mirror of
https://github.com/qazbnm456/awesome-web-security.git
synced 2024-10-01 03:15:46 -04:00
Awesome Web Security
🐶 A curated list of Web Security materials and resources.
Please read the contribution guidelines before contributing.
🌈 Want to strengthen your penetration skills?
I would recommend playing some awesome-ctfs.
Check out my repos 🐾 or say hi on my Twitter.
Menu
- Collection
- Resource
- Evasion
- Trick
- Browser Exploitation
- PoC
- Tool
- Blog
- Twitter User
- Miscellaneous
- Practice
Collection
- Drops (backup) - Drops was a well-known knowledge base for hacking technology.
- Paper from Seebug - A knowledge base for hacking technology built by Seebug.
- Freebuf - Freebuf is the most popular forum in China for exchanging and sharing hacking technology.
- 安全脉搏 (Security Pulse) - A blog about security topics.
Resource
XSS
- H5SC - HTML5 Security Cheatsheet - A collection of HTML5 related XSS attack vectors by @cure53.
- XSS.png - An XSS mind map by @jackmasa.
SQL Injection
- HQL for pentesters - A brief introduction to Hibernate Query Injection.
XML
- XML实体攻击 - 从内网探测到命令执行步步惊心 (XML entity attacks: a nerve-wracking path from internal network probing to command execution), written by 张天琪.
CSRF
- 讓我們來談談 CSRF (Let's talk about CSRF), written by TechBridge.
Rails
- Rails 動態樣板路徑的風險 (The risks of dynamic template paths in Rails), written by Shaolin.
- Rails Security, written by @qazbnm456.
AngularJS
Evasion
CSP
WAF
- 浅谈json参数解析对waf绕过的影响 (A brief discussion of how JSON parameter parsing affects WAF bypasses), written by doggy.
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities, written by @Brett Buerhaus.
JSMVC
- JavaScript MVC and Templating Frameworks, written by Mario Heiderich.
Trick
Remote Code Execution
- Exploiting Node.js deserialization bug for Remote Code Execution, written by OpSecX.
- eval长度限制绕过 && PHP5.6新特性 (Bypassing eval length limits && new features in PHP 5.6), written by PHITHON.
- PHP垃圾回收机制UAF漏洞分析 (Analysis of a UAF vulnerability in PHP's garbage collection mechanism), written by ph1re.
- DRUPAL 7.X SERVICES MODULE UNSERIALIZE() TO RCE, written by Ambionics Security.
XSS
- ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else, written by Mario Heiderich.
- How I found a $5,000 Google Maps XSS (by fiddling with Protobuf), written by Marin Moulinier.
SQL Injection
- 屌智硬之mysql不用逗号注入 (MySQL injection without using commas), written by jinglingshu.
- 见招拆招:绕过WAF继续SQL注入常用方法 (Countering every move: common methods for bypassing WAFs to continue SQL injection), written by mikey.
- MySQL Error Based SQL Injection Using EXP, written by @osandamalith.
- SQL injection in an UPDATE query - a bug bounty story!, written by Zombiehelp54.
SSRF
- SSRF in https://imgur.com/vidgif/url, written by aesteral.
Header Injection
Others
- Some Tricks From My Secret Group, written by PHITHON.
Browser Exploitation
- First Step to Browser Exploitation, written by Brian Pak.
- JSON hijacking for the modern web, written by PortSwigger.
- IE11 Information disclosure - local file detection, written by James Lee.
PoC
JavaScript
- js-vuln-db - A collection of JavaScript engine CVEs with PoCs by @tunz.
- awesome-cve-poc - A curated list of CVE PoCs by @qazbnm456.
Tool
Code Generating
- VWGen - Vulnerable Web applications Generator by @qazbnm456.
Disassembler
- plasma - Plasma is an interactive disassembler for x86/ARM/MIPS by @plasma-disassembler.
- radare2 - Unix-like reverse engineering framework and command-line tools by @radare.
- Iaitō - A Qt and C++ GUI for radare2 reverse engineering framework by @hteso.
Fuzzing
- wfuzz - Web application bruteforcer by @xmendez.
- charsetinspect - A script that inspects multi-byte character sets looking for characters with specific user-defined properties by @hack-all-the-things.
- IPObfuscator - A simple tool to convert an IP address to a DWORD IP by @OsandaMalith.
- wpscan - WPScan is a black box WordPress vulnerability scanner by @wpscanteam.
- JoomlaScan - A free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan by @drego85.
Penetrating
- Burp Suite - Burp Suite is an integrated platform for performing security testing of web applications by PortSwigger.
- mitmproxy - An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by @mitmproxy.
Leaking
- HTTPLeaks - All possible ways a website can leak HTTP requests by @cure53.
- dvcs-ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG... by @kost.
- DVCS-Pillage - Pillage web accessible GIT, HG and BZR repositories by @evilpacket.
Detecting
- sqlchop - [DEPRECATED] A novel SQL injection detection engine built on top of SQL tokenizing and syntax analysis by chaitin.
- retire.js - Scanner detecting the use of JavaScript libraries with known vulnerabilities by @RetireJS.
- malware-jail - Sandbox for semi-automatic JavaScript malware analysis, deobfuscation and payload extraction by @HynekPetrak.
Preventing
- js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a whitelist by @leizongmin.
Others
Blog
- Orange - Taiwan's talented web penetrator.
- leavesongs - China's talented web penetrator.
- Broken Browser - Fun with Browser Vulnerabilities.
- Blog of Osanda - Security Researching and Reverse Engineering.
- BRETT BUERHAUS - Vulnerability disclosures and rambles on application security.
- n0tr00t - ~# n0tr00t Security Team.
Twitter User
- @filedescriptor - An active penetration tester who often tweets and writes useful articles.
- @cure53berlin - Cure53 is a German cybersecurity firm.
- @XssPayloads - The wonderland of JavaScript unexpected usages, and more.
Miscellaneous
- awesome-bug-bounty - A comprehensive curated list of available Bug Bounty & Disclosure Programs and write-ups by @djadmin.
- bug-bounty-reference - A list of bug bounty write-up that is categorized by the bug nature by @ngalongc.
- 如何正確的取得使用者 IP ? (How to correctly obtain a user's IP address?), written by Allen Own.
- 1000php - 1000个PHP代码审计案例(2016.7以前乌云公开漏洞) (1000 PHP code audit cases, from WooYun vulnerabilities disclosed before July 2016) by @Xyntax.
- Brute Forcing Your Facebook Email and Phone Number, written by PwnDizzle.
- GITLEAKS - Search engine for exposed secrets on lots of places.
- Pentest + Exploit dev Cheatsheet wallpaper - Penetration Testing and Exploit Dev CheatSheet.
- URL Hacking - 前端猥琐流 (URL Hacking - the sneaky front-end approach), written by 0x_Jin.
- Hunting for Web Shells, written by Jacob Baines.
- The Definitive Security Data Science and Machine Learning Guide, written by Jason Trost.
Practice
AWS
- FLAWS - Amazon AWS CTF challenge, written by @0xdabbad00.
XSS
- alert(1) to win - A series of XSS challenges, written by @steike.
- prompt(1) to win - A complex 16-Level XSS Challenge held in summer 2014 (+4 Hidden Levels), written by @cure53.
License
To the extent possible under law, @qazbnm456 has waived all copyright and related or neighboring rights to this work.