Awesome Web Security
by qazbnm456 · qazbnm456/awesome-web-security
A curated list of Web Security materials and resources.
CRhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool - Written by @RhinoSecurityLabs.
Written by Dwight Hohnstein from Rhino Security Labs.
Written by Gareth Heyes.
OIntentionally vulnerable e-commerce application built with Next.js - Written by @kOaDT.
OProbably the most modern and sophisticated insecure web application - Written by @bkimminich and the @owaspjuiceshop team.
Free trainings and labs - Written by PortSwigger.
Learn SELinux by doing. Solve Puzzles, show skillz - Written by @selinuxgame.
Written by @malerisch and @steventseeley.
Written by @spengietz.
Written by @rhinobenjamin.
Written by Diary of a reverse-engineer.
Written by @moritzj.
Written by @wanderingglitch.
Written by SecuriTeam Secure Disclosure (SSD).
Written by @rramgattie.
Written by @riyazwalikar.
CAutomated All-in-One OS command injection and exploitation tool by @commixproject.
DDNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by @brannondorsey.
DDNS Rebinding Exploitation Framework. Dref does the heavy-lifting for DNS rebinding by @mwrlabs.
SIt includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine by @nccgroup.
WA malicious DNS server for executing DNS Rebinding attacks on the fly by @brannondorsey.
ultimate archive of Exploits, Shellcode, and Security Papers by Offensive Security.
Written by CRISTIAN CORNEA.
Written by @breenmachine.
MSandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by @HynekPetrak.
OAn open source RASP solution actively maintained by Baidu Inc. With context-aware detection algorithm the project achieved nearly no false positives. And less than 3% performance reduction is observed under heavy server load.
RScan your code for security misconfiguration, search for passwords and secrets.
RScanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.
Written by Timothy Morgan.
Written by aaj at google.com and mkwst at google.com.
Written by Michał Bentkowski.
CScript that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.
DWeb crawler optimized for searching and analyzing the directory structure of a site by @nekmo.
FDictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
Online service that performs a deep analysis of the configuration of any SSL web server on the public internet. Provided by Qualys SSL Labs.
WCross-platform Python CLI that fetches historical URLs from the Wayback CDX API and outputs normalized parameterized URLs for fuzzing, by @aleff-github.
Written by Timothy Morgan.
CChrome extension and Express server that exploits keylogging abilities of CSS by @maxchehab.
DRip web accessible (distributed) version control systems: SVN/GIT/HG... by @kost.
KChrome extension that passively scans web pages for leaked API keys, tokens, and credentials across 10 attack surfaces using 80+ detection patterns and Shannon-entropy analysis, by @momenbasel.
AComprehensive curated list of available Bug Bounty & Disclosure Programs and write-ups by @djadmin.
Written by @umpox.
BList of bug bounty write-up that is categorized by the bug nature by @ngalongc.
Written by Belfer Center for Science and International Affairs.
Hands-on introduction to web application security fundamentals by Malcolm McDonald (Manning).
Written by @fransrosen.
HComprehensive Hack The Box writeup collection covering 75+ web challenges including XSS, SQLi, SSTI, SSRF, and deserialization, by @momenbasel.
Check if your internet-connected devices at home are public on Shodan by BullGuard.
Written by @itsC0rg1, @jmkeads and @matir.
Penetration Testing and Exploit Dev CheatSheet.
Series of tutorials to install, configure and tune ModSecurity and the Core Rule Set - Written by @ChrFolini.
Written by @m0bius.
Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet by University of Michigan.
Various databases which you can use for your OSINT research by @technisette.
FFOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans by ElevenPaths.
MOSINT and security extensions for the Marshall privacy browser, providing reconnaissance and security-testing plugins by @bad-antics.
Search engine for misconfigured public cloud storage buckets across any provider.
Free web toolkit for WHOIS/RDAP, DNS, IP geolocation, SSL certificate inspection and Certificate Transparency subdomain discovery.
RHigh performance offensive security tool for reconnaissance and vulnerability scanning by @evyatarmeged.
Rraven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin by @0x09AL.
Shodan is the world's first search engine for Internet-connected devices by @shodanhq.
SSocial Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf) by @SpiderLabs.
Open source footprinting and intelligence-gathering tool by @binarypool.
TThe most complete open-source tool for Twitter intelligence analysis by @vaguileradiaz.
XXRay is a tool for recon, mapping and OSINT gathering from public networks by @evilsocket.
CThe Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis - by @GCHQ.
Written by @signalchaos.
Burp Suite is an integrated platform for performing security testing of web applications by portswigger.
DOpen source autonomous AI penetration testing platform that orchestrates 80+ offensive tools via Markdown playbooks and MCP across web, cloud, Active Directory and Kubernetes, with an evidence trail per finding by @ASCIT31.
NAI-driven penetration-testing platform that coordinates 10 agents and 38 vulnerability scanners covering OWASP Top 10, by @FrancescoStabile.
TA comprehensive web application audit framework to cover up everything from Reconnaissance and OSINT to Vulnerability Analysis by @tID.
AClient-side encryption engine for SQL databases, with strong selective encryption, SQL injections prevention and intrusion detection by @cossacklabs.
A next-generation open-source Web Application Firewall built on nginx, maintained by Bunkerity.
Open-source collaborative IPS written in Go that analyzes visitor behavior and shares threat signals across a community of operators, maintained by CrowdSec.
A set of tools for building/evaluating/monitoring content-security-policy to prevent/detect cross site scripting by Csper.
DDOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG by Cure53.
FSelf-hosted CAPTCHA with behavioral analysis, vision-AI agent detection, headless-browser fingerprinting, and SHA-256 proof-of-work, maintained by WebDecoy.
JSanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist by @leizongmin.
Interactive Content Security Policy builder for Laravel that outputs ready-to-use PHP middleware with nonce support and violation reporting, by @itxshakil.
PIn-process file-upload security middleware for Node.js that scans untrusted uploads before storage to detect malware, MIME spoofing, and risky archives, maintained by pompelmi.
UAn open-source web application firewall and API security gateway maintained by UUCORP.
VBrowser-side integrity verification and resumable downloads for large files using SRI hashes, defending against CDN compromise and supply-chain attacks, by @hamzaydia.
WZero-configuration WordPress bot-detection plugin combining WebDriver detection, headless-browser fingerprinting, behavioral analysis, and SHA-256 proof-of-work, maintained by WebDecoy.
Written by @securitymb.
HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
MInteractive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.
Written by Orange.
Written by @capacitorset.
Written by @denandz.
Written by Zombiehelp54.
FOpen-source WAF bypass and security-testing toolkit with 6,300+ payloads across OWASP categories, AI-assisted evasion engine, 27-check reconnaissance pipeline, and OWASP hardening audit, by @dalisecurity.
JFree software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by @drego85.
NNuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by @projectdiscovery.
Free online collection of 29 client-side web security tools: web auditor, JWT attacker/decoder, CVE search, CSP evaluator, email security checker (SPF/DKIM/DMARC), subdomain scanner, and more. 100% client-side, privacy-first, open source by @ReplikanteK.
TURL security scanner combining threat intelligence (URLhaus, PhishTank, Spamhaus) with 40+ scam and phishing pattern detection by @undeadlist.
VHigh-fidelity vulnerability scanner fusing agentic AI with native speed, modularity, and precision, maintained by @j3ssie.
WIs an open source web application security scanner that uses "black-box" method, created by @m4ll0k.
Open-source web application security scanner maintained by the ZAP Core Team.
ZPrivacy-first Chrome extension that analyzes website security locally with on-device AI (WebGPU), producing trust scores from HTTPS, phishing, malicious-script, and cookie-compliance signals, by @sattyamjjain.
Open redirect/SSRF payload generator by intigriti.
Check if you have an account that has been compromised in a data breach by Troy Hunt.
Check if your email or domain was compromised by infostealer malware, maintained by Hudson Rock.
Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID to search certificate(s) by @crtsh.
CGoogle's Certificate Transparency project fixes several structural flaws in the SSL certificate system by @google.
DAnalyze the security of any domain by finding all the information possible by @eldraco.
EEyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible by @ChrisTruncer.
SSublist3r is a multi-threaded sub-domain enumeration tool for penetration testers by @aboul3la.
TCode and Server-Side Template Injection Detection and Exploitation Tool by @epinna.
Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.
Initiative to showcase open source hacking tools for hackers and pentesters.
PFull-featured C2 framework which silently persists on webserver via evil PHP oneliner by @nil0x42.
Written by Mario Heiderich.
Complex 16-Level XSS Challenge held in summer 2014 (+4 Hidden Levels) - Written by @cure53.
Hands-on guide to implementing Content Security Policy in Laravel — nonce lifecycle, Vite and Livewire integration, violation reporting, and a pre-enforcement checklist, by @itxshakil.
XXSStrike is a program which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs by @s0md3v.
Written by Timothy D. Morgan.
Exfiltration using FTP protocol - Written by Ivan Novikov.
Written by Timothy D. Morgan and Omar Al Ibrahim.
B
A
P
S
A
S
P
C
V
P
P
X
J
S
U
B
G
I
P
R
F
I
W
D
G
G
L
P
S
E
I
N
E
G
G
C
I
N
A
A
P
Z
S
P
W
G
S
R
R
W
B
X
X
D