diff --git a/README.md b/README.md index 3f18373..ebe55e2 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,7 @@ Your contributions and suggestions are heartily♥ welcome. (✿◕‿◕). Plea * [Network device discovery tools](#network-device-discovery-tools) * [OSINT Online Resources](#osint-online-resources) * [Source code repository searching tools](#source-code-repository-searching-tools) + * [Web application and resource analysis tools](#web-application-and-resource-analysis-tools) * [Online Resources](#online-resources) * [Online Code Samples and Examples](#online-code-samples-and-examples) * [Online Exploit Development Resources](#online-exploit-development-resources) @@ -81,6 +82,11 @@ Your contributions and suggestions are heartily♥ welcome. (✿◕‿◕). Plea * [Steganography Tools](#steganography-tools) * [Vulnerability Databases](#vulnerability-databases) * [Web Exploitation](#web-exploitation) + * [Intercepting Web proxies](#intercepting-web-proxies) + * [Web file inclusion tools](#web-file-inclusion-tools) + * [Web injection tools](#web-injection-tools) + * [Web shells and C2 frameworks](#web-shells-and-c2-frameworks) + * [Web-accessible source code ripping tools](#web-accessible-source-code-ripping-tools) * [Web Exploitation Books](#web-exploitation-books) * [Windows Utilities](#windows-utilities) @@ -397,6 +403,8 @@ See also [awesome-pcaptools](https://github.com/caesar0301/awesome-pcaptools). ### Proxies and Machine-in-the-Middle (MITM) Tools +See also *[Intercepting Web proxies](#intercepting-web-proxies)*. + * [BetterCAP](https://www.bettercap.org/) - Modular, portable and easily extensible MITM framework. * [Ettercap](http://www.ettercap-project.org) - Comprehensive, mature suite for machine-in-the-middle attacks. * [Habu](https://github.com/portantier/habu) - Python utility implementing a variety of network attacks, such as ARP poisoning, DHCP starvation, and more. 
@@ -407,7 +415,6 @@ See also [awesome-pcaptools](https://github.com/caesar0301/awesome-pcaptools). * [dnschef](https://github.com/iphelix/dnschef) - Highly configurable DNS proxy for pentesters. * [evilgrade](https://github.com/infobyte/evilgrade) - Modular framework to take advantage of poor upgrade implementations by injecting fake updates. * [mallory](https://github.com/justmao945/mallory) - HTTP/HTTPS proxy over SSH. -* [mitmproxy](https://mitmproxy.org/) - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers. * [oregano](https://github.com/nametoolong/oregano) - Python module that runs as a machine-in-the-middle (MITM) accepting Tor client requests. * [sylkie](https://dlrobertson.github.io/sylkie/) - Command line tool and library for testing networks for common address spoofing security vulnerabilities in IPv6 networks using the Neighbor Discovery Protocol. 
@@ -590,9 +597,21 @@ See also [awesome-osint](https://github.com/jivoi/awesome-osint). ### Source code repository searching tools +See also *[Web-accessible source code ripping tools](#web-accessible-source-code-ripping-tools)*. + * [vcsmap](https://github.com/melvinsh/vcsmap) - Plugin-based tool to scan public version control systems for sensitive information. * [Yar](https://github.com/Furduhlutur/yar) - Clone git repositories to search through the whole commit history in order of commit time for secrets, tokens, or passwords. +### Web application and resource analysis tools + +* [BlindElephant](http://blindelephant.sourceforge.net/) - Web application fingerprinter. +* [EyeWitness](https://github.com/ChrisTruncer/EyeWitness) - Tool to take screenshots of websites, provide some server header info, and identify default credentials if possible. +* [VHostScan](https://github.com/codingo/VHostScan) - Virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages. +* [Wappalyzer](https://www.wappalyzer.com/) - Wappalyzer uncovers the technologies used on websites. +* [WhatWeb](https://github.com/urbanadventurer/WhatWeb) - Website fingerprinter. +* [wafw00f](https://github.com/EnableSecurity/wafw00f) - Identifies and fingerprints Web Application Firewall (WAF) products. +* [webscreenshot](https://github.com/maaaaz/webscreenshot) - Simple script to take screenshots of websites from a list of sites. + ## Operating System Distributions * [Android Tamer](https://androidtamer.com/) - Distribution built for Android security professionals that includes tools required for Android security testing. 
@@ -770,39 +789,53 @@ See also [awesome-social-engineering](https://github.com/v2-dev/awesome-social-e ## Web Exploitation -* [BlindElephant](http://blindelephant.sourceforge.net/) - Web application fingerprinter. -* [Browser Exploitation Framework (BeEF)](https://github.com/beefproject/beef) - Command and control server for delivering exploits to commandeered Web browsers. -* [Burp Suite](https://portswigger.net/burp/) - Integrated platform for performing security testing of web applications. -* [Commix](https://github.com/commixproject/commix) - Automated all-in-one operating system command injection and exploitation tool. -* [DVCS Ripper](https://github.com/kost/dvcs-ripper) - Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR. -* [EyeWitness](https://github.com/ChrisTruncer/EyeWitness) - Tool to take screenshots of websites, provide some server header info, and identify default credentials if possible. -* [Fiddler](https://www.telerik.com/fiddler) - Free cross-platform web debugging proxy with user-friendly companion tools. * [FuzzDB](https://github.com/fuzzdb-project/fuzzdb) - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery. -* [GitTools](https://github.com/internetwache/GitTools) - Automatically find and download Web-accessible `.git` repositories. -* [Kadimus](https://github.com/P0cL4bs/Kadimus) - LFI scan and exploit tool. -* [LFISuite](https://github.com/D35m0nd142/LFISuite) - Automatic LFI scanner and exploiter. -* [NoSQLmap](https://github.com/codingo/NoSQLMap) - Automatic NoSQL injection and database takeover tool. -* [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org/) - Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications. * [Offensive Web Testing Framework (OWTF)](https://www.owasp.org/index.php/OWASP_OWTF) - Python-based framework for pentesting Web applications based on the OWASP Testing Guide. 
* [Raccoon](https://github.com/evyatarmeged/Raccoon) - High performance offensive security tool for reconnaissance and vulnerability scanning. -* [SQLmap](http://sqlmap.org/) - Automatic SQL injection and database takeover tool. -* [VHostScan](https://github.com/codingo/VHostScan) - Virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages. * [WPSploit](https://github.com/espreto/wpsploit) - Exploit WordPress-powered websites with Metasploit. -* [Wappalyzer](https://www.wappalyzer.com/) - Wappalyzer uncovers the technologies used on websites. * [WhatWaf](https://github.com/Ekultek/WhatWaf) - Detect and bypass web application firewalls and protection systems. -* [WhatWeb](https://github.com/urbanadventurer/WhatWeb) - Website fingerprinter. -* [autochrome](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/march/autochrome/) - Easy to install a test browser with all the appropriate setting needed for web application testing with native Burp support, from NCCGroup. +* [autochrome](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/march/autochrome/) - Chrome browser profile preconfigured with appropriate settings needed for web application testing. * [badtouch](https://github.com/kpcyrd/badtouch) - Scriptable network authentication cracker. -* [fimap](https://github.com/kurobeats/fimap) - Find, prepare, audit, exploit and even Google automatically for LFI/RFI bugs. -* [liffy](https://github.com/hvqzao/liffy) - LFI exploitation tool. * [recursebuster](https://github.com/c-sto/recursebuster) - Content discovery tool to perform directory and file bruteforcing. * [sslstrip2](https://github.com/LeonardoNve/sslstrip2) - SSLStrip version to defeat HSTS. * [sslstrip](https://www.thoughtcrime.org/software/sslstrip/) - Demonstration of the HTTPS stripping attacks. 
+ +### Intercepting Web proxies + +See also *[Proxies and Machine-in-the-Middle (MITM) Tools](#proxies-and-machine-in-the-middle-mitm-tools)*. + +* [Burp Suite](https://portswigger.net/burp/) - Integrated platform for performing security testing of web applications. +* [Fiddler](https://www.telerik.com/fiddler) - Free cross-platform web debugging proxy with user-friendly companion tools. +* [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org/) - Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications. +* [mitmproxy](https://mitmproxy.org/) - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers. + +### Web file inclusion tools + +* [Kadimus](https://github.com/P0cL4bs/Kadimus) - LFI scan and exploit tool. +* [LFISuite](https://github.com/D35m0nd142/LFISuite) - Automatic LFI scanner and exploiter. +* [fimap](https://github.com/kurobeats/fimap) - Find, prepare, audit, exploit and even Google automatically for LFI/RFI bugs. +* [liffy](https://github.com/hvqzao/liffy) - LFI exploitation tool. + +### Web injection tools + +* [Commix](https://github.com/commixproject/commix) - Automated all-in-one operating system command injection and exploitation tool. +* [NoSQLmap](https://github.com/codingo/NoSQLMap) - Automatic NoSQL injection and database takeover tool. +* [SQLmap](http://sqlmap.org/) - Automatic SQL injection and database takeover tool. * [tplmap](https://github.com/epinna/tplmap) - Automatic server-side template injection and Web server takeover tool. -* [wafw00f](https://github.com/EnableSecurity/wafw00f) - Identifies and fingerprints Web Application Firewall (WAF) products. -* [webscreenshot](https://github.com/maaaaz/webscreenshot) - Simple script to take screenshots of websites from a list of sites. -* [weevely3](https://github.com/epinna/weevely3) - Weaponized PHP-based web shell. 
+ +### Web shells and C2 frameworks + +* [Browser Exploitation Framework (BeEF)](https://github.com/beefproject/beef) - Command and control server for delivering exploits to commandeered Web browsers. +* [DAws](https://github.com/dotcppfile/DAws) - Advanced Web shell. +* [SharPyShell](https://github.com/antonioCoco/SharPyShell) - Tiny and obfuscated ASP.NET webshell for C# web applications. * [PhpSploit](https://github.com/nil0x42/phpsploit) - Full-featured C2 framework which silently persists on webserver via evil PHP oneliner. +* [weevely3](https://github.com/epinna/weevely3) - Weaponized PHP-based web shell. + +### Web-accessible source code ripping tools + +* [DVCS Ripper](https://github.com/kost/dvcs-ripper) - Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR. +* [GitTools](https://github.com/internetwache/GitTools) - Automatically find and download Web-accessible `.git` repositories. +* [git-dumper](https://github.com/arthaud/git-dumper) - Tool to dump a git repository from a website. ### Web Exploitation Books
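Review bot: In the table-of-contents hunk at `@@ -81,6 +82,11 @@`, the five new entries (`Intercepting Web proxies` through `Web-accessible source code ripping tools`) are subsections of `## Web Exploitation`, yet they are listed between the `Web Exploitation` entry and `Web Exploitation Books`; leading indentation is not visible in this view, so please confirm they are indented one level deeper than `* [Web Exploitation](#web-exploitation)` so the TOC nesting matches the `###` headings added later in the patch. The same check applies to `Web application and resource analysis tools` in the `@@ -54,6 +54,7 @@` hunk, which should sit at the same level as `Source code repository searching tools` directly above it.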
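Review bot: In the hunk at `@@ -590,9 +597,21 @@`, `wafw00f` (identifies and fingerprints WAF products) moves into the new `Web application and resource analysis tools` section while `WhatWaf` (detect and bypass web application firewalls) stays in `## Web Exploitation`; the two overlap on WAF detection, so either state the criterion (detection-only tooling here, bypass tooling under exploitation) or keep both together so readers find them in one place. Minor: the moved `Wappalyzer` line restates the tool name (`Wappalyzer uncovers the technologies used on websites.`), unlike every other entry in the section; since the line is being touched anyway, `Uncovers the technologies used on websites.` matches the list style.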
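Review bot: In the hunk at `@@ -770,39 +789,53 @@`, the `Web shells and C2 frameworks` list breaks the alphabetical order used elsewhere in the file: `SharPyShell` is inserted before the unchanged `PhpSploit` line, where `PhpSploit` should come first. The same hunk also adds three tools that are new rather than moved (`DAws`, `SharPyShell`, `git-dumper`); mixing new entries into a reorganization makes the move hard to verify, so call them out in the commit message or submit them separately, and give `DAws` a more specific description than `Advanced Web shell.` The rewritten `autochrome` line drops the native Burp support and NCC Group attribution from the previous description; the Burp integration is what distinguishes it from a plain Chrome profile, so consider keeping it, e.g. `Chrome browser profile preconfigured with appropriate settings needed for web application testing, with native Burp support.` Finally, `webshell` (SharPyShell) versus `Web shell` (DAws) and `web shell` (weevely3) within the same section should be spelled consistently.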