Daily / Weekly / Overview ]

May 14, 2026

XSS - Cross-Site Scripting

• Laravel Content Security Policy: Complete Implementation Guide - Hands-on guide to implementing Content Security Policy in Laravel — nonce lifecycle, Vite and Livewire integration, violation reporting, and a pre-enforcement checklist, by @itxshakil.

Scanning / Sub Domain Enumeration

• Fray - Open-source WAF bypass and security-testing toolkit with 6,300+ payloads across OWASP categories, AI-assisted evasion engine, 27-check reconnaissance pipeline, and OWASP hardening audit, by @dalisecurity.

Penetration Testing / Sub Domain Enumeration

• numasec (⭐349) - AI-driven penetration-testing platform that coordinates 10 agents and 38 vulnerability scanners covering OWASP Top 10, by @FrancescoStabile.

Leaking / Server-Side Request Forgery

• keyFinder (⭐665) - Chrome extension that passively scans web pages for leaked API keys, tokens, and credentials across 10 attack surfaces using 80+ detection patterns and Shannon-entropy analysis, by @momenbasel.

Preventing / Server-Side Request Forgery

• FCaptcha (⭐138) - Self-hosted CAPTCHA with behavioral analysis, vision-AI agent detection, headless-browser fingerprinting, and SHA-256 proof-of-work, maintained by WebDecoy.

• Pompelmi (⭐636) - In-process file-upload security middleware for Node.js that scans untrusted uploads before storage to detect malware, MIME spoofing, and risky archives, maintained by pompelmi.

• WebDecoy (⭐1) - Zero-configuration WordPress bot-detection plugin combining WebDriver detection, headless-browser fingerprinting, behavioral analysis, and SHA-256 proof-of-work, maintained by WebDecoy.

• CrowdSec - Open-source collaborative IPS written in Go that analyzes visitor behavior and shares threat signals across a community of operators, maintained by CrowdSec.

• Laravel CSP Generator - Interactive Content Security Policy builder for Laravel that outputs ready-to-use PHP middleware with nonce support and violation reporting, by @itxshakil.

• verifyfetch (⭐151) - Browser-side integrity verification and resumable downloads for large files using SRI hashes, defending against CDN compromise and supply-chain attacks, by @hamzaydia.

Miscellaneous / Server-Side Request Forgery

• htb-writeups (⭐75) - Comprehensive Hack The Box writeup collection covering 75+ web challenges including XSS, SQLi, SSTI, SSRF, and deserialization, by @momenbasel.

May 13, 2026

Reconnaissance / OSINT - Open-Source Intelligence

• Marshall Extensions (⭐7) - OSINT and security extensions for the Marshall privacy browser, providing reconnaissance and security-testing plugins by @bad-antics.

Scanning / Sub Domain Enumeration

• Trust Scan (⭐3) - URL security scanner combining threat intelligence (URLhaus, PhishTank, Spamhaus) with 40+ scam and phishing pattern detection by @undeadlist.

• ZeroTrust (⭐2) - Privacy-first Chrome extension that analyzes website security locally with on-device AI (WebGPU), producing trust scores from HTTPS, phishing, malicious-script, and cookie-compliance signals, by @sattyamjjain.

Application / Server-Side Request Forgery

• OopsSec Store (⭐17) - Intentionally vulnerable e-commerce application built with Next.js - Written by @kOaDT.

May 12, 2026

Reconnaissance / OSINT - Open-Source Intelligence

• OpenBuckets - Search engine for misconfigured public cloud storage buckets across any provider.

Fuzzing / Sub Domain Enumeration

• wayparam (⭐6) - Cross-platform Python CLI that fetches historical URLs from the Wayback CDX API and outputs normalized parameterized URLs for fuzzing, by @aleff-github.

Preventing / Server-Side Request Forgery

• UUSEC WAF (⭐1.6k) - An open-source web application firewall and API security gateway maintained by UUCORP.

• BunkerWeb - A next-generation open-source Web Application Firewall built on nginx, maintained by Bunkerity.

Social Engineering Database / Server-Side Request Forgery

• Hudson Rock - Check if your email or domain was compromised by infostealer malware, maintained by Hudson Rock.

Miscellaneous / Server-Side Request Forgery

• Cybersecurity Campaign Playbook - Written by Belfer Center for Science and International Affairs.

• Grokking Web Application Security - Hands-on introduction to web application security fundamentals by Malcolm McDonald (Manning).

May 11, 2026

Scanning / Sub Domain Enumeration

• ZAP by Checkmarx - Open-source web application security scanner maintained by the ZAP Core Team.

Oct 05, 2020

Crypto

• What is a Side-Channel Attack ? - Written by J.M Porup.

Scanning / Sub Domain Enumeration

• Nuclei (⭐28k) - Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by @projectdiscovery.

Aug 26, 2020

Webshell / Server-Side Request Forgery

• PhpSploit (⭐2.5k) - Full-featured C2 framework which silently persists on webserver via evil PHP oneliner by @nil0x42.

Aug 09, 2020

Prototype Pollution

• Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - Written by @securitymb.

Deserialization

• HOW TO EXPLOIT LIFERAY CVE-2020-7961 : QUICK JOURNEY TO POC - Written by @synacktiv.

Jul 29, 2020

Prototype Pollution

• Real-world JS - 1 - Written by @po6ix.

Jul 28, 2020

Digests

• tl;dr sec - Weekly summary of top security tools, blog posts, and security research.

JWT

• Hardcoded secrets, unverified tokens, and other common JWT mistakes - Written by @ermil0v.

Jun 19, 2020

Deserialization

• How to exploit the DotNetNuke Cookie Deserialization - Written by CRISTIAN CORNEA.

Backend (core of Browser implementation, and often refers to C or C++ part)

• A Methodical Approach to Browser Exploitation - Written by RET2 SYSTEMS, INC.

Miscellaneous / Server-Side Request Forgery

• DOS File Path Magic Tricks - Written by @clr2of8.

• How I got my first big bounty payout with Tesla - Written by @cj.fairhead.

May 22, 2020

Deserialization

• .NET Roulette: Exploiting Insecure Deserialization in Telerik UI - Written by @noperator.

• Attacking .NET deserialization - Written by @pwntester.

May 12, 2020

OAuth

• Introduction to OAuth 2.0 and OpenID Connect - Written by @PhilippeDeRyck.

May 11, 2020

XSS

• $20000 Facebook DOM XSS - Written by @vinodsparrow.

Miscellaneous / Server-Side Request Forgery

• How we abused Slack's TURN servers to gain access to internal services - Written by @sandrogauci.

May 10, 2020

OAuth

• What is going on with OAuth 2.0? And why you should not use it for authentication. - Written by @damianrusinek.

• Facebook OAuth Framework Vulnerability - Written by @AmolBaikar.

CSRF

• If HttpOnly You Could Still CSRF… Of CORS you can! - Written by @GraphX.

Frontend (like SOP bypass, URL spoofing, and something like that)

• Sending arbitrary IPC messages via overriding Function.prototype.apply - Written by @kinugawamasato.

• Take Advantage of Out-of-Scope Domains in Bug Bounty Programs - Written by @Abdulahhusam.

Backend (core of Browser implementation, and often refers to C or C++ part)

• CLEANLY ESCAPING THE CHROME SANDBOX - Written by @tjbecker_.

Miscellaneous / Server-Side Request Forgery

• WCTF2019: Gyotaku The Flag - Written by @t0nk42.

May 09, 2020

Digests

• CTF Field Guide - Written by Trail of Bits.

• Hacker101 - Written by hackerone.

• Infosec Newbie - Written by Mark Robinson.

• PayloadsAllTheThings (⭐78k) - Written by @swisskyrepo.

• The Daily Swig - Web security digest - Written by PortSwigger.

• The Magic of Learning - Written by @bitvijays.

• Web Application Security Zone by Netsparker - Written by Netsparker.

AWS

• Misadventures in AWS - Written by Christian Demko.

SQL Injection

• SQL INJECTION AND POSTGRES - AN ADVENTURE TO EVENTUAL RCE - Written by @denandz.

Deserialization

• ASP.NET resource files (.RESX) and deserialisation issues - Written by @irsdl.

Cheetsheets

• Capture the Flag CheatSheet (⭐135) - Written by @uppusaikiran.

• XSS Cheat Sheet - 2018 Edition - Written by @brutelogic.

Offensive / XSS - Cross-Site Scripting

• csp evaluator - A tool for evaluating content-security-policies by Csper.

Preventing / Server-Side Request Forgery

• Csper - A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.

Miscellaneous / Server-Side Request Forgery

• Implications of Loading .NET Assemblies - Written by Brian Wallace.

May 05, 2020

SSL/TLS

• Practical introduction to SSL/TLS (⭐634) - Written by @Hakky54.

Mar 22, 2020

Miscellaneous / Server-Side Request Forgery

• Why Facebook's api starts with a for loop - Written by @AntoGarand.

Dec 30, 2019

Prototype Pollution

• Prototype pollution attack in NodeJS application (⭐537) - Written by @HoLyVieR.

XSS

• Exploiting XSS with 20 characters limitation - Written by Jorge Lajara.

Others

• Some Tricks From My Secret Group - Written by phithon.

Frontend (like SOP bypass, URL spoofing, and something like that)

• The Cookie Monster in Your Browsers - Written by @filedescriptor.

• The world of Site Isolation and compromised renderer - Written by @shhnjk.

Nov 30, 2019

XSS - Cross-Site Scripting

• payloadbox/xss-payload-list - Written by @payloadbox.

SQL Injection

• payloadbox/sql-injection-payload-list - Written by @payloadbox.

Command Injection

• payloadbox/command-injection-payload-list - Written by @payloadbox.

XXE - XML eXternal Entity

• payloadbox/xxe-injection-payload-list - Written by @payloadbox.

Open Redirect

• payloadbox/open-redirect-payload-list - Written by @payloadbox.

Nov 22, 2019

Crypto

• Applied Crypto Hardening - Written by The bettercrypto.org Team.

NoSQL Injection

• GraphQL NoSQL Injection Through JSON Types - Written by Pete.

SSRF

• All you need to know about SSRF and how may we write tools to do auto-detect - Written by @Auxy233.

• AWS takeover through SSRF in JavaScript - Written by Gwen.

Others

• How I hacked Google’s bug tracking system itself for $15,600 in bounties - Written by @alex.birsan.

Backend (core of Browser implementation, and often refers to C or C++ part)

• Three roads lead to Rome - Written by @holynop.

Database

• Exploit Database - ultimate archive of Exploits, Shellcode, and Security Papers by Offensive Security.

Miscellaneous / Server-Side Request Forgery

• The bug bounty program that changed my life - Written by Gwen.

Nov 05, 2019

XSS - Cross-Site Scripting

• PayloadsAllTheThings - XSS Injection (⭐78k) - Written by @swisskyrepo.

CSV Injection

• PayloadsAllTheThings - CSV Injection (⭐78k) - Written by @swisskyrepo.

SQL Injection

• PayloadsAllTheThings - SQL Injection (⭐78k) - Written by @swisskyrepo.

• MySQL Error Based SQL Injection Using EXP - Written by @osandamalith.

Command Injection

• PayloadsAllTheThings - Command Injection (⭐78k) - Written by @swisskyrepo.

XXE - XML eXternal Entity

• PayloadsAllTheThings - XXE Injection (⭐78k) - Written by various contributors.

• XML external entity (XXE) injection - Written by portswigger.

• XML Schema, DTD, and Entity Attacks - Written by Timothy D. Morgan and Omar Al Ibrahim.

CSRF - Cross-Site Request Forgery

• PayloadsAllTheThings - CSRF Injection (⭐78k) - Written by @swisskyrepo.

SSRF - Server-Side Request Forgery

• PayloadsAllTheThings - Server-Side Request Forgery (⭐78k) - Written by @swisskyrepo.

Web Cache Poisoning

• PayloadsAllTheThings - Web Cache Deception (⭐78k) - Written by @swisskyrepo.

Open Redirect

• PayloadsAllTheThings - Open Redirect (⭐78k) - Written by @swisskyrepo.

Security Assertion Markup Language (SAML)

• PayloadsAllTheThings - SAML Injection (⭐78k) - Written by @swisskyrepo.

Upload

• PayloadsAllTheThings - Upload Insecure Files (⭐78k) - Written by @swisskyrepo.

XXE

• Bypass Fix of OOB XXE Using Different encoding - Written by @SpiderSec.

• XML Out-Of-Band Data Retrieval - Written by Timur Yunusov and Alexey Osipov.

• Automating local DTD discovery for XXE exploitation - Written by Philippe Arteau.

• Exploiting XXE with local DTD files - Written by Arseniy Sharoglazov.

• Forcing XXE Reflection through Server Error Messages - Written by Antti Rantasaari.

• Pre-authentication XXE vulnerability in the Services Drupal module - Written by Renaud Dubourguais.

• What You Didn't Know About XML External Entities Attacks - Written by Timothy D. Morgan.

• XXE in WeChat Pay Sdk ( WeChat leave a backdoor on merchant websites) - Written by Rose Jackcode.

• XXE OOB exploitation at Java 1.7+ (2014) - Exfiltration using FTP protocol - Written by Ivan Novikov.

• XXE OOB extracting via HTTP+FTP using single opened port - Written by skavans.

Remote Code Execution

• CVE-2019-1306: ARE YOU MY INDEX? - Written by @yu5k3.

XSS

• Upgrade self XSS to Exploitable XSS an 3 Ways Technic - Written by HAHWUL.

Offensive / XXE

• dtd-finder (⭐659) - List DTDs and generate XXE payloads using those local DTDs by @GoSecure.

Others / Server-Side Request Forgery

• cefdebug (⭐210) - Minimal code to connect to a CEF debugger by @taviso.

• ctftool (⭐1.7k) - Interactive CTF Exploration Tool by @taviso.

• ntlm_challenger (⭐153) - Parse NTLM over HTTP challenge messages by @b17zr.

Oct 24, 2019

Rails

• Official Rails Security Guide - Written by Rails team.

• Rails SQL Injection - Written by @presidentbeef.

• Zen Rails Security Checklist (⭐1.8k) - Written by @brunofacca.

Oct 04, 2019

Application / Server-Side Request Forgery

• BadLibrary (⭐59) - Vulnerable web application for training - Written by @SecureSkyTechnology.

• Hackxor - Realistic web application hacking game - Written by @albinowax.

• OWASP Juice Shop - Probably the most modern and sophisticated insecure web application - Written by @bkimminich and the @owasp_juiceshop team.

• Portswigger Web Security Academy - Free trainings and labs - Written by PortSwigger.

Sep 15, 2019

DNS Rebinding

• Attacking Private Networks from the Internet with DNS Rebinding - Written by @brannondorsey.

• Hacking home routers from the Internet - Written by @radekk.

DNS Rebinding / Server-Side Request Forgery

• DNS Rebind Toolkit (⭐500) - DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by @brannondorsey.

• dref (⭐492) - DNS Rebinding Exploitation Framework. Dref does the heavy-lifting for DNS rebinding by @mwrlabs.

• Singularity of Origin (⭐1.3k) - It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine by @nccgroup.

• Whonow DNS Server (⭐660) - A malicious DNS server for executing DNS Rebinding attacks on the fly by @brannondorsey.

Aug 25, 2019

Clickjacking

• Clickjacking - Written by Imperva.

• X-Frame-Options: All about Clickjacking? (⭐85) - Written by Mario Heiderich.

• Clickjackings in Google worth 14981.7$ - Written by @raushanraj_65039.

Miscellaneous / Server-Side Request Forgery

• List of bug bounty writeups - Written by Mariem.

Aug 24, 2019

Azure

• Cloud Security Risks (Part 1): Azure CSV Injection Vulnerability - Written by @spengietz.

• Common Azure Security Vulnerabilities and Misconfigurations - Written by @rhinobenjamin.

Auditing

• slurp (⭐3) - Evaluate the security of S3 buckets by @hehnope.

Fuzzing / Sub Domain Enumeration

• fuzz.txt (⭐3.3k) - Potentially dangerous files by @Bo0oM.

Leaking / Server-Side Request Forgery

• LinkFinder (⭐4.3k) - Python script that finds endpoints in JavaScript files by @GerbenJavado.

Twitter Users / Server-Side Request Forgery

• @shhnjk - Web and Browsers Security Researcher.

Miscellaneous / Server-Side Request Forgery

• Alexa Top 1 Million Security - Hacking the Big Ones - Written by @slashcrypto.

• Hacking with a Heads Up Display - Written by David Scrobonia.

• WEB APPLICATION PENETRATION TESTING NOTES - Written by Jayson.

Jun 26, 2019

Offensive / Server-Side Request Forgery

• Open redirect/SSRF payload generator - Open redirect/SSRF payload generator by intigriti.

Jun 25, 2019

Relative Path Overwrite

• Large-scale analysis of style injection by relative path overwrite - Written by The Morning Paper.

• MBSD Technical Whitepaper - A few RPO exploitation techniques - Written by Mitsui Bussan Secure Directions, Inc..

Security Assertion Markup Language (SAML)

• How to Hunt Bugs in SAML; a Methodology - Part I - Written by epi.

• How to Hunt Bugs in SAML; a Methodology - Part II - Written by epi.

• How to Hunt Bugs in SAML; a Methodology - Part III - Written by epi.

CSRF

• Cracking Java’s RNG for CSRF - Javax Faces and Why CSRF Token Randomness Matters - Written by @rramgattie.

XSS

• XSS without parentheses and semi-colons - Written by @garethheyes.

SQL Injection

• Red Team Tales 0x01: From MSSQL to RCE - Written by Tarlogic.

Frontend (like SOP bypass, URL spoofing, and something like that)

• Bypassing Mobile Browser Security For Fun And Profit - Written by @rafaybaloch.

May 26, 2019

Remote Code Execution

• What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. - Written by @breenmachine.

• WebLogic RCE (CVE-2019-2725) Debug Diary - Written by Badcode@Knownsec 404 Team.

CSP

• Any protection against dynamic module import? (⭐222) - Written by @shhnjk.

XSS

• XSS-Auditor — the protector of unprotected and the deceiver of protected. - Written by @terjanq.

Frontend (like SOP bypass, URL spoofing, and something like that)

• The inception bar: a new phishing method - Written by jameshfisher.

Backend (core of Browser implementation, and often refers to C or C++ part)

• Breaking UC Browser - Written by Доктор Веб.

Miscellaneous / Server-Side Request Forgery

• An example why NAT is NOT security - Written by @0daywork.

Dec 31, 2018

Offensive / Cross Site Request Forgery

• XSRFProbe (⭐1.3k) - The Prime CSRF Audit & Exploitation Toolkit by @0xInfection.

Dec 29, 2018

Detecting / Server-Side Request Forgery

• GuardRails - A GitHub App that provides security feedback in Pull Requests.

Dec 17, 2018

Miscellaneous / Server-Side Request Forgery

• How I could have stolen your photos from Google - my first 3 bug bounty writeups - Written by @gergoturcsanyi.

Nov 05, 2018

XSS

• is filtered ? - Written by @strukt93.

Backend (core of Browser implementation, and often refers to C or C++ part)

• CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime. - Written by Diary of a reverse-engineer.

Reconnaissance / OSINT - Open-Source Intelligence

• espi0n/Dockerfiles (⭐40) - Dockerfiles for various OSINT tools by @espi0n.

• Raccoon (⭐3.6k) - High performance offensive security tool for reconnaissance and vulnerability scanning by @evyatarmeged.

• Social Mapper (⭐4k) - Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf) by @SpiderLabs.

Oct 29, 2018

Upload

• File Upload Restrictions Bypass - Written by Haboob Team.

SSRF

• Piercing the Veil: Server Side Request Forgery to NIPRNet access - Written by Alyssa Herrera.

Frontend (like SOP bypass, URL spoofing, and something like that)

• I’m harvesting credit card numbers and passwords from your site. Here’s how. - Written by David Gilbertson.

Blogs / Server-Side Request Forgery

• Blog of Osanda - Security Researching and Reverse Engineering.

AWS / Server-Side Request Forgery

• CloudGoat (⭐3.6k) - Rhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool - Written by @RhinoSecurityLabs.

Miscellaneous / Server-Side Request Forgery

• Finding The Real Origin IPs Hiding Behind CloudFlare or TOR - Written by Paul Dannewitz.

Oct 24, 2018

Fuzzing / Sub Domain Enumeration

• ssltest - Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.

Scanning / Sub Domain Enumeration

• WAScan - Is an open source web application security scanner that uses "black-box" method, created by @m4ll0k.

Oct 23, 2018

Fuzzing / Sub Domain Enumeration

• dirhunt (⭐2k) - Web crawler optimized for searching and analyzing the directory structure of a site by @nekmo.

Scanning / Sub Domain Enumeration

• JoomlaScan (⭐256) - Free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by @drego85.

• wpscan (⭐9.6k) - WPScan is a black box WordPress vulnerability scanner by @wpscanteam.

Oct 22, 2018

XSS - Cross-Site Scripting

• AwesomeXSS (⭐5.1k) - Written by @s0md3v.

• XSS.png - Written by @jackmasa.

Web Cache Poisoning

• Practical Web Cache Poisoning - Written by @albinowax.

• Bypassing Web Cache Poisoning Countermeasures - Written by @albinowax.

• Cache poisoning and other dirty tricks - Written by Wallarm.

Remote Code Execution

• Evil Teacher: Code Injection in Moodle - Written by RIPS Technologies.

XSS

• Another XSS in Google Colaboratory - Written by Michał Bentkowski.

• XSS in Google Colaboratory + CSP bypass - Written by Michał Bentkowski.

SQL Injection

• Making a Blind SQL Injection a little less blind - Written by TomNomNom.

Frontend (like SOP bypass, URL spoofing, and something like that)

• Setting arbitrary request headers in Chromium via CRLF injection - Written by Michał Bentkowski.

Reconnaissance / OSINT - Open-Source Intelligence

• Photon (⭐13k) - Incredibly fast crawler designed for OSINT by @s0md3v.

• ReconDog (⭐2k) - Reconnaissance Swiss Army Knife by @s0md3v.

Offensive / XSS - Cross-Site Scripting

• beef (⭐11k) - The Browser Exploitation Framework Project by beefproject.

• JShell (⭐533) - Get a JavaScript shell with XSS by @s0md3v.

Webshell / Server-Side Request Forgery

• nano (⭐450) - Family of code golfed PHP shells by @s0md3v.

Oct 13, 2018

Miscellaneous / Server-Side Request Forgery

• Introduction to Web Application Security - Written by @itsC0rg1, @jmkeads and @matir.

Oct 12, 2018

AWS

• AWS PENETRATION TESTING PART 1. S3 BUCKETS - Written by VirtueSecurity.

• AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - Written by VirtueSecurity.

OSINT

• The most complete guide to finding anyone’s email - Written by Timur Daudpota.

XSS

• DOM XSS – auth.uber.com - Written by StamOne_.

Oct 01, 2018

Fuzzing / Sub Domain Enumeration

• FuzzDB (⭐8.9k) - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.

Sep 12, 2018

Database

• SPLOITUS - Exploits & Tools Search Engine by @i_bo0om.

Sep 09, 2018

Open Redirect

• Open Redirect Vulnerability - Written by s0cket7.

SSRF

• Into the Borg – SSRF inside Google production network - Written by opnsec.

Aug 29, 2018

SSRF

• SSRF in Exchange leads to ROOT access in all instances - Written by @0xacb.

Aug 25, 2018

Command Injection

• commix (⭐5.7k) - Automated All-in-One OS command injection and exploitation tool by @commixproject.

Aug 24, 2018

Remote Code Execution

• Remote Code Execution on a Facebook server - Written by @blaklis_.

Aug 01, 2018

CSP

• GitHub's CSP journey - Written by @ptoomey3.

• GitHub's post-CSP journey - Written by @ptoomey3.

Jul 30, 2018

Preventing / Server-Side Request Forgery

• Acra (⭐1.5k) - Client-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by @cossacklabs.

• DOMPurify (⭐17k) - DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by Cure53.

Jul 19, 2018

CSP

• Evading CSP with DOM-based dangling markup - Written by portswigger.

Reconnaissance / Sub Domain Enumeration

• Sublist3r (⭐11k) - Sublist3r is a multi-threaded sub-domain enumeration tool for penetration testers by @aboul3la.

Penetration Testing / Sub Domain Enumeration

• grayhatwarfare - Public buckets by grayhatwarfare.

• TIDoS-Framework (⭐1.9k) - A comprehensive web application audit framework to cover up everything from Reconnaissance and OSINT to Vulnerability Analysis by @_tID.

Offensive / Template Injection

• tplmap (⭐4.2k) - Code and Server-Side Template Injection Detection and Exploitation Tool by @epinna.

Blogs / Server-Side Request Forgery

• 0Day Labs - Awesome bug-bounty and challenges writeups.

Jul 13, 2018

SSRF - Server-Side Request Forgery

• SSRF bible. Cheatsheet - Written by Wallarm.

CSP

• Neatly bypassing CSP - Written by Wallarm.

Jul 11, 2018

Offensive / XSS - Cross-Site Scripting

• XSStrike (⭐15k) - XSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by @s0md3v.

Jul 05, 2018

Frontend (like SOP bypass, URL spoofing, and something like that)

• How do we Stop Spilling the Beans Across Origins? - Written by aaj at google.com and mkwst at google.com.

Backend (core of Browser implementation, and often refers to C or C++ part)

• PUSHING WEBKIT'S BUTTONS WITH A MOBILE PWN2OWN EXPLOIT - Written by @wanderingglitch.

Jun 28, 2018

ReactJS

• XSS via a spoofed React element - Written by Daniel LeCheminant.

Jun 18, 2018

Webmail

• Why mail() is dangerous in PHP - Written by Robin Peraglie.

Blogs / Server-Side Request Forgery

• RIPS Technologies - Write-ups for PHP vulnerabilities.

Jun 08, 2018

XSS - Cross-Site Scripting

• C.XSS Guide - Written by @JakobKallin and Irene Lobo Valbuena.

• Cross-Site Scripting – Application Security – Google - Written by Google.

• H5SC (⭐2.9k) - Written by @cure53.

• THE BIG BAD WOLF - XSS AND MAINTAINING ACCESS - Written by Paulos Yibelo.

Jun 02, 2018

Miscellaneous / Server-Side Request Forgery

• CSS Is So Overpowered It Can Deanonymize Facebook Users - Written by Ruslan Habalov.

May 31, 2018

Remote Code Execution

• $36k Google App Engine RCE - Written by Ezequiel Pereira.

• Poor RichFaces - Written by CODE WHITE.

May 25, 2018

Detecting / Server-Side Request Forgery

• OpenRASP (⭐3k) - An open source RASP solution actively maintained by Baidu Inc. With context-aware detection algorithm the project achieved nearly no false positives. And less than 3% performance reduction is observed under heavy server load.

May 02, 2018

Database

• uxss-db (⭐702) - Collection of UXSS CVEs with PoCs by @Metnew.

Apr 23, 2018

Reconnaissance / OSINT - Open-Source Intelligence

• tinfoleak (⭐2k) - The most complete open-source tool for Twitter intelligence analysis by @vaguileradiaz.

Fuzzing / Sub Domain Enumeration

• domato (⭐1.8k) - DOM fuzzer by @google.

Penetration Testing / Sub Domain Enumeration

• aws_pwn (⭐1.2k) - A collection of AWS penetration testing junk by @dagrz.

Miscellaneous / Server-Side Request Forgery

• Domato Fuzzer's Generation Engine Internals - Written by sigpwn.

Apr 15, 2018

Penetration Testing / Sub Domain Enumeration

• Astra (⭐2.6k) - Automated Security Testing For REST API's by @flipkart-incubator.

Leaking / Server-Side Request Forgery

• snallygaster (⭐2.1k) - Tool to scan for secret files on HTTP servers by @hannob.

Miscellaneous / Server-Side Request Forgery

• Be careful what you copy: Invisibly inserting usernames into text with Zero-Width Characters - Written by @umpox.

• Escape and Evasion Egressing Restricted Networks - Written by Chris Patten, Tom Steele.

Mar 29, 2018

Miscellaneous / Server-Side Request Forgery

• TL:DR: VPN leaks users’ IPs via WebRTC. I’ve tested seventy VPN providers and 16 of them leaks users’ IPs via WebRTC (23%) - Written by voidsec.

Mar 21, 2018

Leaking / Server-Side Request Forgery

• pwngitmanager (⭐109) - Git manager for pentesters by @allyshka.

Mar 20, 2018

Backend (core of Browser implementation, and often refers to C or C++ part)

• Look Mom, I don't use Shellcode - Browser Exploitation Case Study for Internet Explorer 11 - Written by @moritzj.

Mar 19, 2018

XSS

• Stored XSS on Facebook - Written by Enguerran Gillier.

Miscellaneous / Server-Side Request Forgery

• How I exploited ACME TLS-SNI-01 issuing Let's Encrypt SSL-certs for any domain using shared hosting - Written by @fransrosen.

Mar 16, 2018

Others

• Stored XSS, and SSRF in Google using the Dataset Publishing Language - Written by @signalchaos.

Mar 12, 2018

Decompiler / Server-Side Request Forgery

• CFR - Another java decompiler by @LeeAtBenf.

Miscellaneous / Server-Side Request Forgery

• $7.5k Google services mix-up - Written by Ezequiel Pereira.

• The Bug Hunters Methodology v2.1 - Written by @jhaddix.

Mar 02, 2018

SSRF

• PHP SSRF Techniques - Written by @themiddleblue.

Reconnaissance / OSINT - Open-Source Intelligence

• peoplefindThor - the easy way to find people on Facebook by postkassen.

Feb 28, 2018

OSINT

• 102 Deep Dive in the Dark Web OSINT Style Kirby Plessas - Presented by @kirbstr.

Reconnaissance / OSINT - Open-Source Intelligence

• Databases - start.me - Various databases which you can use for your OSINT research by @technisette.

Feb 26, 2018

XXE

• Evil XML with two encodings - Written by Arseniy Sharoglazov.

Feb 23, 2018

Forums

• Dark Reading - Connecting The Information Security Community.

• HackDig - Dig high-quality web security articles for hacker.

• Phrack Magazine - Ezine written by and for hackers.

• Security Weekly - The security podcast network.

• The Hacker News - Security in a serious way.

• The Register - Biting the hand that feeds IT.

CSV Injection

• CSV Injection -> Meterpreter on Pornhub - Written by Andy.

• The Absurdly Underestimated Dangers of CSV Injection - Written by George Mauer.

SQL Injection

• SQL Injection Cheat Sheet - Written by @netsparker.

• SQL Injection Pocket Reference - Written by @LightOS.

• SQL Injection Wiki - Written by NETSPI.

• GitHub Enterprise SQL Injection - Written by Orange.

• SQL injection in an UPDATE query - a bug bounty story! - Written by Zombiehelp54.

Command Injection

• Potential command injection in resolv.rb (⭐24k) - Written by @drigg3r.

ORM Injection

• HQL : Hyperinsane Query Language (or how to access the whole SQL API within a HQL injection ?) - Written by @_m0bius.

• HQL for pentesters - Written by @h3xstream.

• ORM Injection - Written by Simone Onofri.

• ORM2Pwn: Exploiting injections in Hibernate ORM - Written by Mikhail Egorov.

FTP Injection

• Advisory: Java/Python FTP Injections Allow for Firewall Bypass - Written by Timothy Morgan.

• SMTP over XXE − how to send emails using Java's XML parser - Written by Alexander Klink.

• XXE OOB exploitation at Java 1.7+ - Written by Ivan Novikov.

XXE - XML eXternal Entity

• XXE - Written by @phonexicum.

CSRF - Cross-Site Request Forgery

• Wiping Out CSRF - Written by @jrozner.

Rails

• Rails Security - First part - Written by @qazbnm456.

AngularJS

• DOM based Angular sandbox escapes - Written by @garethheyes.

• XSS without HTML: Client-Side Template Injection with AngularJS - Written by Gareth Heyes.

SSL/TLS

• SSL & TLS Penetration Testing - Written by APTIVE.

NFS

• NFS | PENETRATION TESTING ACADEMY - Written by PENETRATION ACADEMY.

AWS

• PENETRATION TESTING AWS STORAGE: KICKING THE S3 BUCKET - Written by Dwight Hohnstein from Rhino Security Labs.

Sub Domain Enumeration

• A penetration tester’s guide to sub-domain enumeration - Written by Bharath.

• The Art of Subdomain Enumeration - Written by Patrik Hudak.

Web Shell

• Hacking with JSP Shells - Written by @_nullbind.

• Hunting for Web Shells - Written by Jacob Baines.

OSINT

• Hacking Cryptocurrency Miners with OSINT Techniques - Written by @s3yfullah.

• OSINT x UCCU Workshop on Open Source Intelligence - Written by Philippe Lin.

CSP

• CSP: bypassing form-action with reflected XSS - Written by Detectify Labs.

• TWITTER XSS + CSP BYPASS - Written by Paulos Yibelo.

WAF

• Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Written by @Brett Buerhaus.

• How to bypass libinjection in many WAF/NGWAF - Written by @d0znpp.

• Web Application Firewall (WAF) Evasion Techniques - Written by @secjuice.

• Web Application Firewall (WAF) Evasion Techniques #2 - Written by @secjuice.

JSMVC

• JavaScript MVC and Templating Frameworks - Written by Mario Heiderich.

Authentication

• Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584) - Written by @malerisch and @steventseeley.

CSRF

• Exploiting CSRF on JSON endpoints with Flash and redirects - Written by @riyazwalikar.

• Neat tricks to bypass CSRF-protection - Written by Twosecurity.

• Stealing CSRF tokens with CSS injection (without iFrames) (⭐324) - Written by @dxa4481.

Remote Code Execution

• DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE - Written by Ambionics Security.

• Exploiting Node.js deserialization bug for Remote Code Execution - Written by OpSecX.

• GitHub Enterprise Remote Code Execution - Written by @iblue.

• How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! - Written by Orange.

• How we exploited a remote code execution vulnerability in math.js - Written by @capacitorset.

XSS

• DON'T TRUST THE DOM: BYPASSING XSS MITIGATIONS VIA SCRIPT GADGETS - Written by Sebastian Lekies, Krzysztof Kotowicz, and Eduardo Vela.

• ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else - Written by Mario Heiderich.

• How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) - Written by @marin_m.

• Query parameter reordering causes redirect page to render unsafe URL - Written by kenziy.

• Uber XSS via Cookie - Written by zhchbin.

SSRF

• A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Written by Orange.

• SSRF in https://imgur.com/vidgif/url - Written by aesteral.

• SSRF Tips - Written by xl7dev.

Header Injection

• Java/Python FTP Injections Allow for Firewall Bypass - Written by Timothy Morgan.

URL

• [dev.twitter.com] XSS - Written by Sergey Bobrov.

• Phishing with Unicode Domains - Written by Xudong Zheng.

• Some Problems Of URLs - Written by Chris Palmer.

• Unicode Domains are bad and you should feel bad for supporting them - Written by VRGSEC.

Others

• Inducing DNS Leaks in Onion Web Services (⭐42) - Written by @epidemics-scepticism.

Frontend (like SOP bypass, URL spoofing, and something like that)

• IE11 Information disclosure - local file detection - Written by James Lee.

• JSON hijacking for the modern web - Written by portswigger.

• SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge) - Written by Manuel.

• Особенности Safari в client-side атаках - Written by Bo0oM.

Backend (core of Browser implementation, and often refers to C or C++ part)

• Attacking JavaScript Engines - A case study of JavaScriptCore and CVE-2016-4622 - Written by [email protected].

• Exploiting a V8 OOB write. - Written by @halbecaf.

• SSD Advisory – Chrome Turbofan Remote Code Execution - Written by SecuriTeam Secure Disclosure (SSD).

Database

• awesome-cve-poc (⭐3.5k) - Curated list of CVE PoCs by @qazbnm456.

• js-vuln-db (⭐2.3k) - Collection of JavaScript engine CVEs with PoCs by @tunz.

• Some-PoC-oR-ExP (⭐2.5k) - 各种漏洞poc、Exp的收集或编写 by @coffeehb.

Auditing

• A2SV (⭐635) - Auto Scanning to SSL Vulnerability by @hahwul.

• prowler (⭐14k) - Tool for AWS security assessment, auditing and hardening by @Alfresco.

Reconnaissance / OSINT - Open-Source Intelligence

• Censys - Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.

• FOCA (⭐3.5k) - FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by ElevenPaths.

• FOFA - Cyberspace Search Engine by BAIMAOHUI.

• gitrob (⭐6.2k) - Reconnaissance tool for GitHub organizations by @michenriksen.

• GSIL (⭐2.1k) - Github Sensitive Information Leakage（Github敏感信息泄露）by @FeeiCN.

• NSFOCUS - THREAT INTELLIGENCE PORTAL by NSFOCUS GLOBAL.

• raven (⭐797) - raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin by @0x09AL.

• Shodan - Shodan is the world's first search engine for Internet-connected devices by @shodanhq.

• SpiderFoot - Open source footprinting and intelligence-gathering tool by @binarypool.

• urlscan.io - Service which analyses websites and the resources they request by @heipei.

• xray (⭐2.3k) - XRay is a tool for recon, mapping and OSINT gathering from public networks by @evilsocket.

• ZoomEye - Cyberspace Search Engine by @zoomeye_team.

Reconnaissance / Sub Domain Enumeration

• AQUATONE (⭐5.9k) - Tool for Domain Flyovers by @michenriksen.

• Certificate Search - Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by @crtsh.

• Certificate Transparency (⭐887) - Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system by @google.

• domain_analyzer (⭐1.9k) - Analyze the security of any domain by finding all the information possible by @eldraco.

• EyeWitness (⭐62) - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible by @ChrisTruncer.

• GSDF (⭐184) - Domain searcher named GoogleSSLdomainFinder by @We5ter.

• subDomainsBrute (⭐3.6k) - A simple and fast sub domain brute tool for pentesters by @lijiejie.

• VirusTotal domain information - Searching for domain information by VirusTotal.

Code Generating / Sub Domain Enumeration

• VWGen (⭐85) - Vulnerable Web applications Generator by @qazbnm456.

Fuzzing / Sub Domain Enumeration

• charsetinspect (⭐28) - Script that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.

• IPObfuscator (⭐146) - Simple tool to convert the IP to a DWORD IP by @OsandaMalith.

• wfuzz (⭐6.5k) - Web application bruteforcer by @xmendez.

Penetration Testing / Sub Domain Enumeration

• Burp Suite - Burp Suite is an integrated platform for performing security testing of web applications by portswigger.

Offensive / XSS - Cross-Site Scripting

• xssor2 (⭐2.2k) - XSS'OR - Hack with JavaScript by @evilcos.

Offensive / SQL Injection

• sqlmap (⭐37k) - Automatic SQL injection and database takeover tool.

Leaking / Server-Side Request Forgery

• CSS-Keylogging (⭐3.2k) - Chrome extension and Express server that exploits keylogging abilities of CSS by @maxchehab.

• DVCS-Pillage (⭐327) - Pillage web accessible GIT, HG and BZR repositories by @evilpacket.

• dvcs-ripper (⭐1.8k) - Rip web accessible (distributed) version control systems: SVN/GIT/HG... by @kost.

• gitleaks (⭐27k) - Searches full repo history for secrets and keys by @zricethezav.

• GitMiner (⭐2.2k) - Tool for advanced mining for content on Github by @UnkL4b.

• HTTPLeaks (⭐2.1k) - All possible ways, a website can leak HTTP requests by @cure53.

Detecting / Server-Side Request Forgery

• bXSS (⭐570) - bXSS is a simple Blind XSS application adapted from cure53.de/m by @LewisArdern.

• malware-jail (⭐476) - Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by @HynekPetrak.

• repo-supervisor (⭐654) - Scan your code for security misconfiguration, search for passwords and secrets.

• retire.js (⭐4.1k) - Scanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.

• sqlchop - SQL injection detection engine by chaitin.

• xsschop - XSS detection engine by chaitin.

Preventing / Server-Side Request Forgery

• js-xss (⭐5.3k) - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.

Proxy / Server-Side Request Forgery

• Charles - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

• mitmproxy (⭐43k) - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.

Webshell / Server-Side Request Forgery

• reverse-shell (⭐2k) - Reverse Shell as a Service by @lukechilds.

• Reverse-Shell-Manager (⭐246) - Reverse Shell Manager via Terminal @WangYihang.

• webshell (⭐11k) - This is a webshell open source project by @tennc.

• Webshell-Sniper (⭐424) - Manage your website via terminal by @WangYihang.

• Weevely (⭐3.5k) - Weaponized web shell by @epinna.

Disassembler / Server-Side Request Forgery

• Iaitō (⭐1.5k) - Qt and C++ GUI for radare2 reverse engineering framework by @hteso.

• plasma (⭐3.1k) - Plasma is an interactive disassembler for x86/ARM/MIPS by @plasma-disassembler.

• radare2 (⭐24k) - Unix-like reverse engineering framework and commandline tools by @radare.

Others / Server-Side Request Forgery

• CyberChef (⭐35k) - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by @GCHQ.

• Dnslogger - DNS Logger by @iagox86.

Social Engineering Database / Server-Side Request Forgery

• haveibeenpwned - Check if you have an account that has been compromised in a data breach by Troy Hunt.

Blogs / Server-Side Request Forgery

• BRETT BUERHAUS - Vulnerability disclosures and rambles on application security.

• Broken Browser - Fun with Browser Vulnerabilities.

• James Kettle - Head of Research at PortSwigger Web Security.

• leavesongs - China's talented web penetrator.

• n0tr00t - ~# n0tr00t Security Team.

• OpnSec - Open Mind Security!.

• Orange - Taiwan's talented web penetrator.

• Scrutiny - Internet Security through Web Browsers by Dhiraj Mishra.

Twitter Users / Server-Side Request Forgery

• @cure53berlin - Cure53 is a German cybersecurity firm.

• @filedescriptor - Active penetrator often tweets and writes useful articles.

• @garethheyes - English web penetrator.

• @h3xstream - Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.

• @HackwithGitHub - Initiative to showcase open source hacking tools for hackers and pentesters.

• @hasegawayosuke - Japanese javascript security researcher.

• @kinugawamasato - Japanese web penetrator.

• @XssPayloads - The wonderland of JavaScript unexpected usages, and more.

Application / Server-Side Request Forgery

• SELinux Game - Learn SELinux by doing. Solve Puzzles, show skillz - Written by @selinuxgame.

AWS / Server-Side Request Forgery

• FLAWS - Amazon AWS CTF challenge - Written by @0xdabbad00.

XSS / Server-Side Request Forgery

• alert(1) to win - Series of XSS challenges - Written by @steike.

• prompt(1) to win - Complex 16-Level XSS Challenge held in summer 2014 (+4 Hidden Levels) - Written by @cure53.

• XSS Challenges - Series of XSS challenges - Written by yamagata21.

• XSS game - Google XSS Challenge - Written by Google.

ModSecurity / OWASP ModSecurity Core Rule Set / Server-Side Request Forgery

• ModSecurity / OWASP ModSecurity Core Rule Set - Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by @ChrFolini.

Community / Server-Side Request Forgery

• Reddit

• Stack Overflow

Miscellaneous / Server-Side Request Forgery

• A glimpse into GitHub's Bug Bounty workflow - Written by @gregose.

• awesome-bug-bounty (⭐5.6k) - Comprehensive curated list of available Bug Bounty & Disclosure Programs and write-ups by @djadmin.

• Brute Forcing Your Facebook Email and Phone Number - Written by PwnDizzle.

• bug-bounty-reference (⭐4.2k) - List of bug bounty write-up that is categorized by the bug nature by @ngalongc.

• EQGRP (⭐4.2k) - Decrypted content of eqgrp-auction-file.tar.xz by @x0rz.

• Google VRP and Unicorns - Written by Daniel Stelter-Gliese.

• Infosec_Reference (⭐5.9k) - Information Security Reference That Doesn't Suck by @rmusser01.

• Internet of Things Scanner - Check if your internet-connected devices at home are public on Shodan by BullGuard.

• notes (⭐1.3k) - Some public notes by @ChALkeR.

• Pentest + Exploit dev Cheatsheet wallpaper - Penetration Testing and Exploit Dev CheatSheet.

• The Definitive Security Data Science and Machine Learning Guide - Written by JASON TROS.